Symas OpenLDAP Knowledge Base

Configure Ubuntu Client with SSSD Authentication and autofs/automount with LDAP backend

Configure SSSD with LDAP on Client

If /opt/symas/ssl/ca/ does not exist, create the directory:

mkdir -p /opt/symas/ssl/ca/

Place the CA certificate (gdroot-g2.crt) in that directory, so that it is available at the path below. The CA certificate can be found here.

/opt/symas/ssl/ca/gdroot-g2.crt

Install the SSSD client on the Ubuntu client:

apt install sssd libpam-sss libnss-sss sssd-tools oddjob-mkhomedir

Configure connection and authentication to LDAP

There are two files that need to be addressed:

  • /etc/sssd/sssd.conf
  • /etc/pam.d/common-session

Create and Configure SSSD configuration:

vi /etc/sssd/sssd.conf

Insert the following:

[sssd]
services = nss, pam
config_file_version = 2
domains = sraeng


[nss]

[pam]
offline_credentials_expiration = 60

[domain/sraeng]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = ou=people,dc=sraeng,dc=com
ldap_group_search_base = ou=Groups,dc=sraeng,dc=com?subtree?(objectclass=posixGroup)
ldap_netgroup_search_base = ou=netgroups,dc=sraeng,dc=com?subtree?(objectclass=nisNetGroup)
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ma1prdldap01.stratus.com
ldap_default_bind_dn = cn=admin,dc=sraeng,dc=com
ldap_default_authtok = secret
ldap_tls_reqcert = demand
ldap_tls_cacert = /opt/symas/ssl/ca/gdroot-g2.crt
ldap_tls_cacertdir = /opt/symas/ssl/ca
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
enumerate = True

Configure auto-home directory creation

vi /etc/pam.d/common-session

And insert the following:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session optional                        pam_sss.so
session optional                        pam_ldap.so
session optional                        pam_systemd.so
session required                        pam_mkhomedir.so skel=/etc/skel/ umask=0022
# end of pam-auth-update config

Set proper permissions for sssd folder and content

chown -R root:root /etc/sssd/
chmod -R 600 /etc/sssd/

Check sssd.conf for errors

sssctl config-check
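
As an added example (not part of the Symas page), a small Python audit that complements sssctl config-check by checking the settings above that matter for security: that directory traffic is protected by StartTLS or ldaps://, that ldap_tls_reqcert requires a valid server certificate, that a bind password stored in the file is flagged, and that the file mode keeps that password private. The sample configuration is constructed to mirror the sssd.conf above.

```python
import configparser
import stat

# Constructed sample mirroring the [domain/sraeng] settings above; not read from a host.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = sraeng

[domain/sraeng]
ldap_id_use_start_tls = True
ldap_uri = ldap://ma1prdldap01.stratus.com
ldap_default_bind_dn = cn=admin,dc=sraeng,dc=com
ldap_default_authtok = secret
ldap_tls_reqcert = demand
ldap_tls_cacert = /opt/symas/ssl/ca/gdroot-g2.crt
"""

def audit_sssd_conf(text):
    """Return one finding per weak setting found in the [domain/...] sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uris = d.get("ldap_uri", "").replace(",", " ").split()
        ldaps_only = bool(uris) and all(u.startswith("ldaps://") for u in uris)
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if not (ldaps_only or start_tls):
            findings.append(f"{section}: lookups use plain ldap:// without StartTLS")
        # SSSD's default is "hard"; anything weaker accepts an unverified server.
        if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert does not require a valid certificate")
        if "ldap_default_authtok" in d:
            findings.append(f"{section}: bind password stored in sssd.conf (file must be 0600)")
    return findings

def mode_is_private(st_mode):
    """True for a regular file with owner read/write and no group/other bits (0600)."""
    return stat.S_ISREG(st_mode) and (st_mode & 0o077) == 0 and (st_mode & 0o600) == 0o600

if __name__ == "__main__":
    # For a real host: mode_is_private(os.stat("/etc/sssd/sssd.conf").st_mode)
    print("\n".join(audit_sssd_conf(SAMPLE_SSSD_CONF)) or "no weak settings found")
```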

To clear SSSD cache, if needed

systemctl stop sssd
sss_cache -E
rm -f /var/lib/sss/db/*
systemctl start sssd

Install and configure autofs/automount with LDAP on Ubuntu

Install autofs for LDAP

sudo apt install autofs-ldap

Configure connection and authentication with LDAP server

There are three files that need to be addressed:

  • /etc/default/autofs
  • /etc/autofs_ldap_auth.conf
  • /etc/nsswitch.conf

Modify /etc/default/autofs to point to the LDAP server, correct mapping and search base. Edit the file:

vim /etc/default/autofs

And insert the following:

#
# Init system options
#
# If the kernel supports using the autofs miscellaneous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
#
USE_MISC_DEVICE="yes"
#
# Use OPTIONS to add automount(8) command line options that
# will be used when the daemon is started.
#
#OPTIONS=""
#
MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=sraeng,dc=com"
LOGGING="verbose"
LDAP_URI="ldap://10.104.42.98"
SEARCH_BASE="ou=automount,dc=sraeng,dc=com"
# Define the LDAP schema to use for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basedn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
# (...)
#
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"

Modify /etc/autofs_ldap_auth.conf to configure authentication to the LDAP server. Note that the settings below (usetls="no" with authrequired="simple") make automount send the bind password in clear text over the ldap:// connection; setting usetls="yes" and tlsrequired="yes" requires StartTLS for this bind as well, matching the SSSD configuration above. Edit the file:

vim /etc/autofs_ldap_auth.conf

and insert the following:

<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="simple"
        user="cn=admin,dc=sraeng,dc=com"
        secret="secret"
/>

Lastly, modify /etc/nsswitch.conf to add the LDAP map. Edit the file:

vim /etc/nsswitch.conf

and insert the following:

passwd:         sss files systemd
group:          sss files systemd
shadow:         files sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
automount:      ldap

Restart the autofs service and review the status:

systemctl restart autofs
systemctl status autofs

Example output:

oldapadmin@ma1tstldap02:~$ sudo systemctl status autofs
● autofs.service - Automounts filesystems on demand
     Loaded: loaded (/lib/systemd/system/autofs.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-10-10 14:40:29 EDT; 6s ago
       Docs: man:autofs(8)
    Process: 287458 ExecStart=/usr/sbin/automount $OPTIONS --pid-file /var/run/autofs.pid (code=exited, status=0/SUCCESS)
   Main PID: 287459 (automount)
      Tasks: 15 (limit: 4557)
     Memory: 3.9M
        CPU: 99ms
     CGroup: /system.slice/autofs.service
             └─287459 /usr/sbin/automount --pid-file /var/run/autofs.pid

Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /ire with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /sim with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /swt with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /auto with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /lang with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /pubs with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /serv with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /sinap with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /tpdbms with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 systemd[1]: Started Automounts filesystems on demand.
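
Added example (not from the Symas page or the autofs project): a small resolver that walks the LDAP automount objects the way automount does, using the schema selected in /etc/default/autofs above (objectClass automount, key in cn, location in automountInformation, master map at MASTER_MAP_NAME). The LDIF is constructed; the NFS server nfs01.sraeng.example and the auto.ire map are assumptions. It shows why each master-map entry appears in the status output as an indirect mount, and how a lookup under one of them expands a wildcard entry's & to the requested key.

```python
# Constructed LDIF in the schema /etc/default/autofs selects above; not a dump from
# a real server. Container objects (objectClass automountMap) are omitted for brevity.
SAMPLE_LDIF = """\
dn: cn=/ire,ou=auto.master,ou=automount,dc=sraeng,dc=com
objectClass: automount
cn: /ire
automountInformation: ldap:ou=auto.ire,ou=automount,dc=sraeng,dc=com --timeout=300

dn: cn=tools,ou=auto.ire,ou=automount,dc=sraeng,dc=com
objectClass: automount
cn: tools
automountInformation: -fstype=nfs,ro nfs01.sraeng.example:/export/ire/tools

dn: cn=*,ou=auto.ire,ou=automount,dc=sraeng,dc=com
objectClass: automount
cn: *
automountInformation: -fstype=nfs,rw nfs01.sraeng.example:/export/ire/&
"""
MASTER_DN = "ou=auto.master,ou=automount,dc=sraeng,dc=com"  # MASTER_MAP_NAME above

def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for simple, unfolded, unencoded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif line.strip() and current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def map_entries(entries, map_dn):
    """automount objects directly under map_dn as {cn (lookup key): automountInformation}."""
    suffix = "," + map_dn
    return {e["cn"][0]: e["automountInformation"][0] for dn, e in entries.items()
            if dn.endswith(suffix) and "automount" in e.get("objectClass", [])}

def mount_points(entries):
    """The indirect mount points automount creates from the master map."""
    return sorted(map_entries(entries, MASTER_DN))

def resolve(entries, path):
    """Location automount would mount for path (master -> map -> key), or None."""
    mount_point, _, key = path.rstrip("/").rpartition("/")
    target = map_entries(entries, MASTER_DN).get(mount_point, "").split()
    if not key or not target or not target[0].startswith("ldap:"):
        return None                                   # no map owns this path
    submap = map_entries(entries, target[0][len("ldap:"):])
    info = submap.get(key) or submap.get("*")         # exact key, then wildcard
    return info.replace("&", key) if info else None   # '&' expands to the key
```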

Troubleshooting

Dump the configured maps with verbose output to a file and review it for errors:

automount -m -v > /tmp/auto-error1.txt 2>&1