Replace ‘certfile.crt’ with your own .crt file.

Before proceeding make sure you have a CA certificate created, learn how to by clicking here.

1. Place the CA certificate in the necessary directory:

/opt/symas/ssl/ca/certfile.crt

2. If /opt/symas/ssl/ca/ does not exist, create the directory: 

mkdir -p /opt/symas/ssl/ca/

3. Install SSSD client on the CentOS/RHEL7 client: 

yum update

yum install sssd sssd-client sssd-tools oddjob-mkhomedir

4. Configure nsswitch.conf:

vi /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: sss files systemd
group: sss files systemd
shadow: files sss
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

netgroup: nis sss
automount: sss

5. Create and Configure SSSD configuration:  

vi /etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = sraeng

[nss]

[pam]
offline_credentials_expiration = 60

[domain/example]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com?subtree?
(objectclass=posixGroup)
ldap_netgroup_search_base = ou=netgroups,dc=example,dc=com?subtree?
(objectclass=nisNetGroup)
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://example.com
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = secret
ldap_tls_reqcert = demand
ldap_tls_cacert = /opt/symas/ssl/ca/certfile.crt
ldap_tls_cacertdir = /opt/symas/ssl/ca
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
enumerate = True

6. Set proper permissions for sssd folder and content: 

chown -R root:root /etc/sssd/
chmod -R 600 /etc/sssd/

7. Configure auto-home directory creation: 

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

8. If /etc/pam.d/common-session exists, perform the following:   

vi /etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] 					pam_permit.so
# here's the fallback if no module succeeds
session requisite 						pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required 						pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional 						pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required 		pam_unix.so
session optional 						pam_sss.so
session optional 						pam_ldap.so
session optional 		pam_systemd.so
session required 			pam_mkhomedir.so skel=/etc/skel/ umask=0022
# end of pam-auth-update config

9. Use authconfig to recalibrate login process for pam: 

authconfig --enablesssdauth --enablesssd --enablemkhomedir --updateall

If you receive the error ‘authconfig: command not found’, use the following command to install the utility:  

yum install authconfig

10. Enable the 'oddjobd' and 'sssd' service to start automatically when the system reboots:

systemctl enable --now oddjobd

systemctl enable --now sssd

11. Check sssd.conf for errors: 

sssctl config-check

12. To clear SSSD cache, if needed:

service sssd stop
sss_cache -E
rm -f /var/lib/sss/db/*
service sssd start