Ldap Client per SSSD
Version vom 18. November 2025, 09:04 Uhr von Thomas.will (Diskussion | Beiträge) (→SSSD Client-Konfiguration)
SSSD Client-Konfiguration
SSSD (System Security Services Daemon) ersetzt die alte Konfiguration mit libnss-ldap und libpam-ldap.
Installation
- apt install sssd-ldap ldap-utils
CA Cert besorgen
- cd /etc/ldap/
- wget https://web.samogo.de/certs/ca.crt
ldap.conf (Client)
- cat /etc/ldap/ldap.conf
base dc=it113,dc=int
uri ldap://server.it113.int
ldap_version 3
SSSD Konfiguration
vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = it113.int
[domain/it113.int]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# DNS Service Discovery nutzen (benötigt SRV Records!)
ldap_uri = _srv_
dns_discovery_domain = it113.int
ldap_search_base = dc=it113,dc=int
ldap_default_bind_dn = cn=admin,dc=it113,dc=int
ldap_default_authtok_type = password
ldap_default_authtok = 123Start$
# TLS komplett deaktivieren (für Testumgebungen)
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
cache_credentials = true
enumerate = true
[nss]
filter_users = root,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,list,irc,gnats,nobody,systemd-network,systemd-resolve,messagebus,_apt,uuidd,nslcd
filter_groups = root,daemon,bin,sys,adm,tty,disk,lp,mail,news,uucp,man,proxy,kmem,dialout,fax,voice,cdrom,floppy,tape,sudo,audio,dip,www-data,backup,operator,list,irc,src,gnats,shadow,utmp,video,sasl,plugdev,staff,games,users,nogroup,systemd-journal,systemd-network,systemd-resolve,input,kvm,render,crontab,netdev,messagebus,_apt,uuidd,ssh,nslcd
[pam]
offline_credentials_expiration = 2
Alternative ohne DNS SRV Records:
Falls die DNS SRV Records nicht funktionieren, kann man auch direkt den Server angeben:
[domain/it113.int]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# Direkte URI statt DNS Discovery
ldap_uri = ldap://ldap.it113.int:389
ldap_search_base = dc=it113,dc=int
# TLS deaktivieren
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
# ... rest wie oben
Berechtigungen setzen
chmod 600 /etc/sssd/sssd.conf
SSSD Service aktivieren und starten
systemctl enable sssd systemctl start sssd