Configure SSSD for LDAP Authentication on Ubuntu 20.04

How do you authenticate against OpenLDAP with SSSD on Ubuntu 20.04? This guide walks you through installing and configuring SSSD for LDAP authentication on Ubuntu 20.04. SSSD (System Security Services Daemon) is a system service that provides access to remote directories and authentication mechanisms such as an LDAP directory, an Identity Management (IdM) or Active Directory (AD) domain, or a Kerberos realm.


Assuming you already have an OpenLDAP server up and running, read on to learn how to install and configure SSSD for LDAP authentication.

Run a system update

Make sure your system package cache is up to date.

apt update

Install SSSD on Ubuntu 20.04

To install SSSD and the other required SSSD tools on Ubuntu 20.04, run the command below;

apt install sssd libpam-sss libnss-sss

Configure SSSD for OpenLDAP Authentication on Ubuntu 20.04

Create the SSSD configuration file

SSSD does not ship with a configuration file by default, so you need to create the configuration file that defines the LDAP authentication details.

vim /etc/sssd/sssd.conf

Below are our sample configuration options;

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = <readonly-bind-password>
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ldapcacert.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

Replace the values above with ones appropriate for your environment, in particular ldap_search_base, ldap_uri, ldap_default_bind_dn, ldap_default_authtok (the password of the read-only bind DN) and ldap_tls_cacert.

For a detailed description of the options used above, see man sssd.conf and man sssd-ldap.

Once done with the configuration, save and exit the file.

Install the OpenLDAP Server CA Certificate on the Ubuntu 20.04 LDAP Client

SSSD authentication only works over an encrypted channel, so your OpenLDAP server must be configured for SSL/TLS.

If that is already done, download the CA certificate from the LDAP server to the LDAP client by running the command below.

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Copy the certificate section;

-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL
BQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww
GgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMSYwJAYDVQQDDB1sZGFwbWFzdGVy
...
...
ExJaMa6cJkIFmepJ6wGvk33DiLRZrAKT2/11yswYm16mdpUynmx6pZvZizjxkq+c
hegnowyEG4db/NktY44v2ryIQdEclnKmhk23vmhgZxl1IUgev2tc//JWPE9dXuP8
Uy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs
Igf9K1e9M0Q+j2XEsTeCYVU/v0Jt0kER0+V/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp
ARWZ
-----END CERTIFICATE-----

Per our SSSD configuration, the LDAP CA certificate file is stored as /etc/ssl/certs/ldapcacert.crt. Copy the certificate above and place it in this file;

vim /etc/ssl/certs/ldapcacert.crt
-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL
BQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww
GgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMSYwJAYDVQQDDB1sZGFwbWFzdGVy
...
...
ExJaMa6cJkIFmepJ6wGvk33DiLRZrAKT2/11yswYm16mdpUynmx6pZvZizjxkq+c
hegnowyEG4db/NktY44v2ryIQdEclnKmhk23vmhgZxl1IUgev2tc//JWPE9dXuP8
Uy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs
Igf9K1e9M0Q+j2XEsTeCYVU/v0Jt0kER0+V/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp
ARWZ
-----END CERTIFICATE-----

Next, open /etc/ldap/ldap.conf and replace the value of TLS_CACERT with the path to the CA certificate created above.

vim /etc/ldap/ldap.conf
...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
TLS_CACERT      /etc/ssl/certs/ldapcacert.crt

Save and close the configuration file.

Set appropriate permissions on the SSSD configuration

Next, restrict the SSSD configuration under /etc/sssd/ so that only root can read it, since sssd.conf contains the bind password:

chmod 600 -R /etc/sssd

Restart the SSSD service

systemctl restart sssd

Check the status of SSSD to ensure it is running.

systemctl status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-05-08 11:38:21 EAT; 6s ago
   Main PID: 7004 (sssd)
      Tasks: 4 (limit: 2319)
     Memory: 34.0M
     CGroup: /system.slice/sssd.service
             ├─7004 /usr/sbin/sssd -i --logger=files
             ├─7020 /usr/libexec/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
             ├─7021 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             └─7022 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

May 08 11:38:20 koromicha systemd[1]: Starting System Security Services Daemon...
May 08 11:38:20 koromicha sssd[7004]: Starting up
May 08 11:38:21 koromicha sssd[be[7020]: Starting up
May 08 11:38:21 koromicha sssd[7021]: Starting up
May 08 11:38:21 koromicha sssd[7022]: Starting up
May 08 11:38:21 koromicha systemd[1]: Started System Security Services Daemon.

Enable SSSD to run on system boot;

systemctl enable sssd

Configure automatic home directory creation

To enable automatic creation of users' home directories on first login, you need to configure the PAM module (pam_mkhomedir.so) as shown below.

Open the /etc/pam.d/common-session configuration file and edit it as follows:

vim /etc/pam.d/common-session

Add the following line below the line session optional pam_sss.so

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
...
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_sss.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional        pam_systemd.so
# end of pam-auth-update config
...

Save and exit the configuration file.
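Before testing logins, it is worth checking that the pieces configured above actually fit together: the sssd.conf written earlier, the CA certificate file it points to, the chmod step, and the common-session edit. The POSIX shell audit below is an added example, not part of the guide or of the SSSD project; it checks a config and a PAM session file against the settings the guide relies on and returns the number of findings. The two sample configurations and PAM files it builds in a temporary directory are constructed for the demonstration; on a real client you would pass /etc/sssd/sssd.conf and /etc/pam.d/common-session instead.

```sh
#!/bin/sh
# Added example (not from the guide): audit an SSSD LDAP client after setup.
#   usage: audit_sssd_client /etc/sssd/sssd.conf /etc/pam.d/common-session
# Exit status is the number of findings; 0 means everything matches the guide.

# Print the value of KEY in an ini-style FILE (first match, trailing space trimmed).
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*$//'
}

# Succeed if MODULE appears on an active (uncommented) "session" line of a PAM file.
pam_has_session() {
    grep -q "^[[:space:]]*session[[:space:]].*$2" "$1"
}

# Record one finding; $findings is the running count.
fail() { findings=$((findings + 1)); echo "FINDING: $1"; }

audit_sssd_client() {
    conf=$1; pam=$2; findings=0

    # 1. Credentials must not cross the network in cleartext: StartTLS or ldaps://.
    tls=$(get_opt "$conf" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$(get_opt "$conf" ldap_uri)" in
        ldaps://*) ;;
        *) [ "$tls" = "true" ] ||
               fail "ldap_id_use_start_tls is not True and ldap_uri is not ldaps://" ;;
    esac

    # 2. The server certificate must be verified, not merely requested.
    [ "$(get_opt "$conf" ldap_tls_reqcert)" = "demand" ] ||
        fail "ldap_tls_reqcert is not 'demand'"

    # 3. The CA file named in the config must exist and hold a PEM certificate.
    cacert=$(get_opt "$conf" ldap_tls_cacert)
    if [ -z "$cacert" ]; then
        fail "ldap_tls_cacert is not set"
    elif ! grep -q 'BEGIN CERTIFICATE' "$cacert" 2>/dev/null; then
        fail "ldap_tls_cacert '$cacert' is missing or not a PEM certificate"
    fi

    # 4. The read-only bind password must be filled in, with no placeholder left.
    case "$(get_opt "$conf" ldap_default_authtok)" in
        ""|*"<"*|*">"*) fail "ldap_default_authtok is empty or still a placeholder" ;;
    esac

    # 5. Without access_provider, every account in the directory may log in.
    [ -n "$(get_opt "$conf" access_provider)" ] || fail "access_provider is not set"

    # 6. sssd.conf holds the bind password, so group/other permission bits must be clear.
    [ "$(ls -l "$conf" | cut -c5-10)" = "------" ] ||
        fail "$conf is readable by group or others (expected mode 600)"

    # 7/8. The session stack needs pam_sss.so and pam_mkhomedir.so for first logins.
    pam_has_session "$pam" pam_sss.so || fail "no active pam_sss.so session line in $pam"
    pam_has_session "$pam" pam_mkhomedir.so || fail "no active pam_mkhomedir.so session line in $pam"

    return "$findings"
}

# --- Constructed sample inputs in a temp dir (not files from a real host) ---
DEMO=$(mktemp -d)
cat > "$DEMO/ldapcacert.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
(constructed placeholder body, not a real certificate)
-----END CERTIFICATE-----
EOF

# A config that follows the guide (unquoted heredoc so $DEMO expands).
cat > "$DEMO/good.conf" <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
ldap_id_use_start_tls = True
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = example-bind-password
ldap_tls_reqcert = demand
ldap_tls_cacert = $DEMO/ldapcacert.crt
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF
chmod 600 "$DEMO/good.conf"

# A config with typical mistakes: cleartext, lax certificate check, placeholder password.
cat > "$DEMO/bad.conf" <<'EOF'
[domain/default]
ldap_id_use_start_tls = False
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_authtok = <readonly-bind-password>
ldap_tls_reqcert = allow
EOF
chmod 644 "$DEMO/bad.conf"

printf 'session required\tpam_unix.so\nsession optional\tpam_sss.so\nsession required\tpam_mkhomedir.so skel=/etc/skel/ umask=0022\n' > "$DEMO/good-session"
printf 'session required\tpam_unix.so\nsession optional\tpam_sss.so\n#session required\tpam_mkhomedir.so\n' > "$DEMO/bad-session"

audit_sssd_client "$DEMO/good.conf" "$DEMO/good-session" || echo "good.conf: $? finding(s)"
audit_sssd_client "$DEMO/bad.conf" "$DEMO/bad-session" || echo "bad.conf: $? finding(s)"
```

One design note: the audit only checks that access_provider is set, because the guide's filter (objectClass=posixAccount) admits every POSIX account in the directory. If only some users should be able to log in to a given client, narrow ldap_access_filter (for example to membership of a host-specific group); the audit still passes, since the policy choice is yours.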

Verify SSSD OpenLDAP Authentication

SSSD installation and configuration is complete. To verify that you can log in, try authenticating against your LDAP server.

In this guide we have two users, janedoe and johndoe, created on our OpenLDAP server for demonstration (the ldapsearch below is run on the server itself, over the ldapi:/// socket):

ldapsearch -H ldapi:/// -Y EXTERNAL -b "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" dn -LLL -Q
dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

This information about the users above should now be printable on the Ubuntu 20.04 LDAP client.

# id johndoe
uid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)
# id janedoe
uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)

To demonstrate SSSD LDAP authentication, we will use both SSH-based and GUI-based authentication.

Verify SSH authentication via OpenLDAP SSSD

ssh johndoe@ubuntu20
The authenticity of host 'ubuntu20 (192.168.58.19)' can't be established.
ECDSA key fingerprint is SHA256:gN94vPFvyZ3Rdeb/+7R+0QJy9S4MdWmgJyEShIG9YgE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ubuntu20' (ECDSA) to the list of known hosts.
johndoe@ubuntu20's password: 
Creating directory '/home/johndoe'.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-29-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Ubuntu 20.04 LTS is out, raising the bar on performance, security,
   and optimisation for Intel, AMD, Nvidia, ARM64 and Z15 as well as
   AWS, Azure and Google Cloud.

     https://ubuntu.com/blog/ubuntu-20-04-lts-arrives


13 updates can be installed immediately.
9 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

johndoe@ubuntu20:~$

Verify GUI authentication via OpenLDAP SSSD

After setting up SSSD, reboot the Ubuntu 20.04 desktop and authenticate.

After boot, on the GDM login screen, click "Not listed?" and enter your OpenLDAP username and password.

After a successful login, you land on the Ubuntu 20.04 desktop.


There you go. You have successfully installed and configured SSSD for LDAP authentication on Ubuntu 20.04.
