System authentication configuration

You enable system LDAP authentication through the System Security Services Daemon (SSSD). The correct procedure for configuring system authentication depends on your operating system.

If the desired authentication method is already configured on the system, refer to Db2® authentication configuration.
Important: All the following commands must be run as root.

RHEL 6 and RHEL 7 configuration using authconfig

  1. Back up the current authentication configuration for your system:
    authconfig --savebackup=config_backup
    Your backup is saved to the following folder: /var/lib/authconfig/backup-config_backup.
  2. Configure your system using the authconfig command:
    authconfig --enableshadow --passalgo=sha512 --enablesssd --enablesssdauth --enableldap --enableldapauth --enableldaptls \
        --ldapserver="ldap.example.com" --ldaploadcacert="http://example.com/cacombined.pem" \
        --ldapbasedn="ou=Anytown,o=example.com" --update
    where
    --enableshadow
    Enable shadow passwords for local users (password hashes are kept in /etc/shadow, readable only by root, rather than in /etc/passwd).
    --passalgo=sha512
    Use SHA512 hashes for passwords of local users.
    --enablesssd --enablesssdauth
    Enable authentication using System Security Services Daemon (SSSD).
    --enableldap --enableldapauth
    Enable LDAP as an authentication provider in SSSD.
    --ldapserver=
    Hostname of the LDAP server.
    --enableldaptls
    Enable secure LDAP (LDAP over TLS).
    --ldaploadcacert=
    Download the CA certificate for the LDAP server from the given URL and install it as a trust anchor. Because this certificate is what every later TLS connection to the LDAP server is validated against, do not fetch it over plain http:// from an untrusted network: use an https:// URL or the file-based method in step 3, and compare the certificate fingerprint with a value obtained out of band before you run the command.
    --ldapbasedn=
    LDAP search base distinguished name (DN).
    --update
    Commit the authconfig changes to the system.
  3. If the CA certificate is present in a file instead of being available at a given URL, remove the --ldaploadcacert option of the authconfig command. Copy the certificate to the directory specified by the ldap_tls_cacertdir parameter under the [domain/default] section of /etc/sssd/sssd.conf. This is usually /etc/openldap/cacerts.
  4. Once the necessary certificates have been added to /etc/openldap/cacerts, create the hash-named symbolic links in the cacerts directory that the LDAP client library (and therefore SSSD) uses to locate a CA certificate by subject hash:
    cacertdir_rehash /etc/openldap/cacerts
  5. Restart and enable the SSSD service for the authentication changes to take effect:
    systemctl restart sssd
    systemctl enable sssd
    Note: For more information, refer to the following RHEL documentation.

RHEL 8 configuration using authselect

  1. Enable the SSSD authentication profile:
    authselect select sssd
  2. Add the LDAP server URL and the base search DN to the /etc/openldap/ldap.conf file:
    URI ldap://ldap.example.com/
    BASE ou=Anytown,o=example.com
  3. If the directory /etc/openldap/cacerts does not exist, create the directory.
  4. Copy the certificate to /etc/openldap/cacerts. If the certificate is available from a URL, you can download it using the following command:
    wget <certificate URL> -P /etc/openldap/cacerts
  5. Examine the downloaded file and determine if there are multiple certificates present in the file.
    If there is only one certificate present in the file, run the following commands to configure the certificate for use:
    1. Create the hash-named symbolic links in the cacerts directory that the LDAP client library (and therefore SSSD) uses to locate the certificates:
      openssl rehash /etc/openldap/cacerts
    2. Add the following line to the /etc/openldap/ldap.conf file:
      TLS_CACERTDIR /etc/openldap/cacerts
    If multiple certificates are present in the PEM file containing the CA certificate, add the following line to the /etc/openldap/ldap.conf file, using TLS_CACERT in place of TLS_CACERTDIR:
    TLS_CACERT /etc/openldap/cacerts/<cacombined.pem>
    where <cacombined.pem> is the file name of the certificate.
  6. In the /etc/sssd directory, create the file sssd.conf with the following contents:
    [domain/default]
    
    autofs_provider = ldap
    cache_credentials = True
    ldap_search_base = ou=Anytown,o=example.com
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://ldap.example.com/
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    [sssd]
    services = nss, pam, autofs
    
    domains = default
    [nss]
    homedir_substring = /home

    Update the ldap_search_base parameter with the base DN, and update ldap_uri with the URL to the LDAP server.

    If multiple certificates are present in the PEM file used in step 5, remove the ldap_tls_cacertdir parameter, and add the following in its place:
    ldap_tls_cacert = /etc/openldap/cacerts/cacombined.pem
  7. Change the permissions on the /etc/sssd/sssd.conf file:
    chmod 600 /etc/sssd/sssd.conf
  8. Restart and enable SSSD:
    systemctl restart sssd
    systemctl enable sssd

SLES 12 and SLES 15 configurations

  1. Add SSSD to the system PAM configuration:
    pam-config --add --sss
  2. Add the LDAP server URL and the base search DN to the /etc/openldap/ldap.conf file:
    URI ldap://ldap.example.com/
    BASE ou=Anytown,o=example.com
  3. If it does not exist, create the directory /etc/openldap/cacerts.
  4. Copy the CA certificate file for the LDAP server to /etc/openldap/cacerts.
  5. Create the hash-named symbolic links in the directory so that the LDAP client library (and therefore SSSD) can locate the certificates:
    c_rehash /etc/openldap/cacerts
  6. Add the following line to the /etc/openldap/ldap.conf file:
    TLS_CACERTDIR /etc/openldap/cacerts
  7. Modify /etc/nsswitch.conf so that the system looks up user and group information through SSSD.
    Add sss after files in the passwd and group entries, so that local users are still resolved first and LDAP users are resolved through SSSD. For example:
    passwd: files sss
    group:  files sss
  8. Add the following contents to the beginning of the /etc/sssd/sssd.conf file:
    [domain/default]
    cache_credentials = True
    ldap_search_base = ou=Anytown,o=example.com
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://ldap.example.com/
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts

    Update the ldap_search_base parameter with the base DN, and update ldap_uri with the URL to the LDAP server.

  9. Add the following line under the [sssd] section of /etc/sssd/sssd.conf:
    domains = default
  10. Enable and restart SSSD for the changes to take effect:
    systemctl enable sssd
    systemctl restart sssd
    On SLES 12 systems that still provide the SysV compatibility tools, chkconfig sssd on is equivalent to systemctl enable sssd.

Ubuntu 18.04 and Ubuntu 20.04 configurations

  1. Add SSSD to the system PAM configuration:
    pam-auth-update --enable sss
  2. Copy the CA certificate file for the LDAP server to /usr/local/share/ca-certificates. If the certificate is available from a URL, you can download it using the following command:
    wget <certificate URL> -P /usr/local/share/ca-certificates
  3. If the CA certificate does not have a .crt extension, rename the file. For example:
    mv /usr/local/share/ca-certificates/cacombined.pem /usr/local/share/ca-certificates/cacombined.crt
  4. Instruct the system to trust the CA certificate:
    update-ca-certificates
  5. Alternatively, if you do not want the whole system to trust this CA, skip step 4 and make only the LDAP client library (which SSSD uses for its connections) trust it.

    Edit the /etc/ldap/ldap.conf file and set the TLS_CACERT parameter to the CA certificate file you placed in /usr/local/share/ca-certificates. For example:

    TLS_CACERT /usr/local/share/ca-certificates/cacombined.crt
  6. Create the /etc/sssd/sssd.conf file with the following contents:
    [sssd]
    services = nss, pam
    domains = default
    
    [domain/default]
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    cache_credentials = True
    
    ldap_uri = ldap://ldap.example.com/
    ldap_search_base = ou=Anytown,o=example.com
    
    ldap_id_use_start_tls = True

    Update the ldap_search_base parameter with the base DN, and update ldap_uri with the URL to the LDAP server.

  7. Change the permissions on the /etc/sssd/sssd.conf file:
    chmod 600 /etc/sssd/sssd.conf
  8. Restart and enable SSSD:
    systemctl restart sssd.service
    systemctl enable sssd.service

Authentication Configuration Verification

If LDAP is configured correctly, LDAP users can log in to the system, and the id command resolves the UID and group memberships of an LDAP user through SSSD. For example:
$ id db2inst1
uid=1007(db2inst1) gid=1007(db2inst1) groups=1007(db2inst1),7777(ldapgroup)
Note that id exercises only identity lookup (the SSSD nss responder and nsswitch); it does not prove that password authentication works. Confirm the PAM side with an actual login (console, SSH or su) as an LDAP user, and if that fails, check the domain log in /var/log/sssd/ (sssd_default.log for the domain named default in the configurations above).
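All four procedures above end up with the same security-relevant settings in /etc/sssd/sssd.conf: an ldap_uri, ldap_id_use_start_tls so that identity lookups are not sent in the clear, a trust anchor (ldap_tls_cacert or ldap_tls_cacertdir, or the ldap.conf defaults), no weakening of ldap_tls_reqcert, and mode 0600 on the file. The following script is an added example, not part of the Db2 documentation or of SSSD: it audits an sssd.conf for exactly those points and prints a finding for each one that is wrong. The sample configurations embedded in it are constructed for the demonstration; the file path, key names and accepted values follow sssd-ldap(5).

```shell
#!/bin/sh
# Added example: audit an sssd.conf for the LDAP transport-security settings
# that the configuration procedures above rely on. Not part of Db2 or SSSD.
# Assumes "key = value" lines as in sssd.conf(5); a key is looked up across the
# whole file, so use it on files with a single LDAP domain section.

# Print the first value of a key, with surrounding whitespace removed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when the file passes all checks, 1 otherwise; findings go to stdout.
audit_sssd_conf() {
    file=$1
    rc=0
    uri=$(conf_get "$file" ldap_uri)
    starttls=$(conf_get "$file" ldap_id_use_start_tls)
    reqcert=$(conf_get "$file" ldap_tls_reqcert)
    cacert=$(conf_get "$file" ldap_tls_cacert)
    cacertdir=$(conf_get "$file" ldap_tls_cacertdir)

    # 1. Transport: either ldaps:// or plain ldap:// upgraded with STARTTLS.
    #    SSSD itself refuses to send a simple-bind password over an unencrypted
    #    channel, so this setting mainly protects identity lookups and cached data.
    case "$uri" in
        "")        echo "FAIL: ldap_uri is not set"; rc=1 ;;
        ldaps://*) ;;
        ldap://*)
            case "$starttls" in
                [Tt]rue|TRUE) ;;
                *) echo "FAIL: $uri without ldap_id_use_start_tls = True (lookups in clear)"; rc=1 ;;
            esac ;;
        *)         echo "WARN: unrecognised ldap_uri scheme: $uri" ;;
    esac

    # 2. Certificate validation: ldap_tls_reqcert defaults to "hard"; the other
    #    values let a MITM present any (or no) certificate.
    case "$reqcert" in
        ""|hard|demand) ;;
        *) echo "FAIL: ldap_tls_reqcert = $reqcert weakens server certificate validation"; rc=1 ;;
    esac

    # 3. Trust anchor: without one here, SSSD falls back to the OpenLDAP client
    #    defaults (TLS_CACERT/TLS_CACERTDIR in ldap.conf), which must then be set.
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "WARN: no ldap_tls_cacert/ldap_tls_cacertdir; relying on ldap.conf TLS_CACERT*"
    fi

    # 4. File permissions: the procedures above chmod 600 the file; anything
    #    readable by group or others leaks cached credentials settings and bind DNs.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $file is readable by group or others (chmod 600)"; rc=1
    fi
    return $rc
}

# Constructed sample configurations (not real files): one as the procedures
# above produce it, one with the two most common weakenings.
SAMPLE_GOOD='[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts'

SAMPLE_BAD='[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_tls_reqcert = never'

# Stand-alone demo; on a live system run: audit_sssd_conf /etc/sssd/sssd.conf
good=$(mktemp); bad=$(mktemp)          # mktemp creates files with mode 0600
printf '%s\n' "$SAMPLE_GOOD" > "$good"
printf '%s\n' "$SAMPLE_BAD" > "$bad"
chmod 644 "$bad"                        # also trip the permission check
echo "== good sample =="; audit_sssd_conf "$good" && echo "OK"
echo "== bad sample ==";  audit_sssd_conf "$bad"  || echo "audit failed as expected"
rm -f "$good" "$bad"
```

Run it as root against /etc/sssd/sssd.conf after each procedure. It checks only the client-side configuration; to confirm that the trust anchor you installed actually validates the server, complete it with a STARTTLS handshake from the same host (for example with openssl s_client -starttls ldap against port 389, passing the same CA file) and make sure the verification result is 0 before relying on LDAP logins.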