System authentication configuration
You enable system LDAP authentication through the System Security Services Daemon (SSSD). The correct procedure for configuring system authentication depends on your operating system.
If the desired authentication method is already configured on the system, refer to Db2® authentication configuration.
Important: All the following commands must be run as root.
RHEL 6 and RHEL 7 configuration using authconfig
- Back up the current authentication configuration for your system:
  authconfig --savebackup=config_backup
  Your backup is saved to the following folder: /var/lib/authconfig/backup-config_backup
- Configure your system using the authconfig command:
  authconfig --enableshadow --passalgo=sha512 --enablesssd --enablesssdauth --enableldap --enableldapauth --enableldaptls --ldapserver="ldap.example.com" --ldaploadcacert="http://example.com/cacombined.pem" --ldapbasedn="ou=Anytown,o=example.com" --update
  where:
  - --enableshadow: Enable authentication of local users.
  - --passalgo=sha512: Use SHA512 hashes for passwords of local users.
  - --enablesssd --enablesssdauth: Enable authentication using System Security Services Daemon (SSSD).
  - --enableldap --enableldapauth: Enable LDAP as an authentication provider in SSSD.
  - --ldapserver=: Hostname of the LDAP server.
  - --enableldaptls: Enable secure LDAP (LDAP over TLS).
  - --ldaploadcacert=: Save the CA certificate for the LDAP server from the given URL.
  - --ldapbasedn=: LDAP search base distinguished name (DN).
  - --update: Commit the authconfig changes to the system.
- If the CA certificate is present in a file instead of being available at a given URL, remove the --ldaploadcacert option of the authconfig command. Copy the certificate to the directory specified by the ldap_tls_cacertdir parameter under the [domain/default] section of /etc/sssd/sssd.conf. This is usually /etc/openldap/cacerts.
- Once the necessary certificates have been added to /etc/openldap/cacerts, rename the files in the cacerts directory so that the SSSD can properly recognize the certificate:
  cacertdir_rehash /etc/openldap/cacerts
- Restart and enable the SSSD service for the authentication changes to take effect:
  systemctl restart sssd
  systemctl enable sssd
Note: For more information, refer to the RHEL documentation.
RHEL 8 configuration using authselect
- Enable the SSSD authentication profile:
  authselect select sssd
- Add the LDAP server URL and the base search DN to the /etc/openldap/ldap.conf file:
  URI ldap://ldap.example.com/
  BASE ou=Anytown,o=example.com
- If the directory /etc/openldap/cacerts does not exist, create the directory.
- Copy the certificate to /etc/openldap/cacerts. If the certificate is available from a URL, you can download it using the following command:
  wget <certificate URL> -P /etc/openldap/cacerts
- Examine the downloaded file and determine if there are multiple certificates present in the file. If there is only one certificate present in the file, run the following commands to configure the certificate for use:
  - Rename the files in the cacerts directory, so that the SSSD properly recognizes the certificates:
    openssl rehash /etc/openldap/cacerts
  - Add the following line to the /etc/openldap/ldap.conf file:
    TLS_CACERTDIR /etc/openldap/cacerts
  If there are multiple certificates present in the file, add TLS_CACERT in place of TLS_CACERTDIR:
  TLS_CACERT /etc/openldap/cacerts/<cacombined.pem>
  where <cacombined.pem> is the file name of the certificate.
- In the /etc/sssd directory, create the file sssd.conf with the following contents:
  [domain/default]
  autofs_provider = ldap
  cache_credentials = True
  ldap_search_base = ou=Anytown,o=example.com
  id_provider = ldap
  auth_provider = ldap
  chpass_provider = ldap
  ldap_uri = ldap://ldap.example.com/
  ldap_id_use_start_tls = True
  ldap_tls_cacertdir = /etc/openldap/cacerts
  [sssd]
  services = nss, pam, autofs
  domains = default
  [nss]
  homedir_substring = /home
  Update the ldap_search_base parameter with the base DN, and update ldap_uri with the URL to the LDAP server. If multiple certificates are present in the PEM file used in step 5, remove the ldap_tls_cacertdir parameter, and add the following in its place:
  ldap_tls_cacert = /etc/openldap/cacerts/cacombined.pem
- Change the permissions on the /etc/sssd/sssd.conf file:
  chmod 600 /etc/sssd/sssd.conf
- Restart and enable SSSD:
  systemctl restart sssd
  systemctl enable sssd
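The RHEL 8 steps above choose between TLS_CACERTDIR (after openssl rehash) and TLS_CACERT depending on whether the PEM file holds one certificate or a bundle of several; the same rule applies with cacertdir_rehash on RHEL 7 and c_rehash on SLES, since the hash-link tools expect one certificate per file. The following shell script is an added example and not part of the Db2 documentation: it counts the certificate blocks in a PEM file and prints the matching ldap.conf lines. The function names, the temporary directory and the placeholder PEM files it writes are this example's own assumptions; the placeholders are not real certificates.

```shell
#!/bin/sh
# Added example, not part of the Db2 documentation. Applies the RHEL 8 rule
# above: a file holding one certificate is referenced through a rehashed
# directory (TLS_CACERTDIR); a bundle holding several certificates is
# referenced directly (TLS_CACERT), because the hash-link tools expect one
# certificate per file. Function names and sample files are this example's own.

# Number of PEM certificate blocks in file $1 (prints 0 when there are none;
# returns 2 if the file cannot be read).
pem_cert_count() {
    [ -r "$1" ] || return 2
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the ldap.conf TLS directive matching certificate file $1.
# Returns 1 and prints nothing on stdout when the file holds no certificate.
ldap_conf_tls_line() {
    n=$(pem_cert_count "$1") || return 2
    case $n in
        0) echo "no certificate block found in $1" >&2; return 1 ;;
        1) echo "note: run the platform's rehash tool on $(dirname "$1") first" >&2
           echo "TLS_CACERTDIR $(dirname "$1")" ;;
        *) echo "TLS_CACERT $1" ;;
    esac
}

# Print the complete ldap.conf fragment for server $1, base DN $2, CA file $3.
ldap_conf_fragment() {
    tls=$(ldap_conf_tls_line "$3") || return 1
    printf 'URI ldap://%s/\nBASE %s\n%s\n' "$1" "$2" "$tls"
}

# Constructed placeholders (not real certificates) so the script runs offline:
# a single-certificate file, a two-certificate bundle and an empty file.
write_sample_pems() {
    dir=$(mktemp -d)
    block='-----BEGIN CERTIFICATE-----
placeholder-base64-body-not-a-real-certificate
-----END CERTIFICATE-----'
    printf '%s\n' "$block" > "$dir/single.pem"
    printf '%s\n%s\n' "$block" "$block" > "$dir/cacombined.pem"
    : > "$dir/empty.pem"
    echo "$dir"
}

# Stand-alone run: show the decision for each sample file.
samples=$(write_sample_pems)
for f in single.pem cacombined.pem empty.pem; do
    echo "== $f: $(pem_cert_count "$samples/$f") certificate(s)"
    ldap_conf_fragment ldap.example.com ou=Anytown,o=example.com "$samples/$f" \
        || echo "   (no ldap.conf lines produced)"
done
```

Run it against the file you actually downloaded (for example `ldap_conf_tls_line /etc/openldap/cacerts/cacombined.pem`) and paste the printed directive into /etc/openldap/ldap.conf; an empty or non-PEM download is reported instead of silently producing a TLS_CACERTDIR line that would match nothing.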
SLES 12 and SLES 15 configurations
- Add SSSD to the system PAM configuration:
  pam-config --add --sss
- Add the LDAP server URL and the base search DN to the /etc/openldap/ldap.conf file:
  URI ldap://ldap.example.com/
  BASE ou=Anytown,o=example.com
- If it does not exist, create the directory /etc/openldap/cacerts.
- Copy the CA certificate file for the LDAP server to /etc/openldap/cacerts.
- Set up the directory so that the SSSD can find the appropriate certificates:
  c_rehash /etc/openldap/cacerts
- Add the following line to the /etc/openldap/ldap.conf file:
  TLS_CACERTDIR /etc/openldap/cacerts
- The contents of the /etc/nsswitch.conf file must be modified to instruct the system to look for user information using SSSD. Add the sss option to the passwd and group properties to enable authentication of both local and LDAP users. For example:
  passwd: files sss
  group: files sss
- Add the following contents to the beginning of the /etc/sssd/sssd.conf file:
  [domain/default]
  cache_credentials = True
  ldap_search_base = ou=Anytown,o=example.com
  id_provider = ldap
  auth_provider = ldap
  chpass_provider = ldap
  ldap_uri = ldap://ldap.example.com/
  ldap_id_use_start_tls = True
  ldap_tls_cacertdir = /etc/openldap/cacerts
  Update the ldap_search_base parameter with the base DN, and update ldap_uri with the URL to the LDAP server.
- Add the following line under the [sssd] section of /etc/sssd/sssd.conf:
  domains = default
- Enable and restart SSSD for the changes to take effect:
  chkconfig sssd on
  systemctl restart sssd
Ubuntu 18.04 and Ubuntu 20.04 configurations
- Add SSSD to the system PAM configuration:
  pam-auth-update --enable sss
- Copy the CA certificate file for the LDAP server to /usr/local/share/ca-certificates. If the certificate is available from a URL, you can download it using the following command:
  wget <certificate URL> -P /usr/local/share/ca-certificates
- If the CA certificate does not have a .crt extension, rename the file. For example:
  mv /usr/local/share/ca-certificates/cacombined.pem /usr/local/share/ca-certificates/cacombined.crt
- Instruct the system to trust the CA certificate:
  update-ca-certificates
- You can configure your system to use the certificate only for LDAP, if you do not wish to have the system trust the CA certificate. Edit the /etc/ldap/ldap.conf file and update the TLS_CACERT parameter to point to the CA certificate present in /usr/local/share/ca-certificates. For example:
  TLS_CACERT /usr/local/share/ca-certificates/cacombined.crt
- Create the /etc/sssd/sssd.conf file with the following contents:
  [sssd]
  services = nss, pam
  domains = default
  [domain/default]
  id_provider = ldap
  auth_provider = ldap
  chpass_provider = ldap
  cache_credentials = True
  ldap_uri = ldap://ldap.example.com/
  ldap_search_base = ou=Anytown,o=example.com
  ldap_id_use_start_tls = True
  Update the ldap_search_base parameter with the base DN, and update ldap_uri with the URL to the LDAP server.
- Change the permissions on the /etc/sssd/sssd.conf file:
  chmod 600 /etc/sssd/sssd.conf
- Restart and enable SSSD:
  systemctl restart sssd.service
  systemctl enable sssd.service
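All four procedures end in an sssd.conf that depends on the same security-relevant settings: a plain ldap:// URI protected by ldap_id_use_start_tls, a CA supplied either as a directory, as a bundle file or through the system trust store (the Ubuntu variant), and a file mode of 600. The following shell script is an added example and not part of the Db2 documentation; it checks a candidate sssd.conf for those settings before SSSD is restarted. The function names and the two constructed sample files it writes to a temporary directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Db2 documentation: check a candidate
# sssd.conf for the settings the procedures above rely on before restarting
# SSSD. Function names and the constructed sample files are this example's own.

# Print the value of key $3 in section [$2] of file $1 (empty if absent).
# Comment lines (# or ;) are ignored; only the first match is printed.
conf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            in_sect = ($0 ~ ("^[[:space:]]*\\[" sect "\\][[:space:]]*$")); next
        }
        in_sect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Validate file $1. Prints one line per finding and returns 0 only when no
# FAIL was raised. Checks:
#   - mode 0600, the mode the chmod step sets and sssd expects for its config
#   - every domain listed under [sssd] domains has a [domain/<name>] section
#   - ldap_uri and ldap_search_base are set
#   - a plain ldap:// URI has ldap_id_use_start_tls = True; without it the
#     bind password would cross the network in clear text
#   - how the CA is supplied (directory, bundle file, or system trust store)
check_sssd_conf() {
    f=$1
    rc=0
    [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] \
        || { echo "FAIL: $f is not mode 0600"; rc=1; }
    domains=$(conf_get "$f" sssd domains)
    [ -n "$domains" ] || { echo "FAIL: [sssd] has no domains line"; rc=1; }
    for d in $(printf '%s' "$domains" | tr ',' ' '); do
        sect="domain/$d"
        if [ -z "$(conf_get "$f" "$sect" id_provider)" ]; then
            echo "FAIL: [$sect] is missing or has no id_provider"; rc=1; continue
        fi
        uri=$(conf_get "$f" "$sect" ldap_uri)
        base=$(conf_get "$f" "$sect" ldap_search_base)
        starttls=$(conf_get "$f" "$sect" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
        cadir=$(conf_get "$f" "$sect" ldap_tls_cacertdir)
        cafile=$(conf_get "$f" "$sect" ldap_tls_cacert)
        [ -n "$uri" ]  || { echo "FAIL: [$sect] has no ldap_uri"; rc=1; }
        [ -n "$base" ] || { echo "FAIL: [$sect] has no ldap_search_base"; rc=1; }
        case $uri in
            ldaps://*) ;;
            ldap://*)
                [ "$starttls" = true ] \
                    || { echo "FAIL: [$sect] uses $uri without ldap_id_use_start_tls = True"; rc=1; }
                ;;
            "") ;;
            *) echo "FAIL: [$sect] has an unexpected ldap_uri scheme: $uri"; rc=1 ;;
        esac
        if [ -n "$cadir" ] && [ -n "$cafile" ]; then
            echo "WARN: [$sect] sets both ldap_tls_cacertdir and ldap_tls_cacert; the steps above use one or the other"
        elif [ -z "$cadir" ] && [ -z "$cafile" ]; then
            echo "INFO: [$sect] names no CA; the LDAP CA must be in the system trust store (as in the Ubuntu steps)"
        fi
    done
    return $rc
}

# Constructed samples in a temporary directory; prints the directory.
# good.conf mirrors the RHEL 8 contents above; weak.conf is the same file
# left world-readable with StartTLS switched off.
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/good.conf" <<'EOF'
[domain/default]
cache_credentials = True
ldap_search_base = ou=Anytown,o=example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
services = nss, pam
domains = default
EOF
    chmod 600 "$dir/good.conf"
    sed 's/^ldap_id_use_start_tls = True$/ldap_id_use_start_tls = False/' \
        "$dir/good.conf" > "$dir/weak.conf"
    chmod 644 "$dir/weak.conf"
    echo "$dir"
}

# Stand-alone run: report on both samples.
samples=$(write_sample_configs)
for c in good.conf weak.conf; do
    echo "== $c"
    check_sssd_conf "$samples/$c" && echo "PASS" || echo "REJECTED"
done
```

On a real host run `check_sssd_conf /etc/sssd/sssd.conf` as root after the chmod step and before `systemctl restart sssd`; a FAIL line points at the setting to fix, while the INFO line on an Ubuntu-style file is expected when the CA was installed with update-ca-certificates.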
Authentication Configuration Verification
If LDAP is configured successfully, LDAP users should be able to log in to the system, and the id command should be able to resolve the user ID and groups of an LDAP user. For example:
  $ id db2inst1
  uid=1007(db2inst1) gid=1007(db2inst1) groups=1007(db2inst1),7777(ldapgroup)