If it helps:
When you set up a standard LDAP client you implement a certificate for the user store back end, configure dependent transport protocols and configure the systems to load and use the appropriate modules and libraries.
In the context of standard PAM_LDAP:
- Implement access to the correct certs (local usually) and how they are used (TLS_REQCERT = HARD, DEMAND, NEVER, etc.) by the daemon to enforce validation of the certificate (hostname matches domain, CA signing chain, etc.).
- Decide if the transport protocol will be SSL (URI will be LDAPS://), TLS (URI can be LDAP://) or both, depending on the client (can all the clients send a “START_TLS” command? Best to use LDAPS:// then). The back end will usually dictate the levels of SSL and TLS support, so ask your back end admin if you are unsure.
- Configure PAM to load and reference the required modules (in /etc/pam.d) and configure any client or daemon configuration files (/etc/ldap.conf, /etc/nslcd.conf, etc.).
All of this can be done manually, but YaST does it for you well enough obviously.
The same is true for the SSSD if you apply the same concepts.
Again, I’ll reference the basic manual approach so what YaST is asking you seems a little clearer.
- You will still need your certificate(s) for your user store back end.
- Use the same transport protocol your previous LDAP configuration did, initially (consider an update to TLS from SSL if possible later?).
- Implement the PAM configuration and the required configuration files.
If the system uses existing authentication methods, assess them and de-configure them first.
Install the sssd and sssd-ldap packages.
Configure PAM:
pam-config --query --ldap
pam-config --query --krb5
pam-config --delete --ldap --krb5
pam-config --add --sss
To create home dirs on login:
pam-config --add --sss --mkhomedir
Add/modify to the /etc/nsswitch.conf:
passwd files sss
group files sss
Create the /etc/sssd/sssd.conf (owner must be root:root, permissions must be 600) (This example uses an AD back end):
[sssd]
config_file_version = 2
services = nss,pam
domains = dvc.darkvixen.com
[nss]
reconnection_retries = 3
filter_users = root
filter_groups = root
[pam]
reconnection_retries = 3
[domain/dvc.darkvixen.com]
id_provider = ldap
auth_provider = ldap
enumerate = False
cache_credentials = True
ldap_uri = ldap://dvc.darkvixen.com
ldap_search_base = dc=dvc,dc=darkvixen,dc=com
ldap_user_search_base = ou=users,dc=dvc,dc=darkvixen,dc=com
ldap_group_search_base = ou=groups,dc=dvc,dc=darkvixen,dc=com
ldap_schema = ad
ldap_id_mapping = False
ldap_referrals = False
ldap_tls_cacert = /etc/openldap/cacerts/uga-CAs.pem
ldap_tls_reqcert = never
ldap_default_bind_dn = CN=ldap-proxy,ou=proxies,dc=dvc,dc=darkvixen,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret
Most of this info should be present in your current LDAP configuration.
Again, of course YaST can manage all of this for you if the concepts are understood.
– lawrence
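As an added example (not lawrence's own code or part of the post), a small audit script for the sssd.conf layout shown above: it checks the root:root / 0600 requirement and flags the settings in the sample that weaken transport security (ldap:// without ldap_id_use_start_tls, ldap_tls_reqcert = never, a bind password kept in the file). The option names and their defaults follow the sssd-ldap man page; the sample text is the post's own config, embedded here as constructed test input.

```python
"""Audit an sssd.conf LDAP domain for the weak settings the sample config shows."""
import configparser
import os
import stat
from typing import List

# Constructed test input: trimmed copy of the sssd.conf shown in the post.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = dvc.darkvixen.com
[domain/dvc.darkvixen.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dvc.darkvixen.com
ldap_tls_cacert = /etc/openldap/cacerts/uga-CAs.pem
ldap_tls_reqcert = never
ldap_default_bind_dn = CN=ldap-proxy,ou=proxies,dc=dvc,dc=darkvixen,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret
"""


def audit_sssd_text(text: str) -> List[str]:
    """Return findings for every [domain/...] section that uses the LDAP provider."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uri = d.get("ldap_uri", "").strip().lower()
        # sssd default for ldap_id_use_start_tls is false: id lookups (and the bind
        # DN's password) travel in clear text over a plain ldap:// URI.
        start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if uri.startswith("ldap://") and not start_tls:
            findings.append(f"{section}: ldap:// URI without ldap_id_use_start_tls = true")
        # sssd default is hard; anything below demand/hard skips server cert validation.
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} disables certificate validation")
        if d.get("ldap_default_authtok") and d.get("ldap_default_authtok_type", "password") == "password":
            findings.append(f"{section}: bind password stored in sssd.conf, file mode is its only protection")
    return findings


def audit_sssd_file(path: str) -> List[str]:
    """Check ownership and mode of a real sssd.conf, then audit its contents."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0 or st.st_gid != 0:
        findings.append("owner is not root:root")
    if stat.S_IMODE(st.st_mode) != 0o600:
        findings.append(f"mode is {oct(stat.S_IMODE(st.st_mode))}, expected 0o600")
    with open(path) as fh:
        findings.extend(audit_sssd_text(fh.read()))
    return findings
```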