Advanced user account management using LDAP
How to configure LDAP to access user account information
There are different ways to configure user accounts at CERN. If you only need to create a few local accounts, you should simply use the useraddcern command with the --directory argument.
If you need to give access to larger groups of accounts that are centrally managed in FIM / Active Directory, read on.
This document describes how to configure a client machine to use the central LDAP service xldap.cern.ch to give access to AFS user groups. Examples:
- How to give access to all users of some Unix groups?
- How to give access to all members of an E-group?
- How to deny access to users with disabled accounts?
- How to override certain attributes, like the login shell or the home directory?
The xldap.cern.ch LDAP service
The xldap.cern.ch LDAP service allows anonymous read access to the user information in FIM / Active Directory. In particular, it contains the account information for all AFS users, and the membership of the CERN E-groups.
The xldap.cern.ch LDAP service is described here
What is sssd?
SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources, as well as a D-Bus interface.
Configuring sssd
The /etc/sssd/sssd.conf configuration file describes the CERN configuration.
Note: on CS8 and newer, the package 'cern-krb5-conf' may be installed. This package provides a minimal base Kerberos configuration, but the example below is more feature complete.
If you are using CS8 or newer, consider deploying your configuration as a separate file in /etc/sssd/conf.d/ rather than editing /etc/sssd/sssd.conf, to avoid conflicts with the 'cern-krb5-conf' package.
```
[sssd]
services = nss, pam
domains = LOCAL_CERN.CH, CERN.CH

[domain/LOCAL_CERN.CH]
id_provider = files
auth_provider = krb5
krb5_realm = CERN.CH
krb5_server = cerndc.cern.ch

[domain/CERN.CH]
id_provider = ldap
ignore_group_members = True
access_provider = ldap
ldap_schema = AD
ldap_uri = ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389
ldap_referrals = False
ldap_id_use_start_tls = False
ldap_search_base = DC=cern,DC=ch
ldap_user_search_base = OU=Users,OU=Organic Units,DC=cern,DC=ch
ldap_user_search_scope = one
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_group_search_base = OU=Unix,OU=Workgroups,DC=cern,DC=ch
ldap_group_search_scope = one
ldap_group_object_class = group
# Allowing users * : (&(objectClass=user) (cn=*))
ldap_access_filter = (&(objectClass=user) (cn=*))
# GID
# ldap_access_filter = (&(objectClass=user) (gidNumber=1160))
# Egroup
# ldap_access_filter = (&(objectClass=user) (memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
# Filter disabled AD accounts (1.2.840.113556.1.4.803 is the AD bit-AND matching rule; bit 2 of userAccountControl is ACCOUNTDISABLE):
# ldap_access_filter = (&(|(|(&(objectClass=user) (cn=*))))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
ldap_force_upper_case_realm = True
krb5_realm = CERN.CH
krb5_server = cerndc.cern.ch
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
```
Note that with a plain ldap:// URI and ldap_id_use_start_tls = False, identity lookups and access-filter evaluation rely on unencrypted, anonymous LDAP answers; no passwords cross LDAP, because authentication itself goes through Kerberos (auth_provider = krb5).

You can install it by following this recipe as root:
```
# curl -o /etc/sssd/sssd.conf https://linux.web.cern.ch/docs/sssd.conf.example
# chown root:root /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# restorecon /etc/sssd/sssd.conf
```
In the following sections we explain how it can be tweaked.
General options
This section describes the main options to be configured in /etc/sssd/sssd.conf.
- services is a comma-separated list of services that are started when sssd itself starts. Supported services: nss, pam, sudo, autofs, ssh, pac, ifp.
- domain is a database containing user information. SSSD can use several domains at the same time.
- filter_users, filter_groups exclude certain users or groups from being fetched from the sss NSS database. This is particularly useful for system accounts. These options can also be set per domain, or include fully-qualified names to filter only users from a particular domain.
- pam_id_timeout controls how long the identity information may be cached, to avoid excessive round-trips to the identity provider.
Filtering results
With the general options above, your machine now allows access from all accounts in the LDAP service. That is probably not what you want... This section gives some examples of filters that you can set to restrict the results to some useful sets of accounts.
- How to give access to all users of some Unix groups?
  - Only allow the users of Unix group xx (gid 1160):
    ldap_access_filter = (&(objectClass=user) (gidNumber=1160))
  - Allow the users of the Unix groups with gid 1160 or 1307:
    ldap_access_filter = (&(objectClass=user) (|(gidNumber=1160) (gidNumber=1307)))
- How to give access to all members of an E-group?
  - Allow members of the lxsoft-admins e-group (non-recursive):
    ldap_access_filter = (&(objectClass=user) (memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
  - Allow members of the info-experiments e-group, including membership through nested e-groups (recursive, using the AD LDAP_MATCHING_RULE_IN_CHAIN rule 1.2.840.113556.1.4.1941):
    ldap_access_filter = (&(objectClass=user) (memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
Accounts that are disabled in Active Directory can be filtered out like this (1.2.840.113556.1.4.803 is the AD bit-AND matching rule; bit 2 of userAccountControl is ACCOUNTDISABLE):
    ldap_access_filter = (&(|(|(&(objectClass=user) (cn=*))))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
For an explanation, please see the Microsoft Knowledge Base.
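To check which accounts a given ldap_access_filter admits before deploying it, here is an added example (not CERN's code and not part of the original page) that evaluates the filters above offline against constructed AD-style entries; the three accounts, their userAccountControl values (512 enabled, 514 disabled) and the small RFC 4515 parser are assumptions of this example.

```python
# Offline evaluator for the ldap_access_filter expressions shown on this page (RFC 4515
# subset). Added example, not CERN's code: it applies a filter to constructed AD-style
# entries so you can check which accounts the filter admits before deploying it.
BIT_AND = "1.2.840.113556.1.4.803"  # AD LDAP_MATCHING_RULE_BIT_AND (bit 2 = ACCOUNTDISABLE)

def parse(s, i=0):
    """Parse the parenthesised filter starting at s[i]; return (node, next_index)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":                     # compound filter: (& ...), (| ...), (! ...)
        op, kids = s[i], []
        i += 1
        while True:
            while s[i] == " ":            # tolerate the spaces used in this page's filters
                i += 1
            if s[i] == ")":
                return (op, kids), i + 1
            kid, i = parse(s, i)
            kids.append(kid)
    end = s.index(")", i)                 # simple item: attr=value, attr=* or attr:OID:=value
    attr, _, value = s[i:end].partition("=")
    attr, rule = attr.split(":")[:2] if ":" in attr else (attr, None)
    return ("cmp", attr.lower(), rule, value), end + 1

def matches(node, e):
    """Evaluate a parsed filter against entry e: {attr_lowercase: [values]}."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, e) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], e)
    _, attr, rule, value = node
    vals = e.get(attr, [])
    if rule == BIT_AND:                   # true when every bit of value is set in the attribute
        return any(int(v) & int(value) == int(value) for v in vals)
    if value == "*":                      # presence test
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)  # AD compares case-insensitively

def entry(cn, gid, uac, groups=()):  # constructed AD-style user entry, not real CERN data
    return {"objectclass": ["top", "person", "user"], "cn": [cn], "gidnumber": [str(gid)],
            "useraccountcontrol": [str(uac)],
            "memberof": [f"CN={g},OU=e-groups,OU=Workgroups,DC=cern,DC=ch" for g in groups]}
USERS = {"alice": entry("alice", 1160, 512, ["lxsoft-admins"]),
         "bob": entry("bob", 1307, 512),
         "carol": entry("carol", 1160, 514)}  # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE

def allowed(ldap_access_filter):
    """Names of USERS that sssd would admit with this ldap_access_filter."""
    node, _ = parse(ldap_access_filter)
    return sorted(u for u, e in USERS.items() if matches(node, e))
```

The "allow all" filter admits the disabled account carol, while the userAccountControl filter rejects her and still admits the enabled accounts.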
Overriding attribute values
sssd-ldap allows you to override certain attribute values, like the login shell or the user home directory. This may be useful on certain server machines. Example:
```
ldap_user_shell = /dev/null
ldap_user_home_directory = /nfs/home/%u
```
(See man sssd.conf for the allowed sequences.) All available settings can be found in the manual:
```
# man sssd-ldap
```
Notes from Linux support
- To enable verbose debug messages, you can append "debug_level = 0x1310" to each section.
- If you have to deal with old user IDs < 1000, you can use "min_id/max_id" in the [domain/CERN.CH] section.
```
# ## FOR CC7 ONLY ##
# authconfig --enablesssd --enablesssdauth --update
# ## FOR CS8 AND NEWER ##
# authselect select sssd with-silent-lastlog --force
```
The /etc/nsswitch.conf configuration file describes the order in which password-file lookups are performed. This file should never need to be changed, and should always contain lines such as:
```
passwd: files sss
group: files sss
```
Run sssd
Now you need to make sure sssd runs and is enabled by default:
```
# systemctl enable sssd
# systemctl stop sssd
# systemctl start sssd
```
NOTE: If you experiment with sssd and want to be sure that all caches are cleaned, run the following commands:
```
# systemctl stop sssd
# rm -f /var/lib/sss/mc/*
# rm -f /var/lib/sss/db/*
# systemctl start sssd
# sss_cache -E
```
Run a simple test
You can run the following command, where "login" corresponds to an authorized CERN user:
```
# getent passwd login
```