This guide explains how to set up a Linux server so that LDAP users from a Windows Active Directory domain can authenticate on it.
If you want to join the domain instead, you can use this guide.
Install all necessary packages
First of all, install these two packages and all their dependencies:
yum install sssd sssd-ldap
Create config file
Create (or modify) the /etc/sssd.conf file as follows:
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = domain.example.com

[nss]
#debug_level = 5
# If you want to override the shell for all users, uncomment the following line
#override_shell = /bin/bash

[pam]
#debug_level = 5

[sudo]
#debug_level = 5

[domain/domain.example.com]
#debug = 5
# Unless you know you need referrals, turn them off
ldap_referrals = false
# Uncomment if you need offline logins
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
# Only one auth_provider is honoured per domain; the krb5 line is left
# commented out so that authentication really goes through LDAP
#auth_provider = krb5
#chpass_provider = ldap
#access_provider = ldap
# Uncomment if service discovery is not working
ldap_uri = ldap://ldapServer.domain.example.com:389
#ldap_chpass_uri = ldap://ldapServer.domain.example.com:389
# Comment out if not using SASL/GSSAPI to bind
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM
# This is required to work without the TLS protocol
ldap_tls_reqcert = never
# Define these only if anonymous binds are not allowed and no keytab is available
# Enabling use_start_tls is very important, otherwise the bind password is transmitted
# over the network in the clear
ldap_id_use_start_tls = False
ldap_default_bind_dn = CN=name,OU=nameOU,DC=domain,DC=example,DC=com
ldap_default_authtok = passwordUserBind
ldap_default_authtok_type = password
# This is for the Windows Active Directory schema
ldap_schema = ad
# This is for searching users
ldap_user_search_base = OU=nameOU,DC=domain,DC=example,DC=com
ldap_user_object_class = user
ldap_user_gecos = cn
# Attributes of the user
#ldap_user_home_directory = homeDirectory
ldap_user_principal = sAMAccountName
# This is for searching groups
ldap_group_search_base = OU=nameOU,DC=domain,DC=example,DC=com
ldap_group_object_class = group
# Uncomment this and comment out the two search bases above if you want to be more generic
#ldap_search_base = DC=domain,DC=example,DC=com
# This parameter is for not using the FQDN (user@domain)
use_fully_qualified_names = False
# Other parameters
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_id_mapping = True
#ldap_pwd_policy = shadow
entry_cache_timeout = 600
ldap_network_timeout = 2
# Perhaps you need to redirect to certain attributes?
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_uid_number = msSFU30UidNumber
#ldap_user_gid_number = msSFU30GidNumber
#ldap_user_gecos = displayName
#ldap_user_home_directory = msSFU30HomeDirectory
#ldap_user_shell = msSFU30LoginShell
#ldap_user_principal = userPrincipalName
#ldap_group_object_class = group
#ldap_group_name = cn
#ldap_group_gid_number = msSFU30GidNumber
Then, after the modification, clear the sssd cache database and restart the sssd service:
service sssd stop
rm -f /var/lib/sss/db/*
service sssd start
Finally, run this command to enable authentication through LDAP:
authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
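The [domain/...] section above stores a bind password (ldap_default_authtok) and, with ldap_id_use_start_tls = False and ldap_tls_reqcert = never over a plain ldap:// URI, sends that password and every user's login password to the directory unencrypted. The script below is an added example, not part of the original guide: it audits a config file for exactly those three conditions (plain LDAP without STARTTLS, an unverified server certificate, and a bind password in a file readable by non-root users) and compares the guide's values with a hardened variant that uses LDAPS and a pinned CA chain. Both sample configs are constructed inline from the guide's values; the ldaps:// port 636 and the CA file path are placeholders. Note that sssd reads its configuration from /etc/sssd/sssd.conf and expects it to be owned by root with mode 0600; point the functions at that file on a real server.

```shell
#!/bin/sh
# Added example, not part of the original guide: an audit of the settings in
# the [domain/...] section that decide whether the bind password
# (ldap_default_authtok) and users' login passwords cross the network in
# clear text. The two sample configs are constructed here from the guide's
# values; the ldaps:// port and CA file path are placeholders. Needs only
# POSIX sh, sed, grep, ls, chmod and mktemp.

# conf_get FILE KEY -> prints the first uncommented value of KEY, or nothing
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# lc STRING -> lower-cased copy, because sssd booleans are case-insensitive
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# cleartext_bind FILE -> true when binds go over plain ldap:// without STARTTLS,
# i.e. both the bind password and every user's login password are sent in clear
cleartext_bind() {
    case "$(conf_get "$1" ldap_uri)" in
        ldaps://*) return 1 ;;   # TLS from the first byte, STARTTLS not needed
    esac
    [ "$(lc "$(conf_get "$1" ldap_id_use_start_tls)")" != "true" ]
}

# unverified_server FILE -> true when the directory's certificate is never
# checked, so any host answering on that name can collect the passwords
unverified_server() {
    [ "$(lc "$(conf_get "$1" ldap_tls_reqcert)")" = "never" ]
}

# exposed_authtok FILE -> true when a bind password is stored and the file is
# readable by group or others (sssd itself expects 0600, owned by root)
exposed_authtok() {
    [ -n "$(conf_get "$1" ldap_default_authtok)" ] || return 1
    perms=$(ls -l "$1" | cut -c5-10)   # group + other permission bits
    [ "$perms" != "------" ]
}

# findings FILE -> one line per failed check
findings() {
    cleartext_bind "$1"    && echo "cleartext: passwords cross the network unencrypted (plain ldap://, ldap_id_use_start_tls not True)"
    unverified_server "$1" && echo "unverified: ldap_tls_reqcert = never, the server certificate is never checked"
    exposed_authtok "$1"   && echo "exposed: ldap_default_authtok is readable by non-root users"
    return 0
}

# count_findings FILE -> prints the number of failed checks (0 is the goal)
count_findings() { findings "$1" | grep -c . || true; }

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: the relevant lines exactly as the guide sets them
cat > "$tmp/weak.conf" <<'EOF'
[domain/domain.example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldapServer.domain.example.com:389
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_default_bind_dn = CN=name,OU=nameOU,DC=domain,DC=example,DC=com
ldap_default_authtok = passwordUserBind
ldap_default_authtok_type = password
EOF

# Constructed sample 2: same bind account over LDAPS, with the domain CA chain
# pinned so the certificate is actually verified (CA path is a placeholder)
cat > "$tmp/hardened.conf" <<'EOF'
[domain/domain.example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldapServer.domain.example.com:636
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-root-ca.pem
ldap_default_bind_dn = CN=name,OU=nameOU,DC=domain,DC=example,DC=com
ldap_default_authtok = passwordUserBind
ldap_default_authtok_type = password
EOF

chmod 600 "$tmp"/*.conf
# A copy with the permissions a hand-copied file often ends up with
cp "$tmp/weak.conf" "$tmp/weak-644.conf" && chmod 644 "$tmp/weak-644.conf"

for f in "$tmp/weak.conf" "$tmp/weak-644.conf" "$tmp/hardened.conf"; do
    echo "== $(basename "$f"): $(count_findings "$f") finding(s)"
    findings "$f" | sed 's/^/   /'
done
```

Run it as-is to see the guide's values produce two findings (three once the file is readable by others) and the LDAPS variant none; on a real host, call count_findings /etc/sssd/sssd.conf after editing. The hardened variant keeps the same bind account and search bases, so only the transport changes; if the directory only offers port 389, the equivalent is to keep ldap:// and set ldap_id_use_start_tls = True together with ldap_tls_reqcert = demand and ldap_tls_cacert.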
Fine tuning
If you want some group or user to become sudoers, create a file /etc/sudoers.d/domainPolicy with this content:
%Groupname ALL=(ALL) ALL
Username ALL=(ALL) ALL
If you want to restrict ssh access to only some groups, modify the file /etc/ssh/sshd_config at this part:
AllowGroups sudo groupname sshallowed
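A group that receives sudo rights in /etc/sudoers.d but is not listed in AllowGroups can no longer log in over ssh at all, so the two drop-ins have to agree, and on Linux the comparison is case-sensitive (the sssd ldap provider keeps AD names as they are unless case_sensitive is changed). The script below is an added example, not part of the original guide: it lists every %group in a sudoers file that is missing from sshd's AllowGroups, using the guide's own placeholder names as constructed input. sshd keeps the first value of a keyword and ignores later repeats, which the parser mirrors. It needs only POSIX sh, awk and grep.

```shell
#!/bin/sh
# Added example, not part of the original guide: a pre-flight check that every
# group granted sudo in a sudoers drop-in is also allowed to log in by sshd's
# AllowGroups. The sample files are constructed from the guide's placeholders.

# sudo_groups FILE -> prints the group of every "%group ..." rule, one per line
sudo_groups() {
    awk '$1 ~ /^%/ { sub(/^%/, "", $1); print $1 }' "$1"
}

# allowed_ssh_groups FILE -> prints the groups from the first AllowGroups line
# (sshd uses the first value of a keyword and ignores later repeats)
allowed_ssh_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i; exit }' "$1"
}

# missing_ssh_groups SUDOERS SSHD_CONFIG -> prints sudo groups absent from
# AllowGroups; the comparison is exact, as Linux group names are case-sensitive
missing_ssh_groups() {
    sudo_groups "$1" | while read -r g; do
        allowed_ssh_groups "$2" | grep -qxF "$g" || echo "$g"
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed: the sudoers drop-in and the AllowGroups line as the guide writes them
printf '%%Groupname ALL=(ALL) ALL\nUsername ALL=(ALL) ALL\n' > "$tmp/domainPolicy"
printf 'AllowGroups sudo groupname sshallowed\n' > "$tmp/sshd_config"

# Constructed: the same drop-in with the group name spelled as in AllowGroups
printf '%%groupname ALL=(ALL) ALL\nUsername ALL=(ALL) ALL\n' > "$tmp/domainPolicy.fixed"

for s in "$tmp/domainPolicy" "$tmp/domainPolicy.fixed"; do
    missing=$(missing_ssh_groups "$s" "$tmp/sshd_config")
    if [ -n "$missing" ]; then
        echo "$(basename "$s"): sudo groups not allowed by sshd: $missing"
    else
        echo "$(basename "$s"): every sudo group is allowed by sshd"
    fi
done
```

With the guide's values the check reports Groupname, because sudoers grants %Groupname while AllowGroups lists groupname; confirm the exact name with getent group before writing either file. Validate syntax as well before restarting anything: visudo -cf /etc/sudoers.d/domainPolicy for the sudoers drop-in and sshd -t for sshd_config, since a broken file in either place locks administrators out.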