Project summary
In this project I configured an OpenLDAP server to centralise Linux user authentication,
integrating with SSSD and PAM. The goal is to have user accounts only in the
directory and reuse them across multiple servers, with password policies and consistent management.
I worked from the DN/OU design and LDIF-based user creation up to full login integration on the clients.
Directory layout used (simplified example):
dc=lab,dc=local
├── ou=People,dc=lab,dc=local
│   ├── uid=carlos,ou=People,dc=lab,dc=local
│   └── uid=devuser,ou=People,dc=lab,dc=local
└── ou=Groups,dc=lab,dc=local
    └── cn=developers,ou=Groups,dc=lab,dc=local
LDIF example – user creation
dn: uid=carlos,ou=People,dc=lab,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: Carlos Menezes
sn: Menezes
uid: carlos
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/carlos
loginShell: /bin/bash
mail: carlos.menezes@example.com
Password configured via (-S prompts for the new password, otherwise ldappasswd generates a random one and prints it; -ZZ requires StartTLS so the password does not cross the network in cleartext):
ldappasswd -H ldap://ldap.lab.local -ZZ \
  -D "cn=admin,dc=lab,dc=local" -W -S \
  "uid=carlos,ou=People,dc=lab,dc=local"
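A schema sanity check for LDIF batches like the one above, added here as an example (it is not part of the original project). It parses LDIF, verifies that every entry carries the MUST attributes of the objectClasses it declares (posixAccount and posixGroup per RFC 2307, inetOrgPerson inheriting sn/cn from person), checks that uidNumber/gidNumber are numeric and inside an assumed lab range of 10000-59999, and reports duplicate uid or uidNumber values before anything reaches ldapadd. The sample LDIF is constructed: the carlos entry from the page plus a second user that deliberately lacks sn and reuses uidNumber 10001.

```python
# Added example: validate posixAccount / inetOrgPerson / posixGroup LDIF
# entries before loading them. Not code from the original project.

# MUST attributes per objectClass (RFC 2307 for posix*, RFC 4519/2798 for
# person -> organizationalPerson -> inetOrgPerson), keyed in lowercase.
REQUIRED = {
    "top": set(),
    "person": {"sn", "cn"},
    "organizationalperson": set(),
    "inetorgperson": set(),
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}
# Superclass chain so that inetOrgPerson inherits person's MUST list.
SUPERIOR = {"inetorgperson": "organizationalperson",
            "organizationalperson": "person", "person": "top"}
# Assumed range for directory-managed IDs (a lab convention, not a standard).
ID_RANGE = range(10000, 60000)


def parse_ldif(text):
    """Parse LDIF into dicts of {attribute_lowercase: [values]}, one per entry."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def required_for(object_classes):
    """Union of MUST attributes for the given classes and all their superiors."""
    needed = set()
    for oc in object_classes:
        oc = oc.lower()
        while oc:
            needed |= REQUIRED.get(oc, set())
            oc = SUPERIOR.get(oc)
    return needed


def check_entries(entries):
    """Return a list of problems; an empty list means the batch is clean."""
    problems, seen_uid, seen_num = [], {}, {}
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        for attr in sorted(required_for(e.get("objectclass", [])) - set(e)):
            problems.append(f"{dn}: missing required attribute {attr}")
        for attr in ("uidnumber", "gidnumber"):
            for v in e.get(attr, []):
                if not v.isdigit():
                    problems.append(f"{dn}: {attr} '{v}' is not numeric")
                elif int(v) not in ID_RANGE:
                    problems.append(f"{dn}: {attr} {v} outside managed range")
        for v in e.get("uid", []):
            if v in seen_uid:
                problems.append(f"{dn}: uid '{v}' already used by {seen_uid[v]}")
            seen_uid[v] = dn
        for v in e.get("uidnumber", []):
            if v in seen_num:
                problems.append(f"{dn}: uidNumber {v} already used by {seen_num[v]}")
            seen_num[v] = dn
    return problems


# Constructed sample: the carlos entry from the page, a second user that
# lacks sn and reuses uidNumber 10001, and the developers group.
SAMPLE_LDIF = """\
dn: uid=carlos,ou=People,dc=lab,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: Carlos Menezes
sn: Menezes
uid: carlos
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/carlos

dn: uid=devuser,ou=People,dc=lab,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Dev User
uid: devuser
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/devuser

dn: cn=developers,ou=Groups,dc=lab,dc=local
objectClass: posixGroup
cn: developers
gidNumber: 10001
memberUid: carlos
memberUid: devuser
"""

if __name__ == "__main__":
    for problem in check_entries(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run against the sample it reports two problems for the devuser entry (missing sn, uidNumber already taken by carlos) and nothing for the group. Duplicate uidNumber values matter because every client resolves file ownership through SSSD by number, so two directory users sharing one number become indistinguishable on disk.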
Client configuration – /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.lab.local
ldap_search_base = dc=lab,dc=local
ldap_id_use_start_tls = true
cache_credentials = true
enumerate = false
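SSSD refuses to perform LDAP simple binds (the user's password) over an unencrypted channel, but identity lookups over ldap:// go out in the clear unless ldap_id_use_start_tls = true, and ldap_tls_reqcert = never or allow disables the certificate verification that makes StartTLS meaningful. The following check, added here as an example and not part of the original project, parses an sssd.conf with configparser and reports those weaknesses per domain. The sample configuration is constructed: one domain mirrors the page's settings and a second, deliberately weak domain is there to be flagged.

```python
# Added example: audit transport settings in sssd.conf before rolling it out.
# Not code from the original project.
import configparser

# Constructed sample: the page's domain plus a deliberately weak one.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP, LEGACY

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.lab.local
ldap_search_base = dc=lab,dc=local
ldap_id_use_start_tls = true
cache_credentials = true
enumerate = false

[domain/LEGACY]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://old.lab.local, ldaps://old2.lab.local
ldap_search_base = dc=lab,dc=local
ldap_tls_reqcert = never
ldap_auth_disable_tls_never_use_in_production = true
"""


def audit_sssd(text):
    """Return {domain_section: [findings]}; an empty list means no transport issue."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        findings = []
        if d.get("id_provider", "").strip() != "ldap":
            report[section] = findings      # only the LDAP provider is audited here
            continue
        # ldap_id_use_start_tls defaults to false: lookups are cleartext unless set.
        starttls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        for uri in (u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()):
            if uri.startswith("ldap://") and not starttls:
                findings.append(f"{uri}: lookups in cleartext; set ldap_id_use_start_tls = true")
        # ldap_tls_reqcert defaults to demand; never/allow skip certificate validation.
        if d.get("ldap_tls_reqcert", "demand").strip().lower() in ("never", "allow"):
            findings.append("ldap_tls_reqcert does not verify the server certificate")
        # This option removes SSSD's own refusal to bind without TLS.
        if d.get("ldap_auth_disable_tls_never_use_in_production", "false").strip().lower() == "true":
            findings.append("ldap_auth_disable_tls_never_use_in_production is set")
        report[section] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit_sssd(SAMPLE_CONF).items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The ldaps:// URI in the weak domain is not flagged because it is TLS from the first byte; the ldap:// one is, since that domain never enables StartTLS for lookups.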
PAM & NSS integration
# /etc/nsswitch.conf
passwd: files sss
group: files sss
shadow: files sss
# /etc/pam.d/common-auth (this line follows the pam_unix line; use_first_pass
# reuses the password already entered so the user is not prompted twice, and
# [success=1 default=ignore] skips the following pam_deny line on success)
auth [success=1 default=ignore] pam_sss.so use_first_pass