From c44550e2556d75b7b3a0aebb9382cbade8d3a5b3 Mon Sep 17 00:00:00 2001 From: Administrator Date: Wed, 21 Jan 2026 13:24:12 +0000 Subject: [PATCH] docs: update infrastructure/identity/ldap-client-setup --- infrastructure/identity/ldap-client-setup.md | 213 ++++++++++++++++++- 1 file changed, 211 insertions(+), 2 deletions(-)
diff --git a/infrastructure/identity/ldap-client-setup.md b/infrastructure/identity/ldap-client-setup.md
index 0560f1f..da8d386 100644
--- a/infrastructure/identity/ldap-client-setup.md
+++ b/infrastructure/identity/ldap-client-setup.md
@@ -2,11 +2,220 @@
 title: LDAP Client Setup
 description:
 published: true
-date: 2026-01-21T13:21:40.588Z
+date: 2026-01-21T13:24:03.516Z
 tags:
 editor: markdown
 dateCreated: 2026-01-21T13:21:40.588Z
 ---
 
 # Header
-Your content here
\ No newline at end of file
+Your content here✅ LLDAP + SSSD Node Join Checklist (FINAL)
+
+Assumptions
+
+LLDAP server: docker4
+
+LDAP URI: ldap://docker4:3890
+
+Base DN: dc=netgrimoire,dc=com
+
+Users/groups use lowercase attributes (uidnumber, gidnumber, homedirectory, unixshell, uniquemember)
+
+No TLS (lab only)
+
+Docker group GID = 1964 in LDAP
+
+This node is Ubuntu/Debian-based
+
+0️⃣ Safety first (do this every time)
+
+Open two SSH sessions to the node
+
+Confirm you can sudo
+
+Do not edit nsswitch.conf until SSSD is confirmed working
+
+1️⃣ Install required packages
+sudo apt update
+sudo apt install -y \
+ sssd sssd-ldap sssd-tools \
+ libpam-sss libnss-sss libsss-sudo \
+ ldap-utils oddjob oddjob-mkhomedir
+
+Ensure legacy LDAP NSS is NOT installed
+sudo apt purge -y libnss-ldap libpam-ldap nslcd libnss-ldapd libpam-ldapd || true
+sudo apt autoremove -y
+
+2️⃣ Verify LDAP connectivity (must pass)
+getent hosts docker4
+nc -vz docker4 3890
+ldapwhoami -x -H ldap://docker4:3890 \
+ -D 'uid=admin,ou=people,dc=netgrimoire,dc=com' -w 'F@lcon13'
+
+
+❌ If any fail → stop and fix networking/DNS/firewall.
+
+3️⃣ Create /etc/sssd/sssd.conf (single file, no includes)
+sudo vi /etc/sssd/sssd.conf
+
+
+Paste exactly:
+
+[sssd]
+services = nss, pam, ssh
+config_file_version = 2
+domains = netgrimoire.com
+
+[nss]
+filter_users = root
+filter_groups = root
+
+[pam]
+offline_failed_login_attempts = 3
+offline_failed_login_delay = 5
+
+[ssh]
+
+[domain/netgrimoire.com]
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+access_provider = permit
+
+enumerate = false
+cache_credentials = true
+
+ldap_uri = ldap://docker4:3890
+ldap_schema = rfc2307bis
+ldap_search_base = dc=netgrimoire,dc=com
+
+ldap_auth_disable_tls_never_use_in_production = true
+ldap_id_use_start_tls = false
+ldap_tls_reqcert = never
+
+ldap_default_bind_dn = uid=admin,ou=people,dc=netgrimoire,dc=com
+ldap_default_authtok = F@lcon13
+
+# USERS (lowercase attributes)
+ldap_user_search_base = ou=people,dc=netgrimoire,dc=com
+ldap_user_object_class = posixAccount
+ldap_user_name = uid
+ldap_user_gecos = cn
+ldap_user_uid_number = uidnumber
+ldap_user_gid_number = gidnumber
+ldap_user_home_directory = homedirectory
+ldap_user_shell = unixshell
+
+# GROUPS (lowercase attributes)
+ldap_group_search_base = ou=groups,dc=netgrimoire,dc=com
+ldap_group_object_class = groupOfUniqueNames
+ldap_group_name = cn
+ldap_group_gid_number = gidnumber
+ldap_group_member = uniquemember
+
+4️⃣ Fix permissions (SSSD will NOT start without this)
+sudo chown root:root /etc/sssd/sssd.conf
+sudo chmod 600 /etc/sssd/sssd.conf
+sudo chmod 700 /etc/sssd
+
+
+Validate:
+
+sudo sssctl config-check
+
+5️⃣ Start SSSD cleanly
+sudo systemctl enable sssd
+sudo systemctl stop sssd
+sudo rm -f /var/lib/sss/db/* /var/lib/sss/mc/*
+sudo systemctl start sssd
+
+
+Verify:
+
+sudo systemctl status sssd --no-pager -l
+sudo sssctl domain-status netgrimoire.com
+
+
+Expected:
+
+Online status: Online
+LDAP: docker4
+
+6️⃣ Enable NSS lookups via SSSD (LDAP-first)
+
+Edit /etc/nsswitch.conf:
+
+passwd: sss files systemd
+group: sss files systemd
+shadow: sss files
+
+
+Test:
+
+getent passwd graymutt
+getent group docker
+id graymutt
+
+7️⃣ 🔑 RE-INITIALIZE PAM (THIS IS THE STEP YOU REMEMBERED)
+
+This step is mandatory on Debian/Ubuntu.
+
+sudo pam-auth-update
+
+In the menu, ENABLE:
+
+✅ Unix authentication
+
+✅ SSSD
+
+✅ Create home directory on login
+
+DISABLE:
+
+❌ LDAP Authentication (legacy)
+
+❌ Kerberos (unless you explicitly use it)
+
+Press OK.
+
+8️⃣ Verify PAM wiring
+grep pam_sss.so /etc/pam.d/common-*
+grep pam_mkhomedir /etc/pam.d/common-session
+
+
+You should see:
+
+session required pam_mkhomedir.so skel=/etc/skel umask=0022
+
+9️⃣ Final login test (definitive)
+ssh graymutt@localhost
+
+
+Expected:
+
+Login succeeds
+
+/home/graymutt is auto-created
+
+Correct LDAP groups present
+
+🔟 (Optional but recommended) Remove local docker group
+
+If the node has a local docker group (gid 998):
+
+sudo groupdel docker
+
+
+Verify:
+
+getent group docker
+
+
+Expected:
+
+docker:x:1964:graymutt,dockhand
+
+🧪 Fast troubleshooting commands
+sudo sssctl domain-status netgrimoire.com
+sudo tail -n 200 /var/log/sssd/sssd_netgrimoire.com.log
+sudo systemctl status sssd --no-pager -l