---
title: LDAP Client Setup
description:
published: true
date: 2026-01-22T03:36:37.380Z
tags:
editor: markdown
dateCreated: 2026-01-21T13:21:40.588Z
---

# ✅ LLDAP + SSSD Node Join Checklist (FINAL)

## Assumptions

- LLDAP server: docker4
- LDAP URI: `ldap://docker4:3890`
- Base DN: `dc=netgrimoire,dc=com`
- Users/groups use lowercase attributes (`uidnumber`, `gidnumber`, `homedirectory`, `unixshell`, `uniquemember`)
- No TLS (lab only)
- Docker group GID = 1964 in LDAP
- This node is Ubuntu/Debian-based

## 0️⃣ Safety first (do this every time)

- Open two SSH sessions to the node
- Confirm you can `sudo`
- Do not edit `nsswitch.conf` until SSSD is confirmed working

## 1️⃣ Install required packages

```bash
sudo apt update
sudo apt install -y sssd sssd-ldap sssd-tools libpam-sss libnss-sss libsss-sudo ldap-utils oddjob oddjob-mkhomedir
```

Ensure the legacy LDAP NSS/PAM stack is NOT installed (it conflicts with SSSD):

```bash
sudo apt purge -y libnss-ldap libpam-ldap nslcd libnss-ldapd libpam-ldapd || true
sudo apt autoremove -y
```

## 2️⃣ Verify LDAP connectivity (must pass)

```bash
getent hosts docker4
nc -vz docker4 3890
ldapwhoami -x -H ldap://docker4:3890 \
  -D 'uid=admin,ou=people,dc=netgrimoire,dc=com' -w 'F@lcon13'
```

❌ If any fail → stop and fix networking/DNS/firewall.
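Beyond confirming that the bind works, it is worth checking that the directory really exposes the lowercase attribute names the assumptions list and that the `sssd.conf` in step 3 maps; if an entry carries `uidNumber` instead of `uidnumber`, SSSD will resolve the user without a UID and the later `id` and login tests fail in confusing ways. The script below is an added example, not part of the original checklist: `check_ldif_users` reads `ldapsearch` LDIF output and reports any `posixAccount` entry missing one of the expected attribute names. The sample LDIF, the UID numbers in it and the `LLDAP_BIND_PW_FILE` password-file location are constructed for the example; the server, base DN and bind DN are the checklist's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original checklist): verify that every
# posixAccount entry carries the lowercase attribute names that the
# ldap_user_* settings in sssd.conf (step 3) reference.
set -u

# Attribute names exactly as referenced by ldap_user_uid_number, etc.
REQUIRED_USER_ATTRS="uidnumber gidnumber homedirectory unixshell"

# check_ldif_users: reads LDIF on stdin, prints one line per entry that is
# missing a required attribute (comparison is case-sensitive on purpose).
# Returns 0 when every entry passes, 1 otherwise.
check_ldif_users() {
  awk -v req="$REQUIRED_USER_ATTRS" '
    BEGIN { n = split(req, want, " ") }
    function flush(   i, k, missing) {
      if (dn == "") return
      missing = ""
      for (i = 1; i <= n; i++) if (!(want[i] in seen)) missing = missing " " want[i]
      if (missing != "") { print dn ": missing" missing; bad = 1 }
      dn = ""; for (k in seen) delete seen[k]
    }
    /^dn: /            { flush(); dn = substr($0, 5); next }
    /^[^ #:][^:]*:/    { split($0, kv, ":"); seen[kv[1]] = 1 }   # attribute line
    /^$/               { flush() }                                # entry separator
    END                { flush(); exit bad }
  '
}

# Constructed sample standing in for `ldapsearch -LLL` output. The first entry
# is complete; the second uses camel-case uidNumber, which the sssd.conf
# mapping would not match.
SAMPLE_LDIF='dn: uid=graymutt,ou=people,dc=netgrimoire,dc=com
objectClass: posixAccount
uid: graymutt
uidnumber: 10001
gidnumber: 1964
homedirectory: /home/graymutt
unixshell: /bin/bash

dn: uid=dockhand,ou=people,dc=netgrimoire,dc=com
objectClass: posixAccount
uid: dockhand
uidNumber: 10002
gidnumber: 1964
homedirectory: /home/dockhand
unixshell: /bin/bash
'

# live_check: query the real server with the checklist's bind DN and feed the
# result to check_ldif_users. The bind password is read by ldapsearch from a
# file (-y) so it never appears on a command line or in shell history;
# LLDAP_BIND_PW_FILE is an assumed location for that file.
live_check() {
  ldapsearch -x -LLL -H ldap://docker4:3890 \
    -D 'uid=admin,ou=people,dc=netgrimoire,dc=com' \
    -y "${LLDAP_BIND_PW_FILE:-/root/.lldap-bind-pw}" \
    -b ou=people,dc=netgrimoire,dc=com '(objectClass=posixAccount)' \
    uidnumber gidnumber homedirectory unixshell | check_ldif_users
}

# Default run exercises the constructed sample; pass --live to query docker4.
if [ "${1:-}" = "--live" ]; then
  live_check
else
  printf '%s' "$SAMPLE_LDIF" | check_ldif_users && echo "all entries carry the expected attributes"
fi
```

Run it with `--live` from the node after step 2 passes. An empty result with exit status 0 means every account will map cleanly; a `missing` line names the entry and attribute to fix in LLDAP (or the `ldap_user_*` line to adjust) before SSSD is started.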
## 3️⃣ Create /etc/sssd/sssd.conf (single file, no includes)

```bash
sudo vi /etc/sssd/sssd.conf
```

Paste exactly:

```ini
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = netgrimoire.com

[nss]
filter_users = root
filter_groups = root

[pam]
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[ssh]

[domain/netgrimoire.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = permit
enumerate = false
cache_credentials = true

ldap_uri = ldap://docker4:3890
ldap_schema = rfc2307bis
ldap_search_base = dc=netgrimoire,dc=com

ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_tls_reqcert = never

ldap_default_bind_dn = uid=admin,ou=people,dc=netgrimoire,dc=com
ldap_default_authtok = F@lcon13

# USERS (lowercase attributes)
ldap_user_search_base = ou=people,dc=netgrimoire,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_gecos = cn
ldap_user_uid_number = uidnumber
ldap_user_gid_number = gidnumber
ldap_user_home_directory = homedirectory
ldap_user_shell = unixshell

# GROUPS (lowercase attributes)
ldap_group_search_base = ou=groups,dc=netgrimoire,dc=com
ldap_group_object_class = groupOfUniqueNames
ldap_group_name = cn
ldap_group_gid_number = gidnumber
ldap_group_member = uniquemember
```

## 4️⃣ Fix permissions (SSSD will NOT start without this)

```bash
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
sudo chmod 700 /etc/sssd
```

Validate:

```bash
sudo sssctl config-check
```

## 5️⃣ Start SSSD cleanly

```bash
sudo systemctl enable sssd
sudo systemctl stop sssd
sudo rm -f /var/lib/sss/db/* /var/lib/sss/mc/*
sudo systemctl start sssd
```

Verify:

```bash
sudo systemctl status sssd --no-pager -l
sudo sssctl domain-status netgrimoire.com
```

Expected:

```
Online status: Online
LDAP: docker4
```

## 6️⃣ Enable NSS lookups via SSSD (LDAP-first)

Edit `/etc/nsswitch.conf`:

```
passwd: sss files systemd
group:  sss files systemd
shadow: sss files
```

Test:

```bash
getent passwd graymutt
getent group docker
id graymutt
```

## 7️⃣ 🔑 RE-INITIALIZE PAM (THIS IS THE STEP YOU REMEMBERED)

This step is mandatory on Debian/Ubuntu.

```bash
sudo pam-auth-update
```

In the menu, ENABLE:

- ✅ Unix authentication
- ✅ SSSD
- ✅ Create home directory on login

DISABLE:

- ❌ LDAP Authentication (legacy)
- ❌ Kerberos (unless you explicitly use it)

Press OK.

## 8️⃣ Verify PAM wiring

```bash
grep pam_sss.so /etc/pam.d/common-*
grep pam_mkhomedir /etc/pam.d/common-session
```

You should see:

```
session required pam_mkhomedir.so skel=/etc/skel umask=0022
```

## 9️⃣ Final login test (definitive)

```bash
ssh graymutt@localhost
```

Expected:

- Login succeeds
- `/home/graymutt` is auto-created
- Correct LDAP groups present

## 🔟 (Optional but recommended) Remove local docker group

If the node has a local `docker` group (gid 998):

```bash
sudo groupdel docker
```

Verify:

```bash
getent group docker
```

Expected:

```
docker:x:1964:graymutt,dockhand
```

## 🧪 Fast troubleshooting commands

```bash
sudo sssctl domain-status netgrimoire.com
sudo tail -n 200 /var/log/sssd/sssd_netgrimoire.com.log
sudo systemctl status sssd --no-pager -l
```
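The permission step (4️⃣) matters for more than getting SSSD to start: `sssd.conf` carries the LLDAP admin bind password in clear text in `ldap_default_authtok`, and the 600/700 modes are the only thing keeping it from every local account on the node. The same file also holds the lab-only settings from the assumptions (no TLS, no certificate checking), which are easy to carry over to a production node by copy-paste. The following audit script is an added example, not part of the original checklist; it checks the modes and ownership from step 4, notes the clear-text token, and lists the lab-only TLS settings so they stand out. It assumes GNU coreutils `stat` (present on Debian/Ubuntu); the sample config written in the usage is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original checklist): audit the sssd.conf and
# /etc/sssd permissions set in step 4 and flag the clear-text bind password
# and lab-only TLS settings from step 3. Assumes GNU coreutils `stat`.
set -u

# mode_ok PATH EXPECTED -> 0 if PATH's octal mode is exactly EXPECTED (e.g. 600)
mode_ok() {
  [ "$(stat -c '%a' "$1")" = "$2" ]
}

# owner_ok PATH -> 0 if PATH is owned by root:root
owner_ok() {
  [ "$(stat -c '%U:%G' "$1")" = "root:root" ]
}

# has_cleartext_authtok FILE -> 0 if a bind password is stored in the file
has_cleartext_authtok() {
  grep -qE '^[[:space:]]*ldap_default_authtok[[:space:]]*=' "$1"
}

# lab_only_settings FILE -> prints each setting that disables TLS or
# certificate checking; returns 0 if none are present, 1 if any are.
lab_only_settings() {
  if grep -E '^[[:space:]]*(ldap_auth_disable_tls_never_use_in_production[[:space:]]*=[[:space:]]*true|ldap_id_use_start_tls[[:space:]]*=[[:space:]]*false|ldap_tls_reqcert[[:space:]]*=[[:space:]]*never)' "$1"; then
    return 1
  fi
  return 0
}

# audit_sssd_conf FILE DIR -> prints findings; returns the number of
# permission/ownership problems (0 = clean). Notes do not count as problems.
audit_sssd_conf() {
  conf=$1; dir=$2; problems=0
  mode_ok "$conf" 600 || { echo "FAIL: $conf mode is $(stat -c '%a' "$conf"), expected 600"; problems=$((problems + 1)); }
  mode_ok "$dir" 700  || { echo "FAIL: $dir mode is $(stat -c '%a' "$dir"), expected 700";   problems=$((problems + 1)); }
  owner_ok "$conf"    || { echo "FAIL: $conf is not owned by root:root";                    problems=$((problems + 1)); }
  if has_cleartext_authtok "$conf"; then
    echo "NOTE: $conf stores ldap_default_authtok in clear text; mode 600 is what protects it"
  fi
  if ! lab_only_settings "$conf"; then
    echo "NOTE: the lab-only TLS settings listed above are present; remove them before reusing this file on a production node"
  fi
  return "$problems"
}

# When run on a joined node (needs sudo to read the 600 file), audit the real
# config; otherwise do nothing so the functions can be sourced and reused.
if [ -r /etc/sssd/sssd.conf ]; then
  audit_sssd_conf /etc/sssd/sssd.conf /etc/sssd && echo "permissions OK"
fi
```

Run it as `sudo bash audit.sh` right after step 4 and again after any later edit to the file; a non-zero exit means a `FAIL` line was printed and the permissions need redoing, while the `NOTE` lines are reminders rather than failures.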
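Step 🔟 removes one specific collision, the local `docker` group at gid 998 versus the LDAP one at 1964. With `group: sss files` the LDAP entry wins for lookups by name, while anything already created with the local GID keeps a number that no longer resolves to that name, so any other group defined on both sides with different GIDs deserves the same look before deleting. The script below is an added example, not part of the original checklist: `group_collisions` compares two files in `/etc/group` format and lists names whose GIDs differ, and `live_group_collisions` builds the LDAP side on a joined node. Because the checklist's config sets `enumerate = false`, `getent -s sss group` with no name returns nothing, so the live helper asks SSSD for each local group name individually. The sample group lines are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original checklist): list group names present
# both locally and in LDAP (via SSSD) with different GIDs, generalising the
# docker 998-vs-1964 case from step 10.
set -u

# group_collisions LOCAL_FILE SSS_FILE
# Both inputs use /etc/group format (name:x:gid:members). Prints
# "name local_gid ldap_gid" for each name found in both files with a
# different GID. Returns 0 when there are none, 1 when at least one exists.
group_collisions() {
  awk -F: '
    FILENAME == ARGV[1] { local_gid[$1] = $3; next }          # first pass: local groups
    ($1 in local_gid) && local_gid[$1] != $3 {                # second pass: LDAP groups
      print $1, local_gid[$1], $3; found = 1
    }
    END { exit found }
  ' "$1" "$2"
}

# Constructed samples: a local /etc/group excerpt and what SSSD would serve.
LOCAL_SAMPLE='root:x:0:
docker:x:998:graymutt
sudo:x:27:graymutt'
SSS_SAMPLE='docker:*:1964:graymutt,dockhand
devs:*:2000:graymutt'

# live_group_collisions: on a joined node, resolve every local group name
# through the sss NSS source only (getent -s sss) and compare. Per-name
# lookups are used because enumerate = false in sssd.conf disables listing.
live_group_collisions() {
  tmp=$(mktemp)
  cut -d: -f1 /etc/group | while read -r name; do
    getent -s sss group "$name" 2>/dev/null
  done > "$tmp"
  group_collisions /etc/group "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Default run demonstrates the constructed samples; pass --live on a node.
if [ "${1:-}" = "--live" ]; then
  live_group_collisions
else
  tmpdir=$(mktemp -d)
  printf '%s\n' "$LOCAL_SAMPLE" > "$tmpdir/local"
  printf '%s\n' "$SSS_SAMPLE" > "$tmpdir/sss"
  group_collisions "$tmpdir/local" "$tmpdir/sss"   # prints: docker 998 1964
  rm -rf "$tmpdir"
fi
```

On the node, run it with `--live` before `groupdel`: each printed line is a name to either delete locally (as the checklist does for `docker`) or reconcile in LLDAP, and `find / -gid <local_gid>` then shows which files still carry the old number.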