| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| LDAP Client Setup | | true | 2026-01-21T13:24:54.016Z | | markdown | 2026-01-21T13:21:40.588Z |
# ✅ LLDAP + SSSD Node Join Checklist (FINAL)

## Assumptions

- LLDAP server: `docker4`
- LDAP URI: `ldap://docker4:3890`
- Base DN: `dc=netgrimoire,dc=com`
- Users/groups use lowercase attributes (`uidnumber`, `gidnumber`, `homedirectory`, `unixshell`, `uniquemember`)
- No TLS (lab only)
- Docker group GID = 1964 in LDAP
- This node is Ubuntu/Debian-based
## 0️⃣ Safety first (do this every time)

- Open two SSH sessions to the node
- Confirm you can `sudo`
- Do not edit `nsswitch.conf` until SSSD is confirmed working
## 1️⃣ Install required packages

```bash
sudo apt update
sudo apt install -y \
  sssd sssd-ldap sssd-tools \
  libpam-sss libnss-sss libsss-sudo \
  ldap-utils oddjob oddjob-mkhomedir
```

Ensure the legacy LDAP NSS/PAM stack is NOT installed (it conflicts with SSSD):

```bash
sudo apt purge -y libnss-ldap libpam-ldap nslcd libnss-ldapd libpam-ldapd || true
sudo apt autoremove -y
```
## 2️⃣ Verify LDAP connectivity (must pass)

```bash
getent hosts docker4
nc -vz docker4 3890
ldapwhoami -x -H ldap://docker4:3890 \
  -D 'uid=admin,ou=people,dc=netgrimoire,dc=com' -w 'F@lcon13'
```

❌ If any of these fail → stop and fix networking/DNS/firewall before continuing.
## 3️⃣ Create `/etc/sssd/sssd.conf` (single file, no includes)

```bash
sudo vi /etc/sssd/sssd.conf
```

Paste exactly:

```ini
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = netgrimoire.com

[nss]
filter_users = root
filter_groups = root

[pam]
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[ssh]

[domain/netgrimoire.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = permit

enumerate = false
cache_credentials = true

ldap_uri = ldap://docker4:3890
ldap_schema = rfc2307bis
ldap_search_base = dc=netgrimoire,dc=com

ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_tls_reqcert = never

ldap_default_bind_dn = uid=admin,ou=people,dc=netgrimoire,dc=com
ldap_default_authtok = F@lcon13

# USERS (lowercase attributes)
ldap_user_search_base = ou=people,dc=netgrimoire,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_gecos = cn
ldap_user_uid_number = uidnumber
ldap_user_gid_number = gidnumber
ldap_user_home_directory = homedirectory
ldap_user_shell = unixshell

# GROUPS (lowercase attributes)
ldap_group_search_base = ou=groups,dc=netgrimoire,dc=com
ldap_group_object_class = groupOfUniqueNames
ldap_group_name = cn
ldap_group_gid_number = gidnumber
ldap_group_member = uniquemember
```
## 4️⃣ Fix permissions (SSSD will NOT start without this)

```bash
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
sudo chmod 700 /etc/sssd
```

Validate:

```bash
sudo sssctl config-check
```
## 5️⃣ Start SSSD cleanly

```bash
sudo systemctl enable sssd
sudo systemctl stop sssd
sudo rm -f /var/lib/sss/db/* /var/lib/sss/mc/*
sudo systemctl start sssd
```

Verify:

```bash
sudo systemctl status sssd --no-pager -l
sudo sssctl domain-status netgrimoire.com
```

Expected:

```
Online status: Online
LDAP: docker4
```
## 6️⃣ Enable NSS lookups via SSSD (LDAP-first)

Edit `/etc/nsswitch.conf`:

```
passwd: sss files systemd
group:  sss files systemd
shadow: sss files
```

Test:

```bash
getent passwd graymutt
getent group docker
id graymutt
```
## 7️⃣ 🔑 RE-INITIALIZE PAM (THIS IS THE STEP YOU REMEMBERED)

This step is mandatory on Debian/Ubuntu.

```bash
sudo pam-auth-update
```

In the menu, ENABLE:

- ✅ Unix authentication
- ✅ SSSD
- ✅ Create home directory on login

DISABLE:

- ❌ LDAP Authentication (legacy)
- ❌ Kerberos (unless you explicitly use it)

Press OK.
## 8️⃣ Verify PAM wiring

```bash
grep pam_sss.so /etc/pam.d/common-*
grep pam_mkhomedir /etc/pam.d/common-session
```

You should see:

```
session required pam_mkhomedir.so skel=/etc/skel umask=0022
```
## 9️⃣ Final login test (definitive)

```bash
ssh graymutt@localhost
```

Expected:

- Login succeeds
- `/home/graymutt` is auto-created
- Correct LDAP groups present
## 🔟 (Optional but recommended) Remove local docker group

If the node has a local `docker` group (gid 998):

```bash
sudo groupdel docker
```

Verify:

```bash
getent group docker
```

Expected:

```
docker:x:1964:graymutt,dockhand
```
## 🧪 Fast troubleshooting commands

```bash
sudo sssctl domain-status netgrimoire.com
sudo tail -n 200 /var/log/sssd/sssd_netgrimoire.com.log
sudo systemctl status sssd --no-pager -l
```
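The manual checks from steps 4, 6, 8 and 10 gathered into one script, added here as an example; it is not part of the original checklist. Each check takes its input as a file path or a string, so it can be exercised against constructed fixtures as well as the live node, and every assumption it bakes in (the docker GID 1964, the `/etc/sssd/sssd.conf`, `/etc/nsswitch.conf`, `/etc/pam.d` and `/etc/group` paths, the `verify-join.sh` name and the `--live` flag) comes from the checklist above or is a choice made for this example. It relies on GNU `stat -c`, which is what Ubuntu/Debian ships.

```shell
#!/bin/sh
# verify-join.sh: post-join checks for the LLDAP + SSSD checklist.
# Added example, not part of the original checklist. Each check takes
# its input as a path or a string so it can run against fixtures as well
# as the live node (run with --live, under sudo, since /etc/sssd is 700).

EXPECTED_DOCKER_GID=1964   # docker group GID published by LLDAP (checklist assumption)

# check_sssd_conf_mode FILE: sssd.conf carries ldap_default_authtok in
# clear text, so the checklist requires mode 600. Only the mode is
# enforced here; confirm root:root separately with 'stat -c %U:%G'.
check_sssd_conf_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "sssd.conf: $1 not found"; return 1; }
  [ "$mode" = "600" ] || { echo "sssd.conf: mode is $mode, expected 600"; return 1; }
}

# check_nsswitch FILE: passwd, group and shadow must list sss, sss must
# come before files (otherwise a local entry shadows the LDAP one), and
# the legacy ldap module purged in step 1 must not be referenced at all.
check_nsswitch() {
  file=$1
  for db in passwd group shadow; do
    line=$(sed -n "/^$db:/{p;q;}" "$file")
    [ -n "$line" ] || { echo "nsswitch: no '$db' line"; return 1; }
    set -- ${line#*:}          # word-split the module list into $1..$N
    sss=0; files=0; pos=0
    for mod in "$@"; do
      pos=$((pos + 1))
      case $mod in
        sss)   sss=$pos ;;
        files) files=$pos ;;
        ldap)  echo "nsswitch: legacy 'ldap' module still listed for '$db'"; return 1 ;;
      esac
    done
    [ "$sss" -gt 0 ] || { echo "nsswitch: 'sss' missing from '$db'"; return 1; }
    if [ "$files" -gt 0 ] && [ "$files" -lt "$sss" ]; then
      echo "nsswitch: 'files' precedes 'sss' for '$db'"; return 1
    fi
  done
}

# check_pam_dir DIR: step 8's greps as a function over a pam.d directory.
# pam_sss.so must be in all four common-* stacks (what pam-auth-update
# writes when SSSD is enabled) and pam_mkhomedir.so in common-session.
check_pam_dir() {
  for stack in common-auth common-account common-session common-password; do
    grep -q 'pam_sss\.so' "$1/$stack" 2>/dev/null \
      || { echo "pam: pam_sss.so missing from $stack"; return 1; }
  done
  grep -q 'pam_mkhomedir\.so' "$1/common-session" 2>/dev/null \
    || { echo "pam: pam_mkhomedir.so missing from common-session"; return 1; }
}

# check_group_entry RECORD WANT_GID: RECORD is a getent-style group record
# (name:passwd:gid:members). The gid must be the LDAP one and the member
# list must be non-empty (empty usually means the uniquemember mapping
# is wrong).
check_group_entry() {
  gid=${1#*:}; gid=${gid#*:}; gid=${gid%%:*}
  members=${1##*:}
  case $gid in
    ''|*[!0-9]*) echo "group: malformed record '$1'"; return 1 ;;
  esac
  [ "$gid" -eq "$2" ] \
    || { echo "group: gid $gid, expected $2 (a local group may be shadowing LDAP)"; return 1; }
  [ -n "$members" ] || { echo "group: no members resolved"; return 1; }
}

# check_no_stale_local_group GROUPFILE NAME WANT_GID: step 10. A local
# group of the same name with a different gid is what 'sudo groupdel'
# removes; a local entry that already matches the LDAP gid is accepted.
check_no_stale_local_group() {
  local_gid=$(awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1")
  [ -z "$local_gid" ] || [ "$local_gid" = "$3" ] \
    || { echo "group: local '$2' (gid $local_gid) still in $1, run: sudo groupdel $2"; return 1; }
}

# verify_node: run every check against the live node using the paths the
# checklist edits. Returns non-zero if any check failed.
verify_node() {
  rc=0
  check_sssd_conf_mode /etc/sssd/sssd.conf || rc=1
  check_nsswitch /etc/nsswitch.conf || rc=1
  check_pam_dir /etc/pam.d || rc=1
  check_group_entry "$(getent group docker)" "$EXPECTED_DOCKER_GID" || rc=1
  check_no_stale_local_group /etc/group docker "$EXPECTED_DOCKER_GID" || rc=1
  [ "$rc" -eq 0 ] && echo "node join checks passed"
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then
  verify_node
fi
```

Run it on the node as `sudo sh verify-join.sh --live` after step 10; each failing check prints which file to look at, which is faster than re-reading the checklist when a node that "used to work" stops resolving LDAP groups.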