Netgrimoire/infrastructure/identity/ldap-client-setup.md


---
title: LDAP Client Setup
description:
published: true
date: 2026-01-21T13:24:03.516Z
tags:
editor: markdown
dateCreated: 2026-01-21T13:21:40.588Z
---

# LLDAP + SSSD Node Join Checklist (FINAL)

## Assumptions

- LLDAP server: `docker4`
- LDAP URI: `ldap://docker4:3890`
- Base DN: `dc=netgrimoire,dc=com`
- Users/groups use lowercase attributes (`uidnumber`, `gidnumber`, `homedirectory`, `unixshell`, `uniquemember`)
- No TLS (lab only)
- Docker group GID = 1964 in LDAP
- This node is Ubuntu/Debian-based

## 0 Safety first (do this every time)

- Open two SSH sessions to the node
- Confirm you can `sudo`
- Do not edit `nsswitch.conf` until SSSD is confirmed working

## 1 Install required packages

```bash
sudo apt update
sudo apt install -y \
  sssd sssd-ldap sssd-tools \
  libpam-sss libnss-sss libsss-sudo \
  ldap-utils oddjob oddjob-mkhomedir
```

Ensure legacy LDAP NSS is NOT installed:

```bash
sudo apt purge -y libnss-ldap libpam-ldap nslcd libnss-ldapd libpam-ldapd || true
sudo apt autoremove -y
```

## 2 Verify LDAP connectivity (must pass)

```bash
getent hosts docker4
nc -vz docker4 3890
ldapwhoami -x -H ldap://docker4:3890 \
  -D 'uid=admin,ou=people,dc=netgrimoire,dc=com' -w 'F@lcon13'
```

If any fail → stop and fix networking/DNS/firewall.

## 3 Create /etc/sssd/sssd.conf (single file, no includes)

```bash
sudo vi /etc/sssd/sssd.conf
```

Paste exactly:

```ini
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = netgrimoire.com

[nss]
filter_users = root
filter_groups = root

[pam]
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[ssh]

[domain/netgrimoire.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = permit

enumerate = false
cache_credentials = true

ldap_uri = ldap://docker4:3890
ldap_schema = rfc2307bis
ldap_search_base = dc=netgrimoire,dc=com

ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_tls_reqcert = never

ldap_default_bind_dn = uid=admin,ou=people,dc=netgrimoire,dc=com
ldap_default_authtok = F@lcon13

# USERS (lowercase attributes)
ldap_user_search_base = ou=people,dc=netgrimoire,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_gecos = cn
ldap_user_uid_number = uidnumber
ldap_user_gid_number = gidnumber
ldap_user_home_directory = homedirectory
ldap_user_shell = unixshell

# GROUPS (lowercase attributes)
ldap_group_search_base = ou=groups,dc=netgrimoire,dc=com
ldap_group_object_class = groupOfUniqueNames
ldap_group_name = cn
ldap_group_gid_number = gidnumber
ldap_group_member = uniquemember
```

## 4 Fix permissions (SSSD will NOT start without this)

```bash
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
sudo chmod 700 /etc/sssd
```

Validate:

```bash
sudo sssctl config-check
```

## 5 Start SSSD cleanly

```bash
sudo systemctl enable sssd
sudo systemctl stop sssd
sudo rm -f /var/lib/sss/db/* /var/lib/sss/mc/*
sudo systemctl start sssd
```

Verify:

```bash
sudo systemctl status sssd --no-pager -l
sudo sssctl domain-status netgrimoire.com
```

Expected:

```
Online status: Online
LDAP: docker4
```

## 6 Enable NSS lookups via SSSD (LDAP-first)

Edit `/etc/nsswitch.conf`:

```
passwd: sss files systemd
group:  sss files systemd
shadow: sss files
```

Test:

```bash
getent passwd graymutt
getent group docker
id graymutt
```

## 7 🔑 RE-INITIALIZE PAM (THIS IS THE STEP YOU REMEMBERED)

This step is mandatory on Debian/Ubuntu.

```bash
sudo pam-auth-update
```

In the menu, ENABLE:

- Unix authentication
- SSSD
- Create home directory on login

DISABLE:

- LDAP Authentication (legacy)
- Kerberos (unless you explicitly use it)

Press OK.

## 8 Verify PAM wiring

```bash
grep pam_sss.so /etc/pam.d/common-*
grep pam_mkhomedir /etc/pam.d/common-session
```

You should see:

```
session required pam_mkhomedir.so skel=/etc/skel umask=0022
```

## 9 Final login test (definitive)

```bash
ssh graymutt@localhost
```

Expected:

- Login succeeds
- `/home/graymutt` is auto-created
- Correct LDAP groups present

## 🔟 (Optional but recommended) Remove local docker group

If the node has a local `docker` group (gid 998):

```bash
sudo groupdel docker
```

Verify:

```bash
getent group docker
```

Expected (`getent` prints `name:password:gid:members`):

```
docker:*:1964:graymutt,dockhand
```

## 🧪 Fast troubleshooting commands

```bash
sudo sssctl domain-status netgrimoire.com
sudo tail -n 200 /var/log/sssd/sssd_netgrimoire.com.log
sudo systemctl status sssd --no-pager -l
```
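A post-join verification script for the checklist above, as an added example that is not part of the original page. Each check is a function over text (the sss-before-files ordering from step 6, the `getent group` format and GID 1964 from step 10, `pam_sss.so` wiring from step 8, the 600 mode from step 4, absence of legacy `nslcd` from step 1) so it can be exercised on constructed input; `--live` runs them against the node. It assumes GNU `stat -c %a` and `dpkg`, i.e. the Debian/Ubuntu node the page targets.

```shell
#!/bin/sh
# Post-join verification for the LLDAP + SSSD checklist (added example, not
# part of the page). `sh verify-join.sh --live` checks this node; with no
# arguments only the functions are defined. Assumes GNU stat and dpkg.
EXPECTED_DOCKER_GID=1964   # GID of the LDAP docker group (Assumptions)

# nsswitch_sss_first "<nsswitch.conf text>": 0 when passwd, group and shadow
# each list sss before files (step 6), else 1.
nsswitch_sss_first() {
    for db in passwd group shadow; do
        entry=$(printf '%s\n' "$1" | grep "^${db}:" | head -n 1)
        sources=${entry#*:}                 # e.g. " sss files systemd"
        before_files=${sources%%files*}     # text preceding the first "files"
        case " $before_files " in
            *" sss "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# group_gid_matches "<getent group line>" <gid>: getent prints
# name:password:gid:members, so field 3 must be the LDAP GID (step 10).
group_gid_matches() {
    [ "$(printf '%s\n' "$1" | cut -d: -f3)" = "$2" ]
}

# pam_has_sss "<contents of a /etc/pam.d/common-* file>": 0 when pam_sss.so
# appears on a non-comment line (step 8).
pam_has_sss() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'pam_sss\.so'
}

# sssd refuses to start unless sssd.conf is mode 600 (step 4).
sssd_conf_mode_ok() { [ "$1" = "600" ]; }
# Legacy nslcd must not be installed alongside SSSD (step 1).
pkg_absent() { ! dpkg -s "$1" >/dev/null 2>&1; }

check() {   # check <label> <command...>: print PASS/FAIL, remember failures in rc
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; rc=1; fi
}

run_live_checks() {
    rc=0
    check "sssd.conf mode 600" sssd_conf_mode_ok "$(stat -c %a /etc/sssd/sssd.conf 2>/dev/null)"
    check "nsswitch lists sss before files" nsswitch_sss_first "$(cat /etc/nsswitch.conf)"
    check "pam_sss.so in common-auth" pam_has_sss "$(cat /etc/pam.d/common-auth 2>/dev/null)"
    check "docker group is LDAP gid $EXPECTED_DOCKER_GID" group_gid_matches "$(getent group docker)" "$EXPECTED_DOCKER_GID"
    check "legacy nslcd not installed" pkg_absent nslcd
    return $rc
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```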