# Ubuntu / Fedora LDAP (SSSD) Configuration

Last Updated: November 30, 2025
By: @yuna0x0

## 1. Install Dependencies

- Ubuntu

```bash
$ sudo apt update
$ sudo apt install sssd libpam-sss libnss-sss sssd-tools sssd-ldap ldap-utils
```

- Fedora

```bash
$ sudo dnf upgrade
$ sudo dnf install sssd sssd-tools sssd-ldap oddjob-mkhomedir
```

## 2. Create the SSSD Configuration File

```bash
# Use nano or your preferred editor to create the SSSD configuration file
$ sudo nano /etc/sssd/sssd.conf

# Copy the example configuration below into the file, then save
[sssd]
config_file_version = 2
services = nss,pam,sudo,autofs,ssh
# Example: example.com
domains = {YOUR_LDAP_BASE_DOMAIN}

[domain/{YOUR_LDAP_BASE_DOMAIN}]
# Fix issue: SSSD Child was terminated by own WATCHDOG
# https://www.suse.com/support/kb/doc/?id=000021345
timeout = 30
id_provider = ldap
auth_provider = ldap
# Default: permit all LDAP users to log in
# Change to `simple` to set up access control
access_provider = permit
# [Access Control] Allow the users listed below to log in
# simple_allow_users = fubuki,nekomimi
# [Access Control] Allow anyone who belongs to the groups listed below to log in
# simple_allow_groups = administrators
chpass_provider = ldap
sudo_provider = ldap
autofs_provider = ldap
resolver_provider = ldap
ldap_user_ssh_public_key = postalAddress
ldap_id_use_start_tls = true
# Uncomment only for testing: accepting an invalid or missing certificate
# means the LDAP server's identity is no longer verified
# ldap_tls_reqcert = allow
# Example: ldaps://ldap.example.com
ldap_uri = ldaps://{YOUR_LDAP_SERVER_HOSTNAME}
# Example: dc=example,dc=com
ldap_search_base = {YOUR_LDAP_SEARCH_BASE}
# Example: uid=ldap-client,cn=users,dc=example,dc=com
ldap_default_bind_dn = {YOUR_LDAP_BIND_DN}
cache_credentials = true

[nss]
override_shell = /bin/bash

[pam]

[sudo]

[autofs]

[ssh]
```

## 3. Ensure Correct Permissions of `/etc/sssd/sssd.conf`

```bash
# Restrict the file to its owner: mode 600 (u=rw,g=,o=)
$ sudo chmod 600 /etc/sssd/sssd.conf

# Set both owner and group to root
$ sudo chown root:root /etc/sssd/sssd.conf
```

## 4. Obfuscate and Add LDAP Bind DN Client Password to SSSD Config

Note: `sss_obfuscate` only obscures the bind password stored in `/etc/sssd/sssd.conf`; it is not encryption. The file permissions set in step 3 are what keep the password from other local users.

```bash
$ sudo sss_obfuscate -d {YOUR_LDAP_BASE_DOMAIN}
Enter password:   # enter the LDAP Bind DN client password
Enter again:      # re-enter the LDAP Bind DN client password
```

## 5. Set Up Automatic Home Directory Creation

- Ubuntu

```bash
# Use nano or your preferred editor to edit the mkhomedir PAM config
$ sudo nano /usr/share/pam-configs/mkhomedir

# Find these lines and add umask=0077 after pam_mkhomedir.so, then save
# (umask=0077 makes each new home directory accessible only by its owner)
Session:
    optional    pam_mkhomedir.so umask=0077

# Enable PAM automatic home directory creation
$ sudo pam-auth-update --enable mkhomedir
```

- Fedora

```bash
# Enable the oddjobd service for automatic home directory creation
$ sudo systemctl enable --now oddjobd.service

# Use authselect to authenticate with SSSD and enable automatic home directory creation
$ sudo authselect select sssd with-mkhomedir
```

## 6. Enable the SSSD Service

```bash
# Enable the SSSD service
$ sudo systemctl enable --now sssd
```

## 7. Configure LDAP SSH Key Login

```bash
# Use nano or your preferred editor to create a new sshd_config drop-in
$ sudo nano /etc/ssh/sshd_config.d/20-ldap_authorized_keys.conf

# Copy the example configuration below into the file, then save
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# Restart SSH
# Ubuntu
$ sudo systemctl restart ssh
# Fedora
$ sudo systemctl restart sshd
```

## 8. Grant LDAP Admin Accounts Sudo Access

```bash
# Use visudo to create this file (never use nano or other editors):
# visudo checks the syntax before saving, and a malformed sudoers file can lock you out of sudo
$ sudo visudo -f /etc/sudoers.d/ldap

# Copy the example configuration below into the file, then save
# Allow members of the LDAP group administrators to execute any command
%administrators ALL=(ALL:ALL) ALL
```

## 9. Verify the Configuration

```bash
# Check that you can retrieve accounts from LDAP
$ getent passwd fubuki@example.com
fubuki:*:1000010:1000001:Shirakami Fubuki:/home/fubuki:/bin/bash

# Check that you can retrieve groups from LDAP
$ getent group administrators@example.com
administrators:*:1000002:fubuki

# Use SSH locally to log into your LDAP account
$ ssh fubuki@my-based-server.example.com
```