Centos/RHEL 6 and authentication against LDAP with SSS approach

There was a new approach of how to setup a LDAP authentication presented with RHEL 6.
This new method called SSS is a replacement of pam_ldap.
SSS states to be more flexible and also includes own caching mechanism which also means that NSCD daemon can’t be setup to cache the users/passwords once you run it on the same machine with SSS daemon.

I don’t think it’s important to write yet-another step-by-step post of SSS which can be found on Internet by this time.
Personally I find this one pretty useful as for a nice summary what has to be done to make SSS work.

If you are already running dozens of servers having them configured to authenticate services (ssh/su etc..) against LDAP with pam_ldap there are couple of things that have to be done differently with SSS.
Besides changing PAM and NSS configuration to use sss service which is configured in /etc/sssd/sssd.conf and is pretty straightforward, there is one think which can’t be done with SSS and isn’t mentioned almost anywhere on Internet.

With pam_ldap there was a possibility to specify a pam_ldap configuration file for each of PAM services under /etc/pam.d. It’s no more possible to manage this behaviour with SSS approach as all PAM services are forced to use the same global SSS configuration and this can’t be changed within the PAM service configuration. You can check out the thread I started about this issue in SSSD’s project mailing list. I also filed this as a request in RHEL Bugzilla where I was told this feature will be implemented in next RHEL release (I suppose we’re talking about RHEL 7)

After being assured SSS doesn’t implement this feature (which we widely used wit pam_ldap in Centos4/5) we considered two possibilities:

  1. To stay with pam_ldap even on Centos6
    This doens’t seem to be a good idea to me as pam_ldap may be marked as obsolete in future RHEL releases and will be completely removed from system
  2. To move completly towards new SSS method and try to manage missing feature in another way
    We decided for this step as we believe this is a step forward even considering the obstacles with missing features of SSS

The good news is the missing feature can be altered by using another PAM modules to grand access to specific PAM services only to particular users.

We haven’t configured this yet but it can be done by configuring pam_access or pam_listfile modules.

Posted in Server administration

Leave a Reply