Götz Reinicke - IT Koordinator
2013-Feb-21 08:20 UTC
[CentOS] looking for sssd basics and simple config with existing ldap centos 6.3
Hi,

I'm planning to set up a new samba fileserver as a member of an existing samba 3.x SMB.

The old server is still nss-pam-ldapd configured (historic leftovers).

As I don't have any pressure to have the new server up and running within the next few hours, I'd like to set up sssd with our existing openldap.

After googling and reading some documentation from redhat/fedora I think I do have a basic clue on how it should work.

But at the end I'm not getting it up and running the way I expected.

My question:

"rpm -ql sssd" shows a config in /etc/sssd/sssd.conf, but this file does not exist on my system. (Maybe somehow a package bug?)

Does anybody have a working example file to share with me?

I tried to edit some examples from the web and put some config together, but without success.

Thanks for any suggestion, hint etc.

Regards

Götz

--
Götz Reinicke - IT-Koordinator - Filmakademie Baden-Württemberg GmbH
Todor Petkov
2013-Feb-21 08:30 UTC
[CentOS] looking for sssd basics and simple config with existing ldap centos 6.3
On 21/02/2013 10:20 AM, Götz Reinicke - IT Koordinator wrote:
> Hi,
>
> I'm planning to set up a new samba fileserver as a member of an
> existing samba 3.x SMB.
>
> The old server is still nss-pam-ldapd configured (historic leftovers).
>
> As I don't have any pressure to have the new server up and running
> within the next few hours, I'd like to set up sssd with our existing
> openldap.
>
> After googling and reading some documentation from redhat/fedora I
> think I do have a basic clue on how it should work.
>
> But at the end I'm not getting it up and running the way I expected.
>
> My question:
>
> "rpm -ql sssd" shows a config in /etc/sssd/sssd.conf, but this file
> does not exist on my system. (Maybe somehow a package bug?)
>
> Does anybody have a working example file to share with me?
>
> I tried to edit some examples from the web and put some config
> together, but without success.
>
> Thanks for any suggestion, hint etc. Regards Götz

Try this:

http://www.couyon.net/1/post/2012/4/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html

I am using it with RHEL/CentOS, LDAP is 389 DS and everything works. The only problem I have found is that on RHEL/CentOS prior to 5.7 (or 5.6, can't remember which version), I need to configure 'pure' LDAP authentication instead of SSSD.
Paul Heinlein
2013-Feb-21 17:11 UTC
[CentOS] looking for sssd basics and simple config with existing ldap centos 6.3
On Thu, 21 Feb 2013, Götz Reinicke - IT Koordinator wrote:

> Does anybody have a working example file to share with me?

Sure.

----- %< -----
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = blah.com

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/blah.com]
auth_provider = ldap
cache_credentials = True
chpass_provider = ldap
debug_level = 3
entry_cache_timeout = 600
id_provider = ldap
ldap_id_use_start_tls = True
ldap_purge_cache_timeout = 0
ldap_search_base = dc=blah,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
ldap_uri = _srv_
----- %< -----

A few notes:

Our DNS servers are configured with SRV records for our LDAP servers, hence the _srv_ token in the ldap_uri directive, e.g.,

  [bash]$ dig +nocmd _ldap._tcp.blah.com -t srv +noall +answer
  _ldap._tcp.blah.com.    3600    IN    SRV    1 0 389 ldap-1.blah.com.
  _ldap._tcp.blah.com.    3600    IN    SRV    0 0 389 ldap-2.blah.com.

Second, we use a local certificate authority to issue and sign internal-use certificates. The CA cert is installed in /etc/openldap/cacerts and cacertdir_rehash is run against it. In fact, we do that at kickstart time, e.g.,

  %post
  # import CA certificate and rehash it for LDAP/TLS
  curl http://www.blah.com/ca/ca.blah.com.pem \
    -s -o /etc/openldap/cacerts/ca.blah.com.pem
  /usr/sbin/cacertdir_rehash /etc/openldap/cacerts

--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
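As an added illustration (not part of the thread and not Paul's or the sssd project's code), the following Python script audits an sssd.conf for the settings that make the example above safe to use against an LDAP directory: the channel for identity lookups is encrypted (ldaps:// or ldap_id_use_start_tls), ldap_tls_reqcert actually verifies the server certificate, a trust anchor directory is configured, and the file itself is root-owned and mode 0600 (sssd refuses to start otherwise). The hardened sample is the config from the post, trimmed; the weak counterexample, the blah.com names and the helper names are constructed for this example.

```python
import configparser
import os
import stat

# Constructed sample: the sssd.conf shared in the post, trimmed to the parts
# this audit inspects. "blah.com" is the post's own placeholder domain.
HARDENED_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = blah.com

[domain/blah.com]
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
cache_credentials = True
ldap_id_use_start_tls = True
ldap_search_base = dc=blah,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
ldap_uri = _srv_
"""

# Constructed counterexample (hypothetical, not from the thread): plain
# ldap://, no StartTLS, certificate checking disabled, no CA directory.
WEAK_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = blah.com

[domain/blah.com]
auth_provider = ldap
id_provider = ldap
ldap_search_base = dc=blah,dc=com
ldap_uri = ldap://ldap-1.blah.com
ldap_tls_reqcert = never
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is off so a '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _truthy(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def audit_domain(cp, section):
    """Return a list of findings for one [domain/...] section."""
    findings = []

    def opt(key, default=""):
        return cp.get(section, key, fallback=default).strip()

    uris = [u.strip() for u in opt("ldap_uri").split(",") if u.strip()]
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    # Identity lookups are only encrypted if every URI is ldaps:// or StartTLS is
    # requested; the _srv_ token discovers servers via DNS and connects with
    # ldap://, so StartTLS is what protects those connections.
    if not all_ldaps and not _truthy(opt("ldap_id_use_start_tls", "false")):
        findings.append(f"{section}: ldap_uri {uris or '(unset)'} without ldaps:// or ldap_id_use_start_tls")

    # sssd's default for ldap_tls_reqcert is 'hard'; 'demand' and 'hard' both
    # verify the server certificate, anything weaker accepts an impostor.
    reqcert = opt("ldap_tls_reqcert", "hard").lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"{section}: ldap_tls_reqcert = {reqcert} skips server certificate verification")

    # Verification needs a trust anchor; the post installs a local CA into
    # ldap_tls_cacertdir and runs cacertdir_rehash on it.
    if not opt("ldap_tls_cacertdir") and not opt("ldap_tls_cacert"):
        findings.append(f"{section}: neither ldap_tls_cacertdir nor ldap_tls_cacert is set")
    return findings


def audit_config(text):
    """Audit every domain listed under [sssd] domains; returns a list of findings."""
    cp = parse_sssd_conf(text)
    findings = []
    if cp.get("sssd", "config_file_version", fallback="") != "2":
        findings.append("[sssd]: config_file_version should be 2")
    for name in cp.get("sssd", "domains", fallback="").split(","):
        name = name.strip()
        if not name:
            continue
        section = f"domain/{name}"
        if not cp.has_section(section):
            findings.append(f"[sssd]: domain {name} listed but [{section}] is missing")
            continue
        findings.extend(audit_domain(cp, section))
    return findings


def file_mode_findings(uid, mode):
    """sssd refuses to start unless sssd.conf is owned by root and mode 0600."""
    findings = []
    if uid != 0:
        findings.append(f"owner uid {uid} is not root")
    if stat.S_IMODE(mode) & 0o077:
        findings.append(f"mode {stat.S_IMODE(mode):04o} is group/world accessible; expected 0600")
    return findings


def audit_file(path="/etc/sssd/sssd.conf"):
    """Combine the on-disk ownership/permission check with the content audit."""
    st = os.stat(path)
    findings = file_mode_findings(st.st_uid, st.st_mode)
    with open(path) as fh:
        findings.extend(audit_config(fh.read()))
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_SSSD_CONF), ("weak", WEAK_SSSD_CONF)):
        print(label, audit_config(conf) or ["ok"])
```

Run it on a real box with `audit_file()` (root needed to read the file); the hardened sample yields no findings, the weak one reports the unencrypted ldap:// lookups, the disabled certificate check and the missing CA directory. Note that ldap_id_use_start_tls only governs the id_provider lookups; sssd's LDAP auth provider does not send passwords over an unencrypted connection in any case.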