For configuring an Authentication Server, see the SUSE Linux Enterprise Server documentation.

YaST includes the Authentication Client module that helps with defining authentication scenarios. Start the module by selecting Network Services › Authentication Client. The YaST Authentication Client is a shell for configuring the System Security Services Daemon (SSSD). SSSD then can talk to remote directory services that provide user data, and provide various authentication methods. This way, the host can be both, an LDAP or an Active Directory (AD) client. SSSD can locally cache these user data and then allow users to use of the data, even if the real directory service is (temporarily) unreachable. An NSS (Name Service Switch) and PAM (Pluggable Authentication Module) interface are also available.

Figure 4.1: Authentication Client Configuration #

First you must configure at least one authentication domain. An authentication domain is a database that contains user information. Click New Service/Domain, select Domain, and as the Domain Name of the new domain enter an arbitrary name (alphanumeric ASCII characters, dashes, and underscores are allowed). Then select one of the available identification providers and finally select the authentication provider to be used for that domain. For example, if you want to access an LDAP directory with kerberos authentication, select ldap as the identification provider and krb5 as the authentication provider and leave Activate Domain enabled (see Figure 4.2, “Authentication Client: Adding New Domain (LDAP and Kerberos)”).

Figure 4.2: Authentication Client: Adding New Domain (LDAP and Kerberos) #

In the next step you see that id_provider and auth_provider are properly selected. Now you need to set some mandatory parameters for these providers. In the LDAP/Kerberbos scenario for example, ldap://ldap.example.com as the URIs of LDAP Servers, the IP address of the Kerberbos server (192.168.1.114 as IP address or host names of Kerberos servers), and EXAMPLE.COM as Kerberos realm (normally, your Kerberbos realm is your domain name in uppercase letters). Then confirm.

Figure 4.3: Authentication Client: Mandatory Parameters (LDAP and Kerberos) #

For more information and additional configuration option the SSSD man pages such as sssd.conf (man sssd.conf) and sssd-ldap (man sssd-ldap). It is also possible to select later all parameters available for the selected identification and authentication providers.

Note: TLS

If you use LDAP, TLS is mandatory. Do not select ldap_tls_reqcert, if an official certificate is not available.

SSSD provides following identification providers:

Supported authentication providers are:

If you enter more than one authentication domain, SSSD will query one after the one in the order they appear in the /etc/sssd/sssd.conf configuration file. If a domain is rarely used and you need to avoid waiting for the timeout, remove it from the Domains list of the sssd section.

Clicking one of the listed Services at the left side, allows you to edit sssd.conf sections such as nss or pam.

If you click OK in the main Authentication Client dialog, YaST will enable and start the SSSD service. You can check it on the command line with:

systemctl status sssd
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: active (running) since Thu 2015-10-23 11:03:43 CEST; 5s ago
   ...

To allow login when the authentication back-end is unavailable, SSSD will continue to use its cache even if it was invalidated. SSSD still operates until the back-end is available again.

To invalidate the cache, run sss_cache -E (the command sss_cache is part of the package sssd-tools).

To completely remove the SSSD cache, run:

systemctl stop sssd
rm -f /var/lib/sss/db/*
systemctl start sssd