How to authenticate AD users without joining AD domain
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- sssd
Issue
- Authenticate AD users without joining the AD domain, including against a read-only domain controller (RODC)
- How to integrate SSSD securely with an Active Directory server via port 636 or 389
- How to configure Red Hat Enterprise Linux machines as an LDAP Client using SSSD and TLS
- How to configure Red Hat Enterprise Linux machines as an LDAP Client using SSSD and SSL
Resolution
- Install SSSD packages:
# yum install sssd sssd-client
SSSD uses the configuration information from /etc/sssd/sssd.conf file for identity lookup and authentication.
- Configure SSSD to discover the LDAP domain. This can be done in two ways, SSL or TLS. The terms SSL and TLS are often used interchangeably: TLS is the successor to SSL and offers greater security, and the original SSL standard was renamed TLS at the time it became an open standard.
A) Using SSL/TLS:
[sssd]
config_file_version = 2
services = nss,pam
domains = example.com
[nss]
fallback_homedir = /home/%u
default_shell = /bin/bash
[pam]
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://windows2008-2.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = tuser@example.com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxx
ldap_user_object_class = person
ldap_group_object_class = group
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
enumerate = false
cache_credentials = true
ldap_id_use_start_tls = False
#ldap_tls_reqcert specifies if the client requests a server certificate and what checks are performed on the certificate
ldap_tls_reqcert = demand
#ldap_tls_cacert specifies the file containing the CA certificate(s) used to verify the server certificate (sssd.conf does not allow comments after a value on the same line)
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
B) Using startTLS:
[sssd]
config_file_version = 2
services = nss,pam
domains = example.com
[nss]
fallback_homedir = /home/%u
default_shell = /bin/bash
[pam]
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://windows2008-2.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = tuser@example.com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxx
ldap_user_object_class = person
ldap_group_object_class = group
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
enumerate = false
cache_credentials = true
ldap_id_use_start_tls = true
#ldap_tls_reqcert specifies if the client requests a server certificate and what checks are performed on the certificate
ldap_tls_reqcert = demand
#ldap_tls_cacert specifies the file containing the certificate
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
- Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and the PAM stacks (/etc/pam.d/password-auth and /etc/pam.d/system-auth):
For RHEL 6 and 7
# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
For RHEL 8 and RHEL 9
# authselect select sssd with-mkhomedir
- To avoid keeping a cleartext password in the ldap_default_authtok option of sssd.conf, follow the article below:
How to obfuscate password (binddn) in sssd.conf?
Note:
- Instead of specifying the exact certificate file, a whole directory can be specified as follows under the [domain/example.com] section of /etc/sssd/sssd.conf:
ldap_tls_cacertdir = /etc/pki/tls/certs/
- Then run one of the commands below so that the certificates in that directory are indexed by their hash:
# cacertdir_rehash /etc/pki/tls/certs/
OR
# openssl rehash /etc/openldap/certs/
- If the host URL starts with ldap and the LDAP StartTLS parameter is set, the Linux server sends a StartTLS request. This request determines whether the LDAP server supports TLS on the specified port or on the default LDAP port (389). If the host URL starts with ldaps, the Linux server authenticates using SSL on the specified port or on the default LDAP port (389).
- SSSD always uses an encrypted channel for authentication, which ensures that passwords are never sent over the network unencrypted. With ldap_id_use_start_tls = true, identity lookups (such as commands based on the id or getent utilities) are also encrypted.
- When using SSL/TLS, the communication happens on the secured port 636. When using StartTLS, the communication still takes place over a secure channel, because SSSD always uses an encrypted channel for authentication.
- For more details, refer to Configuring Domains: Configuring a Native LDAP Domain.
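The notes above come down to three settings that decide whether the channel to the domain controller is actually protected: the ldap_uri scheme, ldap_id_use_start_tls, and ldap_tls_reqcert together with a CA source. The script below, an added example and not part of the Red Hat article, reads those keys out of a sssd.conf and reports the weak combinations; the sample config it audits is constructed and the helper names are the author's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: audit the TLS-related keys of
# a sssd.conf [domain/...] section for the weak settings discussed above.

# Print the value of key $2 from the first [domain/...] section of file $1.
sssd_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_domain = ($0 ~ /^[[:space:]]*\[domain\//); next }
        in_domain && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Print one "WEAK: ..." line per risky setting found in file $1 (nothing if clean).
sssd_tls_audit() {
    uri=$(sssd_get "$1" ldap_uri)
    starttls=$(sssd_get "$1" ldap_id_use_start_tls | tr '[:upper:]' '[:lower:]')
    reqcert=$(sssd_get "$1" ldap_tls_reqcert | tr '[:upper:]' '[:lower:]')
    cacert=$(sssd_get "$1" ldap_tls_cacert)$(sssd_get "$1" ldap_tls_cacertdir)
    case "$uri" in
        ldaps://*) ;;                     # encrypted from the first byte (port 636)
        ldap://*)  [ "$starttls" = "true" ] ||
                   echo "WEAK: ldap:// URI without ldap_id_use_start_tls = true (identity lookups in cleartext)" ;;
        *)         echo "WEAK: ldap_uri is missing or not ldap:// or ldaps://" ;;
    esac
    # never/allow/try accept a server certificate that fails verification
    case "$reqcert" in
        demand|hard) ;;
        *) echo "WEAK: ldap_tls_reqcert is '${reqcert:-unset}', expected demand" ;;
    esac
    [ -n "$cacert" ] || echo "WEAK: neither ldap_tls_cacert nor ldap_tls_cacertdir is set"
}

# Constructed sample config (not a real deployment): the combination the
# article's settings are meant to avoid.
sample_weak_conf() {
    cat <<'EOF'
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://windows2008-2.example.com
ldap_id_use_start_tls = False
ldap_tls_reqcert = allow
EOF
}

tmp=$(mktemp)
sample_weak_conf > "$tmp"
sssd_tls_audit "$tmp"     # prints three WEAK lines for the sample
rm -f "$tmp"
```

Run it against /etc/sssd/sssd.conf as root (the file is mode 0600) after editing either of the configurations above; an empty result means all three checks passed.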
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.