sssd (LDAP client for SSH logins)


# sssd

Install the packages:

```bash
sudo yum install sssd sssd-ldap authconfig
```
/etc/sssd/sssd.conf

```ini
[domain/default]
# never: accept any server certificate; combined with plain ldap:// below there is
# neither transport encryption nor server verification for bind and login passwords.
ldap_tls_reqcert = never
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_sudo_search_base = cn=sudoers,ou=Groups,dc=direa,dc=co,dc=kr
# sudoers_base is not an sssd option; sssd reads ldap_sudo_search_base above.
sudoers_base="cn=sudoers,ou=Groups,dc=direa,dc=co,dc=kr"
ldap_uri = ldap://192.168.2.59
#ldap_search_base = dc=direa,dc=co,dc=kr
#Bind DN from our LDAP server configuration.
ldap_default_bind_dn = cn=admin,dc=direa,dc=co,dc=kr
ldap_default_authtok_type = password
#Password from our LDAP server configuration.
# Clear-text bind password: this file must stay root-owned with mode 0600
# (sssd refuses to start otherwise).
ldap_default_authtok = admin
cache_credentials = True
use_fully_qualified_names = False
override_homedir = /home/%u
resolver_provider = ldap
enumerate = True
# 0x3ff0 logs almost everything; lower it once the setup works.
debug_level = 0x3ff0
default_shell = /bin/bash
# permit: every account sssd can resolve may log in; no LDAP-side access filtering.
access_provider = permit
ldap_user_search_base = cn=Users,dc=direa,dc=co,dc=kr
ldap_user_object_class = inetOrgPerson
ldap_user_name = cn
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_group_search_base = ou=Groups,dc=direa,dc=co,dc=kr
ldap_group_object_class = groupOfUniqueNames

[sssd]
services = nss,pam,sudo
#FQDN from LDAP server
domains = default

[nss]

[pam]

[sudo]
```
/etc/sssd/conf.d/authconfig-sssd.conf

```ini
[sssd]
domains = default

[domain/default]
id_provider = ldap
ldap_uri = ldap://192.168.2.59:389
ldap_search_base = dc=direa,dc=co,dc=kr
ldap_schema = rfc2307bis
```
Command that rewrites the PAM configuration, then starts and enables the service:

```bash
authconfig --enablesssd \
  --enablesssdauth \
  --enablelocauthorize \
  --enableldap \
  --enableldapauth \
  --ldapserver=ldap://192.168.2.59:389 \
  --disableldaptls \
  --ldapbasedn=dc=direa,dc=co,dc=kr \
  --enablerfc2307bis \
  --enablemkhomedir \
  --enablecachecreds \
  --update

sudo systemctl start sssd
sudo systemctl enable sssd
```
/etc/nsswitch.conf

```
passwd:     files sss systemd
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   sss files
shadow:     files sss
hosts:      files dns myhostname
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
```
/etc/ssh/sshd_config

```
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
# Password logins must go through PAM (UsePAM yes) so that pam_sss handles LDAP users.
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
```
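The sssd.conf above ships with several settings that trade security for convenience (plain `ldap://`, `ldap_tls_reqcert = never`, a clear-text bind password, `access_provider = permit`). The following linter is an added example, not part of this page or of sssd itself; it parses an sssd.conf text with `configparser`, reports those weak settings per domain section, and checks the file mode sssd expects. The sample config embedded in it is constructed to mirror the one above.

```python
import configparser
import os
import stat

# Constructed sample mirroring the sssd.conf above (not read from a real host).
SAMPLE_CONF = """[sssd]
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.2.59
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=admin,dc=direa,dc=co,dc=kr
ldap_default_authtok_type = password
ldap_default_authtok = admin
access_provider = permit
"""

def lint_sssd_conf(text):
    """Return (severity, message) findings for weak LDAP settings in an sssd.conf text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        d = cfg[section]
        uri = d.get("ldap_uri", "")
        # ldap:// without STARTTLS (ldap_id_use_start_tls defaults to false) sends passwords in clear.
        if uri.startswith("ldap://") and d.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append(("high", f"{section}: {uri} has no TLS; use ldaps:// or ldap_id_use_start_tls"))
        # never: any certificate is accepted, so an impostor LDAP server is not detected.
        if d.get("ldap_tls_reqcert", "").lower() == "never":
            findings.append(("high", f"{section}: ldap_tls_reqcert = never skips certificate checks"))
        # A clear-text bind password relies entirely on file permissions; sss_obfuscate is an alternative.
        if "ldap_default_authtok" in d and d.get("ldap_default_authtok_type", "password") == "password":
            findings.append(("medium", f"{section}: clear-text ldap_default_authtok"))
        # permit lets every resolvable account log in; 'ldap' or 'simple' restricts it.
        if d.get("access_provider", "").lower() == "permit":
            findings.append(("medium", f"{section}: access_provider = permit allows every LDAP user"))
    return findings

def conf_file_is_private(path):
    """True when the file exists, is root-owned and mode 0600, which sssd requires at startup."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and stat.S_IMODE(st.st_mode) == 0o600
```

Run `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())` as root on a host to get the findings for the live file.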
---

# Troubleshooting

If a user's `uidNumber` is in the range below 1000, SSH login is not possible for security reasons: the PAM stack ends up running pam_unix instead of pam_sss. (The system-auth file written by authconfig puts `pam_succeed_if.so uid >= 1000` in front of `pam_sss.so`, so accounts with lower UIDs never reach sssd.)

Flush the sssd cache after changing entries on the LDAP server:

```bash
sss_cache -E   # invalidate everything
sss_cache -U   # invalidate all users
sss_cache -S   # invalidate all services
```