Applies to SUSE Linux Enterprise Desktop 12

4 Authentication Server and Client

The Authentication Server is based on LDAP and optionally Kerberos. On SUSE Linux Enterprise Server, you can configure it with a YaST wizard.

For more information about LDAP, see Chapter 5, LDAP—A Directory Service, and about Kerberos, see Chapter 7, Network Authentication with Kerberos.

4.1 Configuring an Authentication Server

For configuring an Authentication Server, see the SUSE Linux Enterprise Server documentation.

4.2 Configuring an Authentication Client with YaST (SSSD)

YaST includes the Authentication Client module that helps with defining authentication scenarios. Start the module by selecting Network Services › Authentication Client. The YaST Authentication Client is a front-end for configuring the System Security Services Daemon (SSSD). SSSD can then talk to remote directory services that provide user data, and it offers various authentication methods. This way, the host can act as an LDAP client or as an Active Directory (AD) client. SSSD can cache this user data locally and let users keep using it even if the real directory service is (temporarily) unreachable. NSS (Name Service Switch) and PAM (Pluggable Authentication Module) interfaces are also available.

Figure 4.1: Authentication Client Configuration

First you must configure at least one authentication domain. An authentication domain is a database that contains user information. Click Add, and as the Name of the New Domain enter an arbitrary name (alphanumeric ASCII characters, dashes, and underscores are allowed). Then select one of the available identification providers and finally select the authentication provider to be used for that domain. For example, if you want to access an LDAP directory with Kerberos authentication, select ldap as the identification provider and krb5 as the authentication provider, and leave Activate Domain enabled (see Figure 4.2, “Authentication Client: Adding New Domain (LDAP and Kerberos)”).

Figure 4.2: Authentication Client: Adding New Domain (LDAP and Kerberos)

In the next step you see that id_provider and auth_provider are properly selected, but you must set some mandatory parameters for these providers. In the LDAP/Kerberos scenario, for example, set ldap://ldap.example.com as the ldap_uri, the IP address of the Kerberos server (192.168.1.114) as krb5_server, and EXAMPLE.COM as krb5_realm (normally, your Kerberos realm is your domain name in uppercase letters). Then confirm.

For more information and the additional configuration options you can set via the New button, see the context help and the SSSD man pages such as sssd.conf (man sssd.conf) and sssd-ldap (man sssd-ldap). You can also select later all parameters available for the chosen identification and authentication providers.

Note: TLS

If you use LDAP, TLS is mandatory. Do not select ldap_tls_reqcert if an official certificate is not available.

SSSD provides the following identification providers:

proxy

Supports a legacy NSS provider.

local

SSSD internal provider for local users.

ldap

LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.

ipa

FreeIPA and Red Hat Enterprise Identity Management provider.

ad

Active Directory provider.

Supported authentication providers are:

ldap

Native LDAP authentication.

krb5

Kerberos authentication.

ipa

FreeIPA and Red Hat Enterprise Identity Management provider.

ad

Active Directory provider.

proxy

Relays authentication to another PAM target.

none

Disables authentication explicitly.

If you enter more than one authentication domain, SSSD will query them one after the other in the order they appear in the /etc/sssd/sssd.conf configuration file. If a domain is rarely used and you want to avoid waiting for its timeout, you can configure it as inactive, either by unselecting the Activate button at initial setup or by removing it later from the domains list of the sssd section.
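The domain rules spelled out above (allowed domain names, the mandatory ldap_uri / krb5_server / krb5_realm parameters for the LDAP and Kerberos providers, TLS for LDAP, and the [sssd] domains list deciding which domains are active and in what order) can be checked mechanically before SSSD is restarted. The following is an added example, not part of this guide or of SSSD itself; the sssd.conf content is constructed, and ldap_id_use_start_tls is taken from sssd-ldap(5):

```python
import configparser
import re

# Constructed sssd.conf mirroring the LDAP + Kerberos scenario in the text.
# "archive" is defined but not listed in [sssd] domains, hence inactive.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = true
krb5_server = 192.168.1.114
krb5_realm = EXAMPLE.COM

[domain/archive]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://old.example.com
"""

# Options a provider needs, per sssd-ldap(5) and sssd-krb5(5).
REQUIRED = {("id_provider", "ldap"): ["ldap_uri"],
            ("auth_provider", "krb5"): ["krb5_server", "krb5_realm"]}
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # alphanumeric ASCII, dash, underscore

def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def active_domains(cp):
    """Domains SSSD queries, in the order listed in [sssd] domains=."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]

def check_domains(cp):
    """Map each domain/* section to a list of findings (empty = OK)."""
    findings, active = {}, active_domains(cp)
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        name, issues = section[len("domain/"):], []
        if not NAME_RE.fullmatch(name):
            issues.append("invalid domain name")
        if name not in active:
            issues.append("inactive: not listed in [sssd] domains")
        for (key, provider), needed in REQUIRED.items():
            if cp.get(section, key, fallback=None) == provider:
                issues += [f"{provider}: missing {o}" for o in needed
                           if not cp.has_option(section, o)]
        uri = cp.get(section, "ldap_uri", fallback="")
        if uri.startswith("ldap://") and not cp.getboolean(
                section, "ldap_id_use_start_tls", fallback=False):
            issues.append("LDAP without TLS: set ldap_id_use_start_tls = true")
        findings[name] = issues
    return findings
```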

Clicking one of the listed Services on the left side allows you to edit sssd.conf sections such as nss or pam.

If you click Finish in the main Authentication Client dialog, YaST will enable and start the SSSD service. You can check it on the command line with:

systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: active (running) since Thu 2014-09-25 10:46:43 CEST; 5s ago
   ...