
Configure LDAP 2FA

For LDAP Passwordless 2FA

(Note: LDAP supports only 2FA, i.e. a password or SSH key is still required as the first factor.)

Step 1: Install SSSD

In order to configure a VM for LDAP 2FA, SSSD must be installed. Follow these steps to install and configure it.

Note: if SSSD is already installed and running, skip to step 6.

Run the following command in the shell as root:

yum install sssd

Create the file /etc/sssd/sssd.conf with the following contents:

[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = glauth.com
user = root

[sudo]
debug_level = 0x3ff0

[domain/GLAUTH.COM]
id_provider = ldap
debug_level = 0x3ff0
auth_provider = ldap
ldap_id_mapping = true
ldap_user_name = sAMAccountName
ldap_uri = ldaps://domain.companyname.net:636
ldap_search_base = OU=Users,OU=Accounts,DC=company_name,DC=net
ldap_tls_reqcert = demand
cache_credentials = false
enumerate = true
ldap_default_bind_dn = CN=EngqLDAP2,OU=Okta,OU=ServiceAccounts,OU=Accounts,DC=domain,DC=net
#ldap_default_bind_dn = (cn=serviceuser,ou=accts,o=glauth,dc=glauth,dc=com)
#binddn = dc=glauth.com,cn=serviceuser,ou=accts,o=glauth,dc=glauth,dc=com
ldap_tls_cacert = /opt/company-root.pem
ldap_default_authtok_type = password
ldap_default_authtok = %%%%%%_some_pass
ldap_access_filter = OU=Users,OU=Accounts,DC=company,DC=net
timeout = 60000
sudo_provider = none
ldap_group_member = member
#ldap_schema = rfc2307bis
ldap_schema = AD
ldap_access_order = filter
full_name_format = %1$s
ldap_user_ssh_public_key = sshKey
ldap_use_tokengroups = False
#ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

[pam]
timeout = 60000
pam_verbosity = 9
debug_level = 9

[nss]
timeout = 60000

Step 2: Run the following command so that the configuration file is owned by root:

chown root:root /etc/sssd/sssd.conf

Step 3: Run the following command so that only root can read the file (it contains the LDAP bind password):

chmod 600 /etc/sssd/sssd.conf

Step 4: The following command enables SSSD to start at boot time:

systemctl enable sssd

Step 5: Now start SSSD:

systemctl start sssd

Step 6: Run the following command as root to configure PAM and NSS:

authconfig --enablesssdauth --enablesssd --updateall

Step 7: Now try to log in as the user with their Okta ID:

ssh -l username hostname

Step 8: Enter the password at the prompt; a successful login ends in a shell prompt:

username@hostname password:
Last login: Sun Aug 11 19:34:35 2019 from localhost
-bash-4.2$
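As an added example that is not part of the original page, the following shell pre-flight check verifies the file permissions set in Steps 2 and 3 and the security-relevant LDAP settings from the sssd.conf in Step 1 (ldaps://, certificate verification, cleartext bind password) before SSSD is started. File paths and the sample configuration are assumptions; function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original page: a pre-flight check for the
# sssd.conf created in Step 1. Paths and function names are assumptions.

# Print the value of KEY ($2) in FILE ($1): first uncommented match, or nothing.
conf_get() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
    sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Mode must be 600 and owner root (default; pass a second argument to override),
# because the file carries the LDAP bind password. Returns the finding count.
check_sssd_perms() {
  f="$1"; want_owner="${2:-root}"; n=0
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
  [ "$mode" = "600" ] || { echo "FAIL: $f has mode $mode, expected 600"; n=$((n+1)); }
  [ "$owner" = "$want_owner" ] || { echo "FAIL: $f owned by $owner, expected $want_owner"; n=$((n+1)); }
  return "$n"
}

# Transport and credential checks for the [domain/...] section. Returns the finding count.
check_sssd_settings() {
  f="$1"; n=0
  case "$(conf_get "$f" ldap_uri)" in
    ldaps://*) ;;  # the page's configuration uses LDAP over TLS on port 636
    *) echo "FAIL: ldap_uri must use ldaps://"; n=$((n+1)) ;;
  esac
  # 'demand' rejects servers whose certificate does not validate against ldap_tls_cacert.
  [ "$(conf_get "$f" ldap_tls_reqcert)" = "demand" ] ||
    { echo "FAIL: ldap_tls_reqcert should be 'demand'"; n=$((n+1)); }
  # A cleartext bind password works but can be replaced by the output of sss_obfuscate.
  [ "$(conf_get "$f" ldap_default_authtok_type)" != "password" ] ||
    { echo "WARN: ldap_default_authtok is cleartext; consider sss_obfuscate"; n=$((n+1)); }
  return "$n"
}

# Constructed sample mirroring the domain section from Step 1 (placeholder values).
write_sample_conf() {
  cat > "$1" <<'EOF'
[domain/GLAUTH.COM]
id_provider = ldap
ldap_uri = ldaps://domain.companyname.net:636
ldap_tls_reqcert = demand
ldap_tls_cacert = /opt/company-root.pem
#ldap_default_bind_dn = (cn=serviceuser,ou=accts,o=glauth,dc=glauth,dc=com)
ldap_default_authtok_type = password
ldap_default_authtok = %%%%%%_some_pass
EOF
}
```

Run it as `write_sample_conf /tmp/sssd.conf; check_sssd_perms /tmp/sssd.conf; check_sssd_settings /tmp/sssd.conf` to see the findings; on the page's configuration only the cleartext-password warning is reported.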