Centralised authentication through LDAP is very useful. No matter the number of machine that used it, the user have the same login and groups. When the user change his password on one of the machine, the password is updated everywhere. However in case of lack of connection with the LDAP server it is no more possible to login. Here we will see how to configure sssd to provide caching and offline support of identity and authentication to the system.

You will need to have a working LDAP server that is able to provide authentication. On the client first install sssd package:

# apt-get install sssd

It should also install libpam-sss and libnss-sss packages that provide the binding for authentication and identity. Be sure to remove any other caching server like nscd.

All the configuration is done in the /etc/sssd/sssd.conf file.

config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
debug_level = 10

services = nss, pam
domains = EXAMPLE

filter_groups = root
filter_users = root
reconnection_retries = 3

reconnection_retries = 3

enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

auth_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxxx