Part 1: Creating an LDAP client in the G Suite admin Console
Log into your G Suite admin console and from the “Home” page navigate to “Apps” then “LDAP”
In the LDAP apps page, click on “ADD CLIENT” button
Enter the “LDAP client name” and a “Description” and click on “CONTINUE”
Under Access Permissions, you will have 3 settings:
Verify user credentials,
Read user information and
Read group information.
Here you can specify to give the LDAP client access to the entire domain or to certain Organization Groups which you can set up in your G Suite account. In this example, we chose to go with the Entire domain option but you can choose the option that applies to your use case.
In the “Read group information” section, change the option to On and click “ADD LDAP CLIENT” button to create the client.
Note: Some LDAP clients such as SSSD perform a group lookup to obtain information about a user's group membership during authentication. To ensure authentication works for such LDAP clients, you'll need to turn on “Read group information”.
Wait for a few moments until LDAP client is added. Once done, you will be presented with a Google SSL certificate which you will need in order to connect to the LDAP services.
Click on “Download certificate” and then “CONTINUE TO CLIENT DETAILS”
In the LDAP clients page click on Service status to be taken to the Status page
Note: The LDAP client details page is where you can edit the client, modify the Access permissions, re-download the SSL certificate and create Access credentials if needed.
In the Status page, select “ON for everyone” and click on “SAVE”
After clicking SAVE, the status will change to ON for everyone
The G Suite Admin Console configuration is now complete.
Part 2: Configuring SSSD on Ubuntu 16.04
Although SSSD works with Ubuntu 18.04 and 16.04, itopia Virtual Workstation deployments only support Ubuntu 16.04.
Deploy a Virtual Workstation in the itopia portal
This process will require you to have an existing Virtual Workstation deployment where you can configure SSSD for LDAP authentication. Please follow this guide to create a deployment in the itopia portal.
Installing SSSD on the workstation
SSH into the virtual workstation from the itopia portal (Cloud Manager > Instances > CONNECT)
Once you’re connected to the instance the first thing you’ll need to do is update the packages. That is done with the following command:
sudo apt update -y
After that’s done, run the following command to install the SSSD package:
sudo apt install -y sssd sssd-tools
Creating the sssd.conf file
After the packages are done installing, you will need to create a new file in /etc/sssd/ called sssd.conf. You can do that with the following command:
sudo nano /etc/sssd/sssd.conf
Your sssd.conf file should include the following:
[sssd]
services = nss, pam
domains = itopia.com
[domain/itopia.com]
cache_credentials = true
ldap_tls_cert = /var/Google_2021_09_27_50902.crt
ldap_tls_key = /var/Google_2021_09_27_50902.key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = dc=itopia,dc=com
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
enumerate = false
Note: Please make sure to replace itopia.com and dc=itopia,dc=com with your own domain information. The path and file names of the TLS certificate and key may also differ from the ones shown here.
Copying Google SSL certificates to the Server
When you created the LDAP client in the G Suite admin portal, an SSL certificate and key were generated for you. This certificate is used to authenticate the LDAP client and the service trying to connect to it. You will need to make the crt and key files available on the server. By default, Google Cloud Linux instances disable SSH password authentication, so a client like WinSCP that relies on a password will fail to authenticate when you try to upload the files.
Once the certificate and key have been saved on the server, in any location you deem fit, modify the sssd.conf file so that ldap_tls_cert and ldap_tls_key point to the correct location and file names.
Now that both the cert and key are in place and the sssd.conf file is ready, you will need to modify the permissions of the sssd.conf file in order to let the service run. Run the following commands to modify the permissions:
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
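As an added sanity check before restarting the service (example code written for this guide, not part of the itopia guide or of SSSD), the following Python script parses an sssd.conf built from the template above and reports any setting that differs from what the guide uses, and also checks that the client private key named by ldap_tls_key is root-owned and mode 0600, the same as sssd.conf itself. It assumes SSSD on Ubuntu 16.04 runs as root, so root ownership is what is expected; the stat_fn parameter only exists so the file checks can be stubbed out when testing.

```python
import configparser
import os
import stat
# Keys the guide sets in the [domain/...] section, with the values it uses.
EXPECTED = {"id_provider": "ldap", "auth_provider": "ldap", "ldap_schema": "rfc2307bis",
            "ldap_user_uuid": "entryUUID", "ldap_groups_use_matching_rule_in_chain": "true",
            "ldap_initgroups_use_matching_rule_in_chain": "true"}

def check_private_file(path, stat_fn=os.stat):
    """Problems with a file that must be root-owned and mode 0600 (sssd.conf, the TLS key)."""
    try:
        st = stat_fn(path)
    except OSError as exc:
        return ["%s: cannot stat (%s)" % (path, exc)]
    problems = []
    if st.st_uid != 0:
        problems.append("%s: owned by uid %d, expected root" % (path, st.st_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit means the file is not private
        problems.append("%s: mode %04o, expected 0600" % (path, mode))
    return problems

def check_sssd_conf(text, stat_fn=os.stat):
    """Return a list of problems in sssd.conf text; an empty list means it matches the guide."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        problems.append("[sssd] section missing or its domains list is empty")
    for dom in domains:
        sec = "domain/" + dom
        if not cp.has_section(sec):
            problems.append("[%s] section missing for a domain listed in [sssd]" % sec)
            continue
        uri = cp.get(sec, "ldap_uri", fallback="")
        if not uri.startswith("ldaps://"):
            problems.append("%s: ldap_uri must use ldaps:// (got %r)" % (sec, uri))
        for key, want in EXPECTED.items():
            got = cp.get(sec, key, fallback=None)
            if got is None or got.lower() != want.lower():
                problems.append("%s: %s should be %s (got %r)" % (sec, key, want, got))
        key_path = cp.get(sec, "ldap_tls_key", fallback="")
        if not key_path or not cp.get(sec, "ldap_tls_cert", fallback=""):
            problems.append("%s: ldap_tls_cert and ldap_tls_key must both be set" % sec)
        else:  # the client private key must stay root-only, like sssd.conf itself
            problems.extend(check_private_file(key_path, stat_fn))
    return problems
```

Run it as root against /etc/sssd/sssd.conf (for example `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`) and fix anything it lists before running the restart command.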
Restart the SSSD service:
sudo service sssd restart
If everything is set correctly you shouldn’t see any messages and the service should start running. To verify that SSSD is running and connecting to the LDAP server you can run the following command with any of the users in your G Suite account:
getent passwd aclavero@itopia.com
The output should look something like this:
aclavero:*:1326829605:1326829605:aclavero:/home/aclavero_itopia_com:/bin/bash
Restart the server after all of the above has been completed.
Troubleshooting
If you experience errors, or cannot connect or view users, add a debug_level setting to each section of the sssd.conf file. See the example below:
[sssd]
debug_level = 7
services = nss, pam
domains = itopia.com
[pam]
debug_level = 7
[nss]
debug_level = 7
[domain/itopia.com]
debug_level = 7
cache_credentials = true
ldap_tls_cert = /var/Google_2021_09_27_50902.crt
ldap_tls_key = /var/Google_2021_09_27_50902.key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = dc=itopia,dc=com
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
enumerate = false
Once you have modified the debug_level on the sssd.conf file, you can check the following logs for errors:
/var/log/sssd/sssd.log
/var/log/sssd/sssd_domain.com.log (replace domain.com with your domain)
/var/log/sssd/sssd_pam.log
/var/log/sssd/sssd_nss.log
aclavero@ldap-ubuntu-1604:# ls /var/log/sssd/
ldap_child.log sssd_itopia.com.log sssd.log sssd_nss.log sssd_pam.log
You can also check the G Suite portal for LDAP logs. In the G Suite admin portal from the Home screen go to Reporting > Audit
In the reports page click on LDAP under Audit
From this page, you can see if there are any failed or successful attempts to connect to the LDAP client. You can also see who’s logged in to the desktops through this LDAP Client.