Part 1: Creating an LDAP client in the G Suite admin Console

Log into your G Suite admin console and, from the “Home” page, navigate to “Apps” and then “LDAP”.

In the LDAP apps page, click the “ADD CLIENT” button.

Enter the “LDAP client name” and a “Description” and click “CONTINUE”.

Under Access Permissions, you will have 3 settings:

  • Verify user credentials
  • Read user information
  • Read group information

Here you can give the LDAP client access to the entire domain or to specific Organization Groups, which you can set up in your G Suite account. In this example we chose the Entire domain option, but you can choose the option that applies to your use case.

In the “Read group information” section, change the option to On and click the “ADD LDAP CLIENT” button to create the client.

Note: Some LDAP clients, such as SSSD, perform a group lookup to obtain a user's group membership during authentication. To ensure authentication works for such clients, you need to turn on “Read group information”.

Wait a few moments until the LDAP client is added. Once done, you will be presented with a Google SSL certificate, which you will need in order to connect to the LDAP service.

Click “Download certificate” and then “CONTINUE TO CLIENT DETAILS”.

In the LDAP clients page, click Service status to be taken to the Status page.

Note: The LDAP client details page is where you can edit the client, modify the Access permissions, re-download the SSL certificate and create Access credentials if needed.

In the Status page, select “ON for everyone” and click “SAVE”.

After clicking SAVE, the status will change to ON for everyone.

The G Suite Admin Console configuration is now complete.

Part 2: Configuring SSSD on Ubuntu 16.04

Although SSSD works with Ubuntu 18.04 and 16.04, itopia Virtual Workstation deployments only support Ubuntu 16.04. 

Deploy a Virtual Workstation in the itopia portal

This process requires an existing Virtual Workstation deployment on which you can configure SSSD for LDAP authentication. Please follow this guide to create a deployment in the itopia portal.

Installing SSSD on the workstation

SSH into the virtual workstation from the itopia portal (Cloud Manager > Instances > CONNECT).

Once you’re connected to the instance, the first thing you need to do is update the package lists. That is done with the following command:

sudo apt update -y

After that’s done, run the following command to install the SSSD package:

sudo apt install -y sssd sssd-tools

Creating the sssd.conf file

After the packages have finished installing, create a new file in /etc/sssd/ called sssd.conf. Root privileges are required to write under /etc/sssd, so do that with the following command:

sudo nano /etc/sssd/sssd.conf

Your sssd.conf file should include the following:

[sssd]
services = nss, pam
domains = itopia.com

[domain/itopia.com]
cache_credentials = true
ldap_tls_cert = /var/Google_2021_09_27_50902.crt
ldap_tls_key = /var/Google_2021_09_27_50902.key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = dc=itopia,dc=com
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
enumerate = false

Note: Make sure to replace itopia.com and dc=itopia,dc=com with your own domain information. The path and file names of the TLS certificate and key will also differ for your client.

Copying Google SSL certificates to the Server 

When you created the LDAP client in the G Suite admin portal, an SSL certificate and key were generated for you. This certificate authenticates the connecting service (here, SSSD) to the LDAP client you created. You will need to make the .crt and .key files available on the server. By default, Google Linux instances disable password authentication, so trying to upload the files with a client like WinSCP will fail at the authentication step.

Once the certificate and key have been saved on the server in a location you deem fit, modify the sssd.conf file to update the paths and file names for ldap_tls_cert and ldap_tls_key.

Now that both the cert and key are in place and the sssd.conf file is ready, you need to modify the permissions of the sssd.conf file so that the service will run. Run the following commands to modify the permissions:

sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf

Restart the SSSD service:

sudo service sssd restart

If everything is set correctly you shouldn’t see any messages and the service should start. To verify that SSSD is running and connecting to the LDAP server, run the following command with any of the users in your G Suite account:

getent passwd aclavero@itopia.com

The output should look something like this:

aclavero:*:1326829605:1326829605:aclavero:/home/aclavero_itopia_com:/bin/bash

Restart the server after all of the above has been completed.

Troubleshooting

If you experience errors, or can’t connect or view users, modify the sssd.conf file to include a debug_level for the services, as in the example below:

[sssd]
debug_level = 7
services = nss, pam
domains = itopia.com

[pam]
debug_level = 7

[nss]
debug_level = 7

[domain/itopia.com]
debug_level = 7
cache_credentials = true
ldap_tls_cert = /var/Google_2021_09_27_50902.crt
ldap_tls_key = /var/Google_2021_09_27_50902.key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = dc=itopia,dc=com
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
enumerate = false
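The script below is an added example, not part of this guide or of any itopia or Google tooling. It derives ldap_search_base from a domain name, renders the sssd.conf from Part 2 (or, when given a debug level, the troubleshooting variant above) and installs the Google certificate, key and config readable only by their owner, since the key is the credential that authenticates your client and sssd will not start with a world-readable sssd.conf. The /etc/sssd destination paths are assumptions; run it as root.

```shell
#!/bin/sh
# Added example (not itopia's or Google's tooling): render this guide's sssd.conf for
# any domain and install the Secure LDAP files mode 600. /etc/sssd paths are assumptions.
set -eu

# "itopia.com" -> "dc=itopia,dc=com", the ldap_search_base for that domain
domain_to_base_dn() {
  printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# $1 domain, $2 cert path, $3 key path, $4 optional debug_level; with $4 set, the
# Troubleshooting layout is produced (debug_level in [sssd], [pam], [nss] and the domain)
render_sssd_conf() {
  domain=$1; cert=$2; key=$3; dbg=""
  [ -z "${4:-}" ] || dbg="debug_level = $4
"
  printf '[sssd]\n%sservices = nss, pam\ndomains = %s\n\n' "$dbg" "$domain"
  [ -z "$dbg" ] || printf '[pam]\n%s\n[nss]\n%s\n' "$dbg" "$dbg"
  cat <<EOF
[domain/$domain]
${dbg}cache_credentials = true
ldap_tls_cert = $cert
ldap_tls_key = $key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = $(domain_to_base_dn "$domain")
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
enumerate = false
EOF
}

# Copy a file into place readable only by its owner: the key authenticates this client,
# and sssd refuses to start if sssd.conf is readable by others. $1 source, $2 destination
install_private() {
  cp "$1" "$2"
  chmod 600 "$2"
}

# Succeeds only when a file is mode 600 (GNU stat, as on Ubuntu)
is_private() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}
# As root: install_private ~/Google.key /etc/sssd/google.key (same for the .crt), then
# render_sssd_conf itopia.com /etc/sssd/google.crt /etc/sssd/google.key > /etc/sssd/sssd.conf
```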

Once you have modified the debug_level on the sssd.conf file, you can check the following logs for errors:

/var/log/sssd/sssd.log

/var/log/sssd/sssd_domain.com.log (replace domain.com with your domain)

/var/log/sssd/sssd_pam.log

/var/log/sssd/sssd_nss.log

aclavero@ldap-ubuntu-1604:# ls /var/log/sssd/
ldap_child.log  sssd_itopia.com.log  sssd.log  sssd_nss.log  sssd_pam.log

You can also check the G Suite portal for LDAP logs. In the G Suite admin portal, from the Home screen go to Reporting > Audit.

In the reports page, click LDAP under Audit.

From this page you can see any failed or successful attempts to connect to the LDAP client, as well as who has logged in to the desktops through this LDAP client.
