Your Active Directory:
- A firewall rule that allows TCP 389 (LDAP) and 636 (LDAPS) from the Linux client to the domain controller. This setup uses ldaps:// only, so 636 is enough; the bind password and user data should never travel over plain 389.
- A dedicated read-only domain user that SSSD binds as. It only needs permission to read the user objects under the search base. Do not use a privileged account here: its password ends up on every Linux client you configure this way.
- The CA certificate exported from Active Directory Certificate Services (the issuing CA's certificate, not the domain controller's own server certificate), which the client uses to validate the LDAPS connection.
Your Linux client:
SSSD is used to connect to the Active Directory server and query user information (including the SSH public key) for authentication. Run the following commands to install the required packages.
sudo apt-get update
Create a new config file for SSSD at /etc/sssd/sssd.conf with the following content. The file holds the bind password, and SSSD refuses to start unless it is owned by root with mode 0600.
- ldap_uri is your Active Directory server, written as ldaps://<FQDN of the domain controller>. Use the DNS name that appears in the domain controller's certificate, not an IP address, or TLS verification will fail.
- ldap_search_base is the AD scope (an OU or the domain root, as a DN) that SSSD will search for users
- ldap_default_bind_dn is the DN of the read-only user
- ldap_default_authtok is the obfuscated password of that read-only user. This only works together with ldap_default_authtok_type = obfuscated_password; without it SSSD treats the value as a cleartext password and the bind fails.
- ldap_tls_cacert is the path to your Active Directory CA certificate, in PEM format
- ldap_user_ssh_public_key is the AD user attribute in which SSSD will look for the SSH public key; in this walkthrough that is altSecurityIdentities
To create the obfuscated password, run the following command, replacing changeme with your password. On Debian/Ubuntu the pysss module comes from the python3-sss package, so you may need python3 rather than python; the sss_obfuscate tool from sssd-tools does the same job and writes the result straight into sssd.conf.
python -c "import pysss;print(pysss.password().encrypt('changeme', pysss.password().AES_256))"
Note that this obfuscation is not a security control: SSSD's own documentation describes it as protection against casual reading only, and anyone who can read sssd.conf can recover the password. The 0600 permissions on the file are what actually protect it. Pasting the password into this command also leaves it in your shell history, so clear that afterwards.
When you export the certificate from Active Directory it usually has a .cer extension. A .cer file can be either DER (binary) or base64 encoded. If it is DER, convert it to PEM with the following command; if the file already starts with -----BEGIN CERTIFICATE----- it is base64 and can be used as-is.
openssl x509 -inform der -in ad_cert.cer -out ad_cert.pem
Now restart the SSSD service
sudo systemctl restart sssd
Open your SSH daemon config file
/etc/ssh/sshd_config and add the following content, which points AuthorizedKeysCommand at SSSD's sss_ssh_authorizedkeys helper and sets AuthorizedKeysCommandUser to an unprivileged user. Validate the configuration before restarting and keep your current session open until a fresh login succeeds; a mistake here can lock you out.
Then restart the SSH service
sudo systemctl restart ssh
From Active Directory Users and Computers, edit the user's altSecurityIdentities attribute and add the SSH public key as one value (the full line as it appears in the .pub file, e.g. the key type followed by the base64 key). The attribute is multi-valued, so several keys can be stored as separate values. Treat write access to this attribute as equivalent to granting SSH access: anyone who can modify it on a user object can log in as that user on every host configured this way.
From the Linux client, try to query the AD user's SSH public key with the following command (the same sss_ssh_authorizedkeys helper that sshd will call; run it as the user named in AuthorizedKeysCommandUser so you test with the same permissions).
If the public key comes back, the AD user can now log in to this Linux machine with that key. The account also has to resolve through NSS, which is normally arranged when the sssd packages add sss to the passwd and group lines of /etc/nsswitch.conf; check that file if getent cannot find the user.
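The walkthrough above leaves out the two config files themselves. The script below is an added example, not the original post's files: it renders an sssd.conf and an sshd drop-in that match the options described, runs the same conversion, restart and query steps, and writes under a configurable root so it can be dry-run. Every concrete value (dc01.corp.example.com, the OU and account DNs, the token, the CA path, the sshd_config.d drop-in directory and the Debian/Ubuntu package names) is an assumption to replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the SSSD and sshd
# configuration for AD-backed SSH public keys. All names below are placeholders.
set -eu

DC_FQDN="${DC_FQDN:-dc01.corp.example.com}"   # assumed; must match the DC certificate's SAN/CN
SEARCH_BASE="${SEARCH_BASE:-OU=Linux Users,DC=corp,DC=example,DC=com}"   # assumed
BIND_DN="${BIND_DN:-CN=svc-sssd-ro,OU=Service Accounts,DC=corp,DC=example,DC=com}"   # assumed
BIND_TOKEN="${BIND_TOKEN:-AAAQA...}"          # assumed; paste the pysss/sss_obfuscate output
CA_PEM="${CA_PEM:-/etc/ssl/certs/ad_ca.pem}"  # assumed path of the converted CA certificate

# .cer exports may be DER or base64; produce PEM either way.
convert_cer() {
  openssl x509 -inform der -in "$1" -out "$2" 2>/dev/null \
    || openssl x509 -inform pem -in "$1" -out "$2"
}

# Write sssd.conf under $1 ("" for the real system, a temp dir for a dry run).
# Prints the path written.
render_sssd_conf() {
  root="${1:-}"
  f="$root/etc/sssd/sssd.conf"
  mkdir -p "$(dirname "$f")"
  cat > "$f" <<EOF
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = AD

[domain/AD]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD
ldap_uri = ldaps://${DC_FQDN}
ldap_search_base = ${SEARCH_BASE}
ldap_default_bind_dn = ${BIND_DN}
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = ${BIND_TOKEN}
ldap_tls_cacert = ${CA_PEM}
ldap_tls_reqcert = demand
ldap_user_ssh_public_key = altSecurityIdentities
ldap_referrals = false
ldap_id_mapping = true
EOF
  chmod 0600 "$f"   # SSSD refuses to start if the file is group- or world-readable
  echo "$f"
}

# Write the sshd drop-in (OpenSSH with an Include of sshd_config.d is assumed;
# on older releases append the two directives to /etc/ssh/sshd_config instead).
render_sshd_dropin() {
  root="${1:-}"
  f="$root/etc/ssh/sshd_config.d/50-sssd.conf"
  mkdir -p "$(dirname "$f")"
  cat > "$f" <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
  echo "$f"
}

# Real run (as root): sh this.sh --apply <ad-user> [ad_cert.cer]
if [ "${1:-}" = "--apply" ]; then
  apt-get update && apt-get install -y sssd sssd-tools   # assumed Debian/Ubuntu package names
  [ -n "${3:-}" ] && convert_cer "$3" "$CA_PEM"
  render_sssd_conf "" >/dev/null
  render_sshd_dropin "" >/dev/null
  sshd -t                   # syntax check first; a broken sshd_config locks you out
  systemctl restart sssd
  systemctl restart ssh
  # Same helper sshd calls; a printed key line means the whole chain works.
  sss_ssh_authorizedkeys "${2:?AD user name}"
fi
```

ldap_id_mapping = true derives Linux UIDs from the AD objectSID; set it to false if your users already carry uidNumber/gidNumber. ldap_referrals = false avoids the long timeouts libldap incurs chasing AD referrals it cannot resolve.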
During the test, keep an eye on the SSSD log files
tail -f /var/log/sssd/sssd*
If you see something similar to the following error, SSSD could not reach or use the directory. Typical causes are a wrong CA certificate (or an ldap_uri that does not match the name in the domain controller's certificate), a bind password that was not obfuscated the way ldap_default_authtok_type expects, the read-only user lacking permission on the ldap_search_base, or a firewall blocking port 636. The line below comes from the ssh responder and only says "offline"; the real reason is in the domain log, /var/log/sssd/sssd_<domain>.log, and becomes visible once you raise debug_level in the [domain/...] section of sssd.conf.
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
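The Offline error above names no layer. The script below is an added example (not from the original post) that checks the layers SSSD depends on in order, so the first failing stage identifies the cause: TCP reachability (firewall), the TLS handshake validated against the CA file and the host name (certificate problems), an LDAP bind and read of altSecurityIdentities as the read-only user (credentials and permissions), and finally the sss_ssh_authorizedkeys lookup (SSSD configuration). The host, DNs, password file, search base and user name are assumed placeholders; the bind password is read from a file rather than passed on the command line so it does not show up in ps.

```shell
#!/bin/sh
# Added example (not from the original post). Attribute an SSSD "Offline" error
# to a layer: prints tcp | tls | bind | sssd | ok and returns 1 on failure.
set -eu

# Stage 1: does host:port accept a TCP connection? Uses bash's /dev/tcp so no
# extra tool is needed; timeout caps a silently dropped SYN.
tcp_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Stage 2: TLS handshake with the DC, chain verified against the CA PEM and the
# certificate checked against the FQDN (what ldap_tls_cacert + ldap_uri imply).
tls_ok() {
  openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
    -CAfile "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

# Stage 3: simple bind as the read-only user and read of the key attribute.
# args: host port binddn passwordfile searchbase user capem
bind_ok() {
  LDAPTLS_CACERT="$7" ldapsearch -x -LLL -o nettimeout=5 -H "ldaps://$1:$2" \
    -D "$3" -y "$4" -b "$5" "(sAMAccountName=$6)" altSecurityIdentities >/dev/null 2>&1
}

# Stage 4: the same lookup sshd performs.
sssd_ok() {
  sss_ssh_authorizedkeys "$1" 2>/dev/null | grep -Eq '^(ssh-|ecdsa-|sk-)'
}

# args: host port capem binddn passwordfile searchbase user
diagnose() {
  host=$1; port=$2; ca=$3; binddn=$4; pwfile=$5; base=$6; user=$7
  if ! tcp_open "$host" "$port"; then echo tcp; return 1; fi
  command -v openssl >/dev/null || { echo "missing:openssl"; return 1; }
  if ! tls_ok "$host" "$port" "$ca"; then echo tls; return 1; fi
  command -v ldapsearch >/dev/null || { echo "missing:ldapsearch"; return 1; }
  if ! bind_ok "$host" "$port" "$binddn" "$pwfile" "$base" "$user" "$ca"; then echo bind; return 1; fi
  if ! sssd_ok "$user"; then echo sssd; return 1; fi
  echo ok
}

# Example invocation with assumed placeholder values:
# diagnose dc01.corp.example.com 636 /etc/ssl/certs/ad_ca.pem \
#   "CN=svc-sssd-ro,OU=Service Accounts,DC=corp,DC=example,DC=com" \
#   /root/sssd-bind.pw "OU=Linux Users,DC=corp,DC=example,DC=com" jdoe
```

Read the result as: tcp means firewall or wrong host; tls means the CA file is wrong or ldap_uri does not match the name in the domain controller's certificate; bind means the bind DN, its password (or the obfuscated token in sssd.conf) or its read permission on the search base; sssd means the directory is fine and the problem is in sssd.conf (for example ldap_default_authtok_type missing, or ldap_user_ssh_public_key naming a different attribute than the one holding the key).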