For LDAP Passwordless 2FA

(Note: the LDAP back end supplies only the second factor; a password or an SSH key is still required as the first factor.)

Step 1: Install SSSD

To configure a VM for LDAP 2FA, SSSD must be installed and configured. Follow the steps below.

Note: if SSSD is already installed and running, skip to step 6.

Run the following command in a shell as root:

    yum install sssd

Create the file /etc/sssd/sssd.conf with the following contents (the DNs, host name and bind password are placeholders for your own directory):

    [sssd]
    config_file_version = 2
    services = nss, pam, ssh
    # Spell the domain exactly as its [domain/...] section below is named.
    domains = glauth.com
    user = root

    [domain/glauth.com]
    id_provider = ldap
    auth_provider = ldap
    # 0x3ff0 logs almost everything; lower it once the setup works.
    debug_level = 0x3ff0
    ldap_schema = AD
    #ldap_schema = rfc2307bis
    ldap_id_mapping = true
    ldap_user_name = sAMAccountName
    ldap_uri = ldaps://domain.companyname.net:636
    ldap_search_base = OU=Users,OU=Accounts,DC=company_name,DC=net
    # Always verify the server certificate against the pinned CA below;
    # anything weaker than demand lets a spoofed LDAP server collect passwords.
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /opt/company-root.pem
    #ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
    # No offline logins: every authentication is sent to the directory.
    cache_credentials = false
    # Enumeration pulls the whole directory into the local cache;
    # set it to false against a large directory.
    enumerate = true
    ldap_default_bind_dn = CN=EngqLDAP2,OU=Okta,OU=ServiceAccounts,OU=Accounts,DC=domain,DC=net
    #ldap_default_bind_dn = cn=serviceuser,ou=accts,o=glauth,dc=glauth,dc=com
    ldap_default_authtok_type = password
    # The bind password is stored in this file, which is why steps 2 and 3
    # make it root-owned and mode 600.
    ldap_default_authtok = %%%%%%_some_pass
    # ldap_access_filter takes an LDAP filter, not a DN. The group name below is
    # a placeholder; use the group whose members may log in to this host.
    ldap_access_order = filter
    ldap_access_filter = (memberOf=CN=linux-ssh-users,OU=Groups,DC=company,DC=net)
    # timeout here is the monitor heartbeat interval in seconds, not an LDAP
    # query timeout (those are ldap_search_timeout and ldap_network_timeout).
    timeout = 60000
    sudo_provider = none
    ldap_group_member = member
    ldap_use_tokengroups = False
    # Show the bare user name rather than user@domain.
    full_name_format = %1$s
    # Attribute holding the user's SSH public key, served by sss_ssh_authorizedkeys.
    ldap_user_ssh_public_key = sshKey

    [pam]
    timeout = 60000
    # pam_verbosity ranges from 0 to 3; 3 shows every message.
    pam_verbosity = 3
    debug_level = 9

    [nss]
    timeout = 60000

Step 2: Make root the owner of the file (it contains the bind password)

    chown root:root /etc/sssd/sssd.conf

Step 3: Restrict its permissions so only root can read it; SSSD checks this at startup and refuses a configuration file that other users can read

    chmod 600 /etc/sssd/sssd.conf

Step 4: Enable SSSD so that it starts at boot

    systemctl enable sssd

Step 5: Start SSSD

    systemctl start sssd

Step 6: Run the following command as root to point PAM and NSS at SSSD (RHEL/CentOS 7; on RHEL 8 and later authconfig has been replaced by authselect, i.e. authselect select sssd)

    authconfig --enablesssdauth --enablesssd --updateall

Step 7: Try to log in as a user with an Okta id

    ssh -l username hostname

Step 8: Enter the password at the prompt; a successful login ends at a shell

    username@hostname password:
    Last login: Sun Aug 11 19:34:35 2019 from localhost
    -bash-4.2$
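As an added check that is not part of this runbook (and not SSSD's own tooling), the script below lints an sssd.conf written along the lines of the one above before sssd is restarted: file mode, that every name in domains= has a [domain/...] section spelled the same way, that ldap_uri is ldaps:// (or ldap:// with StartTLS), that ldap_tls_reqcert is demand, and that ldap_access_filter is a parenthesised LDAP filter rather than a DN. The embedded sample config is constructed for the demonstration and the group linux-ssh-users is a placeholder; the checks assume the layout shown above (a [sssd] section with domains=, one [domain/NAME] section per domain).

```bash
#!/usr/bin/env bash
# lint_sssd.sh: sanity-check an sssd.conf before restarting sssd.
# Added example for this page, not part of the original runbook or of SSSD.
# Assumes the layout shown in the runbook and GNU or BSD stat. Ownership
# (chown root:root) is left to the operator; only the mode is checked here.

# conf_get FILE SECTION KEY: print KEY's value inside [SECTION], first match only.
# Values can contain '=' themselves (DNs do), so split on the first '=' only.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]+|[ \t]+$/, "", cur); next }
        cur == sec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^#/ || line !~ /=/) next
            eq = index(line, "=")
            k = substr(line, 1, eq - 1); gsub(/[ \t]+$/, "", k)
            if (k == key) { v = substr(line, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# lint_sssd_conf FILE: print one FAIL line per finding; return 0 only if there are none.
lint_sssd_conf() {
    file=$1; rc=0
    # The file carries the bind password (ldap_default_authtok): mode must be 600.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "600" ] || { echo "FAIL: $file is mode $mode, expected 600"; rc=1; }
    domains=$(conf_get "$file" sssd domains | tr ',' ' ')
    [ -n "$domains" ] || { echo "FAIL: [sssd] has no domains= entry"; rc=1; }
    for d in $domains; do
        sec="domain/$d"
        # The section name must match domains= character for character.
        grep -q "^[[:space:]]*\[$sec\][[:space:]]*$" "$file" \
            || { echo "FAIL: domains= lists '$d' but there is no [$sec] section"; rc=1; continue; }
        # Transport: ldaps://, or ldap:// upgraded with StartTLS; never cleartext.
        uri=$(conf_get "$file" "$sec" ldap_uri)
        case "$uri" in
            ldaps://*) ;;
            ldap://*) [ "$(conf_get "$file" "$sec" ldap_id_use_start_tls)" = "true" ] \
                          || { echo "FAIL: [$sec] uses ldap:// without ldap_id_use_start_tls = true"; rc=1; } ;;
            *) echo "FAIL: [$sec] ldap_uri '$uri' is neither ldaps:// nor ldap://"; rc=1 ;;
        esac
        # Certificate validation: anything below demand/hard accepts a spoofed server.
        reqcert=$(conf_get "$file" "$sec" ldap_tls_reqcert)
        case "$reqcert" in
            demand|hard) ;;
            *) echo "FAIL: [$sec] ldap_tls_reqcert is '$reqcert', expected demand"; rc=1 ;;
        esac
        # Access control: ldap_access_filter is an LDAP filter such as (memberOf=...), not a DN.
        case "$(conf_get "$file" "$sec" ldap_access_order)" in
            *filter*)
                filter=$(conf_get "$file" "$sec" ldap_access_filter)
                case "$filter" in
                    "("*")") ;;
                    *) echo "FAIL: [$sec] ldap_access_filter '$filter' is not a parenthesised LDAP filter"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Constructed sample reproducing the runbook's file as first written (not a real site's config).
sample_conf() {
    cat <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = glauth.com

[domain/GLAUTH.COM]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://domain.companyname.net:636
ldap_tls_reqcert = demand
ldap_access_order = filter
ldap_access_filter = OU=Users,OU=Accounts,DC=company,DC=net
EOF
}

if [ $# -ge 1 ]; then
    lint_sssd_conf "$1"; exit $?
else
    tmp=$(mktemp); sample_conf > "$tmp"; chmod 600 "$tmp"
    lint_sssd_conf "$tmp" && echo "OK" || echo "sample config needs fixing"
    rm -f "$tmp"
fi
```

Run it as lint_sssd.sh /etc/sssd/sssd.conf; with no argument it lints the embedded sample, which reproduces the two findings worth catching in the file as first written (the domain name spelled differently in domains= and in the section header, and a DN where an LDAP filter belongs). sssctl config-check is worth running afterwards as well. For the SSH-key-as-first-factor login the title describes, sshd also has to require both factors and fetch keys from SSSD; the page does not show that side, so as an assumption the usual sshd_config settings are AuthenticationMethods publickey,keyboard-interactive, ChallengeResponseAuthentication yes, UsePAM yes, AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody, which is what services = nss, pam, ssh above is there for.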