Advanced user account management using LDAP
How to configure LDAP to access user account information
There are different ways to configure user accounts at CERN. If you only need to create a few local accounts, simply use the useraddcern command with the --directory argument.
If you need to give access to larger groups of accounts that are centrally managed in FIM / Active Directory, read on.
This document describes how to configure a client machine to use the central LDAP service xldap.cern.ch or AD service cerndc.cern.ch to give access to AFS user groups. Examples:
- How to give access to all users of some Unix groups?
- How to give access to all members of an E-group?
- How to deny access to users with disabled accounts?
- How to override certain attributes, like the login shell or the home directory?
The xldap.cern.ch LDAP service
The xldap.cern.ch LDAP service allows anonymous read-access to the user information in FIM / Active Directory. In particular, it contains the account information for all AFS users and the membership of the CERN E-groups. The xldap.cern.ch LDAP service is documented separately.
The cerndc.cern.ch Active Directory service
The cerndc.cern.ch Active Directory (AD) service allows authenticated read-access to the user information in FIM / Active Directory. In particular, it contains the account information for all AFS users and the membership of the CERN E-groups. The cerndc.cern.ch AD service is documented separately.
What is sssd?
SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources, as well as a D-Bus interface.
Configuring sssd
The /etc/sssd/sssd.conf or /etc/sssd/conf.d/*.conf configuration describes the CERN configuration. It is possible that the package cern-krb5-conf is installed. This package provides a bare minimum Kerberos configuration; it can and should be removed for more advanced configurations. Two options for advanced sssd configuration are available: xldap or ad.
Use xldap.cern.ch for identity
This can be enabled with:
# dnf erase -y cern-sssd-conf-\*
# dnf install -y cern-sssd-conf-domain-cernch cern-sssd-conf-global-cernch cern-sssd-conf-servers-cernch-gpn
# systemctl restart sssd
# authselect profile sssd
This configuration can be browsed at cern-sssd-conf/xldap.
Use cerndc.cern.ch for identity
Using cerndc.cern.ch was only made available in March of 2026 and should be considered experimental. Please try it and provide feedback. This can be enabled with:
# cern-get-keytab
# dnf erase -y cern-sssd-conf-\*
# dnf install -y cern-sssd-conf-ad
# systemctl restart sssd
# authselect profile sssd
This configuration can be browsed at cern-sssd-conf/ad. In the following sections we explain how it can be tweaked. In all cases, do not edit the files supplied by the configuration packages: they can and will be overwritten on upgrade. Instead, create a new file 10_local_sssd.conf; it will override earlier settings. It should contain the domain the settings apply to:
[sssd]
[domain/cern.ch]
General options
This section describes the main options to be configured in /etc/sssd/conf.d/10_sssd.conf.
- services is a comma-separated list of services that are started when sssd itself starts. Supported services: nss, pam, sudo, autofs, ssh, pac, ifp.
- domain is a database containing user information. SSSD can use several domains at the same time.
- filter_users, filter_groups exclude certain users or groups from being fetched from the sss NSS database. This is particularly useful for system accounts. These options can also be set per-domain, or include fully-qualified names to filter only users from a particular domain.
- pam_id_timeout controls how long the identity information is cached, to avoid excessive round-trips to the identity provider.
Filtering results
With the general options above, your machine now allows access from all accounts in the LDAP service. That is probably not what you want... This section gives some examples of filters that you can set to restrict the results to some useful sets of accounts. The following ldap_access_filter examples are for filtering on xldap.cern.ch. If using cerndc.cern.ch, the equivalent option is ad_access_filter. When using ad_access_filter, note the extra prefix DOM:cern.ch: documented in man sssd-ad.
How to give access to all users of some Unix groups?
Only allow the users of Unix group xx (gid 1160):
ldap_access_filter = (&(objectClass=user)(gidNumber=1160))
Allow users from Unix groups t3 and zp (gids 1081 and 1307):
ldap_access_filter = (&(objectClass=user)(|(gidNumber=1081)(gidNumber=1307)))
Only allow the users of Unix group xx (gid 1160) when using cerndc.cern.ch for accounts:
ad_access_filter = DOM:cern.ch:(&(objectClass=user)(gidNumber=1160))
Allow users from Unix groups t3 and zp (gids 1081 and 1307) when using cerndc.cern.ch for accounts:
ad_access_filter = DOM:cern.ch:(&(objectClass=user)(|(gidNumber=1081)(gidNumber=1307)))
How to give access to all members of an e-group?
Allow members of the lxsoft-admins e-group (non-recursive):
ldap_access_filter = (&(objectClass=user)(memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
The above does not work for "recursive e-groups", where some members are e-groups themselves. To support such e-groups, use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in the filter:
ldap_access_filter = (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
How to deny access to users with disabled accounts?
Accounts that are disabled in xldap can be filtered out like this (the matching rule 1.2.840.113556.1.4.803 is a bitwise AND; bit 2 of userAccountControl marks a disabled account):
ldap_access_filter = (&(objectClass=user)(cn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
For an explanation, please see the Microsoft Knowledge Base.
Note: ldap_access_filter and ad_access_filter accept standard LDAP filter syntax, so get as creative as you want.
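To make the filters in this section concrete, here is an added Python example (not from the CERN page or the cern-sssd-conf packages) that composes the same ldap_access_filter / ad_access_filter strings from a policy and evaluates that policy against constructed directory entries, including a nested e-group and a disabled account; the user names, the e-group names and their nesting are made up.

```python
# Added example, not from the CERN page: what its access filters accept (all data constructed).
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the ...:1.2.840.113556.1.4.803:=2 rule
EGROUP_BASE = "OU=e-groups,OU=Workgroups,DC=cern,DC=ch"

def egroup_dn(name):
    return f"CN={name},{EGROUP_BASE}"

def build_filter(gids=(), egroup=None, recursive=False, exclude_disabled=True, ad=False):
    # gid OR-list, memberOf (chain rule when recursive), disabled-bit exclusion; AD gets DOM: prefix
    parts = ["(objectClass=user)"]
    if gids:
        alts = "".join(f"(gidNumber={g})" for g in gids)
        parts.append(alts if len(gids) == 1 else f"(|{alts})")
    if egroup:
        rule = ":1.2.840.113556.1.4.1941:" if recursive else ""
        parts.append(f"(memberOf{rule}={egroup_dn(egroup)})")
    if exclude_disabled:
        parts.append("(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    flt = f"(&{''.join(parts)})"
    return f"DOM:cern.ch:{flt}" if ad else flt

def transitive_groups(direct, nesting):
    """Expand memberOf DNs through nested e-groups: what the chain rule matches."""
    seen, todo = set(), list(direct)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(nesting.get(g, ()))
    return seen

def allowed(entry, gids=(), egroup=None, recursive=False, exclude_disabled=True, nesting=None):
    """Evaluate the same policy against one user entry (dict of LDAP attributes)."""
    if gids and entry["gidNumber"] not in gids:
        return False
    if egroup:
        groups = entry["memberOf"]
        if recursive:
            groups = transitive_groups(groups, nesting or {})
        if egroup_dn(egroup) not in groups:
            return False
    if exclude_disabled and entry["userAccountControl"] & ACCOUNTDISABLE:
        return False
    return True

# Constructed directory: e-group "zp-shifters" is itself a member of "info-experiments".
NESTING = {egroup_dn("zp-shifters"): [egroup_dn("info-experiments")]}
USERS = {"alice": {"gidNumber": 1081, "memberOf": [egroup_dn("info-experiments")], "userAccountControl": 512},
         "bob": {"gidNumber": 1307, "memberOf": [egroup_dn("zp-shifters")], "userAccountControl": 512},
         "carol": {"gidNumber": 1307, "memberOf": [egroup_dn("zp-shifters")], "userAccountControl": 514}}
```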
Overriding attribute values
sssd allows you to override certain attribute values, like the login shell or the user home directory. This may be useful on certain server machines. Example (in the domain section; the override_shell and override_homedir options are the ones that replace the values returned by the directory):
override_shell = /dev/null
override_homedir = /nfs/home/%u
(see man sssd.conf for the allowed substitution sequences)
All available settings can be found in the manual:
# man sssd-ldap
Notes from Linux Support
- To enable verbose debug messages you can append "debug_level = 0x1310" to each section.
- If you have to deal with old user IDs < 1000 you can use "min_id/max_id" in the [domain/cern.ch] section.
Enable sssd
# authselect select sssd with-silent-lastlog --force
The /etc/nsswitch.conf configuration file describes the order in which password-file lookups are performed. This file is generated when authselect is used and may well overwrite local changes. For adjustments use authselect, do not fight it.
Run sssd
Now you need to make sure sssd runs and is enabled by default:
# systemctl enable sssd
# systemctl stop sssd
# systemctl start sssd
NOTE: If you experiment with sssd and you want to be sure to clean all the caches, run the following command:
# sss_cache -E
Run a simple test
You can run the following command, where "login" corresponds to an authorized CERN user:
# getent passwd login
Query the cache
The sssctl command can query the sssd service state, for instance the cache status of a user.
# dnf install sssd-tools
# sssctl user-show steve
Name: steve
Cache entry creation date: 03/16/26 12:10:37
Cache entry last update time: 03/16/26 14:09:07
Cache entry expiration time: 03/16/26 15:39:07
Initgroups expiration time: 03/16/26 15:39:07
Cached in InfoPipe: No