https://documentation.ubuntu.com/server/how-to/openldap/install-openldap/
https://documentation.ubuntu.com/server/how-to/openldap/ldap-and-tls/
Since your username on the onboarding machine likely differs from your fd.vertel.se username,
you must pass it to the script with -u. If the two usernames are the same, you can leave the -u option off the end of the command.
The command downloads the script from GitHub and runs it directly; read it first if you want to know what it changes.
bash <(curl -sSL https://raw.githubusercontent.com/vertelab/ldap/refs/heads/main/onboard-client-sssd) -u [username on fd.vertel.se]
Install sssd on the onboarding machine
sudo apt update
sudo apt install sssd
Enable sssd
sudo systemctl enable sssd.service
Add the following to the file /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = fd.vertel.se
services = ssh

[ssh]
ssh_authorized_keys_cache_timeout = 60

[domain/fd.vertel.se]
#debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# without access_provider = ldap the ldap_access_filter below is ignored (default is permit)
access_provider = ldap
ldap_uri = ldaps://fd.vertel.se
cache_credentials = True
ldap_search_base = ou=vertel,dc=nodomain
# any LDAP user with a uid attribute may log in; tighten this filter to restrict access
ldap_access_filter = (uid=*)
# attribute holding users' SSH public keys; this is a domain option, not an [ssh] option
ldap_user_ssh_public_key = sshPublicKey
# demand rejects the server unless its certificate chains to ldap_tls_cacert;
# allow would also accept a certificate that fails validation. Install the CA
# (next steps) before restarting sssd with this setting.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/mycacert.pem
Make sure that sssd.conf has the right owner and permissions
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 0600 /etc/sssd/sssd.conf
Copy the certificate from the fd.vertel.se server (/usr/local/share/ca-certificates/mycacert.crt)
to the same location on the onboarding machine.
If you are lost, this is what the script does (replace <username> with your fd.vertel.se username);
it is probably easier to just log on to the fd.vertel.se server and copy the file from there.
Note that $USER inside the quoted ssh command would expand to your local username, so the remote username is spelled out instead.
ssh -t -q <username>@fd.vertel.se "sudo cp /usr/local/share/ca-certificates/mycacert.crt ~/ && sudo chown <username>:<username> ~/mycacert.crt"
scp <username>@fd.vertel.se:mycacert.crt ~/
ssh -t -q <username>@fd.vertel.se "sudo rm ~/mycacert.crt"
sudo chmod 440 ~/mycacert.crt && sudo chown root:root ~/mycacert.crt
sudo mv ~/mycacert.crt /usr/local/share/ca-certificates/
Just like the script, after moving it to /usr/local/share/ca-certificates/mycacert.crt on the onboarding machine,
make sure it has the right owner and permissions.
sudo chmod 440 /usr/local/share/ca-certificates/mycacert.crt
sudo chown root:root /usr/local/share/ca-certificates/mycacert.crt
Register the certificate in the onboarding machine's trust store (this creates the /etc/ssl/certs/mycacert.pem that sssd.conf points at)
sudo update-ca-certificates
Add lines to /etc/ssh/sshd_config so that sshd asks sssd for the user's public keys from LDAP (public-key authentication with keys stored in the sshPublicKey attribute).
tee -a appends, so run this only once; sshd reads its configuration only at start, so restart the ssh service afterwards.
echo -e "\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody" | sudo tee -a /etc/ssh/sshd_config
Enable home directory creation on first login.
sudo pam-auth-update --enable mkhomedir
Restart the sssd service
sudo systemctl restart sssd.service
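The procedure above collected into shell functions, as an added example that is not part of this page or of the vertelab onboard-client-sssd script. The domain, LDAP search base, file paths and attribute names are the ones used above; the function names, the explicit remote-username argument and the --demo run against a temporary directory are this example's own assumptions. render_sssd_conf and ensure_sshd_keys_command can be exercised without root or network; fetch_ca_cert needs both and mirrors the copy steps above without the $USER pitfall.

```bash
#!/usr/bin/env bash
# Added example, not the vertelab onboard-client-sssd script. Helper functions
# for the onboarding steps; domain, paths and attribute names come from the page,
# the function names and the --demo temp directory are this example's own.
set -eu

# Render an sssd.conf for DOMAIN URI BASE CACERT with the page's settings.
render_sssd_conf() {
  local domain=$1 uri=$2 base=$3 cacert=$4
  cat <<EOF
[sssd]
config_file_version = 2
domains = ${domain}
services = ssh

[ssh]
ssh_authorized_keys_cache_timeout = 60

[domain/${domain}]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ${uri}
cache_credentials = True
ldap_search_base = ${base}
ldap_access_filter = (uid=*)
ldap_user_ssh_public_key = sshPublicKey
# demand: refuse the server unless its certificate chains to the CA below
ldap_tls_reqcert = demand
ldap_tls_cacert = ${cacert}
EOF
}

# Succeed only if FILE is owned by OWNER (user:group) with octal MODE, e.g. root:root 600.
check_file_perms() {
  [ "$(stat -c '%U:%G %a' "$1")" = "$2 $3" ]
}

# Copy the CA from the server without leaving a copy in the remote home directory.
# RUSER is the fd.vertel.se username; it is passed explicitly because $USER in a
# quoted ssh command expands to the *local* username. Needs network and sudo.
fetch_ca_cert() {
  local ruser=$1 host=$2 dest=/usr/local/share/ca-certificates/mycacert.crt
  ssh -t -q "${ruser}@${host}" "sudo cp ${dest} ~/ && sudo chown ${ruser}:${ruser} ~/mycacert.crt"
  scp "${ruser}@${host}:mycacert.crt" ~/
  ssh -t -q "${ruser}@${host}" "rm ~/mycacert.crt"
  sudo install -o root -g root -m 0440 ~/mycacert.crt "${dest}"
  rm -f ~/mycacert.crt
  sudo update-ca-certificates
}

# Add the AuthorizedKeysCommand lines to CFG only if absent, so a second run does
# not duplicate them; prints how many AuthorizedKeysCommand directives CFG now holds.
ensure_sshd_keys_command() {
  local cfg=$1
  if ! grep -q '^AuthorizedKeysCommand ' "${cfg}"; then
    printf '\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' >> "${cfg}"
  fi
  grep -c '^AuthorizedKeysCommand ' "${cfg}"
}

# Dry run against a temporary directory instead of /etc (constructed input).
demo() {
  local tmp
  tmp=$(mktemp -d)
  render_sssd_conf fd.vertel.se ldaps://fd.vertel.se ou=vertel,dc=nodomain \
    /etc/ssl/certs/mycacert.pem > "${tmp}/sssd.conf"
  chmod 0600 "${tmp}/sssd.conf"
  check_file_perms "${tmp}/sssd.conf" "$(id -un):$(id -gn)" 600 && echo "sssd.conf permissions ok"
  printf '#AuthorizedKeysCommand none\n' > "${tmp}/sshd_config"
  ensure_sshd_keys_command "${tmp}/sshd_config" >/dev/null
  echo "sshd_config now has $(ensure_sshd_keys_command "${tmp}/sshd_config") AuthorizedKeysCommand line(s)"
  rm -rf "${tmp}"
}

if [ "${1:-}" = --demo ]; then demo; fi
```

On a real machine the rendered config goes to /etc/sssd/sssd.conf with root:root 0600, which check_file_perms verifies, and the sshd_config helper replaces the one-shot tee -a so the onboarding can be re-run safely.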