First configure yum and install SSSD

# Configure yum in the /etc/yum.repos.d/
Get it from

Install SSSD

# sssd-client ships the nss_sss / pam_sss modules that the name-service and PAM
# stacks load; sssd alone is not enough for logins.
yum install sssd sssd-client

# yum tip
# Drop stale metadata and rebuild it after adding the repo file above, so the
# install resolves against the new repository rather than a cached index.
yum clean all
yum makecache

Our SSSD config – /etc/sssd/sssd.conf

# NOTE(review): the INI section headers ([sssd], [domain/default]) do not appear
# in this copy of the file. They are required, so confirm they were only lost in
# the paste and not in the real file.
services = nss, pam, sudo, autofs
config_file_version = 2

domains = default


# ldaps:// URIs below give TLS from the first byte, so START_TLS is not needed.
ldap_id_use_start_tls = False
# Offline logins: SSSD keeps a hashed copy of the user's password in its cache.
cache_credentials = True
# NOTE(review): value starts with a comma — the leading RDN(s) look truncated in
# this copy; use the full base DN.
ldap_search_base =,dc=devtech101,dc=com
#krb5_realm = DEVTECH101.COM
#krb5_server =,
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# NOTE(review): host names are missing from both URIs in this copy — fill in
# <LDAP-SERVER-1> and <LDAP-SERVER-2>.
ldap_uri = ldaps://,ldaps://
# 'allow' accepts a server certificate that cannot be validated, so anyone able
# to intercept the connection can present their own certificate and receive the
# bind password and every user's password. With ldap_tls_cacertdir set (below),
# 'demand' is the safe value; keep 'allow' only while debugging the CA setup.
ldap_tls_reqcert = allow
#ldap_tls_reqcert = never
#ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_group_member = memberUid
entry_cache_timeout = 600
ldap_network_timeout = 3
#ldap_access_filter = (&(object)(object))
# Service account used for lookups; give it read-only rights in the LDAP ACLs so
# a leaked password cannot be used to modify the directory.
ldap_default_bind_dn = cn=proxyagent,ou=profile,dc=devtech101,dc=com
#ldap_default_authtok_type = password
# Plain-text bind password on disk — this is why the file must be root-owned and
# mode 0600 (see the chmod step). sss_obfuscate can store it as
# ldap_default_authtok_type = obfuscated_password instead; that is obfuscation,
# not encryption, so the file mode remains the real protection.
ldap_default_authtok = password
# Full enumeration is expensive on large directories and is not needed for
# logins; left as the author configured it.
enumerate = True
# NOTE(review): ',,' in these DNs looks like a truncated component — confirm.
ldap_user_search_base = ou=people,,dc=devtech101,dc=com?sub?
ldap_group_search_base = ou=group,,dc=devtech101,dc=com
ldap_netgroup_search_base = ou=netgroup,,dc=devtech101,dc=com
#access_provider = ldap
#ldap_access_filter = memberOf=cn=bda-group,ou=netgroup,,dc=devtech101,dc=com
#ldap_access_filter = uniquemember=cn=bda-group,ou=netgroup,,dc=devtech101,dc=com
# Host-level allow list: only members of this group may log in. Note that
# /etc/security/access.conf (later in this guide) checks a different group,
# bda-group; a user has to satisfy both layers.
access_provider = simple
simple_allow_groups = bda-login-allow

autofs_provider = ldap
# CA directory used to validate the ldaps:// server certificate; validation
# failures are only enforced once ldap_tls_reqcert is 'demand'.
ldap_tls_cacertdir = /etc/openldap/cacerts
# Kerberos settings are unused while auth_provider = ldap, and krb5_server is
# truncated in this copy. They duplicate the commented-out lines above.
krb5_realm = DEVTECH101.COM
krb5_server =,





Secure the config file (it holds the LDAP bind password) and start SSSD

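# sssd.conf holds the plain-text bind password (ldap_default_authtok above), so
# restrict it to root by ownership as well as mode before the first start: mode
# 0600 alone does not help if the file was written as another user.
# chkconfig makes the service come back after a reboot.
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf
service sssd start
chkconfig sssd on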

Create LDAP configuration – /etc/ldap.conf

# Service account for directory lookups (the same proxyagent as in sssd.conf).
binddn cn=proxyagent,ou=profile,dc=devtech101,dc=com
# Plain-text bind password. NOTE(review): /etc/ldap.conf is commonly readable
# by every local user — confirm its mode, and keep proxyagent read-only in the
# LDAP ACLs so a leaked password cannot be used to modify the directory.
bindpw password

scope sub
timelimit 120
bind_timelimit 30
# 'soft' fails immediately when the server is unreachable instead of retrying.
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_lookup_policy yes

# NOTE(review): ',,' in these bases looks like a truncated DN component — confirm.
nss_base_passwd		ou=People,,dc=devtech101,dc=com?sub
nss_base_shadow		ou=People,,dc=devtech101,dc=com?sub
nss_base_group		ou=Group,,dc=devtech101,dc=com?one
nss_base_netgroup	ou=Netgroup,,dc=devtech101,dc=com?one

# Local system accounts that must never trigger an LDAP group lookup.
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

# NOTE(review): host names are missing from both URIs in this copy.
uri ldaps:// ldaps://
#ssl start_tls
#tls_cacertdir /etc/openldap/cacerts
# NOTE(review): 'ssl no' next to ldaps:// URIs — confirm the client really
# negotiates TLS on these connections; if it does not, the bind password and
# user passwords cross the network in clear text.
ssl no
# Duplicate of the bind_policy line above.
bind_policy soft
# New passwords are hashed locally with MD5 before being written; 'exop' lets
# the server apply its own (stronger) password hash instead.
pam_password md5
# NOTE(review): 'cacert' here versus 'cacerts' everywhere else in this guide —
# almost certainly a typo, and a wrong CA directory means the server certificate
# can never be validated.
tls_cacertdir /etc/openldap/cacert

Note: Also update /etc/openldap/ldap.conf — the next step replaces it with a symlink to /etc/ldap.conf so both client stacks read one file

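# Keep the original OpenLDAP client config as a backup and point the path at
# /etc/ldap.conf. Chain with && so the symlink is only created when the move
# succeeded; with ';' a failed mv would still be followed by ln, hiding the error.
mv -- /etc/openldap/ldap.conf /etc/openldap/ldap.conf-org && ln -s -- /etc/ldap.conf /etc/openldap/ldap.conf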

Modify /etc/security/access.conf

# pam_access evaluates rules top to bottom and grants access when nothing
# matches, so without a closing "- : ALL : ALL" line every account not listed
# here is still allowed by this file — confirm that is intended. Login is also
# gated by simple_allow_groups in sssd.conf, which names a different group
# (bda-login-allow); a user must be in both.
+ : @bda-group : ALL
+ : root : ALL

Initialize LDAP and update the OS files for the first time

# NOTE(review): host names are missing from --ldapserver in this copy.
# --update rewrites nsswitch.conf and the PAM stack; authconfig may also
# regenerate /etc/sssd/sssd.conf and /etc/ldap.conf from these flags — back them
# up and re-check the hand-edited values (ldap_tls_reqcert, access_provider,
# tls_cacertdir) after running it.
authconfig --enableldap --enableldapauth --ldapserver=ldaps://,ldaps:// --ldapbasedn=",dc=devtech101,dc=com" --update

Note: Users must be added to the LDAP group bda-login-allow before they can log in

Add the NFS mount for users

# Test on command line
# NOTE(review): the NFS source (server:/export) is missing from this copy, here
# and in the fstab line below. With no sec= option the mount uses AUTH_SYS, i.e.
# the server trusts the UIDs the client presents; for home directories consider
# sec=krb5 if the server offers it.
mount -o vers=3 /users

# Add to /etc/fstab
# Users home directory's /users nfs vers=3,intr
* SSSD tips 
Flush the SSS cache
# -E invalidates every cached entry so changes made in LDAP (for example
# membership of bda-login-allow) take effect immediately instead of after
# entry_cache_timeout expires.
sss_cache -E

Issues that need to be addressed

You need to create an LDAP user, for example hive, and in Hue add it to the proper group, for example bda_dwbi, to get it to work.

In Hue, when creating a table from a file, the hive user needs full access to move the file out of the source directory; otherwise the table is still created but the operation reports an error.
