There are again too many outdated tutorials... I'm not a full-time Fedora user, so this might not be a 100% lean procedure.
Since sssd (System Security Services Daemon) and sssd-ldap are installed by default in F31, let's just jump into configuration.
Create file /etc/sssd/conf.d/00-ldap.conf:
[sssd]
services = nss, pam
# the domain name here should match the section name below
domains = LDAP
#debug_level = 9
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.eon.lan:389/
ldap_search_base = dc=eon,dc=lan
# this is just nitpicking
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
Restart sssd:
systemctl restart sssd
PROFIT....?
I mean, this does work like a charm, but SSSD doesn't support authentication against unencrypted LDAP, meaning I can list users, but can't log into them. I've been avoiding TLS altogether, but I can't run away forever.
Enabling mkhomedir requires a daemon called oddjobd, which is truly odd in its nature. Random utility tasks exposed to D-Bus... Odd... Whatever...
dnf install oddjob-mkhomedir
systemctl enable --now oddjobd
Install the openldap-clients package for LDAP utilities like ldapsearch.
EDIT: Apparently, the config file /etc/sssd/sssd.conf is required in some setups. Maybe it's better to move 00-ldap.conf to ../sssd.conf.
EDIT: So, I set up OpenLDAP STARTTLS in Task 013, and sssd.conf now looks like this:
[sssd]
services = nss, pam, sudo
domains = LDAP
[domain/LDAP]
cache_credentials = true
enumerate = true
id_provider = ldap
ldap_uri = ldap://ldap.eon.lan/
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_search_base = dc=eon,dc=lan
ldap_sudo_search_base = ou=SUDOers,dc=eon,dc=lan
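Both configs in this post have settings worth flagging before they land on a real box: the first talks plain ldap:// (which is why sssd refuses to do password authentication over it), and the second sets ldap_tls_reqcert = never, so STARTTLS encrypts the session but the client accepts any certificate, and it leaves access_provider unset (sssd's default is permit). The POSIX shell script below is an added example written for this post, not part of the original and not sssd's own tooling. It writes three constructed sssd.conf variants to a temp directory (the post's two snippets, plus a hardened one that keeps certificate validation and the access filter) and audits each for these weaknesses. The ldap_tls_cacert path in the hardened variant is an assumption: it is Fedora's system CA bundle and only works if the LDAP server's certificate chains to a CA in it.

```shell
#!/bin/sh
# Audit sssd.conf-style files for LDAP settings that weaken authentication.
# Added example for this post (not sssd's own tooling); the configs below are
# constructed from the post's two snippets plus a hardened variant.

# Print FILE as "key=value" lines: comment/blank lines dropped, whitespace
# around the first '=' removed. Section headers pass through unchanged.
_norm() {
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# _get FILE KEY: value of the first KEY line, or empty if unset.
_get() {
    _norm "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_sssd_conf FILE: one line per finding on stdout; returns 0 only if clean.
check_sssd_conf() {
    conf="$1"; n=0
    uri=$(_get "$conf" ldap_uri)
    starttls=$(_get "$conf" ldap_id_use_start_tls)
    reqcert=$(_get "$conf" ldap_tls_reqcert)
    access=$(_get "$conf" access_provider)

    # Plain ldap:// without STARTTLS: lookups and any bind cross the wire in clear.
    case "$uri" in
        ldap://*)
            case "$starttls" in
                [Tt][Rr][Uu][Ee]) ;;
                *) echo "$conf: ldap:// without ldap_id_use_start_tls = true (plaintext LDAP)"
                   n=$((n + 1)) ;;
            esac ;;
        ldaps://*) ;;
        *) echo "$conf: ldap_uri missing or not ldap:// / ldaps://"; n=$((n + 1)) ;;
    esac

    # never/allow skip certificate validation: TLS then stops passive sniffing
    # only, not a server impersonating the directory. sssd's default is hard.
    case "$reqcert" in
        never|allow)
            echo "$conf: ldap_tls_reqcert = $reqcert disables server certificate validation"
            n=$((n + 1)) ;;
    esac

    # Unset access_provider means sssd's default, permit: every directory account may log in.
    if [ -z "$access" ]; then
        echo "$conf: access_provider unset (defaults to permit)"; n=$((n + 1))
    fi

    # sssd option names use underscores only; a hyphen before '=' is a typo sssd won't recognise.
    for key in $(_norm "$conf" | sed -n 's/^\([^=]*-[^=]*\)=.*/\1/p'); do
        echo "$conf: option name '$key' contains a hyphen (misspelled option)"; n=$((n + 1))
    done

    [ "$n" -eq 0 ]
}

# Constructed sample configs (left in place so the checks can be re-run).
WORK=$(mktemp -d)
PLAIN_CONF="$WORK/00-ldap.conf"           # the post's first config: no TLS at all
WEAK_TLS_CONF="$WORK/sssd-starttls.conf"  # the post's second config, typo included
HARD_CONF="$WORK/sssd-hardened.conf"      # same, with validation and access control kept

cat >"$PLAIN_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = LDAP
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.eon.lan:389/
ldap_search_base = dc=eon,dc=lan
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF

cat >"$WEAK_TLS_CONF" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = LDAP
[domain/LDAP]
cache_credentials = true
enumerate = true
id_provider = ldap
ldap_uri = ldap://ldap.eon.lan/
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_search-base = dc=eon,dc=lan
ldap_sudo_search_base = ou=SUDOers,dc=eon,dc=lan
EOF

# ldap_tls_cacert is an assumption: Fedora's system CA bundle.
cat >"$HARD_CONF" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = LDAP
[domain/LDAP]
cache_credentials = true
id_provider = ldap
ldap_uri = ldap://ldap.eon.lan/
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_search_base = dc=eon,dc=lan
ldap_sudo_search_base = ou=SUDOers,dc=eon,dc=lan
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF

for f in "$PLAIN_CONF" "$WEAK_TLS_CONF" "$HARD_CONF"; do
    if check_sssd_conf "$f"; then echo "$f: no findings"; fi
done
```

Run it as-is and the first config gets one finding (plaintext), the second gets three (no certificate validation, no access_provider, the misspelled ldap_search-base), and the hardened one is clean. sssd ships its own syntax validator, sssctl config-check (package sssd-tools), which catches typos such as a misspelled option name but says nothing about the policy choices above, so the two complement each other.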