Using Google Workspace accounts via LDAP as central authentication method for Ubuntu Linux
With Google Workspace, some of the more enterprise-focused licenses allow you to expose the users & groups created in the Google Workspace via Secure LDAP, so that remote LDAP clients can authenticate users with their Google Workspace usernames & passwords over TLS.
With this option, one can consolidate authentication for multiple systems and rely on Google Workspace as the central user & group inventory and access control. This simplifies access control and allows a common password policy (and Google's 2-step verification for the web login) to be enforced in one place.
In this first example of a series, we look at how to configure this with Ubuntu Linux (example using Ubuntu 22.04 LTS).
First of all, one needs to configure the Secure LDAP service in the Google Workspace Admin console. Google provides a guide on how to do this in its Secure LDAP documentation.
When finished with the Google Workspace configuration, you should have two files from that configuration: one with the client certificate (CRT) and one with its private key (KEY). We will need these two files later, so make a copy. The key is what identifies your client to Google, so treat it like any other private key.
For some LDAP clients, like pfSense, you also need a specific access username & password, but the Ubuntu client does not need them, so in this guide the two certificate files are all that is required.
On the Ubuntu machine, the first step is to install sssd. This is the software that lets the system resolve users & groups and authenticate them via Secure LDAP:
sudo apt install sssd sssd-tools sssd-ldap ldap-utils
Then place the content of the Google LDAP CRT certificate into /etc/sssd/ldap.google.com.crt, and the content of the Google LDAP KEY into /etc/sssd/ldap.google.com.key (these are the paths referenced by ldap_tls_cert and ldap_tls_key in the sssd.conf below).
Then create the sssd configuration file and set proper permissions, so that the private key and the configuration are readable by root only:
sudo touch /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/ldap.google.com.* /etc/sssd/sssd.conf
Then put the following in /etc/sssd/sssd.conf (adjust example.com to fit your domain):
[sssd]
#services = nss, pam
domains = example.com

[domain/example.com]
cache_credentials = true
ldap_tls_cert = /etc/sssd/ldap.google.com.crt
ldap_tls_key = /etc/sssd/ldap.google.com.key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com?subtree?(memberOf=cn=unix-users,ou=groups,dc=example,dc=com)?ou=users,dc=example,dc=com?subtree?(memberOf=cn=unix-admins,ou=groups,dc=example,dc=com)
ldap_group_search_base = ou=groups,dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
enumerate = false
# Needed for the TLS client-certificate handshake with Google Workspace (disables TLS 1.3)
ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3
#ldap_library_debug_level = -1
# Replace the LDAP primary group ID with a specific group ID (here the local "users" group on Ubuntu)
override_gid = 100
In the example configuration file above, the users are forced to have group ID 100 as their primary group. This is the ID of the local users group on Ubuntu. If this is not set, each user gets a primary group ID equal to its user ID, which is a group ID that most likely does not exist on the local system.
For giving access & sharing files on the system, having a common group makes things easier. It doesn't have to be the primary group, so adjust this as needed, or simply comment it out.
Then enable automatic home directory creation on first login:
sudo pam-auth-update --enable mkhomedir
And finally restart sssd to apply all the changes:
sudo service sssd restart
This will allow users to log in to the Linux machine with their Google username & password. Their $HOME will be /home/$USERNAME. Because cache_credentials = true, a user who has logged in once can also log in while ldap.google.com is unreachable; the cached credential hashes live in the root-only database under /var/lib/sss/db, so keep that directory protected together with the key and sssd.conf.
As noted above, override_gid = 100 maps every LDAP user to the local UNIX group users as primary group; without it the group ID would equal the user ID and match no locally defined group, which is inconvenient for file server sharing. If you want a different common group, change the number to that group's GID.
The LDAP user lookup is set up with a filter (the two memberOf clauses in ldap_user_search_base) so that only Google users that are members of the Google group unix-users and/or unix-admins are visible to the system, and thus only they can log in.
For sudo permissions, the idea is that only members of the Google group unix-admins get access. This can be enabled by adding the following to /etc/sudoers (edit it with visudo, or drop a file into /etc/sudoers.d/):
%unix-admins ALL=(ALL:ALL) ALL
Here's an example with a user called foo logged in via Google LDAP authentication:
foo@ldap-test:~$ id
uid=1689664894(foo) gid=100(users) groups=100(users),186376791(unix-users),199406316(unix-admins),207652195(proxmox-users),510719476(sales),634934429(snailmail),918020421(corporate),1103606151(billing),1243675829(vpn-users),1487242262(pfsense-admins),1544347971(info),1714853775(proxmox-admins)
foo@ldap-test:~$ getent passwd foo
foo::1689664894:100:foo:/home/foo:/bin/bash
foo@ldap-test:~$ getent group unix-users
unix-users::186376791:foo
foo@ldap-test:~$ getent group unix-admins
unix-admins:*:199406316:foo
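To verify the setup after running through the steps above, here is a small check script. It is an added example written for this page, not code from the original post, from sssd or from Google. It assumes the paths, domain and group names used in the guide (override them through the environment variables at the top), GNU stat, openssl and ldap-utils on the host, and that Google Secure LDAP accepts an anonymous simple bind authenticated by the client certificate, which is exactly what the sssd.conf above relies on. The LDAPTLS_CERT, LDAPTLS_KEY and LDAPTLS_CIPHER_SUITE variables are the standard OpenLDAP client way of passing the same certificate and cipher settings to ldapsearch. Beyond the checks themselves, the user_search_base function generates the multi-search-base filter string from a list of groups, so the fiddly "base?scope?filter" syntax can be produced rather than hand-typed.

```shell
#!/bin/sh
# Post-configuration checks for the Google Secure LDAP + sssd setup described in this guide.
# Added example, not part of the original post or of sssd/Google. Defaults mirror the guide.
# Usage: sh check-google-ldap.sh run [member-user outsider-user]   (ONLINE=1 adds the TLS test)

CRT=${CRT:-/etc/sssd/ldap.google.com.crt}
KEY=${KEY:-/etc/sssd/ldap.google.com.key}
CONF=${CONF:-/etc/sssd/sssd.conf}
DOMAIN=${DOMAIN:-example.com}
LDAP_URI=${LDAP_URI:-ldaps://ldap.google.com:636}
ALLOW_GROUPS=${ALLOW_GROUPS:-"unix-users unix-admins"}   # assumed group names, as in the guide

# DNS domain -> LDAP base DN, e.g. example.com -> dc=example,dc=com
domain_to_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Build sssd's multi-search-base value "base?scope?filter?base?scope?filter..." that limits
# logins to members of the given Google groups (the syntax of ldap_user_search_base above).
user_search_base() {
    base=$1; shift
    out=""
    for g in "$@"; do
        out="${out}${out:+?}ou=users,${base}?subtree?(memberOf=cn=${g},ou=groups,${base})"
    done
    printf '%s\n' "$out"
}

# Private material (key, sssd.conf) must not be readable by group or others:
# succeed only if no group/other permission bit is set (0600, 0400, ...).
mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# The CRT and KEY downloaded from the Admin console must belong together: compare the
# public key embedded in the certificate with the one derived from the private key.
cert_key_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Exercise the same mutual-TLS path sssd uses: client certificate from LDAPTLS_*, TLS 1.3
# disabled as in sssd.conf, anonymous simple bind, base-scope search returning no attributes.
tls_check() {
    LDAPTLS_CERT=$CRT LDAPTLS_KEY=$KEY LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.3' \
        ldapsearch -x -H "$LDAP_URI" -b "$(domain_to_dn "$DOMAIN")" -s base -LLL 1.1 >/dev/null
}

# The memberOf filter is the access control: a member of an allowed group must resolve,
# a Google user outside those groups must not (enumerate=false, so sssd looks each up).
access_check() {
    member=$1; outsider=$2
    getent passwd "$member" >/dev/null || { echo "FAIL: $member does not resolve"; return 1; }
    if getent passwd "$outsider" >/dev/null; then
        echo "FAIL: $outsider resolves although not in an allowed group"; return 1
    fi
    echo "ok:   filter admits $member and rejects $outsider"
}

report() {   # $1 = description, remaining args = command to run
    desc=$1; shift
    if "$@"; then echo "ok:   $desc"; else echo "FAIL: $desc"; fi
}

run_all() {
    report "$KEY not group/world readable" mode_ok "$KEY"
    report "$CONF not group/world readable" mode_ok "$CONF"
    report "certificate and key belong together" cert_key_match "$CRT" "$KEY"
    [ "${ONLINE:-0}" = 1 ] && report "mutual TLS handshake to $LDAP_URI" tls_check
    [ $# -ge 2 ] && access_check "$1" "$2"
    echo "expected ldap_user_search_base for $DOMAIN and groups [$ALLOW_GROUPS]:"
    user_search_base "$(domain_to_dn "$DOMAIN")" $ALLOW_GROUPS
}

# Only touch the host when explicitly asked; the functions can also be sourced individually.
if [ "${1:-}" = run ]; then shift; run_all "$@"; fi
```

A mismatch between CRT and KEY, or a key that is group-readable, are the two mistakes that most often surface only as an opaque TLS failure in the sssd log, so the script checks them before attempting the network. The access check is the one worth repeating after every group change in the Admin console: sssd caches entries, so a user removed from unix-users may keep resolving until the cache expires or is cleared with sss_cache -E.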