openSUSE & SUSE Linux Enterprise

Himmelblau is available for openSUSE Tumbleweed (via the official repositories), and for Leap and SUSE Linux Enterprise via the OBS network:idm repository.

Supported versions

Distribution	Version
openSUSE Tumbleweed	Rolling
openSUSE Leap	15.5, 15.6
SUSE Linux Enterprise 15	SP5, SP6, SP7
SUSE Linux Enterprise 16	GA

Installation

Tumbleweed
Leap 15.6 / SLE 15 SP6
Leap 15.5 / SLE 15 SP5

Himmelblau is in the Tumbleweed distribution repositories. Refresh and install directly:

sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau himmelblau-sso

Add the OBS network:idm repository for Leap 15.6 or SLE 15 SP6, then install:

sudo zypper ar https://download.opensuse.org/repositories/network:/idm/15.6/network:idm.repo
sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau himmelblau-sso

Add the OBS network:idm repository for Leap 15.5 or SLE 15 SP5, then install:

sudo zypper ar https://download.opensuse.org/repositories/network:/idm/15.5/network:idm.repo
sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau himmelblau-sso

You can also download packages manually from the Himmelblau downloads page.

Post-installation setup

Disable nscd

The Name Service Cache Daemon (nscd) conflicts with Himmelblau’s NSS module. Stop and mask it before continuing:

sudo systemctl stop nscd
sudo systemctl disable nscd
sudo systemctl mask nscd

Configure NSS

Copy the system nsswitch.conf template and add himmelblau to the passwd, group, and shadow databases:

sudo cp /usr/etc/nsswitch.conf /etc/nsswitch.conf

Then edit /etc/nsswitch.conf so the three lines read:

passwd:     compat systemd himmelblau
group:      compat systemd himmelblau
shadow:     compat systemd himmelblau

Verify a user resolves correctly after starting the daemon:

getent passwd user@your-tenant.onmicrosoft.com

Configure PAM

On openSUSE and SLE, the pam-himmelblau package installs a pam-config fragment. The PAM stack is managed by pam-config(8), so you typically do not need to edit files by hand. If you need to verify or manually apply the configuration, the installed fragment is located at /usr/share/pam-config/pam_himmelblau.so and includes the following stacks:

Stack	Entry
Auth	`auth sufficient pam_himmelblau.so ignore_unknown_user set_authtok` (priority 800)
Account	`account sufficient pam_himmelblau.so ignore_unknown_user` (priority 300)
Password	`password sufficient pam_himmelblau.so ignore_unknown_user set_authtok` (priority 100)
Session	`session optional pam_himmelblau.so` (priority 2300)

Only modify PAM configuration files directly if you understand the syntax. An incorrect PAM stack can prevent all users from logging in, including root. Test changes in a separate session before closing your current one.

For a complete reference on PAM and NSS configuration, see PAM & NSS setup.

Get Started

Configuration

Authentication

Operations

Platform Guides

openSUSE & SUSE Linux Enterprise

Supported versions

Installation

Post-installation setup

Disable nscd

Configure NSS

Configure PAM

Build docs developers (and LLMs) love

Get Started

Configuration

Authentication

Operations

Platform Guides

​Supported versions

​Installation

​Post-installation setup

​Disable nscd

​Configure NSS

​Configure PAM

Build docs developers (and LLMs) love

Supported versions

Installation

Post-installation setup

Disable nscd

Configure NSS

Configure PAM