====== Configure A System To Use An Existing Authentication Service For User And Group Information ======
**General Information**
Configuring a client to connect to an existing LDAP server.\\
In order to test this, you will need to [[http://www.unixmen.com/configure-freeipa-server-centos-7/|set up a FreeIPA server]] for the client to authenticate to.
----
===== Ways to Configure =====
* authconfig => command line utility; you specify every option on the command line when joining the domain
  * The preferred method to learn.
* authconfig-tui => menu-driven text user interface; select options from a list
  * This method is "technically" deprecated, but will still work.
* authconfig-gtk => GUI utility for domain authentication setup
  * **Do not expect to be able to use a GUI on the exam**.
Two different back-end authentication daemons can be used:
* sssd => System Security Services Daemon
  * This is the preferred/newer daemon. Learn using sssd.
* nslcd => Name Service LDAP Connection Daemon
  * This is the legacy daemon.
  * Requires forcing legacy mode in /etc/sysconfig/authconfig:
<code>
FORCELEGACY=yes
</code>
----
===== authconfig =====
To get a reminder of what options you will need, execute:
<code bash>
authconfig --help | grep ldap
</code>
\\
Configuring LDAP authentication with the authconfig CLI and SSSD.
* Install client packages
<code bash>
yum install sssd
</code>
* Set up authentication
<code bash>
authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update
</code>
  * enableldap => use LDAP for identification (user and group lookups)
  * enableldapauth => use LDAP for authentication
  * ldapserver => the fully qualified name of the IPA server
  * ldapbasedn => the base of the LDAP tree
  * enableldapstarttls => start TLS encryption over the standard LDAP port (tcp/389)
  * enablemkhomedir => let the local system create home directories if they don't exist
  * update => write these changes to the system config files (**the entire command will not do ANYTHING if you forget this option**)
* Copy the IPA CA cert to the local system (you should be given the location to get this from on the exam)
<code bash>
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
</code>
  * Caveat: a .p12 file is a PKCS#12 bundle. Neither "ldap_tls_cacertdir" (which expects hashed PEM files, see cacertdir_rehash) nor "ldap_tls_cacert" reads it, so this copy does not by itself make the trust error below go away. On a FreeIPA server /root/cacert.p12 also carries the CA's private key (protected by the Directory Manager password), so it is not a file to hand out to clients; the public CA certificate alone is /etc/ipa/ca.crt on the server and is also served at http://ipa.example.com/ipa/config/ca.crt.
* Edit /etc/sssd/sssd.conf and add "ldap_tls_reqcert = never" to the "[domain/default]" section, which should end up containing:
<code>
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
</code>
  * If you do not do this, the sssd service will report CA cert trust issues (in the output of "systemctl status sssd -l") because the IPA CA is self-signed and nothing in /etc/openldap/cacerts can be used to verify it.
  * Security caveat: "never" turns off verification of the server certificate, so anyone who can impersonate ipa.example.com (DNS, ARP) can present any certificate and read the bind passwords out of what looks like an encrypted session. It is a lab shortcut. The verified setup is a PEM copy of the IPA CA cert on the client, "ldap_tls_cacert" pointing at it, and "ldap_tls_reqcert" left at its default of "hard" (or "demand").
  * If you can't remember the "ldap_tls_reqcert" line:
    * Look at the **man page of "sssd-ldap"**
<code bash>
man sssd-ldap
</code>
    * Search for "tls_" to view config options and the "Example" section for formatting.
* Restart sssd
<code bash>
systemctl restart sssd
</code>
* You should now be able to authenticate as an LDAP user. Check the lookup with "getent passwd <ldapuser>" and the login with "su - <ldapuser>" rather than assuming it works.
----
===== authconfig-tui =====
Configuring LDAP authentication with authconfig-tui and the SSSD back-end.
* Install client packages
<code bash>
yum install sssd
</code>
* Launch authconfig-tui
<code bash>
authconfig-tui
</code>
* Authentication Configuration box
  * User Information: Select (space-bar) "Use LDAP"
  * Authentication: Select "Use LDAP Authentication"
  * Do not unselect any defaults; Next when done
* LDAP Settings
  * Select "Use TLS"
  * Server: ldap://ipa.example.com
  * Base DN: dc=example,dc=com
  * Ok when done, Ok on the warning screen about copying the CA Cert.
* Copy the IPA CA cert to the local system
<code bash>
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
</code>
* Enable auto creation of home directories
<code bash>
authconfig --update --enablemkhomedir
</code>
* Edit /etc/sssd/sssd.conf and add "ldap_tls_reqcert = never" to the "[domain/default]" section, which should end up containing:
<code>
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
</code>
  * If you do not do this, the sssd service will report CA cert trust issues, because a .p12 bundle in the cacertdir is not something sssd can verify the self-signed IPA CA against.
  * "never" disables server certificate verification (a lab shortcut, not a production setting); with a PEM copy of the IPA CA cert in "ldap_tls_cacert" you can leave "ldap_tls_reqcert" at its default of "hard".
* Restart sssd
<code bash>
systemctl restart sssd
</code>
* You should now be able to authenticate as an LDAP user. Verify with "getent passwd <ldapuser>" and "su - <ldapuser>".
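The two procedures above both end with "ldap_tls_reqcert = never" in /etc/sssd/sssd.conf. The following script is an added example, not part of the original notes: it audits the transport settings of a [domain/...] section the way a reviewer would (encrypted? certificate verified?) and prints a hardened copy. The config text is constructed inline so it runs offline, and the CA file path /etc/openldap/cacerts/ipa-ca.crt is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the TLS settings sssd ends
# up with in /etc/sssd/sssd.conf and print a hardened equivalent.
# Works on constructed config text below, so it runs offline; the CA file path
# handed to harden() is an assumption, not a file the notes create.

# Constructed: the [domain/default] section the authconfig steps produce.
SAMPLE_WEAK='[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
'

# Constructed: the same domain but --enableldapstarttls was forgotten.
SAMPLE_PLAIN='[domain/default]
id_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
'

# sssd_opt CONFIG KEY: print KEY's value from the [domain/...] section
# (everything after the first "=", trimmed); prints nothing if unset.
sssd_opt() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*[#;]/ || NF == 0 { next }
    /^\[/ { in_dom = ($0 ~ /^\[domain\//); next }
    in_dom {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# tls_verdict CONFIG: print "ok" when the session is encrypted AND the server
# certificate must verify; otherwise print the reason and return 1.
tls_verdict() {
  uri=$(sssd_opt "$1" ldap_uri)
  starttls=$(sssd_opt "$1" ldap_id_use_start_tls)
  reqcert=$(sssd_opt "$1" ldap_tls_reqcert)
  case "$uri" in
    ldaps://*) ;;                        # TLS from the first byte (tcp/636)
    ldap://*)
      case "$starttls" in
        [Tt][Rr][Uu][Ee]) ;;             # StartTLS upgrades the tcp/389 session
        *) echo "plaintext: ldap:// without ldap_id_use_start_tls = True"; return 1 ;;
      esac ;;
    *) echo "unexpected ldap_uri: '$uri'"; return 1 ;;
  esac
  # sssd-ldap(5): unset means "hard"; never/allow/try let a bad or missing cert through
  case "${reqcert:-hard}" in
    never|allow|try) echo "unverified: ldap_tls_reqcert = $reqcert does not require a valid server certificate"; return 1 ;;
    demand|hard) echo ok ;;
    *) echo "unknown ldap_tls_reqcert value: $reqcert"; return 1 ;;
  esac
}

# harden CONFIG CA_PEM: swap the (unusable) cacertdir for an explicit PEM CA
# file and require a verified certificate. Assumes CA_PEM exists on the client.
harden() {
  printf '%s\n' "$1" | sed \
    -e 's|^ldap_tls_reqcert[[:space:]]*=.*|ldap_tls_reqcert = demand|' \
    -e "s|^ldap_tls_cacertdir[[:space:]]*=.*|ldap_tls_cacert = $2|"
}

printf 'weak:     %s\n' "$(tls_verdict "$SAMPLE_WEAK")"
printf 'plain:    %s\n' "$(tls_verdict "$SAMPLE_PLAIN")"
printf 'hardened: %s\n' "$(tls_verdict "$(harden "$SAMPLE_WEAK" /etc/openldap/cacerts/ipa-ca.crt)")"
```

To run it against a real host, replace the constructed strings with `"$(cat /etc/sssd/sssd.conf)"`; the verdict for the notes' configuration is "unverified", and only a PEM CA file plus `demand`/`hard` gets it to "ok".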
----
===== GUI method: authconfig-gtk =====
**Documented for educational purposes...do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method**
\\
LDAP authentication via GUI setup and the nslcd back-end.
* Install the authconfig GUI
<code bash>
yum -y install authconfig-gtk
</code>
* Open the GUI app: Applications > Sundry > Authentication
* On the "Identity & Authentication" tab, set User Account Database to LDAP from the drop-down
  * This will display an extra required package, "nss-pam-ldapd". Click the "Install" button, or close the app and install it from a terminal. After "nss-pam-ldapd" is in place, reopen the Authentication app; it will ask for one more package, "pam_krb5". Install that as well.
<code bash>
yum install -y nss-pam-ldapd
yum install -y pam_krb5
</code>
* Identity & Authentication tab
  * User Account Database: LDAP
  * LDAP Search Base DN: dc=example,dc=com
  * LDAP Server: ldap://ipa.example.com
  * Check "Use TLS to encrypt connections"
  * Click "Download CA Certificate..."
    * Enter the URL of the CA cert. Example: ftp://ipa.example.com/pub/cacert.p12
    * Click Ok
* Advanced Options tab
  * Other Authentication Options: Check "Create home directories on the first login"
* Password Options tab
  * Change any password property requirements
* Click Apply
* Edit /etc/nslcd.conf and add
<code>
tls_reqcert never
</code>
  * As with sssd, this disables verification of the server certificate and is only a lab shortcut; the verified alternative is to leave "tls_reqcert" at "demand" and point "tls_cacertfile" at a PEM copy of the IPA CA certificate.
* Restart nslcd
<code bash>
systemctl restart nslcd
</code>
* Authentication via LDAP will now work.
----
===== AutoFS and NFS Share =====
Auto mounting NFS shared user home directories.
\\
Install AutoFS and the NFS utilities
<code bash>
yum -y install autofs nfs-utils
</code>
\\
Create a new master map file in /etc/auto.master.d/ that hands /home/users over to the /etc/auto.home map
<code bash>
vim /etc/auto.master.d/home.autofs
</code>
<code>
# For sub directories of /home/users, look at /etc/auto.home for mappings
/home/users /etc/auto.home
</code>
* In EL7, the "/etc/auto.master" file is part of the RPM; an update to the autofs package could overwrite changes you make, so create your own master map file under /etc/auto.master.d/ (the shipped auto.master pulls that directory in with "+dir:/etc/auto.master.d"). The name does not matter, as long as it ends in ".autofs".
\\
Configure the indirect map file that the master map points at
<code bash>
vim /etc/auto.home
</code>
<code>
# For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/&
* -rw myserver.com:/nfsshare/&
</code>
* "*" is assigned the directory that is accessed. If someone tries to access "/home/users/luke", the "*" value is "luke".
* The "&" in the remote server line is replaced by the key in the first column (*). So if someone accesses "/home/users/luke", the remote system (myserver.com) gets a mount request for "/nfsshare/luke".
\\
Ensure autofs is started and enabled at boot
<code bash>
systemctl start autofs
systemctl enable autofs
</code>
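To see the "*" and "&" rules above applied, here is an added example that is not part of the original notes: a small shell model of how automount resolves a path below the /home/users indirect mount against an auto.home map, including the rule that an explicit key entry wins over the wildcard. The map text is constructed inline (the "fred" entry and its "soft" option are assumptions added for the example), so it runs offline without autofs or an NFS server.

```shell
#!/bin/sh
# Added example (not from the original notes): model how automount resolves a
# path under the indirect mount /home/users -> /etc/auto.home, including the
# "*" wildcard key and "&" substitution. The map below is constructed; the
# explicit "fred" entry and its soft option are assumptions for the example.

MOUNT_POINT=/home/users

# Constructed stand-in for /etc/auto.home: one explicit key plus the wildcard.
AUTO_HOME='# explicit key: fred lives somewhere else and mounts soft
fred  -rw,soft  myserver.com:/nfsshare/fred_home
# everything else: "*" is the accessed name, "&" repeats it on the server side
*     -rw       myserver.com:/nfsshare/&
'

# map_key PATH: the first path component below MOUNT_POINT, or fail.
# automount only looks at that component; deeper parts are inside the mount.
map_key() {
  case "$1" in
    "$MOUNT_POINT"/?*) ;;
    *) echo "$1 is not below $MOUNT_POINT" >&2; return 1 ;;
  esac
  key=${1#"$MOUNT_POINT"/}
  printf '%s\n' "${key%%/*}"
}

# resolve_home PATH: print "<options> <server:/export>" as automount would
# mount it. An explicit key beats "*", and "&" expands to the key in either.
resolve_home() {
  key=$(map_key "$1") || return 1
  printf '%s\n' "$AUTO_HOME" | awk -v key="$key" '
    /^[ \t]*#/ || NF == 0 { next }
    { loc = $NF; opts = (NF >= 3) ? $2 : "-" }      # options column is optional
    $1 == key        { out = opts " " loc; exit }    # explicit entry wins
    $1 == "*" && !w  { w = 1; wild = opts " " loc }  # first wildcard is remembered
    END {
      if (out == "") out = wild
      if (out == "") { print "no map entry for key " key > "/dev/stderr"; exit 1 }
      gsub(/&/, key, out); print out
    }'
}

printf '%s -> %s\n' /home/users/luke      "$(resolve_home /home/users/luke)"
printf '%s -> %s\n' /home/users/fred/.ssh "$(resolve_home /home/users/fred/.ssh)"
```

On a real client the equivalent check is `automount -m`, which dumps every master map entry and the parsed keys of each map, and `ls /home/users/luke`, which triggers the mount itself.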
----