linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information

This is an old revision of the document!


Configure A System To Use An Existing Authentication Service For User And Group Information

General Information

Configuring a client to connect to an existing LDAP server.
In order to test this, you will need to set up a FreeIPA server for the client to authenticate to.


Ways to Configure

  • authconfig ⇒ command-line utility; you must specify every option on the command line when joining the domain
  • authconfig-tui ⇒ menu-driven text user interface; select options from a list
  • authconfig-gtk ⇒ GUI utility for domain authentication setup
    • Do not expect to be able to use a GUI on the exam.

Two different back-end authentication daemons can be used:

  • sssd ⇒ System Security Services Daemon
    • This is the preferred/newer daemon
  • nslcd ⇒ Name Service LDAP Connection Daemon
    • This is the legacy daemon
    • Requires legacy mode to be forced in /etc/sysconfig/authconfig:
      FORCELEGACY=yes

To get a reminder of what commands you will need, execute:

authconfig --help | grep ldap


Configuring LDAP authentication with authconfig cli and SSSD.

  • Install client packages
    yum install sssd
  • Setup authentication
    authconfig --enableldap --enableldapauth --enableldapstarttls --ldapserver="ldap://ipa.example.com" --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
    • enableldap ⇒ use ldap for identification
    • enableldapauth ⇒ use ldap for authentication
    • enableldapstarttls ⇒ start TLS encryption over the standard ldap port (tcp/389)
    • ldapserver ⇒ the LDAP server FQDN with the “ldap://” protocol prefix
    • ldapbasedn ⇒ the base of the LDAP tree
    • enablemkhomedir ⇒ allow the local system to create home directories if they don't exist
    • update ⇒ write these changes to the system config files (the entire command does NOTHING if you forget this option)
  • Copy the IPA CA cert to the local system
    scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
  • Edit /etc/sssd/sssd.conf and add “ldap_tls_reqcert = never” in the “domain/default” section, so that it reads:
    ldap_uri = ldap://ipa.example.com
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_reqcert = never
    • If you do not do this, the sssd service will report CA cert trust issues in the output of “systemctl status sssd” (the IPA CA is self-signed); “never” tells sssd to skip verifying the server certificate.
  • Restart sssd
    systemctl restart sssd
  • You should now be able to authenticate as an LDAP user.


authconfig-tui

Configuring LDAP authentication with authconfig-tui and the SSSD back-end.

  • Install client packages
    yum install sssd
  • Launch authconfig-tui
    authconfig-tui
  • Authentication Configuration box
    • User Information: select (space-bar) “Use LDAP”
    • Authentication: select “Use LDAP Authentication”
    • Do not unselect any defaults; Next when done
  • LDAP Settings
    • Select “Use TLS”
    • Server: ldap://ipa.example.com
    • Base DN: dc=example,dc=com
    • Ok when done, Ok on the warning screen about copying the CA cert
  • Copy the IPA CA cert to the local system
    scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
  • Enable auto creation of home directories
    authconfig --update --enablemkhomedir
  • Edit /etc/sssd/sssd.conf and add “ldap_tls_reqcert = never” in the “domain/default” section, so that it reads:
    ldap_uri = ldap://ipa.example.com
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_reqcert = never
    • If you do not do this, the sssd service will report CA cert trust issues.
  • Restart sssd
    systemctl restart sssd
  • You should now be able to authenticate as an LDAP user.


GUI method: authconfig-gtk

LDAP authentication via GUI setup and the nslcd back-end.

  • Install the authconfig GUI
    yum -y install authconfig-gtk
  • Open the GUI app: Applications > Sundry > Authentication
  • On the “Identity & Authentication” tab:
    • User Account Database: select LDAP from the drop-down
    • This will display an extra package that is required, “nss-pam-ldapd”
    • Click the “Install” button to install this package, or close and install from a terminal. An additional package is also required, “pam_krb5”.
      yum install -y nss-pam-ldapd
      yum install -y pam_krb5
    • Note: after installing “nss-pam-ldapd”, reopen the Authentication app. You will see the next required package, “pam_krb5”. Install that as well.
  • Identity & Authentication tab
    • User Account Database: LDAP
    • LDAP Search Base DN: dc=example,dc=com
    • LDAP Server: ldap://ipa.example.com
    • Check “Use TLS to encrypt connections”
    • Click “Download CA Certificate…”
    • Enter the URL of the CA cert, for example: ftp://ipa.example.com/pub/cacert.p12
    • Click Ok
  • Advanced Options tab
    • Other Authentication Options: check “Create home directories on the first login”
  • Password Options tab
    • Change any password property requirements
  • Click Apply
  • Edit /etc/nslcd.conf and add
    tls_reqcert never
  • Restart nslcd
    systemctl restart nslcd
  • Authentication via LDAP will now work.


AutoFS and NFS Share

Auto-mounting NFS-shared user home directories.

  • Install AutoFS and NFS utils
    yum -y install autofs nfs-utils
  • Create a new master autofs file in /etc/auto.master.d/ that points to the /etc/auto.home map
    vim /etc/auto.master.d/home.autofs
    /home/users /etc/auto.home
    • In EL7, the “/etc/auto.master” file is part of the RPM; any update to the autofs package could overwrite changes you make, so it is recommended to create your own master map file under /etc/auto.master.d/. The name does not matter, as long as it ends in “.autofs”.
  • Configure the new autofs indirect map file
    vim /etc/auto.home
    * -rw myserver.com:/nfsshare/&
    • The “&” is replaced by the key in the first column (“*”)
    • “*” is assigned the value that triggered the access. If someone tries to access /home/users/luke, then “luke” is the value of the key in the first column (“*”), and the share mounted is myserver.com:/nfsshare/luke
  • Ensure autofs is started and enabled at boot
    systemctl start autofs && systemctl enable autofs
  • Configure sshd to allow LDAP logins and restart sshd
    vim /etc/pam.d/sshd
    auth sufficient pam_ldap.so
    auth sufficient pam_permit.so
    systemctl restart sshd
    • Note that pam_permit.so unconditionally returns success; with the “sufficient” control flag, the auth stack therefore succeeds at that line regardless of what pam_ldap.so returned (provided no earlier “required” module has already failed).
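The “*”/“&” substitution in the indirect map above, worked through as an added example that is not part of the wiki page: the map text, the mount point and the accessed paths are constructed here, and the parser handles an explicit key beside the page's wildcard entry so that the precedence rule is visible.

```python
"""Resolve autofs indirect-map lookups the way /etc/auto.home on the page does.

Added example (not from the wiki page).  It parses a constructed indirect map
and shows how the wildcard key "*" and the "&" placeholder turn an accessed
path such as /home/users/luke into myserver.com:/nfsshare/luke.
"""

# Constructed sample map: one explicit key plus the page's wildcard entry.
SAMPLE_AUTO_HOME = """\
# /etc/auto.home (constructed sample)
admin   -rw,soft   myserver.com:/nfsshare/adminhome
*       -rw        myserver.com:/nfsshare/&
"""


def parse_indirect_map(text):
    """Return a list of (key, options, location) tuples from an autofs map.

    Each non-comment line is: key [-options] location.  Options are optional
    and always start with '-'; everything after them is the location.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key = fields[0]
        if len(fields) > 2 and fields[1].startswith("-"):
            options, location = fields[1], " ".join(fields[2:])
        else:
            options, location = "", " ".join(fields[1:])
        entries.append((key, options, location))
    return entries


def resolve(map_text, mount_point, accessed_path):
    """Map an accessed path under mount_point to (options, nfs_location).

    The key is the first path component below the mount point.  An explicit
    key wins; otherwise the '*' wildcard matches and every '&' in the
    location is replaced by the key.  Returns None when nothing matches.
    """
    prefix = mount_point.rstrip("/") + "/"
    if not accessed_path.startswith(prefix):
        return None
    key = accessed_path[len(prefix):].split("/", 1)[0]
    if not key:
        return None
    entries = parse_indirect_map(map_text)
    # Explicit keys take precedence over the wildcard.
    for k, options, location in entries:
        if k == key:
            return options, location.replace("&", key)
    for k, options, location in entries:
        if k == "*":
            return options, location.replace("&", key)
    return None


if __name__ == "__main__":
    for path in ("/home/users/luke", "/home/users/admin/.ssh", "/srv/luke"):
        print(path, "->", resolve(SAMPLE_AUTO_HOME, "/home/users", path))
```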
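The effect of the two pam.d/sshd lines in the last step, simulated as an added example that is not part of the wiki page. The in-memory directory, the user names and passwords, and the hardened variant (pam_deny.so instead of pam_permit.so) are constructed here; the simulator implements only Linux-PAM's classic control flags and evaluates just the lines shown, not the rest of the sshd stack that a real system also consults.

```python
"""Simulate how Linux-PAM evaluates the two 'auth' lines the page adds to
/etc/pam.d/sshd.

Added example, not from the wiki page.  Assumes the classic control flags
(required, requisite, sufficient, optional) and models pam_ldap.so with a
constructed in-memory directory.
"""

# Constructed: the two lines the page appends to /etc/pam.d/sshd.
PAGE_SSHD_LINES = """\
auth sufficient pam_ldap.so
auth sufficient pam_permit.so
"""

# Constructed hardened variant: fall through to pam_deny.so instead of pam_permit.so.
HARDENED_SSHD_LINES = """\
auth sufficient pam_ldap.so
auth required   pam_deny.so
"""

# Constructed stand-in for the LDAP directory: user -> password.
LDAP_USERS = {"luke": "s3cret"}


def parse_pam_stack(text, facility="auth"):
    """Return [(control, module), ...] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1].lower(), fields[2]))
    return stack


def module_result(module, user, password):
    """Toy verdict for each module (True means PAM_SUCCESS)."""
    if module == "pam_permit.so":
        return True                       # always succeeds, by design
    if module == "pam_deny.so":
        return False                      # always fails, by design
    if module == "pam_ldap.so":
        return LDAP_USERS.get(user) == password
    return False                          # unknown modules fail closed here


def run_auth_stack(stack, user, password):
    """Evaluate the stack with Linux-PAM's classic control-flag rules."""
    # None: undecided, True: success so far, False: a required module failed
    impression = None
    for control, module in stack:
        ok = module_result(module, user, password)
        if control == "required":
            impression = (impression is not False) if ok else False
        elif control == "requisite":
            if not ok:
                return False              # abort the stack immediately
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True               # short-circuit: success now
        elif control == "optional":
            pass                          # not decisive when other modules exist
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return impression is True             # nothing decided means denial


def ssh_auth_allowed(pam_text, user, password):
    """True when the given pam.d lines would let this user/password through."""
    return run_auth_stack(parse_pam_stack(pam_text), user, password)


if __name__ == "__main__":
    for label, text in (("page", PAGE_SSHD_LINES), ("hardened", HARDENED_SSHD_LINES)):
        for user, pw in (("luke", "s3cret"), ("luke", "wrong"), ("nobody", "")):
            print(f"{label:8} {user}/{pw!r}: {ssh_auth_allowed(text, user, pw)}")
```

Where these lines land relative to the distribution's existing `auth substack password-auth` changes the outcome on a real system; the simulation covers only the lines the page shows.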
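Stepping back to the sssd.conf edit in the authconfig and authconfig-tui sections and the nslcd.conf edit in the GUI section: both set the certificate check to never. The following audit script is an added example, not from the wiki page, that reads configs in those two formats and reports settings which skip server-certificate verification or leave the bind in cleartext. The config texts are constructed samples; the hardened sssd variant assumes the IPA CA certificate has been extracted from cacert.p12 to a PEM file at a hypothetical path (/etc/openldap/cacerts/ipa-ca.pem).

```python
"""Audit TLS settings in sssd.conf and nslcd.conf style LDAP client configs.

Added example, not from the wiki page.  sssd.conf is INI-style (parsed with
configparser); nslcd.conf is 'key value' lines.  Findings are returned as
plain strings so the function can feed a compliance check.
"""
import configparser

WEAK_REQCERT = {"never", "allow"}   # reqcert values that skip verification

# Constructed sample mirroring the page's [domain/default] edit.
SSSD_AS_ON_PAGE = """\
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
"""

# Constructed hardened variant: verify the server against a PEM copy of the
# IPA CA (hypothetical path) and demand a valid certificate.
SSSD_HARDENED = """\
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/cacerts/ipa-ca.pem
ldap_tls_reqcert = demand
"""

# Constructed sample mirroring the page's nslcd.conf edit.
NSLCD_AS_ON_PAGE = """\
uri ldap://ipa.example.com
base dc=example,dc=com
ssl start_tls
tls_reqcert never
"""


def audit_sssd(text):
    """Return findings for every [domain/...] section of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()  # unset: sssd default 'hard'
        if reqcert in WEAK_REQCERT:
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} disables server certificate verification")
        uri = dom.get("ldap_uri", "").strip().lower()
        starttls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if uri.startswith("ldap://") and not starttls:
            findings.append(f"{section}: ldap_uri is plain ldap:// and ldap_id_use_start_tls is not True (cleartext)")
    return findings


def audit_nslcd(text):
    """Return findings for an nslcd.conf text ('key value' per line)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    findings = []
    reqcert = settings.get("tls_reqcert", ["demand"])[0].lower()  # unset: libldap default 'demand'
    if reqcert in WEAK_REQCERT:
        findings.append(f"tls_reqcert {reqcert} disables server certificate verification")
    uris = [u.lower() for u in settings.get("uri", [])]
    ssl_mode = settings.get("ssl", ["off"])[0].lower()
    if any(u.startswith("ldap://") for u in uris) and ssl_mode != "start_tls":
        findings.append("uri is plain ldap:// and 'ssl start_tls' is not set (cleartext)")
    return findings


if __name__ == "__main__":
    print("sssd (page):    ", audit_sssd(SSSD_AS_ON_PAGE))
    print("sssd (hardened):", audit_sssd(SSSD_HARDENED))
    print("nslcd (page):   ", audit_nslcd(NSLCD_AS_ON_PAGE))
```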
  • linux_wiki/configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information.1457214944.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)