linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information

linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2016/03/05 16:52]
billdozor [authconfig]
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2018/03/20 23:38]
billdozor [AutoFS and NFS Share]
Line 4: Line 4:
  
 Configuring a client to connect to an existing LDAP server.\\ Configuring a client to connect to an existing LDAP server.\\
-In order to test this, you will need to setup a FreeIPA server for the client to authenticate to.+In order to test this, you will need to [[http://www.unixmen.com/configure-freeipa-server-centos-7/|setup a FreeIPA server]] for the client to authenticate to.
  
 ---- ----
  
-====== Ways to Configure ======+===== Ways to Configure =====
  
   * authconfig => command line utility that you have to specify all command line options when joining the domain   * authconfig => command line utility that you have to specify all command line options when joining the domain
 +    * The preferred method to learn.
   * authconfig-tui => menu drive text user interface, select options from a list   * authconfig-tui => menu drive text user interface, select options from a list
 +    * This method is "technically" deprecated, but will still work.
   * authconfig-gtk => GUI utility for domain authentication setup   * authconfig-gtk => GUI utility for domain authentication setup
     * **Do not expect to be able to use a GUI on the exam**.     * **Do not expect to be able to use a GUI on the exam**.
Line 17: Line 19:
 Two different back-end authentication daemons can be used: Two different back-end authentication daemons can be used:
   * sssd => System Security Services Daemon   * sssd => System Security Services Daemon
-    * This is the preferred/newer daemon+    * This is the preferred/newer daemon. Learn using sssd.
   * nslcd => Name Service LDAP Connection Daemon   * nslcd => Name Service LDAP Connection Daemon
     * This is the legacy daemon     * This is the legacy daemon
Line 24: Line 26:
 ---- ----
  
-==== authconfig ====+===== authconfig =====
  
 To get a reminder of what commands you will need, execute:<code bash>authconfig --help | grep ldap</code> To get a reminder of what commands you will need, execute:<code bash>authconfig --help | grep ldap</code>
Line 32: Line 34:
  
   * Install client packages<code bash>yum install sssd</code>   * Install client packages<code bash>yum install sssd</code>
-  * Setup authentication<code bash>authconfig --enableldap --enableldapauth --enableldapstarttls --ldapserver="ldap://ipa.example.com" --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update</code> +  * Setup authentication<code bash>authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update</code> 
-  * Copy the IPA CA cert to the local system<code bash>scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/</code>+    * enableldap => use ldap for identification 
 +    * enableldapauth => use ldap for authentication 
 +    * ldapserver => the fully qualified name of the IPA server 
 +    * ldapbasedn => the base of the ldap tree 
 +    * enableldapstarttls => start TLS encryption over the standard ldap port (tcp/389) 
 +    * enablemkhomedir => allow the local system to create home directories if they don't exist 
 +    * update => update system config files with these changes. (**the entire command will not do ANYTHING if you forget this option**) 
 +  * Copy the IPA CA cert to the local system(you should be given the location to get this from on the exam)<code bash>scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/</code>
   * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section<code bash>ldap_uri = ldap://ipa.example.com   * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section<code bash>ldap_uri = ldap://ipa.example.com
 ldap_id_use_start_tls = True ldap_id_use_start_tls = True
 ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_cacertdir = /etc/openldap/cacerts
 ldap_tls_reqcert = never</code> ldap_tls_reqcert = never</code>
-    * If you do not do this, the sssd service will report ca cert trust issues.+    * If you do not do this, the sssd service will report ca cert trust issues (in the output of "systemctl status sssd -l" due to a self-signed cert). 
 +    * If you can't remember the "ldap_tls_reqcert" line: 
 +      * Look at the **man page of "sssd-ldap"**<code bash>man sssd-ldap</code> 
 +      * Search for "tls_" to view config options and the "Example" section for formatting. 
   * Restart sssd<code bash>systemctl restart sssd</code>   * Restart sssd<code bash>systemctl restart sssd</code>
   * You should now be able to authenticate as a LDAP user.   * You should now be able to authenticate as a LDAP user.
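Review bot: the `ldap_tls_reqcert = never` line added in the sssd.conf step disables verification of the IPA server's certificate, so the STARTTLS enabled with `--enableldapstarttls` in the same hunk no longer protects against a spoofed LDAP server, and the CA copy step above it becomes pointless. Since the CA is already being placed in /etc/openldap/cacerts, the safer fix for the self-signed trust error is to keep verification on (`ldap_tls_reqcert = demand`, equivalent to the `hard` default) and make the CA usable: `ldap_tls_cacertdir` expects PEM certificates with hash symlinks (run `cacertdir_rehash /etc/openldap/cacerts` after copying), not the PKCS#12 `cacert.p12` file shown in the scp line, and on an IPA server the PEM copy of the CA is /etc/ipa/ca.crt; alternatively point `ldap_tls_cacert` at that PEM file. Both options are documented in the `man sssd-ldap` page this hunk already references.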
Line 44: Line 57:
 ---- ----
  
-==== authconfig-tui ====+===== authconfig-tui =====
  
 Configuring LDAP authentication with authconfig-tui and SSSD back-end. Configuring LDAP authentication with authconfig-tui and SSSD back-end.
Line 71: Line 84:
 ---- ----
  
-==== GUI method: authconfig-gtk ====+===== GUI method: authconfig-gtk =====
  
 +**Documented for educational purposes...do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method**
 +
 +\\
 LDAP authentication via GUI setup and nslcd back-end. LDAP authentication via GUI setup and nslcd back-end.
  
Line 110: Line 126:
 ---- ----
  
-==== AutoFS and NFS Share ====+===== AutoFS and NFS Share =====
  
 Auto mounting NFS shared user home directories. Auto mounting NFS shared user home directories.
  
 +\\
 Install AutoFS and NFS utils Install AutoFS and NFS utils
 <code bash> <code bash>
Line 120: Line 137:
  
 \\ \\
-Create a new Master autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config+Create a new Master Map autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config
 <code bash> <code bash>
 vim /etc/auto.master.d/home.autofs vim /etc/auto.master.d/home.autofs
  
 +# For sub directories of /home/users, look at /etc/auto.home for mappings
 /home/users /etc/auto.home /home/users /etc/auto.home
 </code> </code>
Line 129: Line 147:
  
 \\ \\
-Configure the new autofs indirect mount file+Configure the new autofs indirect mappings mount file
 <code bash> <code bash>
 vim /etc/auto.home vim /etc/auto.home
  
 +# For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/&
 *  -rw  myserver.com:/nfsshare/& *  -rw  myserver.com:/nfsshare/&
 </code> </code>
-  * The "&" is replaced by the key in the first column (*) +  * "*" is assigned the directory that is accessed. If someone tried to access "/home/users/luke"the "*" value is "luke"
-  * "*" is assigned the value that triggered access. If someone tried to access /home/users/luke, then "luke" will be the value of the key in the first column ("*")+  * The "&" in the remote server line is replaced by the key in the first column (*). So if someone accesses "/home/users/luke", the remote system (myserver.comgets an access attempt to "/nfsshare/luke"
  
 \\ \\
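Review bot: two typos in the rewritten bullets: `"/home/users/luke"the` is missing a space and a comma (`"/home/users/luke", the "*" value is "luke"`), and `myserver.comgets` is missing the closing parenthesis and a space (`(myserver.com) gets`). Also, the `-rw` wildcard map mounts every user's home read/write with default options; consider `-rw,nosuid` so a setuid binary placed on the NFS share cannot be used to escalate on the client.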
Line 142: Line 161:
 <code bash> <code bash>
 systemctl start autofs && systemctl enable autofs systemctl start autofs && systemctl enable autofs
-</code> 
- 
-\\ 
-Configure sshd to allow ldap logins and restart sshd 
-<code bash> 
-vim /etc/pam.d/sshd 
- 
-auth  sufficient  pam_ldap.so 
-auth  sufficient  pam_permit.so 
- 
-systemctl restart sshd 
 </code> </code>
  
 ---- ----
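Review bot: removing this block is the right call and the reason deserves a sentence in the page: `auth sufficient pam_permit.so` placed before the stack's required modules makes the auth phase of /etc/pam.d/sshd succeed for every user without a valid password, so the old instructions would have opened SSH to anyone. The manual edit was also unnecessary: `authconfig --update` from the earlier step rewrites the system-auth/password-auth stacks that sshd's PAM file includes, which is how LDAP logins reach sshd.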
  
  • linux_wiki/configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)