====== Configure A System To Use An Existing Authentication Service For User And Group Information ======

**General Information**

Configuring a client to connect to an existing LDAP server.\\
In order to test this, you will need to [[http://www.unixmen.com/configure-freeipa-server-centos-7/|setup a FreeIPA server]] for the client to authenticate to.

----

===== Ways to Configure =====

  * authconfig => command line utility; you have to specify all options on the command line when joining the domain
    * The preferred method to learn.
  * authconfig-tui => menu-driven text user interface; select options from a list
    * This method is "technically" deprecated, but will still work.
  * authconfig-gtk => GUI utility for domain authentication setup
    * **Do not expect to be able to use a GUI on the exam**.

Two different back-end authentication daemons can be used:

  * sssd => System Security Services Daemon
    * This is the preferred/newer daemon. Learn using sssd.
  * nslcd => Name Service LDAP Connection Daemon
    * This is the legacy daemon.
    * Requires force-legacy mode to be set in /etc/sysconfig/authconfig: ''FORCELEGACY=yes''

----

===== authconfig =====

To get a reminder of what options you will need, execute:
<code bash>
authconfig --help | grep ldap
</code>

Configuring LDAP authentication with the authconfig CLI and SSSD.

  * Install client packages:
<code bash>
yum install sssd
</code>
  * Setup authentication:
<code bash>
authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update
</code>
    * enableldap => use LDAP for identification
    * enableldapauth => use LDAP for authentication
    * ldapserver => the fully qualified name of the IPA server
    * ldapbasedn => the base of the LDAP tree
    * enableldapstarttls => start TLS encryption over the standard LDAP port (tcp/389)
    * enablemkhomedir => allow the local system to create home directories if they don't exist
    * update => update system config files with these changes
    * (**the entire command will not do ANYTHING if you forget this option**)
  * Copy the IPA CA cert to the local system (you should be given the location to get this from on the exam):
<code bash>
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
</code>
  * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section:
<code>
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
</code>
    * If you do not do this, the sssd service will report CA cert trust issues (in the output of "systemctl status sssd -l") due to a self-signed cert.
    * Note that "never" switches off verification of the server certificate: the connection is still encrypted, but the client no longer checks that it is talking to the real IPA server.
    * If you can't remember the "ldap_tls_reqcert" line:
      * Look at the **man page of "sssd-ldap"**: ''man sssd-ldap''
      * Search for "tls_" to view the config options, and the "Example" section for formatting.
  * Restart sssd:
<code bash>
systemctl restart sssd
</code>
  * You should now be able to authenticate as an LDAP user.

----

===== authconfig-tui =====

Configuring LDAP authentication with authconfig-tui and the SSSD back-end.

  * Install client packages:
<code bash>
yum install sssd
</code>
  * Launch authconfig-tui:
<code bash>
authconfig-tui
</code>
  * Authentication Configuration box
    * User Information: Select (space-bar) "Use LDAP"
    * Authentication: Select "Use LDAP Authentication"
    * Do not unselect any defaults; Next when done
  * LDAP Settings
    * Select "Use TLS"
    * Server: ldap://ipa.example.com
    * Base DN: dc=example,dc=com
    * Ok when done, Ok on the warning screen about copying the CA Cert.
  * Copy the IPA CA cert to the local system:
<code bash>
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
</code>
  * Enable auto creation of home directories:
<code bash>
authconfig --update --enablemkhomedir
</code>
  * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section:
<code>
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
</code>
    * If you do not do this, the sssd service will report CA cert trust issues.
  * Restart sssd:
<code bash>
systemctl restart sssd
</code>
  * You should now be able to authenticate as an LDAP user.
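Both the authconfig and the authconfig-tui walkthroughs above end with "ldap_tls_reqcert = never" in /etc/sssd/sssd.conf, which makes sssd accept any certificate the LDAP server presents. The script below is an added example, not part of the original page or of the sssd project: it audits every [domain/...] section of an sssd.conf for that setting and rewrites a weak value to "demand" while pointing sssd at a CA file (the option name ldap_tls_cacert is real; the sample config and the CA path /etc/openldap/cacerts/ipa-ca.pem are constructed).

```shell
#!/bin/bash
# Added example (not from the original page): audit and harden the TLS settings that the
# authconfig / authconfig-tui steps write into /etc/sssd/sssd.conf.
# ldap_tls_reqcert values "never", "allow" and "try" mean the client does not insist on a
# valid server certificate; "demand"/"hard" (the default) do. Sample config is constructed.

# audit_sssd_tls FILE
# Prints "<section> reqcert=<value> <OK|WEAK>" for each [domain/...] section.
# Returns 1 if any domain accepts an unverified LDAP server certificate.
audit_sssd_tls() {
    awk '
    function report() {
        if (section == "") return
        shown = (reqcert == "") ? "hard(default)" : reqcert
        verdict = (reqcert == "never" || reqcert == "allow" || reqcert == "try") ? "WEAK" : "OK"
        if (verdict == "WEAK") weak = 1
        printf "%s reqcert=%s %s\n", section, shown, verdict
    }
    /^[[:space:]]*\[/ {
        report()                                   # finish the previous section first
        section = $0
        sub(/^[[:space:]]*\[/, "", section)
        sub(/][[:space:]]*$/, "", section)
        if (section !~ /^domain\//) section = ""   # ldap_* options only live in domain sections
        reqcert = ""
        next
    }
    /^[[:space:]]*ldap_tls_reqcert[[:space:]]*=/ {
        value = $0
        sub(/^[^=]*=[[:space:]]*/, "", value)
        sub(/[[:space:]]+$/, "", value)
        reqcert = tolower(value)
    }
    END { report(); exit weak }
    ' "$1"
}

# harden_sssd_tls FILE CA_PEM
# Replaces the ldap_tls_reqcert line with "demand" and, if the file has no ldap_tls_cacert
# yet, adds one pointing at CA_PEM so sssd can verify the server instead of skipping the check.
harden_sssd_tls() {
    have_ca=0
    grep -Eq '^[[:space:]]*ldap_tls_cacert[[:space:]]*=' "$1" && have_ca=1
    awk -v ca="$2" -v have_ca="$have_ca" '
    /^[[:space:]]*ldap_tls_reqcert[[:space:]]*=/ {
        print "ldap_tls_reqcert = demand"
        if (!have_ca) print "ldap_tls_cacert = " ca
        next
    }
    { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_sample_conf FILE: constructed sssd.conf mirroring the domain/default lines on the page
make_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
EOF
}

# Walk-through: audit the weak config, harden it, audit again.
demo() {
    f=$(mktemp)
    make_sample_conf "$f"
    audit_sssd_tls "$f" || echo "-> weak TLS setting found, hardening"
    harden_sssd_tls "$f" /etc/openldap/cacerts/ipa-ca.pem   # constructed CA path
    audit_sssd_tls "$f"
    grep '^ldap_tls_' "$f"
    rm -f "$f"
}
demo
```

Run it against a real /etc/sssd/sssd.conf only with audit_sssd_tls; the hardening step assumes the CA certificate has already been converted to PEM and copied to the path you pass, otherwise sssd will (correctly) refuse the connection after the change.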
----

===== GUI method: authconfig-gtk =====

**Documented for educational purposes...do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method** \\
LDAP authentication via GUI setup and the nslcd back-end.

Install the authconfig GUI:
<code bash>
yum -y install authconfig-gtk
</code>

Open the GUI app:
  * Applications > Sundry > Authentication
  * On the "Identity & Authentication" tab:
    * User Account Database: Select LDAP from the drop-down
    * This will display an extra package that is required, "nss-pam-ldapd"
    * Click the "Install" button to install this package, or close and install from a terminal. An additional package is required, "pam_krb5".
<code bash>
yum install -y nss-pam-ldapd
yum install -y pam_krb5
</code>
  * Note: After installing "nss-pam-ldapd", reopen the Authentication app. You will see the next required package, "pam_krb5". Install that as well.
  * Identity & Authentication tab
    * User Account Database: LDAP
    * LDAP Search Base DN: dc=example,dc=com
    * LDAP Server: ldap://ipa.example.com
    * Check "Use TLS to encrypt connections"
    * Click "Download CA Certificate..."
      * Enter the URL of the CA cert. Example: ftp://ipa.example.com/pub/cacert.p12
      * Click Ok
  * Advanced Options tab
    * Other Authentication Options: Check "Create home directories on the first login"
  * Password Options tab
    * Change any password property requirements
  * Click Apply
  * Edit /etc/nslcd.conf and add:
<code>
tls_reqcert never
</code>
  * Restart nslcd:
<code bash>
systemctl restart nslcd
</code>
  * Authentication via LDAP will now work.

----

===== AutoFS and NFS Share =====

Auto mounting NFS shared user home directories.
Install AutoFS and NFS utils:
<code bash>
yum -y install autofs nfs-utils
</code>

Create a new master map autofs file in /etc/auto.master.d/ and have it point to the /etc/auto.home config:
<code bash>
vim /etc/auto.master.d/home.autofs
</code>
<code>
# For sub directories of /home/users, look at /etc/auto.home for mappings
/home/users /etc/auto.home
</code>
  * In EL7, the "/etc/auto.master" file is part of the RPM; any update to the autofs package could overwrite changes you make, so it is recommended to create your own master map file under /etc/auto.master.d/. The name does not matter, as long as it ends in ".autofs".

Configure the new autofs indirect mappings mount file:
<code bash>
vim /etc/auto.home
</code>
<code>
# For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/&
*    -rw    myserver.com:/nfsshare/&
</code>
  * "*" is assigned the directory that is accessed. If someone tries to access "/home/users/luke", the "*" value is "luke".
  * The "&" in the remote server line is replaced by the key in the first column (*). So if someone accesses "/home/users/luke", the remote system (myserver.com) gets an access attempt for "/nfsshare/luke".

Ensure autofs is started and enabled at boot:
<code bash>
systemctl start autofs
systemctl enable autofs
</code>

----
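The "*" key and "&" substitution described in the autofs section can be checked without an NFS server. The script below is an added example, not part of the original page or of the autofs project: it reads constructed copies of the home.autofs master map and the auto.home indirect map, finds the mount point that covers an accessed path, and prints the options and NFS location automount would use for it. The temporary directory, the "shared" map entry and the example paths are constructed.

```shell
#!/bin/bash
# Added example (not from the original page): resolve an access under an autofs indirect
# map the way automount does, so the "*" key and "&" substitution can be tried offline.

# automaster_lookup DIR PATH
# Scans the *.autofs files in DIR (the role /etc/auto.master.d plays) and prints
# "<mount point> <map file>" for the longest mount point that covers PATH.
automaster_lookup() {
    best= bestmap=
    for f in "$1"/*.autofs; do
        [ -f "$f" ] || continue
        while read -r mp map _; do
            case $mp in ''|'#'*) continue ;; esac          # skip blank and comment lines
            case $2 in
                "$mp"/*) [ ${#mp} -gt ${#best} ] && best=$mp bestmap=$map ;;
            esac
        done < "$f"
    done
    [ -n "$best" ] && printf '%s %s\n' "$best" "$bestmap"
}

# autofs_resolve MOUNTPOINT MAPFILE PATH
# The key is the first path component below MOUNTPOINT. An exact entry wins, otherwise the
# "*" wildcard entry is used; every "&" in the options/location is replaced by the key.
autofs_resolve() {
    key=${3#"$1"/}
    key=${key%%/*}
    awk -v key="$key" '
    function rest(    i, r) { for (i = 2; i <= NF; i++) r = r (i > 2 ? " " : "") $i; return r }
    NF == 0 || $1 ~ /^#/ { next }
    $1 == key { found = rest(); exit }
    $1 == "*" && wild == "" { wild = rest() }
    END {
        line = (found != "") ? found : wild
        if (line == "") exit 1          # no matching entry: automount would return ENOENT
        gsub(/&/, key, line)
        print line
    }
    ' "$2"
}

# make_sample_maps DIR: constructed master map and indirect map modelled on the page
make_sample_maps() {
    mkdir -p "$1/auto.master.d"
    cat > "$1/auto.master.d/home.autofs" <<EOF
# For sub directories of /home/users, look at the auto.home map
/home/users $1/auto.home
EOF
    cat > "$1/auto.home" <<'EOF'
# For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/&
*       -rw     myserver.com:/nfsshare/&
shared  -ro     myserver.com:/nfsshare/common
EOF
}

demo() {
    d=$(mktemp -d)
    make_sample_maps "$d"
    for p in /home/users/luke /home/users/shared/docs; do
        set -- $(automaster_lookup "$d/auto.master.d" "$p")   # -> mount point, map file
        echo "$p -> $(autofs_resolve "$1" "$2" "$p")"
    done
    rm -rf "$d"
}
demo
```

The exact "shared" entry shows the precedence rule: automount tries the literal key before falling back to "*", which is why a per-user wildcard line and a few fixed shares can live in the same map.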