Configure A System To Use An Existing Authentication Service For User And Group Information

General Information

Configuring a client to connect to an existing LDAP server.
In order to test this, you will need to setup a FreeIPA server for the client to authenticate to.

• authconfig ⇒ command line utility that you have to specify all command line options when joining the domain
  • The preferred method to learn.
• authconfig-tui ⇒ menu drive text user interface, select options from a list
  • This method is “technically” deprecated, but will still work.
• authconfig-gtk ⇒ GUI utility for domain authentication setup
  • Do not expect to be able to use a GUI on the exam.

Two different back-end authentication daemons can be used:

• sssd ⇒ System Security Services Daemon
  • This is the preferred/newer daemon. Learn using sssd.
• nslcd ⇒ Name Service LDAP Connection Daemon
  • This is the legacy daemon
  • Requires force legacy is set in /etc/sysconfig/authconfig

    FORCELEGACY=yes

To get a reminder of what commands you will need, execute:

authconfig --help | grep ldap

Configuring LDAP authentication with authconfig cli and SSSD.

• Install client packages

  yum install sssd

• Setup authentication

  authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update

  • enableldap ⇒ use ldap for identification
  • enableldapauth ⇒ use ldap for authentication
  • ldapserver ⇒ the fully qualified name of the IPA server
  • ldapbasedn ⇒ the base of the ldap tree
  • enableldapstarttls ⇒ start TLS encryption over the standard ldap port (tcp/389)
  • enablemkhomedir ⇒ allow the local system to create home directories if they don't exist
  • update ⇒ update system config files with these changes. (the entire command will not do ANYTHING if you forget this option)
• Copy the IPA CA cert to the local system(you should be given the location to get this from on the exam)

  scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/

• Edit /etc/sssd/sssd.conf to add “ldap_tls_reqcert = never” in the “domain/default” section

  ldap_uri = ldap://ipa.example.com
  ldap_id_use_start_tls = True
  ldap_tls_cacertdir = /etc/openldap/cacerts
  ldap_tls_reqcert = never

  • If you do not do this, the sssd service will report ca cert trust issues (in the output of “systemctl status sssd -l” due to a self-signed cert).
  • If you can't remember the “ldap_tls_reqcert” line:
    • Look at the man page of “sssd-ldap”

      man sssd-ldap

    • Search for “tls_” to view config options and the “Example” section for formatting.

• Restart sssd

  systemctl restart sssd

• You should now be able to authenticate as a LDAP user.

Configuring LDAP authentication with authconfig-tui and SSSD back-end.

• Install client packages

  yum install sssd

• Launch authconfig-tui

  authconfig-tui

  • Authentication Configuration box
    • User Information: Select(space-bar) “Use LDAP”
    • Authentication: Select “Use LDAP Authentication”
    • Do not unselect any defaults; Next when done
  • LDAP Settings
    • Select “Use TLS”
    • Server: ldap://ipa.example.com
    • Base DN: dc=example,dc=com
    • Ok when done, Ok on the warning screen about copying the CA Cert.
• Copy the IPA CA cert to the local system

  scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/

• Enable auto creation of home directories

  authconfig --update --enablemkhomedir

• Edit /etc/sssd/sssd.conf to add “ldap_tls_reqcert = never” in the “domain/default” section

  ldap_uri = ldap://ipa.example.com
  ldap_id_use_start_tls = True
  ldap_tls_cacertdir = /etc/openldap/cacerts
  ldap_tls_reqcert = never

  • If you do not do this, the sssd service will report ca cert trust issues.
• Restart sssd

  systemctl restart sssd

• You should now be able to authenticate as a LDAP user.

Documented for educational purposes…do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method

LDAP authentication via GUI setup and nslcd back-end.

Install authconfig gui

yum -y install authconfig-gtk

Open the GUI app

• Applications > Sundry > Authentication
• On the “Identity & Authentication” tab:
  • User Account Database: Select LDAP from the drop-down
  • This will display an extra package that is required “nss-pam-ldapd”
  • Click the “Install” button to install this package or close and install from a terminal. An additional package is required, “pam_krb5”.

yum install -y nss-pam-ldapd
yum install -y pam_krb5

• Note: After installing “nss-pam-ldapd”, reopen the Authentication app. You will see the next required package; “pam_krb5”. Install that as well.
• Identity & Authentication tab
  • User Account Database: LDAP
  • LDAP Search Base DN: dc=example,dc=com
  • LDAP Server: ldap://ipa.example.com
  • Check “Use TLS to encrypt connections”
  • Click “Download CA Certificate…”
    • Enter URL of ca cert Example: ftp://ipa.example.com/pub/cacert.p12
    • Click Ok
• Advanced Options tab
  • Other Authentication Options: Check “Create home directories on the first login”
• Password Options tab
  • Change any password property requirements
• Click Apply
• Edit /etc/nslcd.conf and add

  tls_reqcert never

• Restart nslcd

  systemctl restart nslcd

• Authentication via LDAP will now work.

Auto mounting NFS shared user home directories.

Install AutoFS and NFS utils

yum -y install autofs nfs-utils

Create a new Master Map autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config

vim /etc/auto.master.d/home.autofs
 
# For sub directories of /home/users, look at /etc/auto.home for mappings
/home/users /etc/auto.home

• In EL7, the “/etc/auto.master” file is part of the RPM; any updates to the autofs package could overwrite changes you make, so it is recommended to create your own master map file under /etc/auto.master.d/. The name does not matter, as long as it ends in “.autofs”

Configure the new autofs indirect mappings mount file

vim /etc/auto.home
 
# For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/&
*  -rw  myserver.com:/nfsshare/&

• “*” is assigned the directory that is accessed. If someone tried to access “/home/users/luke”, the “*” value is “luke”.
• The “&” in the remote server line is replaced by the key in the first column (*). So if someone accesses “/home/users/luke”, the remote system (myserver.com) gets an access attempt to “/nfsshare/luke”

Ensure autofs is started and enabled at boot

systemctl start autofs
systemctl enable autofs