Configure A System To Use An Existing Authentication Service For User And Group Information
General Information
Configuring a client to connect to an existing LDAP server.
In order to test this, you will need to setup a FreeIPA server for the client to authenticate to.
Ways to Configure
- authconfig ⇒ command line utility that you have to specify all command line options when joining the domain
- The preferred method to learn.
- authconfig-tui ⇒ menu drive text user interface, select options from a list
- This method is “technically” deprecated, but will still work.
- authconfig-gtk ⇒ GUI utility for domain authentication setup
- Do not expect to be able to use a GUI on the exam.
Two different back-end authentication daemons can be used:
- sssd ⇒ System Security Services Daemon
- This is the preferred/newer daemon. Learn using sssd.
- nslcd ⇒ Name Service LDAP Connection Daemon
- This is the legacy daemon
- Requires force legacy is set in /etc/sysconfig/authconfig
FORCELEGACY=yes
authconfig
To get a reminder of what commands you will need, execute:
authconfig --help | grep ldap
Configuring LDAP authentication with authconfig cli and SSSD.
- Install client packages
yum install sssd - Setup authentication
authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update
- enableldap ⇒ use ldap for identification
- enableldapauth ⇒ use ldap for authentication
- ldapserver ⇒ the fully qualified name of the IPA server
- ldapbasedn ⇒ the base of the ldap tree
- enableldapstarttls ⇒ start TLS encryption over the standard ldap port (tcp/389)
- enablemkhomedir ⇒ allow the local system to create home directories if they don't exist
- update ⇒ update system config files with these changes. (the entire command will not do ANYTHING if you forget this option)
- Copy the IPA CA cert to the local system(you should be given the location to get this from on the exam)
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
- Edit /etc/sssd/sssd.conf to add “ldap_tls_reqcert = never” in the “domain/default” section
ldap_uri = ldap://ipa.example.com ldap_id_use_start_tls = True ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_reqcert = never
- If you do not do this, the sssd service will report ca cert trust issues (in the output of “systemctl status sssd -l” due to a self-signed cert).
- If you can't remember the “ldap_tls_reqcert” line:
- Look at the man page of “sssd-ldap”
man sssd-ldap - Search for “tls_” to view config options and the “Example” section for formatting.
- Restart sssd
systemctl restart sssd
- You should now be able to authenticate as a LDAP user.
authconfig-tui
Configuring LDAP authentication with authconfig-tui and SSSD back-end.
- Install client packages
yum install sssd - Launch authconfig-tui
authconfig-tui
- Authentication Configuration box
- User Information: Select(space-bar) “Use LDAP”
- Authentication: Select “Use LDAP Authentication”
- Do not unselect any defaults; Next when done
- LDAP Settings
- Select “Use TLS”
- Server: ldap://ipa.example.com
- Base DN: dc=example,dc=com
- Ok when done, Ok on the warning screen about copying the CA Cert.
- Copy the IPA CA cert to the local system
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
- Enable auto creation of home directories
authconfig --update --enablemkhomedir
- Edit /etc/sssd/sssd.conf to add “ldap_tls_reqcert = never” in the “domain/default” section
ldap_uri = ldap://ipa.example.com ldap_id_use_start_tls = True ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_reqcert = never
- If you do not do this, the sssd service will report ca cert trust issues.
- Restart sssd
systemctl restart sssd
- You should now be able to authenticate as a LDAP user.
GUI method: authconfig-gtk
Documented for educational purposes…do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method
LDAP authentication via GUI setup and nslcd back-end.
Install authconfig gui
yum -y install authconfig-gtk
Open the GUI app
- Applications > Sundry > Authentication
- On the “Identity & Authentication” tab:
- User Account Database: Select LDAP from the drop-down
- This will display an extra package that is required “nss-pam-ldapd”
- Click the “Install” button to install this package or close and install from a terminal. An additional package is required, “pam_krb5”.
yum install -y nss-pam-ldapd yum install -y pam_krb5
- Note: After installing “nss-pam-ldapd”, reopen the Authentication app. You will see the next required package; “pam_krb5”. Install that as well.
- Identity & Authentication tab
- User Account Database: LDAP
- LDAP Search Base DN: dc=example,dc=com
- LDAP Server: ldap://ipa.example.com
- Check “Use TLS to encrypt connections”
- Click “Download CA Certificate…”
- Enter URL of ca cert Example: ftp://ipa.example.com/pub/cacert.p12
- Click Ok
- Advanced Options tab
- Other Authentication Options: Check “Create home directories on the first login”
- Password Options tab
- Change any password property requirements
- Click Apply
- Edit /etc/nslcd.conf and add
tls_reqcert never
- Restart nslcd
systemctl restart nslcd
- Authentication via LDAP will now work.
AutoFS and NFS Share
Auto mounting NFS shared user home directories.
Install AutoFS and NFS utils
yum -y install autofs nfs-utils
Create a new Master Map autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config
vim /etc/auto.master.d/home.autofs # For sub directories of /home/users, look at /etc/auto.home for mappings /home/users /etc/auto.home
- In EL7, the “/etc/auto.master” file is part of the RPM; any updates to the autofs package could overwrite changes you make, so it is recommended to create your own master map file under /etc/auto.master.d/. The name does not matter, as long as it ends in “.autofs”
Configure the new autofs indirect mappings mount file
vim /etc/auto.home # For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/& * -rw myserver.com:/nfsshare/&
- “*” is assigned the directory that is accessed. If someone tried to access “/home/users/luke”, the “*” value is “luke”.
- The “&” in the remote server line is replaced by the key in the first column (*). So if someone accesses “/home/users/luke”, the remote system (myserver.com) gets an access attempt to “/nfsshare/luke”
Ensure autofs is started and enabled at boot
systemctl start autofs
systemctl enable autofs