linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information

linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2016/03/05 16:51]
billdozor [Ways to Configure]
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2019/05/25 23:50]
Line 1: Line 1:
-====== Configure A System To Use An Existing Authentication Service For User And Group Information ====== 
- 
-**General Information** 
- 
-Configuring a client to connect to an existing LDAP server.\\ 
-In order to test this, you will need to setup a FreeIPA server for the client to authenticate to. 
- 
----- 
- 
-====== Ways to Configure ====== 
- 
-  * authconfig => command line utility that you have to specify all command line options when joining the domain 
-  * authconfig-tui => menu drive text user interface, select options from a list 
-  * authconfig-gtk => GUI utility for domain authentication setup 
-    * **Do not expect to be able to use a GUI on the exam**. 
- 
-Two different back-end authentication daemons can be used: 
-  * sssd => System Security Services Daemon 
-    * This is the preferred/newer daemon 
-  * nslcd => Name Service LDAP Connection Daemon 
-    * This is the legacy daemon 
-    * Requires force legacy is set in /etc/sysconfig/authconfig<code bash>FORCELEGACY=yes</code> 
- 
----- 
- 
-==== authconfig ==== 
- 
-Configuring LDAP authentication with authconfig cli and SSSD. 
- 
-  * Install client packages<code bash>yum install sssd</code> 
-  * Setup authentication<code bash>authconfig --enableldap --enableldapauth --enableldapstarttls --ldapserver="ldap://ipa.example.com" --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update</code> 
-  * Copy the IPA CA cert to the local system<code bash>scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/</code> 
-  * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section<code bash>ldap_uri = ldap://ipa.example.com 
-ldap_id_use_start_tls = True 
-ldap_tls_cacertdir = /etc/openldap/cacerts 
-ldap_tls_reqcert = never</code> 
-    * If you do not do this, the sssd service will report ca cert trust issues. 
-  * Restart sssd<code bash>systemctl restart sssd</code> 
-  * You should now be able to authenticate as a LDAP user. 
- 
----- 
- 
-==== authconfig-tui ==== 
- 
-Configuring LDAP authentication with authconfig-tui and SSSD back-end. 
- 
-  * Install client packages<code bash>yum install sssd</code> 
-  * Launch authconfig-tui<code bash>authconfig-tui</code> 
-    * Authentication Configuration box 
-      * User Information: Select(space-bar) "Use LDAP" 
-      * Authentication: Select "Use LDAP Authentication" 
-      * Do not unselect any defaults; Next when done 
-    * LDAP Settings 
-      * Select "Use TLS" 
-      * Server: ldap://ipa.example.com 
-      * Base DN: dc=example,dc=com 
-      * Ok when done, Ok on the warning screen about copying the CA Cert. 
-  * Copy the IPA CA cert to the local system<code bash>scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/</code> 
-  * Enable auto creation of home directories<code bash>authconfig --update --enablemkhomedir</code> 
-  * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section<code bash>ldap_uri = ldap://ipa.example.com 
-ldap_id_use_start_tls = True 
-ldap_tls_cacertdir = /etc/openldap/cacerts 
-ldap_tls_reqcert = never</code> 
-    * If you do not do this, the sssd service will report ca cert trust issues. 
-  * Restart sssd<code bash>systemctl restart sssd</code> 
-  * You should now be able to authenticate as a LDAP user. 
- 
----- 
- 
-==== GUI method: authconfig-gtk ==== 
- 
-LDAP authentication via GUI setup and nslcd back-end. 
- 
-Install authconfig gui 
-<code bash> 
-yum -y install authconfig-gtk 
-</code> 
- 
-Open the GUI app 
-  * Applications > Sundry > Authentication 
-  * On the "Identity & Authentication" tab: 
-    * User Account Database: Select LDAP from the drop-down 
-    * This will display an extra package that is required "nss-pam-ldapd" 
-    * Click the "Install" button to install this package or close and install from a terminal. An additional package is required, "pam_krb5". 
-<code bash> 
-yum install -y nss-pam-ldapd 
-yum install -y pam_krb5 
-</code> 
-  * Note: After installing "nss-pam-ldapd", reopen the Authentication app. You will see the next required package; "pam_krb5". Install that as well. 
-  * Identity & Authentication tab 
-    * User Account Database: LDAP 
-    * LDAP Search Base DN: dc=example,dc=com 
-    * LDAP Server: ldap://ipa.example.com 
-    * Check "Use TLS to encrypt connections" 
-    * Click "Download CA Certificate..." 
-      * Enter URL of ca cert Example: ftp://ipa.example.com/pub/cacert.p12 
-      * Click Ok 
-  * Advanced Options tab 
-    * Other Authentication Options: Check "Create home directories on the first login" 
-  * Password Options tab 
-    * Change any password property requirements 
-  * Click Apply 
-  * Edit /etc/nslcd.conf and add<code bash>tls_reqcert never</code> 
-  * Restart nslcd<code bash>systemctl restart nslcd</code> 
-  * Authentication via LDAP will now work. 
- 
----- 
- 
-==== AutoFS and NFS Share ==== 
- 
-Auto mounting NFS shared user home directories. 
- 
-Install AutoFS and NFS utils 
-<code bash> 
-yum -y install autofs nfs-utils 
-</code> 
- 
-\\ 
-Create a new Master autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config 
-<code bash> 
-vim /etc/auto.master.d/home.autofs 
- 
-/home/users /etc/auto.home 
-</code> 
-  * In EL7, the "/etc/auto.master" file is part of the RPM; any updates to the autofs package could overwrite changes you make, so it is recommended to create your own master map file under /etc/auto.master.d/. The name does not matter, as long as it ends in ".autofs" 
- 
-\\ 
-Configure the new autofs indirect mount file 
-<code bash> 
-vim /etc/auto.home 
- 
-*  -rw  myserver.com:/nfsshare/& 
-</code> 
-  * The "&" is replaced by the key in the first column (*) 
-  * "*" is assigned the value that triggered access. If someone tried to access /home/users/luke, then "luke" will be the value of the key in the first column ("*") 
- 
-\\ 
-Ensure autofs is started and enabled at boot 
-<code bash> 
-systemctl start autofs && systemctl enable autofs 
-</code> 
- 
-\\ 
-Configure sshd to allow ldap logins and restart sshd 
-<code bash> 
-vim /etc/pam.d/sshd 
- 
-auth  sufficient  pam_ldap.so 
-auth  sufficient  pam_permit.so 
- 
-systemctl restart sshd 
-</code> 
- 
----- 
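Review bot: the sshd PAM lines added near the end of this hunk, `auth  sufficient  pam_ldap.so` followed by `auth  sufficient  pam_permit.so`, make PAM authentication succeed for every account, because pam_permit.so always returns success and `sufficient` ends the auth stack on the first success; any PAM-backed sshd login (password or keyboard-interactive with UsePAM) would then pass without a valid credential. Drop the pam_permit.so line entirely; the `authconfig ... --update` step earlier in the hunk already writes the LDAP/SSSD entries into /etc/pam.d/system-auth and /etc/pam.d/password-auth, which /etc/pam.d/sshd includes, so no hand-edited pam_ldap.so line is needed for LDAP logins. Related: `ldap_tls_reqcert = never` in sssd.conf and `tls_reqcert never` in nslcd.conf turn off server certificate verification, so StartTLS encrypts the session but no longer proves the client is talking to ipa.example.com. The "ca cert trust issues" the text mentions come from copying `cacert.p12` into /etc/openldap/cacerts, since `ldap_tls_cacertdir` expects PEM certificates with hashed symlinks, not a PKCS#12 bundle; the fix is to export the CA as PEM into that directory (then run cacertdir_rehash) or point `ldap_tls_cacert` at the PEM file, and leave reqcert at its default of demand. The guide should also state that the reqcert=never setting is a lab shortcut, not a production configuration.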
  
  • Last modified: 2019/05/25 23:50