Differences
This shows you the differences between two versions of the page.
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2016/03/05 16:55] billdozor [authconfig]
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2018/04/29 23:05] billdozor [AutoFS and NFS Share]
Line 4: | Line 4: | ||
Configuring a client to connect to an existing LDAP server.\\ | Configuring a client to connect to an existing LDAP server.\\ | ||
- | In order to test this, you will need to setup a FreeIPA server for the client to authenticate to. | + | In order to test this, you will need to [[http:// |
---- | ---- | ||
- | ====== Ways to Configure | + | ===== Ways to Configure ===== |
* authconfig => command line utility that you have to specify all command line options when joining the domain | * authconfig => command line utility that you have to specify all command line options when joining the domain | ||
+ | * The preferred method to learn. | ||
* authconfig-tui => menu drive text user interface, select options from a list | * authconfig-tui => menu drive text user interface, select options from a list | ||
+ | * This method is " | ||
* authconfig-gtk => GUI utility for domain authentication setup | * authconfig-gtk => GUI utility for domain authentication setup | ||
* **Do not expect to be able to use a GUI on the exam**. | * **Do not expect to be able to use a GUI on the exam**. | ||
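Review bot: the unchanged authconfig-tui line in this hunk reads "menu drive text user interface"; it should be "menu driven text user interface", and since the revision already touches the surrounding bullets this is a good place to fix it.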
Line 17: | Line 19: | ||
Two different back-end authentication daemons can be used: | Two different back-end authentication daemons can be used: | ||
* sssd => System Security Services Daemon | * sssd => System Security Services Daemon | ||
- | * This is the preferred/ | + | * This is the preferred/ |
* nslcd => Name Service LDAP Connection Daemon | * nslcd => Name Service LDAP Connection Daemon | ||
* This is the legacy daemon | * This is the legacy daemon | ||
Line 24: | Line 26: | ||
---- | ---- | ||
- | ==== authconfig ==== | + | ===== authconfig |
To get a reminder of what commands you will need, execute:< | To get a reminder of what commands you will need, execute:< | ||
Line 32: | Line 34: | ||
* Install client packages< | * Install client packages< | ||
- | * Setup authentication< | + | * Setup authentication< |
* enableldap => use ldap for identification | * enableldap => use ldap for identification | ||
* enableldapauth => use ldap for authentication | * enableldapauth => use ldap for authentication | ||
- | * enableldapstarttls | + | * ldapserver |
- | * ldapserver => the ldap FQDN with " | + | |
* ldapbasedn => the base of the ldap tree | * ldapbasedn => the base of the ldap tree | ||
+ | * enableldapstarttls => start TLS encryption over the standard ldap port (tcp/389) | ||
* enablemkhomedir => allow the local system to create home directories if they don't exist | * enablemkhomedir => allow the local system to create home directories if they don't exist | ||
* update => update system config files with these changes. (**the entire command will not do ANYTHING if you forget this option**) | * update => update system config files with these changes. (**the entire command will not do ANYTHING if you forget this option**) | ||
- | * Copy the IPA CA cert to the local system< | + | * Copy the IPA CA cert to the local system(you should be given the location to get this from on the exam)<code bash>scp ipa.example.com:/ |
* Edit / | * Edit / | ||
ldap_id_use_start_tls = True | ldap_id_use_start_tls = True | ||
ldap_tls_cacertdir = / | ldap_tls_cacertdir = / | ||
ldap_tls_reqcert = never</ | ldap_tls_reqcert = never</ | ||
- | * If you do not do this, the sssd service will report ca cert trust issues (in the output of " | + | * If you do not do this, the sssd service will report ca cert trust issues (in the output of " |
+ | * If you can't remember the " | ||
+ | * Look at the **man page of " | ||
+ | * Search for " | ||
* Restart sssd< | * Restart sssd< | ||
* You should now be able to authenticate as a LDAP user. | * You should now be able to authenticate as a LDAP user. | ||
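Review bot: the new sssd.conf step copies the IPA CA certificate into the directory named by `ldap_tls_cacertdir` but still keeps `ldap_tls_reqcert = never`, which switches off server certificate validation for the STARTTLS session and defeats the purpose of copying the CA at all; once the CA certificate is in place the default setting, which requires a valid server certificate, should succeed, so `never` belongs only in a temporary troubleshooting step and the bullet about "ca cert trust issues" should say that rather than present it as the permanent fix. Minor: "local system(you should" in the added scp bullet is missing a space before the parenthesis.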
Line 51: | Line 57: | ||
---- | ---- | ||
- | ==== authconfig-tui ==== | + | ===== authconfig-tui |
Configuring LDAP authentication with authconfig-tui and SSSD back-end. | Configuring LDAP authentication with authconfig-tui and SSSD back-end. | ||
Line 78: | Line 84: | ||
---- | ---- | ||
- | ==== GUI method: authconfig-gtk ==== | + | ===== GUI method: authconfig-gtk |
+ | **Documented for educational purposes...do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method** | ||
+ | |||
+ | \\ | ||
LDAP authentication via GUI setup and nslcd back-end. | LDAP authentication via GUI setup and nslcd back-end. | ||
Line 117: | Line 126: | ||
---- | ---- | ||
- | ==== AutoFS and NFS Share ==== | + | ===== AutoFS and NFS Share ===== |
Auto mounting NFS shared user home directories. | Auto mounting NFS shared user home directories. | ||
+ | \\ | ||
Install AutoFS and NFS utils | Install AutoFS and NFS utils | ||
<code bash> | <code bash> | ||
Line 127: | Line 137: | ||
\\ | \\ | ||
- | Create a new Master autofs file in / | + | Create a new Master |
<code bash> | <code bash> | ||
vim / | vim / | ||
+ | # For sub directories of / | ||
/home/users / | /home/users / | ||
</ | </ | ||
Line 136: | Line 147: | ||
\\ | \\ | ||
- | Configure the new autofs indirect mount file | + | Configure the new autofs indirect |
<code bash> | <code bash> | ||
vim / | vim / | ||
+ | # For any sub directory (" | ||
* -rw myserver.com:/ | * -rw myserver.com:/ | ||
</ | </ | ||
- | | + | * " |
- | | + | * The "&" |
\\ | \\ | ||
Ensure autofs is started and enabled at boot | Ensure autofs is started and enabled at boot | ||
<code bash> | <code bash> | ||
- | systemctl start autofs | + | systemctl start autofs |
- | </ | + | systemctl enable autofs |
- | + | ||
- | \\ | + | |
- | Configure sshd to allow ldap logins and restart sshd | + | |
- | <code bash> | + | |
- | vim / | + | |
- | + | ||
- | auth sufficient | + | |
- | auth sufficient | + | |
- | + | ||
- | systemctl restart sshd | + | |
</ | </ | ||
---- | ---- | ||
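Review bot: the removed block that hand-edited the sshd PAM stack (the `auth sufficient` lines followed by `systemctl restart sshd`) disappears without any explanation; since the authconfig section of this page already states that the `update` option rewrites the system config files, a one-line note that PAM needs no manual editing once authconfig has been run with `update` would make the removal understandable to readers comparing the two revisions. The added `systemctl enable autofs` line is a welcome fix, as the old revision only started the service and never enabled it at boot.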