linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information


linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2018/03/20 23:38]
billdozor [AutoFS and NFS Share]
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2019/05/25 23:50]
Line 1: Line 1:
-====== Configure A System To Use An Existing Authentication Service For User And Group Information ====== 
- 
-**General Information** 
- 
-Configuring a client to connect to an existing LDAP server.\\ 
-In order to test this, you will need to [[http://www.unixmen.com/configure-freeipa-server-centos-7/|setup a FreeIPA server]] for the client to authenticate to. 
- 
----- 
- 
-===== Ways to Configure ===== 
- 
-  * authconfig => command line utility that you have to specify all command line options when joining the domain 
-    * The preferred method to learn. 
-  * authconfig-tui => menu drive text user interface, select options from a list 
-    * This method is "technically" deprecated, but will still work. 
-  * authconfig-gtk => GUI utility for domain authentication setup 
-    * **Do not expect to be able to use a GUI on the exam**. 
- 
-Two different back-end authentication daemons can be used: 
-  * sssd => System Security Services Daemon 
-    * This is the preferred/newer daemon. Learn using sssd. 
-  * nslcd => Name Service LDAP Connection Daemon 
-    * This is the legacy daemon 
-    * Requires force legacy is set in /etc/sysconfig/authconfig<code bash>FORCELEGACY=yes</code> 
- 
----- 
- 
-===== authconfig ===== 
- 
-To get a reminder of what commands you will need, execute:<code bash>authconfig --help | grep ldap</code> 
- 
-\\ 
-Configuring LDAP authentication with authconfig cli and SSSD. 
- 
-  * Install client packages<code bash>yum install sssd</code> 
-  * Setup authentication<code bash>authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update</code> 
-    * enableldap => use ldap for identification 
-    * enableldapauth => use ldap for authentication 
-    * ldapserver => the fully qualified name of the IPA server 
-    * ldapbasedn => the base of the ldap tree 
-    * enableldapstarttls => start TLS encryption over the standard ldap port (tcp/389) 
-    * enablemkhomedir => allow the local system to create home directories if they don't exist 
-    * update => update system config files with these changes. (**the entire command will not do ANYTHING if you forget this option**) 
-  * Copy the IPA CA cert to the local system(you should be given the location to get this from on the exam)<code bash>scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/</code> 
-  * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section<code bash>ldap_uri = ldap://ipa.example.com 
-ldap_id_use_start_tls = True 
-ldap_tls_cacertdir = /etc/openldap/cacerts 
-ldap_tls_reqcert = never</code> 
-    * If you do not do this, the sssd service will report ca cert trust issues (in the output of "systemctl status sssd -l" due to a self-signed cert). 
-    * If you can't remember the "ldap_tls_reqcert" line: 
-      * Look at the **man page of "sssd-ldap"**<code bash>man sssd-ldap</code> 
-      * Search for "tls_" to view config options and the "Example" section for formatting. 
- 
-  * Restart sssd<code bash>systemctl restart sssd</code> 
-  * You should now be able to authenticate as a LDAP user. 
- 
----- 
- 
-===== authconfig-tui ===== 
- 
-Configuring LDAP authentication with authconfig-tui and SSSD back-end. 
- 
-  * Install client packages<code bash>yum install sssd</code> 
-  * Launch authconfig-tui<code bash>authconfig-tui</code> 
-    * Authentication Configuration box 
-      * User Information: Select(space-bar) "Use LDAP" 
-      * Authentication: Select "Use LDAP Authentication" 
-      * Do not unselect any defaults; Next when done 
-    * LDAP Settings 
-      * Select "Use TLS" 
-      * Server: ldap://ipa.example.com 
-      * Base DN: dc=example,dc=com 
-      * Ok when done, Ok on the warning screen about copying the CA Cert. 
-  * Copy the IPA CA cert to the local system<code bash>scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/</code> 
-  * Enable auto creation of home directories<code bash>authconfig --update --enablemkhomedir</code> 
-  * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section<code bash>ldap_uri = ldap://ipa.example.com 
-ldap_id_use_start_tls = True 
-ldap_tls_cacertdir = /etc/openldap/cacerts 
-ldap_tls_reqcert = never</code> 
-    * If you do not do this, the sssd service will report ca cert trust issues. 
-  * Restart sssd<code bash>systemctl restart sssd</code> 
-  * You should now be able to authenticate as a LDAP user. 
- 
----- 
- 
-===== GUI method: authconfig-gtk ===== 
- 
-**Documented for educational purposes...do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method** 
- 
-\\ 
-LDAP authentication via GUI setup and nslcd back-end. 
- 
-Install authconfig gui 
-<code bash> 
-yum -y install authconfig-gtk 
-</code> 
- 
-Open the GUI app 
-  * Applications > Sundry > Authentication 
-  * On the "Identity & Authentication" tab: 
-    * User Account Database: Select LDAP from the drop-down 
-    * This will display an extra package that is required "nss-pam-ldapd" 
-    * Click the "Install" button to install this package or close and install from a terminal. An additional package is required, "pam_krb5". 
-<code bash> 
-yum install -y nss-pam-ldapd 
-yum install -y pam_krb5 
-</code> 
-  * Note: After installing "nss-pam-ldapd", reopen the Authentication app. You will see the next required package; "pam_krb5". Install that as well. 
-  * Identity & Authentication tab 
-    * User Account Database: LDAP 
-    * LDAP Search Base DN: dc=example,dc=com 
-    * LDAP Server: ldap://ipa.example.com 
-    * Check "Use TLS to encrypt connections" 
-    * Click "Download CA Certificate..." 
-      * Enter URL of ca cert Example: ftp://ipa.example.com/pub/cacert.p12 
-      * Click Ok 
-  * Advanced Options tab 
-    * Other Authentication Options: Check "Create home directories on the first login" 
-  * Password Options tab 
-    * Change any password property requirements 
-  * Click Apply 
-  * Edit /etc/nslcd.conf and add<code bash>tls_reqcert never</code> 
-  * Restart nslcd<code bash>systemctl restart nslcd</code> 
-  * Authentication via LDAP will now work. 
- 
----- 
- 
-===== AutoFS and NFS Share ===== 
- 
-Auto mounting NFS shared user home directories. 
- 
-\\ 
-Install AutoFS and NFS utils 
-<code bash> 
-yum -y install autofs nfs-utils 
-</code> 
- 
-\\ 
-Create a new Master Map autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config 
-<code bash> 
-vim /etc/auto.master.d/home.autofs 
- 
-# For sub directories of /home/users, look at /etc/auto.home for mappings 
-/home/users /etc/auto.home 
-</code> 
-  * In EL7, the "/etc/auto.master" file is part of the RPM; any updates to the autofs package could overwrite changes you make, so it is recommended to create your own master map file under /etc/auto.master.d/. The name does not matter, as long as it ends in ".autofs" 
- 
-\\ 
-Configure the new autofs indirect mappings mount file 
-<code bash> 
-vim /etc/auto.home 
- 
-# For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/& 
-*  -rw  myserver.com:/nfsshare/& 
-</code> 
-  * "*" is assigned the directory that is accessed. If someone tried to access "/home/users/luke", the "*" value is "luke". 
-  * The "&" in the remote server line is replaced by the key in the first column (*). So if someone accesses "/home/users/luke", the remote system (myserver.com) gets an access attempt to "/nfsshare/luke" 
- 
-\\ 
-Ensure autofs is started and enabled at boot 
-<code bash> 
-systemctl start autofs && systemctl enable autofs 
-</code> 
- 
----- 
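Review bot: the `ldap_tls_reqcert = never` line in both the authconfig and authconfig-tui steps (and `tls_reqcert never` in /etc/nslcd.conf for the GUI method) switches off server certificate verification, so the StartTLS session that `--enableldapstarttls` sets up no longer protects the password exchange against a spoofed server; the trust error the text works around is the symptom to fix, not to silence. The likely cause is that the file copied into /etc/openldap/cacerts is a PKCS#12 bundle (cacert.p12), while `ldap_tls_cacertdir` expects individual PEM certificates (see the `ldap_tls_cacertdir` entry in `man sssd-ldap`), so the directory never yields a usable CA; a FreeIPA server also has the public CA certificate in PEM form at /etc/ipa/ca.crt, and a .p12 exported on the server should not be distributed to clients because it can contain private key material. Suggested replacement for the sssd.conf block, keeping the default verification mode:
`ldap_tls_cacert = /etc/openldap/cacerts/ipa-ca.crt`
`ldap_tls_reqcert = demand`
The same applies to nslcd (`tls_cacertfile` instead of `tls_reqcert never`). Minor: the "if you forget --update the command does nothing" warning is correct and worth keeping, and "menu drive" in the Ways to Configure list should read "menu driven".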
  
Last modified: 2019/05/25 23:50 (external edit)