Differences
This shows you the differences between two versions of the page.
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2016/03/05 16:48] billdozor [Configure A System To Use An Existing Authentication Service For User And Group Information] |
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2019/05/25 23:50] (current) |
Line 3: | Line 3: | ||
**General Information** | **General Information** | ||
- | Configuring a client to connect to an existing LDAP server. | + | Configuring a client to connect to an existing LDAP server.\\ |
+ | In order to test this, you will need to [[http:// | ||
---- | ---- | ||
- | ====== Ways to Configure | + | ===== Ways to Configure ===== |
* authconfig => command line utility that you have to specify all command line options when joining the domain | * authconfig => command line utility that you have to specify all command line options when joining the domain | ||
+ | * The preferred method to learn. | ||
* authconfig-tui => menu drive text user interface, select options from a list | * authconfig-tui => menu drive text user interface, select options from a list | ||
+ | * This method is " | ||
* authconfig-gtk => GUI utility for domain authentication setup | * authconfig-gtk => GUI utility for domain authentication setup | ||
+ | * **Do not expect to be able to use a GUI on the exam**. | ||
Two different back-end authentication daemons can be used: | Two different back-end authentication daemons can be used: | ||
* sssd => System Security Services Daemon | * sssd => System Security Services Daemon | ||
- | * This is the preferred/ | + | * This is the preferred/ |
* nslcd => Name Service LDAP Connection Daemon | * nslcd => Name Service LDAP Connection Daemon | ||
* This is the legacy daemon | * This is the legacy daemon | ||
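Review bot: typo in the authconfig-tui bullet: "menu drive text user interface" should read "menu driven text user interface", and the authconfig bullet reads more cleanly as "command line utility for which you must specify every option when joining the domain". Both lines are carried unchanged across this revision, so the fix applies on either side.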
Line 22: | Line 26: | ||
---- | ---- | ||
- | ==== authconfig ==== | + | ===== authconfig |
+ | To get a reminder of what commands you will need, execute:< | ||
+ | |||
+ | \\ | ||
Configuring LDAP authentication with authconfig cli and SSSD. | Configuring LDAP authentication with authconfig cli and SSSD. | ||
* Install client packages< | * Install client packages< | ||
- | * Setup authentication< | + | * Setup authentication< |
- | * Copy the IPA CA cert to the local system< | + | * enableldap => use ldap for identification |
+ | * enableldapauth => use ldap for authentication | ||
+ | * ldapserver => the fully qualified name of the IPA server | ||
+ | * ldapbasedn => the base of the ldap tree | ||
+ | * enableldapstarttls => start TLS encryption over the standard ldap port (tcp/389) | ||
+ | * enablemkhomedir => allow the local system to create home directories if they don't exist | ||
+ | * update => update system config files with these changes. (**the entire command will not do ANYTHING if you forget this option**) | ||
+ | * Copy the IPA CA cert to the local system(you should be given the location to get this from on the exam)<code bash>scp ipa.example.com:/ | ||
* Edit / | * Edit / | ||
ldap_id_use_start_tls = True | ldap_id_use_start_tls = True | ||
ldap_tls_cacertdir = / | ldap_tls_cacertdir = / | ||
ldap_tls_reqcert = never</ | ldap_tls_reqcert = never</ | ||
- | * If you do not do this, the sssd service will report ca cert trust issues. | + | * If you do not do this, the sssd service will report ca cert trust issues |
+ | * If you can't remember the " | ||
+ | * Look at the **man page of " | ||
+ | * Search for " | ||
* Restart sssd< | * Restart sssd< | ||
* You should now be able to authenticate as a LDAP user. | * You should now be able to authenticate as a LDAP user. | ||
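Review bot: the sssd.conf snippet keeps `ldap_tls_reqcert = never` even though the step just above copies the IPA CA cert to the host and points `ldap_tls_cacertdir` at it. `never` tells sssd not to request or check the server certificate at all, so the StartTLS session turned on by --enableldapstarttls will accept any host presenting any certificate. The "ca cert trust issues" the bullet mentions usually come from `ldap_tls_cacertdir` expecting OpenSSL hash-named links (openssl rehash / c_rehash) rather than a bare copied file; pointing `ldap_tls_cacert` at the copied file itself, with `ldap_tls_reqcert = demand`, keeps validation on. At minimum the page should say that `never` is a troubleshooting setting, not the recommended configuration.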
Line 39: | Line 57: | ||
---- | ---- | ||
- | ==== authconfig-tui ==== | + | ===== authconfig-tui |
Configuring LDAP authentication with authconfig-tui and SSSD back-end. | Configuring LDAP authentication with authconfig-tui and SSSD back-end. | ||
Line 66: | Line 84: | ||
---- | ---- | ||
- | ==== GUI method: authconfig-gtk ==== | + | ===== GUI method: authconfig-gtk |
+ | **Documented for educational purposes...do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method** | ||
+ | |||
+ | \\ | ||
LDAP authentication via GUI setup and nslcd back-end. | LDAP authentication via GUI setup and nslcd back-end. | ||
Line 105: | Line 126: | ||
---- | ---- | ||
- | ==== AutoFS and NFS Share ==== | + | ===== AutoFS and NFS Share ===== |
Auto mounting NFS shared user home directories. | Auto mounting NFS shared user home directories. | ||
+ | \\ | ||
Install AutoFS and NFS utils | Install AutoFS and NFS utils | ||
<code bash> | <code bash> | ||
Line 115: | Line 137: | ||
\\ | \\ | ||
- | Create a new Master autofs file in / | + | Create a new Master |
<code bash> | <code bash> | ||
vim / | vim / | ||
+ | # For sub directories of / | ||
/home/users / | /home/users / | ||
</ | </ | ||
Line 124: | Line 147: | ||
\\ | \\ | ||
- | Configure the new autofs indirect mount file | + | Configure the new autofs indirect |
<code bash> | <code bash> | ||
vim / | vim / | ||
+ | # For any sub directory (" | ||
* -rw myserver.com:/ | * -rw myserver.com:/ | ||
</ | </ | ||
- | | + | * " |
- | | + | * The "&" |
\\ | \\ | ||
Ensure autofs is started and enabled at boot | Ensure autofs is started and enabled at boot | ||
<code bash> | <code bash> | ||
- | systemctl start autofs | + | systemctl start autofs |
- | </ | + | systemctl enable autofs |
- | + | ||
- | \\ | + | |
- | Configure sshd to allow ldap logins and restart sshd | + | |
- | <code bash> | + | |
- | vim / | + | |
- | + | ||
- | auth sufficient | + | |
- | auth sufficient | + | |
- | + | ||
- | systemctl restart sshd | + | |
</ | </ | ||
---- | ---- | ||
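Review bot: dropping the block that hand-edited the sshd PAM stack (`auth sufficient` lines followed by `systemctl restart sshd`) is correct, since `authconfig ... --update` already rewrites the PAM and nsswitch configuration as the earlier bullet notes, but the AutoFS section now ends without saying so; a one-line note that LDAP logins over ssh need no extra PAM editing after authconfig would stop readers re-adding those lines by hand.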