linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information

Differences

This shows you the differences between two versions of the page.

linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2016/03/05 16:48]
billdozor [Configure A System To Use An Existing Authentication Service For User And Group Information]
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2019/05/25 23:50] (current)
Line 3: Line 3:
 **General Information** **General Information**
  
-Configuring a client to connect to an existing LDAP server. +Configuring a client to connect to an existing LDAP server.\\ 
 +In order to test this, you will need to [[http://www.unixmen.com/configure-freeipa-server-centos-7/|setup a FreeIPA server]] for the client to authenticate to.
  
 ---- ----
  
-====== Ways to Configure ======+===== Ways to Configure =====
  
   * authconfig => command line utility that you have to specify all command line options when joining the domain   * authconfig => command line utility that you have to specify all command line options when joining the domain
 +    * The preferred method to learn.
   * authconfig-tui => menu drive text user interface, select options from a list   * authconfig-tui => menu drive text user interface, select options from a list
 +    * This method is "technically" deprecated, but will still work.
   * authconfig-gtk => GUI utility for domain authentication setup   * authconfig-gtk => GUI utility for domain authentication setup
 +    * **Do not expect to be able to use a GUI on the exam**.
  
 Two different back-end authentication daemons can be used: Two different back-end authentication daemons can be used:
   * sssd => System Security Services Daemon   * sssd => System Security Services Daemon
-    * This is the preferred/newer daemon+    * This is the preferred/newer daemon. Learn using sssd.
   * nslcd => Name Service LDAP Connection Daemon   * nslcd => Name Service LDAP Connection Daemon
     * This is the legacy daemon     * This is the legacy daemon
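Review bot: The new "setup a FreeIPA server" pointer in the General Information hunk links to an http:// third-party tutorial; prefer the project's own documentation at https://www.freeipa.org, and make clear that the page deliberately joins the client as a plain LDAP + StartTLS client of the IPA directory (the normal FreeIPA enrollment is ipa-client-install with Kerberos), because every later step about the CA certificate only matters in that plain-LDAP mode. The added bullet "Learn using sssd" is the right emphasis: nslcd is legacy and the rest of the diff only documents the sssd path.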
Line 22: Line 26:
 ---- ----
  
-==== authconfig ====+===== authconfig =====
  
 +To get a reminder of what commands you will need, execute:<code bash>authconfig --help | grep ldap</code>
 +
 +\\
 Configuring LDAP authentication with authconfig cli and SSSD. Configuring LDAP authentication with authconfig cli and SSSD.
  
   * Install client packages<code bash>yum install sssd</code>   * Install client packages<code bash>yum install sssd</code>
-  * Setup authentication<code bash>authconfig --enableldap --enableldapauth --enableldapstarttls --ldapserver="ldap://ipa.example.com" --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update</code> +  * Setup authentication<code bash>authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update</code> 
-  * Copy the IPA CA cert to the local system<code bash>scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/</code>+    * enableldap => use ldap for identification 
 +    * enableldapauth => use ldap for authentication 
 +    * ldapserver => the fully qualified name of the IPA server 
 +    * ldapbasedn => the base of the ldap tree 
 +    * enableldapstarttls => start TLS encryption over the standard ldap port (tcp/389) 
 +    * enablemkhomedir => allow the local system to create home directories if they don't exist 
 +    * update => update system config files with these changes. (**the entire command will not do ANYTHING if you forget this option**) 
 +  * Copy the IPA CA cert to the local system(you should be given the location to get this from on the exam)<code bash>scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/</code>
   * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section<code bash>ldap_uri = ldap://ipa.example.com   * Edit /etc/sssd/sssd.conf to add "ldap_tls_reqcert = never" in the "domain/default" section<code bash>ldap_uri = ldap://ipa.example.com
 ldap_id_use_start_tls = True ldap_id_use_start_tls = True
 ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_cacertdir = /etc/openldap/cacerts
 ldap_tls_reqcert = never</code> ldap_tls_reqcert = never</code>
-    * If you do not do this, the sssd service will report ca cert trust issues.+    * If you do not do this, the sssd service will report ca cert trust issues (in the output of "systemctl status sssd -l" due to a self-signed cert). 
 +    * If you can't remember the "ldap_tls_reqcert" line: 
 +      * Look at the **man page of "sssd-ldap"**<code bash>man sssd-ldap</code> 
 +      * Search for "tls_" to view config options and the "Example" section for formatting. 
   * Restart sssd<code bash>systemctl restart sssd</code>   * Restart sssd<code bash>systemctl restart sssd</code>
   * You should now be able to authenticate as a LDAP user.   * You should now be able to authenticate as a LDAP user.
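Review bot: The added `ldap_tls_reqcert = never` line disables server certificate validation, which removes the protection that `--enableldapstarttls` and the "Copy the IPA CA cert" step were supposed to provide: with `never`, any host that can intercept tcp/389 can present an arbitrary certificate and capture the simple-bind password. The underlying cause is visible two lines earlier: `scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/` copies a PKCS#12 bundle (on a FreeIPA server that file typically also holds the CA private key and should never be distributed to clients), and a CA-certificate directory consumes PEM certificates, not .p12 files, so the copied file is never trusted and the "self-signed cert" error in `systemctl status sssd -l` appears. Suggested change: fetch the CA in PEM form (FreeIPA publishes it as /etc/ipa/ca.crt on the server and over HTTP at /ipa/config/ca.crt; `authconfig --ldaploadcacert=<URL>` downloads and rehashes it into /etc/openldap/cacerts), or set `ldap_tls_cacert = /etc/openldap/cacerts/ipa-ca.crt` in sssd.conf, and keep sssd's default `ldap_tls_reqcert = demand`. If the page wants to keep `never` as an exam shortcut, the bullet should say plainly that it is not acceptable outside a lab.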
Line 39: Line 57:
 ---- ----
  
-==== authconfig-tui ====+===== authconfig-tui =====
  
 Configuring LDAP authentication with authconfig-tui and SSSD back-end. Configuring LDAP authentication with authconfig-tui and SSSD back-end.
Line 66: Line 84:
 ---- ----
  
-==== GUI method: authconfig-gtk ====+===== GUI method: authconfig-gtk =====
  
 +**Documented for educational purposes...do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method**
 +
 +\\
 LDAP authentication via GUI setup and nslcd back-end. LDAP authentication via GUI setup and nslcd back-end.
  
Line 105: Line 126:
 ---- ----
  
-==== AutoFS and NFS Share ====+===== AutoFS and NFS Share =====
  
 Auto mounting NFS shared user home directories. Auto mounting NFS shared user home directories.
  
 +\\
 Install AutoFS and NFS utils Install AutoFS and NFS utils
 <code bash> <code bash>
Line 115: Line 137:
  
 \\ \\
-Create a new Master autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config+Create a new Master Map autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config
 <code bash> <code bash>
 vim /etc/auto.master.d/home.autofs vim /etc/auto.master.d/home.autofs
  
 +# For sub directories of /home/users, look at /etc/auto.home for mappings
 /home/users /etc/auto.home /home/users /etc/auto.home
 </code> </code>
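Review bot: The master map `/home/users /etc/auto.home` interacts with `--enablemkhomedir` from the authconfig hunk and the page does not say how: pam_mkhomedir/oddjob cannot create a directory inside an autofs indirect mount point, so a user whose LDAP homeDirectory is under /home/users logs in successfully only if that directory already exists on the NFS export. Add a bullet stating that the export, not the client, must contain the per-user directory, and that homeDirectory attributes must point under /home/users for the map to be triggered at all.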
Line 124: Line 147:
  
 \\ \\
-Configure the new autofs indirect mount file+Configure the new autofs indirect mappings mount file
 <code bash> <code bash>
 vim /etc/auto.home vim /etc/auto.home
  
 +# For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/&
 *  -rw  myserver.com:/nfsshare/& *  -rw  myserver.com:/nfsshare/&
 </code> </code>
-  * The "&" is replaced by the key in the first column (*) +  * "*" is assigned the directory that is accessed. If someone tried to access "/home/users/luke"the "*" value is "luke"
-  * "*" is assigned the value that triggered access. If someone tried to access /home/users/luke, then "luke" will be the value of the key in the first column ("*")+  * The "&" in the remote server line is replaced by the key in the first column (*). So if someone accesses "/home/users/luke", the remote system (myserver.comgets an access attempt to "/nfsshare/luke"
  
 \\ \\
 Ensure autofs is started and enabled at boot Ensure autofs is started and enabled at boot
 <code bash> <code bash>
-systemctl start autofs && systemctl enable autofs +systemctl start autofs 
-</code> +systemctl enable autofs
- +
-\\ +
-Configure sshd to allow ldap logins and restart sshd +
-<code bash> +
-vim /etc/pam.d/sshd +
- +
-auth  sufficient  pam_ldap.so +
-auth  sufficient  pam_permit.so +
- +
-systemctl restart sshd+
 </code> </code>
  
 ---- ----
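Review bot: Dropping the /etc/pam.d/sshd block is correct and the reason deserves a sentence in the text: `auth sufficient pam_permit.so` always succeeds, and as a `sufficient` entry it can end the auth phase successfully before any password module runs, so depending on placement it lets any known account through sshd without a password. It is also unnecessary, because `authconfig --update` already writes pam_sss into system-auth/password-auth, which /etc/pam.d/sshd includes, and PAM configuration is read per authentication, so the `systemctl restart sshd` was never needed either. In its place, a verification step would help: `getent passwd <ldapuser>` and `id <ldapuser>` confirm identity lookup through sssd before attempting an ssh login. Splitting `systemctl start autofs` and `systemctl enable autofs` onto two lines is fine; `systemctl enable --now autofs` does the same in one command.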
  
  • Last modified: 2019/05/25 23:50