Configure A System To Use An Existing Authentication Service For User And Group Information

General Information

Configuring a client to authenticate against an existing LDAP server.
To test this, you will need to set up a FreeIPA server for the client to authenticate to.


Ways to Configure

  • authconfig ⇒ command-line utility; every option has to be given on the command line when joining the domain
  • authconfig-tui ⇒ menu-driven text user interface; options are selected from a list
  • authconfig-gtk ⇒ GUI utility for domain authentication setup
    • Do not expect to be able to use a GUI on the exam.

Two different back-end authentication daemons can be used:

  • sssd ⇒ System Security Services Daemon
    • This is the preferred/newer daemon
  • nslcd ⇒ Name Service LDAP Connection Daemon
    • This is the legacy daemon
    • Requires the force-legacy flag to be set in /etc/sysconfig/authconfig:
      FORCELEGACY=yes

Configuring LDAP authentication with the authconfig CLI and the SSSD back-end.

  • Install client packages
    yum install sssd
  • Setup authentication
    authconfig --enableldap --enableldapauth --enableldapstarttls --ldapserver="ldap://ipa.example.com" --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
  • Copy the IPA CA cert to the local system
    scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
  • Edit /etc/sssd/sssd.conf to add “ldap_tls_reqcert = never” in the “domain/default” section
    ldap_uri = ldap://ipa.example.com
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_reqcert = never
    • If you do not do this, the sssd service will report CA certificate trust errors. Note that “never” switches off verification of the server certificate altogether.
  • Restart sssd
    systemctl restart sssd
  • You should now be able to authenticate as an LDAP user.

Configuring LDAP authentication with authconfig-tui and the SSSD back-end.

  • Install client packages
    yum install sssd
  • Launch authconfig-tui
    authconfig-tui
    • Authentication Configuration box
      • User Information: Select (space bar) “Use LDAP”
      • Authentication: Select “Use LDAP Authentication”
      • Do not unselect any defaults; Next when done
    • LDAP Settings
      • Select “Use TLS”
      • Base DN: dc=example,dc=com
      • Ok when done, Ok on the warning screen about copying the CA Cert.
  • Copy the IPA CA cert to the local system
    scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
  • Enable auto creation of home directories
    authconfig --update --enablemkhomedir
  • Edit /etc/sssd/sssd.conf to add “ldap_tls_reqcert = never” in the “domain/default” section
    ldap_uri = ldap://ipa.example.com
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_reqcert = never
    • If you do not do this, the sssd service will report CA certificate trust errors. Note that “never” switches off verification of the server certificate altogether.
  • Restart sssd
    systemctl restart sssd
  • You should now be able to authenticate as an LDAP user.

LDAP authentication via the GUI and the nslcd back-end.

Install authconfig gui

yum -y install authconfig-gtk

Open the GUI app

  • Applications > Sundry > Authentication
  • On the “Identity & Authentication” tab:
    • User Account Database: Select LDAP from the drop-down
    • This displays a prompt for an extra required package, “nss-pam-ldapd”
    • Click the “Install” button to install it, or close the app and install from a terminal. A second package, “pam_krb5”, is also required:
      yum install -y nss-pam-ldapd
      yum install -y pam_krb5
    • Note: After installing “nss-pam-ldapd”, reopen the Authentication app. It will prompt for the next required package, “pam_krb5”. Install that as well.
  • Identity & Authentication tab
  • Advanced Options tab
    • Other Authentication Options: Check “Create home directories on the first login”
  • Password Options tab
    • Change any password property requirements
  • Click Apply
  • Edit /etc/nslcd.conf and add
    tls_reqcert never
  • Restart nslcd
    systemctl restart nslcd
  • Authentication via LDAP will now work.
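All three procedures above finish by setting the certificate-check option to “never” (ldap_tls_reqcert in /etc/sssd/sssd.conf, tls_reqcert in /etc/nslcd.conf), which makes the client accept whatever certificate the LDAP server presents, so StartTLS no longer protects against a spoofed server on the path to ipa.example.com. The following shell script is an added example, not code from this wiki page: it audits that setting in both file formats and prints a hardened copy with “demand”. It assumes the spaced “key = value” / “key value” layout shown above, and the two config files it reads are constructed here to mirror the page's settings.

```shell
#!/bin/sh
# Added example, not code from the wiki page: audit the "reqcert" setting that the
# sssd and nslcd steps set to "never", and print a hardened copy of the file.
# Assumptions: sssd keeps ldap_tls_reqcert in the [domain/default] section and
# nslcd keeps tls_reqcert as "keyword value", both written with spaces as on the
# page. "never" and "allow" skip server-certificate verification; "demand"/"hard"
# enforce it. The two config files below are constructed for this example.

# reqcert_value FILE FORMAT -> prints the configured value (empty if unset);
# FORMAT is "sssd" or "nslcd".
reqcert_value() {
    awk -v fmt="$2" '
    fmt == "sssd" && /^ *\[/ { in_dom = ($0 ~ /^ *\[domain\/default\]/); next }
    (fmt == "sssd" && in_dom && $1 == "ldap_tls_reqcert") ||
    (fmt == "nslcd" && $1 == "tls_reqcert")                 { print $NF; exit }
    ' "$1"
}

# reqcert_status FILE FORMAT -> "weak" when verification is off, "ok" when it is
# enforced, "review" for "try" or an unset value (the library default then applies).
reqcert_status() {
    case "$(reqcert_value "$1" "$2")" in
        never|allow) echo weak ;;    # any server presenting any certificate is accepted
        demand|hard) echo ok ;;
        *)           echo review ;;
    esac
}

# reqcert_harden FILE FORMAT -> prints FILE with never/allow replaced by demand,
# leaving every other line (including the TLS and CA settings) untouched.
reqcert_harden() {
    awk -v fmt="$2" '
    fmt == "sssd" && /^ *\[/ { in_dom = ($0 ~ /^ *\[domain\/default\]/) }
    (fmt == "sssd" && in_dom && $1 == "ldap_tls_reqcert") ||
    (fmt == "nslcd" && $1 == "tls_reqcert") {
        if ($NF == "never" || $NF == "allow") $NF = "demand"
    }
    { print }
    ' "$1"
}

# Constructed sample files mirroring the settings shown on the page.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
EOF
cat > "$WORK/nslcd.conf" <<'EOF'
uri ldap://ipa.example.com
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_reqcert never
EOF

# Report the current value and its risk rating for both constructed files.
for fmt in sssd nslcd; do
    printf '%s: reqcert=%s (%s)\n' "$fmt" \
        "$(reqcert_value "$WORK/$fmt.conf" "$fmt")" \
        "$(reqcert_status "$WORK/$fmt.conf" "$fmt")"
done
# Show only the line the hardening changes in the sssd copy.
reqcert_harden "$WORK/sssd.conf" sssd | grep ldap_tls_reqcert    # ldap_tls_reqcert = demand
```

Switching to “demand” only works once the CA certificate is in a form the lookup can use: a PEM copy of the IPA CA certificate in /etc/openldap/cacerts followed by cacertdir_rehash /etc/openldap/cacerts, or ldap_tls_cacert (sssd) / tls_cacertfile (nslcd) pointing at the PEM file directly. The PKCS#12 bundle copied in the steps above is not what the cacerts directory lookup reads, which is the trust error that the “never” setting papers over.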

Auto-mounting NFS-shared user home directories.

Install AutoFS and NFS utils

yum -y install autofs nfs-utils


Create a new master autofs file in /etc/auto.master.d/ that points at the /etc/auto.home map

vim /etc/auto.master.d/home.autofs
 
/home/users /etc/auto.home
  • In EL7, the “/etc/auto.master” file is part of the RPM; any update to the autofs package could overwrite changes you make, so it is recommended to create your own master map file under /etc/auto.master.d/. The name does not matter, as long as it ends in “.autofs”.


Configure the new autofs indirect map file

vim /etc/auto.home
 
*  -rw  myserver.com:/nfsshare/&
  • The “&” is replaced by the key in the first column (“*”)
  • “*” matches whatever name triggered the access. If someone accesses /home/users/luke, “luke” becomes the value of the key (“*”), so the mount comes from myserver.com:/nfsshare/luke.
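To make the key substitution concrete, here is an added shell example (not from the wiki page) that resolves a path below the /home/users mount point through constructed stand-ins for the master map and /etc/auto.home. It goes one step beyond the page by also handling a literal key next to the “*” wildcard, which autofs prefers over the wildcard; the map files, the export names and the “shared” key are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the wiki page: resolve a path below an autofs indirect
# mount to the export it would trigger, showing how the "*" key and "&" substitution
# behave. Assumptions: the sun map format as shown on the page (key, options,
# location); a literal key wins over "*"; "&" in the location is replaced by the key.
# The master map and the /etc/auto.home stand-in below are constructed for this example.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/auto.home" <<'EOF'
# constructed map: a literal key first, then the wildcard entry from the page
shared  -ro  myserver.com:/nfsshare/common
*       -rw  myserver.com:/nfsshare/&
EOF
# stand-in for /etc/auto.master.d/home.autofs, pointing at the map above
printf '/home/users %s\n' "$WORK/auto.home" > "$WORK/home.autofs"

# autofs_lookup MAP KEY MNT -> prints "MNT/KEY options location" with & expanded;
# exits 1 if neither a literal entry nor a "*" entry matches.
autofs_lookup() {
    awk -v key="$2" -v mnt="$3" '
    function emit(opts, loc) { gsub(/&/, key, loc); print mnt "/" key, opts, loc; found = 1 }
    NF == 0 || $1 ~ /^#/ { next }                      # blank lines and comments
    $1 == key            { emit($2, $3); exit }        # literal key: use it and stop
    $1 == "*"            { wopts = $2; wloc = $3; wild = 1 }   # remember the wildcard
    END { if (!found && wild) emit(wopts, wloc); if (!found) exit 1 }
    ' "$1"
}

# autofs_resolve MASTER PATH -> resolves PATH through the first master entry that
# is a prefix of it; the key is the first path component below the mount point.
autofs_resolve() {
    while read -r mnt map; do
        case "$mnt" in ''|'#'*) continue ;; esac
        case "$2" in
            "$mnt"/*)
                key=${2#"$mnt"/}; key=${key%%/*}
                autofs_lookup "$map" "$key" "$mnt"; return $? ;;
        esac
    done < "$1"
    return 1
}

autofs_resolve "$WORK/home.autofs" /home/users/luke      # /home/users/luke -rw myserver.com:/nfsshare/luke
autofs_resolve "$WORK/home.autofs" /home/users/shared    # /home/users/shared -ro myserver.com:/nfsshare/common
autofs_resolve "$WORK/home.autofs" /opt/tools || echo "no autofs entry for /opt/tools"
```

Anything deeper than the first component (for example /home/users/luke/.ssh) still resolves to the luke export, because autofs only keys on the directory directly below the mount point.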


Ensure autofs is started and enabled at boot

systemctl start autofs && systemctl enable autofs


Configure sshd to allow LDAP logins and restart sshd

vim /etc/pam.d/sshd
 
auth  sufficient  pam_ldap.so
auth  sufficient  pam_permit.so
 
systemctl restart sshd
  • Note: pam_permit.so always returns success. Marked “sufficient” in the auth stack, it makes PAM return success as soon as it is reached (unless an earlier “required” module has already failed), so a password that pam_ldap.so rejects can still be accepted. Leave it out of anything other than a lab system.
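Because pam_permit.so succeeds unconditionally, where a “sufficient” entry for it sits in the stack decides whether a rejected password still gets through. The following shell script is an added example, not code from the wiki page: it simulates the Linux-PAM auth control flags on two constructed stacks, one with the two lines above placed at the top of /etc/pam.d/sshd (an assumed placement, since the page does not say where they go) and one without pam_permit.so, for a caller whose password every real module rejects.

```shell
#!/bin/sh
# Added example, not code from the wiki page: a small simulator of Linux-PAM "auth"
# control flags. Assumptions: only required, requisite, sufficient and optional are
# modelled (include/substack lines are ignored); pam_permit.so always succeeds; any
# other module succeeds only if named in the OK list, otherwise it fails, which
# simulates a wrong password. The stack files are constructed for this example.

# pam_auth_sim FILE "OK MODULES" -> prints success or failure for a caller for whom
# only the listed modules (plus pam_permit.so) would succeed.
pam_auth_sim() {
    awk -v ok_modules="pam_permit.so $2" '
    BEGIN {
        n = split(ok_modules, a, " ")
        for (i = 1; i <= n; i++) okset[a[i]] = 1
        failed = 0; succeeded = 0; result = ""
    }
    $1 != "auth" || result != "" { next }   # other stacks, comments, or already decided
    {
        control = $2; module = $3; ok = (module in okset)
        if (control == "requisite" && !ok)                  result = "failure"  # stop now
        else if (control == "sufficient" && ok && !failed)  result = "success"  # stop now
        else if (control == "required" && !ok)              failed = 1          # remember, keep going
        else if (ok && control != "optional")               succeeded = 1
    }
    END { print (result != "" ? result : (!failed && succeeded ? "success" : "failure")) }
    ' "$1"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Constructed: the page's two lines placed at the top, ahead of the usual pam_unix check.
cat > "$WORK/sshd.with_permit" <<'EOF'
auth  sufficient  pam_ldap.so
auth  sufficient  pam_permit.so
auth  required    pam_unix.so
EOF
# Constructed: the same stack without pam_permit.so; LDAP first, local accounts fall through.
cat > "$WORK/sshd.without_permit" <<'EOF'
auth  sufficient  pam_ldap.so
auth  required    pam_unix.so
EOF

printf 'with pam_permit,    wrong password:  %s\n' "$(pam_auth_sim "$WORK/sshd.with_permit" "")"
printf 'without pam_permit, wrong password:  %s\n' "$(pam_auth_sim "$WORK/sshd.without_permit" "")"
printf 'without pam_permit, valid LDAP user: %s\n' "$(pam_auth_sim "$WORK/sshd.without_permit" pam_ldap.so)"
```

The first line prints success even though pam_ldap.so and pam_unix.so both rejected the password: the stack never gets as far as pam_unix.so. Without pam_permit.so the same caller is refused, while a valid LDAP user or a valid local user is still accepted.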

Last modified: 2019/05/25 23:50