Configure A System To Use An Existing Authentication Service For User And Group Information
General Information
Configuring a client to connect to an existing LDAP server.
In order to test this, you will need to set up a FreeIPA server for the client to authenticate to.
Ways to Configure
- authconfig ⇒ command line utility; every setting must be given as a command line option when joining the domain
- authconfig-tui ⇒ menu-driven text user interface; select options from a list
- authconfig-gtk ⇒ GUI utility for domain authentication setup
- Do not expect to be able to use a GUI on the exam.
Two different back-end authentication daemons can be used:
- sssd ⇒ System Security Services Daemon
- This is the preferred, newer daemon
- nslcd ⇒ Name Service LDAP Connection Daemon
- This is the legacy daemon
- Requires that force-legacy mode is set in /etc/sysconfig/authconfig (authconfig --enableforcelegacy sets it for you):
FORCELEGACY=yes
authconfig
To get a reminder of which options you will need, execute:
authconfig --help | grep ldap
Configuring LDAP authentication with the authconfig CLI and the SSSD back-end.
- Install client packages
yum install sssd
- Set up authentication
authconfig --enableldap --enableldapauth --enableldapstarttls --ldapserver="ldap://ipa.example.com" --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
- Copy the IPA CA certificate to the local system
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
- Note that /etc/openldap/cacerts is read as a hashed directory of PEM certificates. A PKCS#12 bundle such as cacert.p12 is not recognised there, which is why SSSD goes on to report CA trust errors: it never finds a usable CA. Convert the bundle to PEM with openssl pkcs12 -nokeys and run cacertdir_rehash on the directory (or let authconfig --ldaploadcacert=<URL> fetch a PEM copy and rehash for you; on the IPA server the PEM CA is at /etc/ipa/ca.crt), and the trust error goes away with verification intact.
- Check the TLS settings in the “domain/default” section of /etc/sssd/sssd.conf. They should look like this, with ldap_tls_reqcert left at its default of demand:
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
- The quick fix of setting “ldap_tls_reqcert = never” does silence the trust error, but only by turning server certificate verification off: any host that can intercept the connection can then impersonate the LDAP server and collect every password the client binds with. Treat it as a short-lived diagnostic, never as the configuration you leave behind.
- Restart sssd
systemctl restart sssd
- You should now be able to authenticate as an LDAP user; getent passwd and id for a directory user are the quickest checks that identity lookups work.
authconfig-tui
Configuring LDAP authentication with authconfig-tui and SSSD back-end.
- Install client packages
yum install sssd
- Launch authconfig-tui
authconfig-tui
- Authentication Configuration box
- User Information: Select (space bar) “Use LDAP”
- Authentication: Select “Use LDAP Authentication”
- Do not unselect any defaults; Next when done
- LDAP Settings
- Select “Use TLS”
- Server: ldap://ipa.example.com
- Base DN: dc=example,dc=com
- Ok when done, Ok on the warning screen about copying the CA Cert.
- Copy the IPA CA certificate to the local system
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
- Enable auto creation of home directories
authconfig --update --enablemkhomedir
- Make sure the “domain/default” section of /etc/sssd/sssd.conf carries these TLS settings. ldap_tls_reqcert defaults to demand; if you see CA trust errors, the fix is a PEM copy of the CA in a rehashed /etc/openldap/cacerts (cacert.p12 is PKCS#12 and is not read from that directory), not “ldap_tls_reqcert = never”, which switches server certificate verification off and exposes bind passwords to anyone who can intercept the connection.
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
- Restart sssd
systemctl restart sssd
- You should now be able to authenticate as an LDAP user.
GUI method: authconfig-gtk
LDAP authentication via GUI setup and nslcd back-end.
Install the authconfig GUI
yum -y install authconfig-gtk
Open the GUI app
- Applications > Sundry > Authentication
- On the “Identity & Authentication” tab:
- User Account Database: Select LDAP from the drop-down
- This displays an extra required package, “nss-pam-ldapd”
- Click the “Install” button to install it, or close the app and install from a terminal. A second package, “pam_krb5”, is required as well:
yum install -y nss-pam-ldapd
yum install -y pam_krb5
- Note: after installing “nss-pam-ldapd”, reopen the Authentication app. It will then show the next required package, “pam_krb5”; install that as well.
- Identity & Authentication tab
- User Account Database: LDAP
- LDAP Search Base DN: dc=example,dc=com
- LDAP Server: ldap://ipa.example.com
- Check “Use TLS to encrypt connections”
- Click “Download CA Certificate…”
- Enter the URL of the CA certificate, for example ftp://ipa.example.com/pub/cacert.p12. The dialog expects a PEM-encoded certificate, so a PKCS#12 bundle like this one has to be converted to PEM first or the download will not yield a usable CA.
- Click Ok
- Advanced Options tab
- Other Authentication Options: Check “Create home directories on the first login”
- Password Options tab
- Change any password property requirements
- Click Apply
- Check /etc/nslcd.conf. If you set tls_reqcert at all, it should be
tls_reqcert demand
- The common workaround “tls_reqcert never” makes the trust error disappear only because nslcd stops checking the server certificate, so a man-in-the-middle can impersonate the server and read bind passwords. Fix the CA certificate instead: nslcd, like SSSD, needs a PEM certificate in a rehashed /etc/openldap/cacerts, not a PKCS#12 bundle.
- Restart nslcd
systemctl restart nslcd
- Authentication via LDAP will now work.
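The CA trust error that the SSSD and nslcd procedures above run into is almost always a certificate the daemon cannot read (a PKCS#12 bundle where libldap expects hashed PEM files), and switching the check off with a never setting is the wrong fix. The following shell script is an added example and not part of the original page: it installs the CA in the form libldap expects and then checks or repairs the certificate-check directive in either sssd.conf or nslcd.conf. It assumes the CA arrives as a PKCS#12 bundle like /root/cacert.p12 exported with an empty password (hypothetical), that openssl and authconfig's cacertdir_rehash are installed, and the /etc/openldap/cacerts directory used throughout the page.

```shell
#!/bin/sh
# Added example, not code from the original page: fix the CA trust error properly
# instead of setting ldap_tls_reqcert (SSSD) or tls_reqcert (nslcd) to "never".
# Assumptions: the CA arrives as a PKCS#12 bundle such as /root/cacert.p12 exported
# with an empty password (hypothetical); openssl and cacertdir_rehash (from the
# authconfig package) are installed; the daemon config is sssd.conf or nslcd.conf.

CACERT_DIR=/etc/openldap/cacerts

# install_ca_pem P12 [DIR]: extract the certificate(s) from a PKCS#12 bundle as PEM
# into the cacert directory and rebuild the hash links libldap looks up. Without the
# PEM copy and the rehash the daemon never finds a CA, which is the real cause of the
# "trust" error the page works around.
install_ca_pem() {
    p12=$1
    dir=${2:-$CACERT_DIR}
    mkdir -p "$dir"
    # -nokeys: certificates only, never a private key; -passin pass: assumes an
    # empty export password (replace with the real one)
    openssl pkcs12 -in "$p12" -nokeys -passin pass: -out "$dir/ipa-ca.pem" || return 1
    chmod 0644 "$dir/ipa-ca.pem"
    cacertdir_rehash "$dir"
}

# reqcert_setting FILE: print the certificate-check setting found in an sssd.conf
# ("ldap_tls_reqcert = X") or nslcd.conf ("tls_reqcert X"); prints nothing if unset.
# Comment lines do not match because the pattern is anchored at the line start.
reqcert_setting() {
    sed -n -E 's/^[[:space:]]*(ldap_)?tls_reqcert[[:space:]]*=?[[:space:]]*([A-Za-z]+).*$/\2/p' "$1" | tail -n 1
}

# cert_check_enforced FILE: exit 0 when the daemon will verify the server certificate
# (unset means the default, demand; demand or hard), 1 when verification is disabled
# or weakened (never, allow, try).
cert_check_enforced() {
    case "$(reqcert_setting "$1" | tr 'A-Z' 'a-z')" in
        ''|demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# enforce_cert_check FILE: rewrite a weakened (ldap_)tls_reqcert line back to demand,
# keeping the directive's own spelling and any trailing text.
enforce_cert_check() {
    sed -i -E 's/^([[:space:]]*(ldap_)?tls_reqcert[[:space:]]*=?[[:space:]]*)(never|allow|try)([[:space:]].*)?$/\1demand\4/' "$1"
}

# verify_ldap_user USER: after restarting the daemon, confirm the directory is really
# consulted for identity and group data (the check the page's last step leaves implicit).
verify_ldap_user() {
    getent passwd "$1" && id "$1"
}

# Usage: sh harden-ldap-tls.sh /root/cacert.p12 /etc/sssd/sssd.conf
if [ "$#" -eq 2 ]; then
    install_ca_pem "$1" && enforce_cert_check "$2" && cert_check_enforced "$2" \
        && echo "server certificate verification enforced in $2"
fi
```

Run it with the bundle and the daemon config as arguments, restart sssd or nslcd, then call verify_ldap_user with a directory account. If the trust error persists after the rehash, the bundle did not contain the issuing CA, and the answer is to fetch the PEM CA from the IPA server rather than to weaken the check.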
AutoFS and NFS Share
Auto mounting NFS shared user home directories.
Install AutoFS and NFS utils
yum -y install autofs nfs-utils
Create a new Master autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config
vim /etc/auto.master.d/home.autofs
/home/users /etc/auto.home
- In EL7 the “/etc/auto.master” file belongs to the autofs RPM and a package update could overwrite changes made to it, so create your own master map file under /etc/auto.master.d/ instead. The name does not matter as long as it ends in “.autofs”.
Configure the new autofs indirect mount file
vim /etc/auto.home
* -rw myserver.com:/nfsshare/&
- The “&” is replaced by the key matched in the first column (“*”)
- “*” is a wildcard key that takes the value of whatever path was accessed. If someone accesses /home/users/luke, the key is “luke”, so /home/users/luke is mounted from myserver.com:/nfsshare/luke
Ensure autofs is started and enabled at boot
systemctl start autofs && systemctl enable autofs
Allow LDAP logins over ssh
- No change to /etc/pam.d/sshd is needed: sshd pulls in /etc/pam.d/password-auth through “auth substack password-auth”, and authconfig already added pam_sss.so (or pam_ldap.so for the nslcd back-end) to that stack when LDAP authentication was enabled. Check that pam_sss.so or pam_ldap.so appears among the auth lines of /etc/pam.d/password-auth and that sshd_config still has UsePAM yes and PasswordAuthentication yes.
- Do not add “auth sufficient pam_permit.so” to /etc/pam.d/sshd. pam_permit always succeeds, so as a sufficient auth module placed ahead of the password check it ends the stack with success and lets any account in with any password.
- If you did change /etc/pam.d/sshd, restart sshd afterwards
systemctl restart sshd
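To check a PAM service file for the pam_permit bypass and for the presence of an LDAP auth module before you rely on ssh logins, here is an added example that is not part of the original page. The PAM lines it is tested against are constructed to resemble what authconfig writes on EL7; the only real paths it assumes are the standard /etc/pam.d service files.

```shell
#!/bin/sh
# Added example, not part of the original page: audit PAM service files for the two
# things that matter for LDAP logins over ssh. Constructed sample content lives in
# the accompanying checks; the script itself only reads the files it is given.

# pam_auth_lines FILE: print the "auth" lines of a PAM service file with comments and
# blank lines stripped, as "control module [args]".
pam_auth_lines() {
    sed -e 's/#.*//' "$1" | awk '$1 == "auth" { $1 = ""; sub(/^ +/, ""); print }'
}

# pam_permit_bypass FILE: exit 0 (found) if an auth line uses pam_permit.so with the
# "sufficient" control. Such a line returns success to sshd without any credential
# check unless a required module earlier in the stack has already failed.
pam_permit_bypass() {
    pam_auth_lines "$1" | awk '$1 == "sufficient" && $2 ~ /(^|\/)pam_permit\.so$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# ldap_auth_wired FILE: exit 0 if pam_sss.so (SSSD) or pam_ldap.so (nslcd) is in the
# auth stack, i.e. directory passwords are actually consulted.
ldap_auth_wired() {
    pam_auth_lines "$1" | awk '$2 ~ /(^|\/)pam_(sss|ldap)\.so$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# audit_pam_service FILE: print a verdict; exit 1 when a bypass is present.
audit_pam_service() {
    if pam_permit_bypass "$1"; then
        echo "$1: auth sufficient pam_permit.so present - password check can be bypassed"
        return 1
    fi
    if ldap_auth_wired "$1"; then
        echo "$1: LDAP auth module present"
    else
        echo "$1: no pam_sss.so or pam_ldap.so in the auth stack - LDAP logins will fail"
    fi
}

# Usage: sh audit-pam.sh /etc/pam.d/sshd /etc/pam.d/password-auth
if [ "$#" -ge 1 ]; then
    for f in "$@"; do audit_pam_service "$f"; done
fi
```

Run it against both /etc/pam.d/sshd and /etc/pam.d/password-auth: the LDAP module normally shows up only in password-auth, which is what sshd includes, while the bypass check matters for any file in the chain.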