linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information

Differences

This shows you the differences between two versions of the page.

linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2016/03/05 17:02]
billdozor [Ways to Configure]
linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information [2019/05/25 23:50] (current)
Line 4: Line 4:
  
 Configuring a client to connect to an existing LDAP server.\\ Configuring a client to connect to an existing LDAP server.\\
-In order to test this, you will need to setup a FreeIPA server for the client to authenticate to.+In order to test this, you will need to [[http://www.unixmen.com/configure-freeipa-server-centos-7/|setup a FreeIPA server]] for the client to authenticate to.
  
 ---- ----
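Review bot: the added link points at a third-party howto over plain http://, and the sentence still frames this as "connect to an existing LDAP server" while the target is a FreeIPA server; the page should say explicitly that the client steps that follow use SSSD's generic LDAP provider, not FreeIPA's own client enrollment (ipa-client-install, which sets up Kerberos), so readers do not expect the two paths to produce the same configuration.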
Line 34: Line 34:
  
   * Install client packages<code bash>yum install sssd</code>   * Install client packages<code bash>yum install sssd</code>
-  * Setup authentication<code bash>authconfig --enableldap --enableldapauth --enableldapstarttls --ldapserver="ldap://ipa.example.com" --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update</code>+  * Setup authentication<code bash>authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update</code>
     * enableldap => use ldap for identification     * enableldap => use ldap for identification
     * enableldapauth => use ldap for authentication     * enableldapauth => use ldap for authentication
-    * enableldapstarttls => start TLS encryption over the standard ldap port (tcp/389) +    * ldapserver => the fully qualified name of the IPA server
-    * ldapserver => the ldap FQDN with the ldap protocol specification+
     * ldapbasedn => the base of the ldap tree     * ldapbasedn => the base of the ldap tree
 +    * enableldapstarttls => start TLS encryption over the standard ldap port (tcp/389)
     * enablemkhomedir => allow the local system to create home directories if they don't exist     * enablemkhomedir => allow the local system to create home directories if they don't exist
     * update => update system config files with these changes. (**the entire command will not do ANYTHING if you forget this option**)     * update => update system config files with these changes. (**the entire command will not do ANYTHING if you forget this option**)
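Review bot: the rewritten ldapserver bullet drops the scheme without saying what that means; a bare hostname is fine for authconfig (it ends up as ldap://ipa.example.com in ldap_uri), but --enableldapstarttls only makes sense for an ldap:// URI on tcp/389, so if someone supplies ldaps://ipa.example.com instead the STARTTLS flag is ignored and the connection goes to tcp/636. Suggest "ldapserver => the fully qualified name of the IPA server (ldap:// is assumed; use ldaps://host only if you want TLS on 636 instead of STARTTLS)". Moving the enableldapstarttls bullet to match the order on the command line is good, but that bullet should also say the flag is required rather than optional here: sssd refuses to send a password over an unencrypted LDAP connection, so --enableldapauth without STARTTLS or ldaps yields a client that can look users up but never authenticate them.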
Line 47: Line 47:
 ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_cacertdir = /etc/openldap/cacerts
 ldap_tls_reqcert = never</code> ldap_tls_reqcert = never</code>
-    * If you do not do this, the sssd service will report ca cert trust issues (in the output of "systemctl status sssd" due to a self-signed cert).+    * If you do not do this, the sssd service will report ca cert trust issues (in the output of "systemctl status sssd -l" due to a self-signed cert). 
 +    * If you can't remember the "ldap_tls_reqcert" line: 
 +      * Look at the **man page of "sssd-ldap"**<code bash>man sssd-ldap</code> 
 +      * Search for "tls_" to view config options and the "Example" section for formatting. 
   * Restart sssd<code bash>systemctl restart sssd</code>   * Restart sssd<code bash>systemctl restart sssd</code>
   * You should now be able to authenticate as a LDAP user.   * You should now be able to authenticate as a LDAP user.
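Review bot: ldap_tls_reqcert = never disables server certificate verification, so the STARTTLS session enabled in the previous step no longer authenticates the server, and anything that can intercept tcp/389 between client and IPA server can present its own certificate and collect every user's password as they log in; the added troubleshooting hints (the -l flag, man sssd-ldap) only make that setting easier to reproduce. The error the bullet attributes to a "self-signed cert" is really a server certificate issued by the IPA CA, which the client has not been told to trust. The fix is to trust that CA rather than skip verification: copy /etc/ipa/ca.crt from the IPA server into /etc/openldap/cacerts/ on the client and use
ldap_tls_cacert = /etc/openldap/cacerts/ipa-ca.crt
ldap_tls_reqcert = demand
(demand is also sssd's default, so the second line can be dropped once the CA is in place). Pointing ldap_tls_cacert at the file directly also avoids the hashed-symlink requirement that ldap_tls_cacertdir has. If the never setting is kept for a throwaway lab, the text should label it as such and say it must not be carried into real use.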
Line 133: Line 137:
  
 \\ \\
-Create a new Master autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config+Create a new Master Map autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config
 <code bash> <code bash>
 vim /etc/auto.master.d/home.autofs vim /etc/auto.master.d/home.autofs
  
 +# For sub directories of /home/users, look at /etc/auto.home for mappings
 /home/users /etc/auto.home /home/users /etc/auto.home
 </code> </code>
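Review bot: the new comment line explains the mapping but not why the file name matters; the file is only read because the default auto.master contains a "+dir:/etc/auto.master.d" line, which picks up files ending in .autofs, so the comment (or the sentence above the block) should say the .autofs suffix is required and that a file saved as /etc/auto.master.d/home would be silently ignored.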
Line 142: Line 147:
  
 \\ \\
-Configure the new autofs indirect mount file+Configure the new autofs indirect mappings mount file
 <code bash> <code bash>
 vim /etc/auto.home vim /etc/auto.home
  
 +# For any sub directory ("*"), mount read/write from myserver.com:/nfsshare/&
 *  -rw  myserver.com:/nfsshare/& *  -rw  myserver.com:/nfsshare/&
 </code> </code>
-  * The "&" is replaced by the key in the first column (*) +  * "*" is assigned the directory that is accessed. If someone tried to access "/home/users/luke"the "*" value is "luke"
-  * "*" is assigned the value that triggered access. If someone tried to access /home/users/luke, then "luke" will be the value of the key in the first column ("*")+  * The "&" in the remote server line is replaced by the key in the first column (*). So if someone accesses "/home/users/luke", the remote system (myserver.comgets an access attempt to "/nfsshare/luke"
  
 \\ \\
 Ensure autofs is started and enabled at boot Ensure autofs is started and enabled at boot
 <code bash> <code bash>
-systemctl start autofs && systemctl enable autofs+systemctl start autofs 
 +systemctl enable autofs
 </code> </code>
  
 ---- ----
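Review bot: the rewritten explanation of "*" and "&" is correct, but both new bullets have words run together ("luke"the, "myserver.comgets") and need the spaces restored. Two points the map itself should carry: first, with this indirect map /home/users/luke mounts from myserver.com:/nfsshare/luke only if that directory already exists on the export, and pam_mkhomedir from the --enablemkhomedir step earlier on the page cannot create directories under an autofs-managed mount point, so the text should say that NFS home directories must be pre-created on the server; second, -rw is the only option given, so setuid binaries or device files placed in a user's home on the NFS server are honored on every client that mounts it. The usual options for a user-writable NFS mount are
*  -rw,nosuid,nodev  myserver.com:/nfsshare/&
and the explanation bullets could note why. Splitting the start and enable commands onto two lines is fine.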
  
  • Last modified: 2019/05/25 23:50