Configure A System To Use An Existing Authentication Service For User And Group Information
General Information
Configuring a client to connect to an existing LDAP server.
In order to test this, you will need to set up a FreeIPA server for the client to authenticate to.
Ways to Configure
- authconfig ⇒ command-line utility; every option has to be specified on the command line when joining the domain
- The preferred method to learn.
- authconfig-tui ⇒ menu-driven text user interface; select options from a list
- This method is “technically” deprecated, but will still work.
- authconfig-gtk ⇒ GUI utility for domain authentication setup
- Do not expect to be able to use a GUI on the exam.
Two different back-end authentication daemons can be used:
- sssd ⇒ System Security Services Daemon
- This is the preferred/newer daemon. Learn using sssd.
- nslcd ⇒ Name Service LDAP Connection Daemon
- This is the legacy daemon
- Requires FORCELEGACY=yes to be set in /etc/sysconfig/authconfig
FORCELEGACY=yes
authconfig
To get a reminder of what commands you will need, execute:
authconfig --help | grep ldap
Configuring LDAP authentication with authconfig cli and SSSD.
- Install client packages
yum install sssd
- Setup authentication
authconfig --enableldap --enableldapauth --ldapserver="ipa.example.com" --ldapbasedn="dc=example,dc=com" --enableldapstarttls --enablemkhomedir --update
- enableldap ⇒ use ldap for identification
- enableldapauth ⇒ use ldap for authentication
- ldapserver ⇒ the fully qualified name of the IPA server
- ldapbasedn ⇒ the base of the ldap tree
- enableldapstarttls ⇒ start TLS encryption over the standard ldap port (tcp/389)
- enablemkhomedir ⇒ allow the local system to create home directories if they don't exist
- update ⇒ update system config files with these changes. (the entire command will not do ANYTHING if you forget this option)
- Copy the IPA CA cert to the local system (you should be given the location to get this from on the exam)
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
- Caveat: a .p12 file is a PKCS#12 bundle, not the hashed PEM certificate that ldap_tls_cacertdir looks for, so this copy does not by itself make the server certificate trusted; the connection succeeds only because of the ldap_tls_reqcert = never setting in the next step. On a FreeIPA server, /root/cacert.p12 is the backup of the CA certificate together with its private key and should not be handed out to clients; the public CA certificate is /etc/ipa/ca.crt.
- Edit /etc/sssd/sssd.conf and add “ldap_tls_reqcert = never” to the “[domain/default]” section, so that it contains:
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
- If you do not do this, the sssd service will report CA cert trust issues in the output of “systemctl status sssd -l”, because the IPA certificate is self-signed from the client's point of view.
- Security caveat: “never” tells SSSD to accept any server certificate. The session is still encrypted, but the server is not authenticated, so anyone who can redirect the client's LDAP traffic can impersonate the IPA server and collect passwords. Acceptable as an exam shortcut; in production point ldap_tls_cacert at the IPA CA certificate and leave ldap_tls_reqcert at its default, demand.
- If you can't remember the “ldap_tls_reqcert” line:
- Look at the man page of “sssd-ldap”
man sssd-ldap
- Search for “tls_” to view config options and the “Example” section for formatting.
- Restart sssd
systemctl restart sssd
- You should now be able to authenticate as an LDAP user.
authconfig-tui
Configuring LDAP authentication with authconfig-tui and SSSD back-end.
- Install client packages
yum install sssd
- Launch authconfig-tui
authconfig-tui
- Authentication Configuration box
- User Information: Select(space-bar) “Use LDAP”
- Authentication: Select “Use LDAP Authentication”
- Do not unselect any defaults; Next when done
- LDAP Settings
- Select “Use TLS”
- Server: ldap://ipa.example.com
- Base DN: dc=example,dc=com
- Ok when done, Ok on the warning screen about copying the CA Cert.
- Copy the IPA CA cert to the local system
scp ipa.example.com:/root/cacert.p12 /etc/openldap/cacerts/
- Enable auto creation of home directories
authconfig --update --enablemkhomedir
- Edit /etc/sssd/sssd.conf and add “ldap_tls_reqcert = never” to the “[domain/default]” section, so that it contains:
ldap_uri = ldap://ipa.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
- If you do not do this, the sssd service will report CA cert trust issues. Note that “never” disables server certificate verification entirely (the session is encrypted, but the server is not authenticated), so treat it as an exam shortcut only.
- Restart sssd
systemctl restart sssd
- You should now be able to authenticate as an LDAP user.
GUI method: authconfig-gtk
Documented for educational purposes…do not expect a GUI on the exam; learn the authconfig and/or authconfig-tui method
LDAP authentication via GUI setup and nslcd back-end.
Install authconfig gui
yum -y install authconfig-gtk
Open the GUI app
- Applications > Sundry > Authentication
- On the “Identity & Authentication” tab:
- User Account Database: Select LDAP from the drop-down
- This will display an extra package that is required “nss-pam-ldapd”
- Click the “Install” button to install this package, or close the app and install it from a terminal. After “nss-pam-ldapd” is installed, reopen the Authentication app; it will then report the next required package, “pam_krb5”. Install that as well.
yum install -y nss-pam-ldapd
yum install -y pam_krb5
- Identity & Authentication tab
- User Account Database: LDAP
- LDAP Search Base DN: dc=example,dc=com
- LDAP Server: ldap://ipa.example.com
- Check “Use TLS to encrypt connections”
- Click “Download CA Certificate…”
- Enter URL of ca cert Example: ftp://ipa.example.com/pub/cacert.p12
- Click Ok
- Advanced Options tab
- Other Authentication Options: Check “Create home directories on the first login”
- Password Options tab
- Change any password property requirements
- Click Apply
- Edit /etc/nslcd.conf and add the following (as with sssd, “never” disables server certificate verification; use it only as an exam shortcut)
tls_reqcert never
- Restart nslcd
systemctl restart nslcd
- Authentication via LDAP will now work.
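The sssd.conf fragments in the authconfig and authconfig-tui sections and the nslcd.conf line in the GUI section all switch server certificate verification off. The script below is an added example, not part of the original page: it prints the SSSD domain settings in the page's exam form beside a hardened form, and audits an sssd.conf or nslcd.conf for the setting that disables verification. Assumptions not taken from the page: the hardened form expects the IPA CA certificate in PEM form at /etc/openldap/cacerts/ipa-ca.crt (the public certificate on a FreeIPA server is /etc/ipa/ca.crt); the server and base DN are the page's example values; the sample files are constructed in a scratch directory.

```sh
#!/bin/sh
# Added example, not part of the original page: generate the SSSD LDAP domain
# settings in the exam form used above (ldap_tls_reqcert = never) and in a
# hardened form, and audit an sssd.conf or nslcd.conf for the setting that
# disables server certificate verification.
#
# Assumptions (not from the page): the hardened form expects the IPA CA
# certificate in PEM form at /etc/openldap/cacerts/ipa-ca.crt (the public
# certificate on a FreeIPA server is /etc/ipa/ca.crt); server and base DN
# are the page's example values.

# Print a [domain/default] block.  $1 = LDAP server FQDN, $2 = base DN,
# $3 = "exam" (verification off, as on the page) or "hardened".
sssd_domain_block() {
    server=$1; basedn=$2; mode=$3
    printf '%s\n' '[domain/default]' \
        'id_provider = ldap' \
        'auth_provider = ldap' \
        "ldap_uri = ldap://$server" \
        "ldap_search_base = $basedn" \
        'ldap_id_use_start_tls = True'
    if [ "$mode" = hardened ]; then
        # demand: the connection is refused unless the server certificate
        # chains to the CA certificate named here
        printf '%s\n' 'ldap_tls_cacert = /etc/openldap/cacerts/ipa-ca.crt' \
                      'ldap_tls_reqcert = demand'
    else
        # never: any certificate is accepted; the session is encrypted but
        # the server is never authenticated
        printf '%s\n' 'ldap_tls_cacertdir = /etc/openldap/cacerts' \
                      'ldap_tls_reqcert = never'
    fi
}

# Succeed (exit 0) when file $1 turns off server certificate checking.
# Handles sssd.conf syntax ("ldap_tls_reqcert = never") and nslcd.conf
# syntax ("tls_reqcert never"); "allow" counts as off too, since it accepts
# a certificate that fails to verify.  Comments are ignored.
tls_verification_disabled() {
    awk '
        { line = tolower($0); sub(/#.*/, "", line) }
        { gsub(/[[:space:]]*=[[:space:]]*/, " ", line); n = split(line, f) }
        n >= 2 && (f[1] == "ldap_tls_reqcert" || f[1] == "tls_reqcert") &&
        (f[2] == "never" || f[2] == "allow") { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Print a verdict for file $1 and return 1 when verification is disabled.
audit_ldap_tls() {
    if tls_verification_disabled "$1"; then
        echo "$1: server certificate verification DISABLED (reqcert never/allow)"
        return 1
    fi
    echo "$1: ok"
}

# Demo on constructed files in a scratch directory (never touches /etc).
scratch=$(mktemp -d)
sssd_domain_block ipa.example.com dc=example,dc=com exam     > "$scratch/sssd.exam.conf"
sssd_domain_block ipa.example.com dc=example,dc=com hardened > "$scratch/sssd.hardened.conf"
# constructed nslcd.conf fragment matching the GUI section above
printf '%s\n' 'uri ldap://ipa.example.com' 'base dc=example,dc=com' \
              'ssl start_tls' 'tls_reqcert never' > "$scratch/nslcd.conf"
for f in "$scratch"/*.conf; do
    audit_ldap_tls "$f" || :
done
```

On a configured client the same check runs against the real files, e.g. audit_ldap_tls /etc/sssd/sssd.conf and audit_ldap_tls /etc/nslcd.conf; a DISABLED verdict means the client would accept a certificate from anyone answering on the IPA server's address.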
AutoFS and NFS Share
Auto mounting NFS shared user home directories.
Install AutoFS and NFS utils
yum -y install autofs nfs-utils
Create a new Master autofs file in /etc/auto.master.d/ and have it look to the /etc/auto.home config
vim /etc/auto.master.d/home.autofs
/home/users /etc/auto.home
- In EL7, the “/etc/auto.master” file is owned by the autofs RPM, so to keep your changes separate from package-managed files it is recommended to create your own master map file under /etc/auto.master.d/. The name does not matter, as long as it ends in “.autofs”
Configure the new autofs indirect mount file
vim /etc/auto.home
* -rw myserver.com:/nfsshare/&
- The “&” is replaced by the key in the first column (*)
- “*” is assigned the value that triggered access. If someone tried to access /home/users/luke, then “luke” will be the value of the key in the first column (“*”)
Ensure autofs is started and enabled at boot
systemctl start autofs && systemctl enable autofs
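To see how the wildcard and the “&” substitution above turn a path into an NFS source, here is an added example, not part of the original page: it writes the two map files from this section into a scratch directory and resolves a path the way the automounter does for an indirect map. It uses the page's example values; the scratch directory stands in for /etc, so nothing on the real system is touched, and it goes slightly beyond the page by honouring an exact key entry over the “*” wildcard, as a real sun-format map does.

```sh
#!/bin/sh
# Added example, not part of the original page: write the two autofs files from
# the section above into a scratch directory and resolve a path the way the
# automounter does for an indirect map: the key is the first path component
# under the mount point, "*" matches any key, and "&" in the location is
# replaced by the key.  Uses the page's example values; the scratch directory
# stands in for /etc so nothing on the real system is touched.

# Write the master map and the indirect map.  $1 = directory standing in for /etc.
write_autofs_maps() {
    mkdir -p "$1/auto.master.d"
    printf '%s\n' '/home/users /etc/auto.home' > "$1/auto.master.d/home.autofs"
    printf '%s\n' '* -rw myserver.com:/nfsshare/&' > "$1/auto.home"
}

# Resolve absolute path $2 against the master maps under $1.
# Prints "<mount point>/<key> <options> <location>"; returns 1 if no map covers it.
# An exact key entry wins over the "*" wildcard, as in a real sun-format map.
resolve_automount() {
    etc=$1; path=$2
    for master in "$etc"/auto.master.d/*.autofs; do
        [ -f "$master" ] || continue
        while read -r mountpoint mapfile rest; do
            case "$mountpoint" in ''|'#'*) continue ;; esac
            case "$path" in "$mountpoint"/*) ;; *) continue ;; esac
            key=${path#"$mountpoint"/}; key=${key%%/*}   # first component under the mount point
            map=$etc${mapfile#/etc}                        # /etc/auto.home -> $etc/auto.home
            awk -v key="$key" -v mp="$mountpoint" '
                /^[[:space:]]*(#|$)/ { next }
                $1 == key { exact = $0 }
                $1 == "*" { wild = $0 }
                END {
                    line = (exact != "") ? exact : wild
                    if (line == "") exit 1
                    n = split(line, f); opts = "-"; loc = ""
                    for (i = 2; i <= n; i++) if (f[i] ~ /^-/) opts = f[i]; else loc = f[i]
                    gsub(/&/, key, loc)          # "&" expands to the key
                    print mp "/" key, opts, loc
                }
            ' "$map" && return 0
        done < "$master"
    done
    return 1
}

# Demo: constructed maps in a scratch directory, then the page's /home/users/luke case.
scratch=$(mktemp -d)
write_autofs_maps "$scratch"
resolve_automount "$scratch" /home/users/luke || echo "no map for /home/users/luke"
resolve_automount "$scratch" /srv/other      || echo "no map for /srv/other"
```

On the real system the same resolution happens on first access: once autofs is running, ls /home/users/luke triggers the mount and mount | grep /home/users shows myserver.com:/nfsshare/luke mounted there.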