===== rhel6 ldap authentication/authorization client, sssd =====
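# Pull the LDAP server's CA certificate. This CA is what lets the client tell the
# real server from an impostor, so verify its fingerprint out of band (e.g. against
# the copy on the server) before trusting it.
scp 192.168.4.12:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts
# Guard both appends so a rerun of this walkthrough does not stack duplicate lines.
grep -qF 'rhel6b.site' /etc/hosts || echo '192.168.4.12 rhel6b.site rhel6b' >>/etc/hosts
grep -q '^TLS_CACERT ' /etc/openldap/ldap.conf || echo 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' >>/etc/openldap/ldap.conf
yum install sssd openldap-clients pam_ldap
# Build the hashed symlinks the TLS library uses to locate CAs in the directory.
cacertdir_rehash /etc/openldap/cacerts/
# Manual alternative shown in some guides; cacertdir_rehash is preferred.
# "$i" is quoted so a filename containing whitespace cannot split the arguments.
# cd /etc/openldap/cacerts
# for i in *; do ln -s "$i" "$(openssl x509 -noout -hash -in "$i")"; done
# Switch NSS and PAM to sssd; --enableldaptls makes STARTTLS the expected transport,
# which the sssd.conf example below must match (ldap_id_use_start_tls).
authconfig --enableldap --enableldapauth --ldapserver=rhel6b.site --ldapbasedn="dc=fluxcoil,dc=net" \
--enableldaptls --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --updateall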
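# example /etc/sssd/sssd.conf (authconfig writes the skeleton; this is the hand-edited result).
# Keep it root-owned, mode 0600: sssd checks the permissions at startup, and the file
# may later hold bind credentials (ldap_default_authtok).
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP

[nss]
# root is never looked up through sssd; it stays a purely local account
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = True
min_id = 500
max_id = 999

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://rhel6b.site/
ldap_search_base = dc=fluxcoil,dc=net
# Identity lookups (user/group records) cross the wire in the clear on a plain ldap://
# connection unless STARTTLS is requested here; the authconfig call above passes
# --enableldaptls, and the CA directory below is what makes the upgrade verifiable.
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
# allow logins from the local cache while the LDAP server is unreachable
cache_credentials = True
# lets "getent passwd" list every LDAP user; expensive on large directories
enumerate = True
# 5 is verbose troubleshooting output (logs under /var/log/sssd); lower it once the setup works
debug_level = 5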
# apply the new sssd.conf, then check that LDAP accounts resolve through NSS
service sssd restart
getent passwd
getent passwd user0 # an LDAP user may only appear on an explicit lookup; not listing every account is intended (security feature).
# debugging: follow all sssd logs; debug_level in sssd.conf sets how much they say
tail -f /var/log/sssd/*
===== rhel6 ldap authentication/authorization client, nslcd/nscd =====
* sssd is the preferred way; fall back to nslcd/nscd only if sssd does not yet provide a feature you need
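# Guard the appends so a rerun does not stack duplicate lines.
grep -qF 'rhel6b.site' /etc/hosts || echo '192.168.4.12 rhel6b.site rhel6b' >>/etc/hosts
# Pull the server's CA certificate; verify its fingerprint out of band before trusting it,
# since a substituted CA would let an impostor pass the TLS check.
scp 192.168.4.12:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts
# nslcd runs unprivileged (uid nslcd / gid ldap in nslcd.conf), so the CA file must be readable to it.
chmod ugo+r /etc/openldap/cacerts/cacert.pem
grep -q '^TLS_CACERT ' /etc/openldap/ldap.conf || echo 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' >>/etc/openldap/ldap.conf
# This section uses nslcd instead of sssd; authconfig below also passes --disablesssd.
rpm -e sssd
yum install openldap-clients pam_ldap nss-pam-ldapd
# Build the hashed CA symlinks with the same helper the sssd section uses, instead of a
# hand-written "for i in *; do ln -s ..." loop (which also needs "$i" quoted).
cacertdir_rehash /etc/openldap/cacerts/
# --enableldaptls: STARTTLS is the expected transport; the nslcd.conf must match it (ssl start_tls).
authconfig --enableldap --enableldapauth --ldapserver=rhel6b.site --ldapbasedn="dc=fluxcoil,dc=net" \
--enableldaptls --disablesssd --disablesssdauth --enablelocauthorize --enablemkhomedir --updateall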
# this /etc/nslcd.conf works for cleartext (for debugging only):
# every lookup nslcd performs (user and group records) crosses the wire unencrypted,
# and tls_cacertdir has no effect while no TLS is negotiated (see the next variant).
# user/group nslcd runs as; the CA files must be readable by them
uid nslcd
gid ldap
uri ldap://rhel6b.site/
base dc=fluxcoil,dc=net
tls_cacertdir /etc/openldap/cacerts
# this /etc/nslcd.conf works for encrypted connections (STARTTLS over the ldap:// port):
uid nslcd
gid ldap
uri ldap://rhel6b.site/
base dc=fluxcoil,dc=net
# upgrade the plain connection to TLS before any bind or search is sent
ssl start_tls
# CA that must have signed the server certificate; world-readable via the chmod step above.
# NOTE(review): tls_reqcert is not set here; confirm the default in use rejects
# certificates that do not verify against this CA (see nslcd.conf(5)).
tls_cacertfile /etc/openldap/cacerts/cacert.pem
# start the daemons now and enable them at boot; nscd only adds result caching in front of nslcd
service nslcd start
service nscd start # optional for caching
chkconfig nslcd on
chkconfig nscd on # optional for caching