
rhel6 ldap authentication/authorization client, sssd

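# Fetch the directory CA certificate from the LDAP server so the ldap tools can
# verify its server certificate. scp's host-key check is the only thing vouching
# for the authenticity of this copy of the CA, so the first connection's
# fingerprint prompt deserves attention.
scp 192.168.4.12:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts
# Static name resolution for the server and the CA path for libldap. Both
# appends are guarded so re-running this snippet does not duplicate the lines.
grep -qxF '192.168.4.12 rhel6b.site rhel6b' /etc/hosts || echo '192.168.4.12 rhel6b.site rhel6b' >>/etc/hosts
grep -qxF 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' /etc/openldap/ldap.conf || echo 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' >>/etc/openldap/ldap.conf
yum install sssd openldap-clients pam_ldap

# Create the subject-hash symlinks libldap needs to find the CA in the
# cacerts directory; the commented loop below is the manual equivalent.
cacertdir_rehash /etc/openldap/cacerts/
# cd /etc/openldap/cacerts
# for i in *; do ln -s "$i" "$(openssl x509 -noout -hash -in "$i")"; done
# Switch NSS/PAM to sssd with LDAP identity + authentication over TLS and
# home-directory creation on first login.
authconfig --enableldap --enableldapauth --ldapserver=rhel6b.site --ldapbasedn="dc=fluxcoil,dc=net" \
  --enableldaptls --enablesssd  --enablesssdauth --enablelocauthorize --enablemkhomedir --updateall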

# example /etc/sssd/sssd.conf:
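# /etc/sssd/sssd.conf — read by sssd. Booleans are written as lowercase
# true/false throughout (sssd accepts them case-insensitively).
[sssd]
config_file_version = 2
reconnection_retries = 3
# seconds
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP

[nss]
# root is never resolved through sssd; it stays a purely local account
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

# Local (non-LDAP) accounts in the 500-999 uid range.
[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999

# LDAP directory on rhel6b.site. The CA in ldap_tls_cacertdir must already be
# installed and hashed (see the setup steps above).
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://rhel6b.site/
ldap_search_base = dc=fluxcoil,dc=net
ldap_tls_cacertdir = /etc/openldap/cacerts
# Protect identity lookups with StartTLS as well, not only the authentication
# binds; with false, user and group data crosses the network in the clear.
# The CA needed for this is configured above.
ldap_id_use_start_tls = true
# keep credentials cached so logins still work while the server is unreachable
cache_credentials = true
# full directory enumeration is costly on large directories; consider
# disabling it once the setup is verified
enumerate = true
# verbose setup-time logging in /var/log/sssd; lower it once things work
debug_level = 5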


# Restart so the new sssd.conf is read, then verify that NSS now resolves
# directory users.
service sssd restart
getent passwd
getent passwd user0 # an explicit lookup by name may be needed; listing every user is deliberately limited by sssd.

# debugging: follow all sssd logs while reproducing the problem
tail -f /var/log/sssd/*

rhel6 ldap authentication/authorization client, nslcd/nscd

  • The preferred way is sssd; fall back to nslcd/nscd only if a feature you need is not yet provided by sssd.
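# Static name resolution for the LDAP server; guarded so re-running this
# snippet does not duplicate the line.
grep -qxF '192.168.4.12 rhel6b.site rhel6b' /etc/hosts || echo '192.168.4.12 rhel6b.site rhel6b' >>/etc/hosts
# Fetch the directory CA (scp's host-key check is the only thing vouching for
# its authenticity) and make it world-readable, presumably so the unprivileged
# nslcd user can read it when verifying the server certificate.
scp 192.168.4.12:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts
chmod ugo+r /etc/openldap/cacerts/cacert.pem
grep -qxF 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' /etc/openldap/ldap.conf || echo 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' >>/etc/openldap/ldap.conf

# This path replaces sssd with nslcd, so remove sssd first.
rpm -e sssd
yum install openldap-clients pam_ldap nss-pam-ldapd

# Subject-hash symlinks so libldap can find the CA in the cacerts directory.
cd /etc/openldap/cacerts
for i in *; do ln -s "$i" "$(openssl x509 -noout -hash -in "$i")"; done
# Switch NSS/PAM to LDAP over TLS without sssd, with home-directory creation on
# first login.
authconfig --enableldap --enableldapauth --ldapserver=rhel6b.site --ldapbasedn="dc=fluxcoil,dc=net" \
  --enableldaptls --disablesssd  --disablesssdauth --enablelocauthorize --enablemkhomedir --updateall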

# this /etc/nslcd.conf works for cleartext (for debugging):
# Debugging-only configuration: with a plain ldap:// uri and no "ssl start_tls",
# everything nslcd sends — including the bind it performs to authenticate a
# user's password — crosses the network unencrypted.
uid nslcd
gid ldap
uri ldap://rhel6b.site/
base dc=fluxcoil,dc=net
# not used until TLS is enabled; harmless to keep
tls_cacertdir /etc/openldap/cacerts

# this /etc/nslcd.conf works for encrypted connections:
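# Production configuration: StartTLS on the ldap:// port, server certificate
# checked against the CA fetched during setup.
uid nslcd
gid ldap
uri ldap://rhel6b.site/
base dc=fluxcoil,dc=net
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/cacert.pem
# Fail the connection when the server certificate cannot be validated instead
# of relying on the library default.
tls_reqcert demand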

# nslcd answers the NSS/PAM lookups; nscd only adds a cache in front of it.
service nslcd start
service nscd start  # optional for caching
# make both start at boot
chkconfig nslcd on
chkconfig nscd on  # optional for caching