-- ColinLeavettBrown - 2015-02-06
Linux workstation user authentication using central LDAP service
This procedure has been tested on Scientific Linux 6.6 and 7.0.
Prerequisites:
- Ensure you have the following packages installed:
- apr-util-ldap
- libsss_idmap
- nss
- nss-sysinit
- nss-softokn
- nss-softokn-freebl
- nss-tools
- nss-util
- openldap
- pam
- pam_krb5
- pam_passwdqc
- python-ldap
- python-nss
- python-sssdconfig
- sssd
- sssd-ad
- sssd-client
- sssd-common
- sssd-common-pac
- sssd-ipa
- sssd-krb5
- sssd-krb5-common
- sssd-ldap
- sssd-proxy
- You will also need central Netlink/ID management support to provide you with:
- {your_central_ldap_bind_dn}
- {your_central_ldap_password}
Process:
- Clean up any obsolete sssd configuration:
rm -f /etc/sssd/sssd.conf
- Use the authconfig command to enable LDAP authentication:
authconfig \
--enablesssd \
--enablesssdauth \
--enablecachecreds \
--enableldap \
--enableldapauth \
--ldapserver=ldaps://ldap1r.uvic.ca:636/ \
--ldapbasedn="ou=people,dc=uvic,dc=ca" \
--ldaploadcacert=file:///etc/pki/tls/cert.pem \
--disablenis \
--disablekrb5 \
--enablemkhomedir \
--updateall
- Modify the sssd configuration in /etc/sssd/sssd.conf to provide the LDAP bind credentials and to request the specific information listed below.
- The following options are mandatory:
- ldap_default_bind_dn = {your_central_ldap_bind_dn}
- ldap_default_authtok_type = password
- ldap_default_authtok = {your_central_ldap_password}
- ldap_user_search_base = ou=people,dc=uvic,dc=ca
- ldap_group_search_base = ou=NETLINK POSIX,ou=Groups,dc=uvic,dc=ca
- ldap_user_uid_number = uidNumber
- ldap_user_gid_number = gidNumber
- ldap_group_gid_number = gidNumber
- ldap_user_gecos = cn
- ldap_user_object_class = uvicEduperson
- ldap_schema = rfc2307bis
- enumerate = false
- You may need one or more of the following options:
- override_homedir = /hepuser/%u
- override_shell = /bin/bash
- All the above options can be applied with a single sed command (the block is appended after the cacertdir line that authconfig wrote):
sed -i '/cacertdir/a\\nldap_default_bind_dn = {your_central_ldap_bind_dn}\nldap_default_authtok_type = password\nldap_default_authtok = {your_central_ldap_password}\nldap_user_search_base = ou=people,dc=uvic,dc=ca\nldap_group_search_base = ou=NETLINK POSIX,ou=Groups,dc=uvic,dc=ca\nldap_user_uid_number = uidNumber\nldap_user_gid_number = gidNumber\nldap_group_gid_number = gidNumber\nldap_user_gecos = cn\nldap_user_object_class = uvicEduperson\nldap_schema = rfc2307bis\nenumerate = false\noverride_homedir = /hepuser/%u\noverride_shell = /bin/bash\n' /etc/sssd/sssd.conf
- Restart sssd so it reads the new configuration. On Scientific Linux 6:
service sssd restart
- On Scientific Linux 7:
systemctl restart sssd
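As an added example that is not part of the original procedure, the same option block applied with a here-document and awk instead of the one-line sed, followed by a check that sssd.conf is still mode 0600 and carries every mandatory option exactly once before sssd is restarted. It assumes GNU/POSIX tools and that authconfig has already written a line containing "cacertdir" to sssd.conf; the bind DN and password are passed as arguments.

```shell
# Added example, not from the original page: apply the mandatory sssd
# LDAP options with a here-document and awk instead of the one-line sed,
# then check the file before restarting sssd. Assumes authconfig already
# wrote a line containing "cacertdir" to sssd.conf, as in the procedure.

# Insert the option block right after the cacertdir line.
# $1 = path to sssd.conf, $2 = bind DN, $3 = bind password
add_sssd_ldap_options() {
    conf=$1
    # Everything below the bind DN and password is taken from the page.
    block=$(cat <<EOF
ldap_default_bind_dn = $2
ldap_default_authtok_type = password
ldap_default_authtok = $3
ldap_user_search_base = ou=people,dc=uvic,dc=ca
ldap_group_search_base = ou=NETLINK POSIX,ou=Groups,dc=uvic,dc=ca
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
ldap_user_gecos = cn
ldap_user_object_class = uvicEduperson
ldap_schema = rfc2307bis
enumerate = false
override_homedir = /hepuser/%u
override_shell = /bin/bash
EOF
)
    # The temp copy holds the bind password: create it readable only by
    # us, then copy it back over the original so sssd.conf keeps its
    # root ownership and 0600 mode.
    tmpf=$(umask 077 && mktemp) || return 1
    awk -v blk="$block" '{ print }
        /cacertdir/ && !done { print blk; done = 1 }
        END { exit !done }' "$conf" > "$tmpf" && cat "$tmpf" > "$conf"
    rc=$?
    rm -f "$tmpf"
    return $rc
}

# sssd refuses to start when sssd.conf is readable by anyone but its
# owner, and a misspelled key (e.g. "emumerate") is silently ignored, so
# check mode 0600 and that every mandatory key is present exactly once.
check_sssd_conf() {
    [ -n "$(find "$1" -prune -perm 600)" ] || return 1
    for key in ldap_default_bind_dn ldap_default_authtok_type \
        ldap_default_authtok ldap_user_search_base ldap_group_search_base \
        ldap_user_object_class ldap_schema enumerate; do
        [ "$(grep -c "^$key = " "$1")" -eq 1 ] || return 1
    done
}
```

Run as root after authconfig: `add_sssd_ldap_options /etc/sssd/sssd.conf "$BIND_DN" "$BIND_PW" && check_sssd_conf /etc/sssd/sssd.conf` and only then restart sssd.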
Making sure it works:
- Log into the workstation as root and use the getent command to verify that the workstation can look up a user's account details through LDAP (replace mira with a known LDAP username):
[root@ws ~]# getent passwd mira
Topic revision: r1 - 2015-02-06
- crlb