-- ColinLeavettBrown - 2015-02-06

Linux workstation user authentication using central LDAP service

This procedure has been tested on Scientific Linux 6.6 and 7.0.

Prerequisites:

  • Ensure you have the following packages installed:
    • apr-util-ldap
    • libsss_idmap
    • nss
    • nss-sysinit
    • nss-softokn
    • nss-softokn-freebl
    • nss-tools
    • nss-util
    • openldap
    • pam
    • pam_krb5
    • pam_passwdqc
    • python-ldap
    • python-nss
    • python-sssdconfig
    • sssd
    • sssd-ad
    • sssd-client
    • sssd-common
    • sssd-common-pac
    • sssd-ipa
    • sssd-krb5
    • sssd-krb5-common
    • sssd-ldap
    • sssd-proxy
  • You will also need central Netlink/ID management support to provide you with:
    • {your_central_ldap_bind_dn}
    • {your_central_ldap_password}

Process:

  • Clean up any obsolete sssd configuration:
            rm -f /etc/sssd/sssd.conf

  • Use the authconfig command to enable LDAP authentication:
            authconfig \
                --enablesssd \
                --enablesssdauth \
                --enablecachecreds \
                --enableldap \
                --enableldapauth \
                --ldapserver=ldaps://ldap1r.uvic.ca:636/ \
                --ldapbasedn="ou=people,dc=uvic,dc=ca" \
                --ldaploadcacert=file:///etc/pki/tls/cert.pem \
                --disablenis \
                --disablekrb5 \
                --enablemkhomedir \
                --updateall

  • Modify the sss configuration to provide administrator credentials and request specific information.
    • The following options are mandatory:
      • ldap_default_bind_dn = {your_central_ldap_bind_dn}
      • ldap_default_authtok_type = password
      • ldap_default_authtok = {your_central_ldap_password}
      • ldap_user_search_base = ou=people,dc=uvic,dc=ca
      • ldap_group_search_base = ou=NETLINK POSIX,ou=Groups,dc=uvic,dc=ca
      • ldap_user_uid_number = uidNumber
      • ldap_user_gid_number = gidNumber
      • ldap_group_gid_number = gidNumber
      • ldap_user_gecos = cn
      • ldap_user_object_class = uvicEduperson
      • ldap_schema = rfc2307bis
      • enumerate = false
    • You may need one or more of the following options:
      • override_homedir = /hepuser/%u
      • override_shell = /bin/bash
    • All the above options can be applied with a single sed command (it appends them after the ldap_tls_cacertdir line that authconfig wrote):
            sed -i '/cacertdir/a\ldap_default_bind_dn = {your_central_ldap_bind_dn}\nldap_default_authtok_type = password\nldap_default_authtok = {your_central_ldap_password}\nldap_user_search_base = ou=people,dc=uvic,dc=ca\nldap_group_search_base = ou=NETLINK POSIX,ou=Groups,dc=uvic,dc=ca\nldap_user_uid_number = uidNumber\nldap_user_gid_number = gidNumber\nldap_group_gid_number = gidNumber\nldap_user_gecos = cn\nldap_user_object_class = uvicEduperson\nldap_schema = rfc2307bis\nenumerate = false\noverride_homedir = /hepuser/%u\noverride_shell = /bin/bash' /etc/sssd/sssd.conf

  • Restart sss
    • on SL6.6:
            service sssd restart

    • on SL7.0:
            systemctl restart sssd

Making sure it works:

  • Log into the workstation as root and use the getent command to verify that the workstation can resolve a user account from the LDAP directory (here the user mira):
            [root@ws ~]# getent passwd mira
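As an added check that is not part of the original procedure, the following script (an example written for this page, not the author's) inspects the generated /etc/sssd/sssd.conf itself: it confirms that every mandatory option is present (a misspelled key shows up as missing), that the file is root-owned with mode 0600 because it holds the bind password in clear text, and that the LDAP URI uses ldaps://. It assumes bash and GNU coreutils; the sample configuration it writes is constructed, with placeholder credentials.

```shell
#!/bin/bash
# Added example (not from the original page): sanity-check the sssd.conf
# produced by the steps above before restarting sssd. Assumes bash and
# GNU coreutils (stat -c); the option list is this page's mandatory list.
MANDATORY_OPTS="ldap_default_bind_dn ldap_default_authtok_type ldap_default_authtok
ldap_user_search_base ldap_group_search_base ldap_user_uid_number ldap_user_gid_number
ldap_group_gid_number ldap_user_gecos ldap_user_object_class ldap_schema enumerate"
# Print the value of option $2 from file $1 (first "key = value" match).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# Fail if any mandatory option is absent; a misspelling such as "emumerate"
# shows up as a missing "enumerate".
check_mandatory() {
    local rc=0 opt
    for opt in $MANDATORY_OPTS; do
        [ -n "$(conf_get "$1" "$opt")" ] || { echo "missing: $opt" >&2; rc=1; }
    done
    return $rc
}
# The file holds the bind password in clear text; sssd refuses to start unless
# it is root-owned with mode 0600, so check that before restarting.
check_perms() {
    [ "$(stat -c '%U:%a' "$1" 2>/dev/null)" = "root:600" ]
}
# Require an ldaps:// URI so the simple-bind password is never sent in clear.
check_tls() {
    case "$(conf_get "$1" ldap_uri)" in ldaps://*) return 0 ;; *) return 1 ;; esac
}
# Constructed sample of what authconfig plus the sed above write into
# [domain/default]; the DN and password are placeholders, not real credentials.
write_sample_conf() {
    cat > "$1" <<'EOF'
[domain/default]
ldap_uri = ldaps://ldap1r.uvic.ca:636/
ldap_default_bind_dn = cn=EXAMPLE-bind-dn,dc=uvic,dc=ca
ldap_default_authtok_type = password
ldap_default_authtok = EXAMPLE-password
ldap_user_search_base = ou=people,dc=uvic,dc=ca
ldap_group_search_base = ou=NETLINK POSIX,ou=Groups,dc=uvic,dc=ca
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
ldap_user_gecos = cn
ldap_user_object_class = uvicEduperson
ldap_schema = rfc2307bis
enumerate = false
EOF
}
```

Run `check_mandatory /etc/sssd/sssd.conf && check_perms /etc/sssd/sssd.conf && check_tls /etc/sssd/sssd.conf` on the real file as root; any non-zero exit means the restart should wait.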
Topic revision: r1 - 2015-02-06 - crlb