Configure a system to use an existing authentication service for user and group information (part 1-LDAP)

For this objective, we already have a FreeIPA server running. To achieve it, they (the Red Hat exam providers) must give us the LDAP configuration:

example configuration

There are three ways to do this:

I Method – authconfig-tui tool

# authconfig-tui
Authconfig-tui tool

**We will see the use of this tool in another post.**

II Method – authconfig-gtk tool

1- On the client side, install the authconfig-gtk and sssd packages that we will use:

# yum install authconfig-gtk sssd

2- Verify that the certificate and path are correct:

# curl

3- Open Applications –> Sundry –> Authentication, or run the authconfig-gtk command:

# authconfig-gtk
In this example, the fields have been completed with the information provided.

Click on the “Download CA Certificate” button and paste the path already verified in step 2.

Paste the path of the certificate provided.
In this tab you can tell the system to “Create home directories on the first login” for users, but in this example I will not do it for now. Press Apply.

This configuration is saved in /etc/openldap/ldap.conf

4- Now restart the sssd daemon (System Security Services Daemon):

# systemctl restart sssd

5- To see some user data of ldapuser1 :

# getent passwd ldapuser1
ldapuser1:*:1827400001:1827400001:ldapuser1 ldapuser1:/home/ldap/ldapuser1:/bin/sh
and check:
# ssh ldapuser1@localhost
ldapuser1@localhost's password:
Last login: Thu Jun 14 19:47:45 2018 from localhost
Could not chdir to home directory /home/ldap/ldapuser1: No such file or directory

As you can see, when logging in as ldapuser1 the system reports that the user’s home directory does not exist, since we did not create it in step 3.

6- To make it available at login, we must first install autofs:

# yum install autofs

# systemctl start autofs; systemctl enable autofs

7- Remember that this information must be provided in the exam so that we know where the user’s home will be mounted:


If they do not provide it, we can find it out with showmount -e:

Here we can see that the server is exporting the /home/ldap directory.

8- How to mount the home directories of the ldapuserx users under /home/ldap on our system:

# echo "/home/ldap /etc/ldap_homes" > /etc/auto.master.d/ldap_users.autofs

and check...

# cat /etc/auto.master.d/ldap_users.autofs

9- Now we must edit the contents of the file /etc/ldap_homes, depending on what they ask us. We can do this in two ways:

A) If only a specific user (ldapuser1) must have their home directory at login:

# echo "ldapuser1 -rw,sync" > /etc/ldap_homes

or (if NFS version 3 or another version is requested):
# echo "ldapuser1 -rw,sync,nfsvers=3 /ldap/ldapuser1" > /etc/ldap_homes

If necessary, restart the autofs service (systemctl restart autofs)

Note: currently (RH 7.3), if we do not specify the NFS version, the system defaults to v4.

and check:
# ssh ldapuser1@localhost
ldapuser1@localhost's password:
Last login: Thu Jun 14 19:49:02 2018 from localhost
-sh-4.2$ pwd
With df -h we can see the directory mounted.

B) If all users must have their home directory at login:

We edit the file /etc/ldap_homes and comment out the line entered in step 6. Then we copy it and edit it:

ldap_homes file

10- Finally we restart the service and try connecting as a user:

# systemctl restart autofs

and check:
# ssh ldapuser3@localhost
ldapuser1@localhost's password:
Last login: Thu Jun 14 21:27:02 2018 from localhost
-sh-4.2$ pwd
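The following script is an added example (not part of the original post) that automates steps 8 and 9: it writes the auto.master.d entry, generates /etc/ldap_homes either for one user (9A) or for all users with the autofs wildcard key (9B), checks the mount options against a short allow-list, and confirms from a getent passwd line that a user's home falls under the automount point. The NFS server name nfs.example.com and the AUTOFS_ROOT variable (so the files can be written under a temporary directory instead of the real /etc) are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate the autofs master entry and the ldap_homes map for
# LDAP users, and sanity-check a getent passwd line against the mount point.
# Assumption: AUTOFS_ROOT prefixes /etc so the script can run without root
# (empty, the default, means the real /etc). nfs.example.com is a placeholder.

AUTOFS_ROOT="${AUTOFS_ROOT:-}"

# Step 8: master map entry "mount point -> map file".
write_master_entry() {
    mountpoint="$1"; mapfile="$2"
    dir="$AUTOFS_ROOT/etc/auto.master.d"
    mkdir -p "$dir"
    printf '%s %s\n' "$mountpoint" "$mapfile" > "$dir/ldap_users.autofs"
    cat "$dir/ldap_users.autofs"
}

# Step 9: indirect map. MODE "single" maps one user (9A);
# MODE "all" uses the wildcard key "*" and "&" substitution (9B).
write_home_map() {
    mode="$1"; server="$2"; export="$3"; opts="$4"; user="$5"
    mapfile="$AUTOFS_ROOT/etc/ldap_homes"
    mkdir -p "$AUTOFS_ROOT/etc"
    case "$mode" in
        single) printf '%s -%s %s:%s/%s\n' "$user" "$opts" "$server" "$export" "$user" > "$mapfile" ;;
        all)    printf '* -%s %s:%s/&\n' "$opts" "$server" "$export" > "$mapfile" ;;
        *)      echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    cat "$mapfile"
}

# Only accept mount options we expect in a home-directory map; anything else
# (a typo, or an option that belongs on the server export) is rejected.
check_map_opts() {
    old_ifs="$IFS"; IFS=','
    for o in $1; do
        case "$o" in
            rw|ro|sync|hard|soft|nfsvers=3|nfsvers=4|sec=sys|sec=krb5|sec=krb5i|sec=krb5p) ;;
            *) IFS="$old_ifs"; echo "unsupported mount option: $o" >&2; return 1 ;;
        esac
    done
    IFS="$old_ifs"
    return 0
}

# Return the home directory (6th field) from a "getent passwd" line.
home_from_getent() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Return 0 when the home directory lies under the autofs mount point, i.e.
# the automounter (rather than mkhomedir) is what will provide it at login.
home_under_mount() {
    home="$1"; mountpoint="$2"
    case "$home" in
        "$mountpoint"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (constructed sample data):
# AUTOFS_ROOT=/tmp/autofs-demo
# write_master_entry /home/ldap /etc/ldap_homes
# check_map_opts rw,sync && write_home_map all nfs.example.com /home/ldap rw,sync
```

Run it with AUTOFS_ROOT pointing at a scratch directory first and inspect the generated files; only once the map lines look right should they be written to the real /etc and autofs restarted.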

III Method – authconfig command

Using the authconfig command

# yum install openldap-clients nss-pam-ldapd sssd


# authconfig --help | grep ldap

Write the configuration

# authconfig  --enableldap --enableldapauth --ldapserver=ldap:// --ldapbasedn="dc=example,dc=com" --enableldaptls --ldaploadcacert= --update

Enable sssd and restart

# systemctl enable sssd; systemctl restart sssd

# getent passwd ldapuser2

and test the connection:
# ssh ldapuser1@localhost

To enable creation of the home directory at login:

# authconfig --enablemkhomedir --update
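As an added example (not from the original post), the script below assembles the authconfig command from the "Write the configuration" step and validates its inputs before anything is run: the server must be an ldap:// or ldaps:// URI, the base DN must be a well-formed list of RDNs, and a CA certificate source must be given so that --enableldaptls actually verifies the server. The server name ldap.example.com and the CA certificate URL are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example: build and sanity-check the authconfig command line.
# Placeholders: ldap.example.com and the CA certificate URL are assumptions.

# Return 0 when the base DN is a comma-separated list of attr=value RDNs,
# e.g. dc=example,dc=com; reject empty or malformed values early.
valid_basedn() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$'
}

# Return 0 when the server URI uses ldap:// or ldaps:// with a host part.
valid_ldap_uri() {
    case "$1" in
        ldap://?*|ldaps://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the authconfig invocation. TLS is always requested (--enableldaptls)
# and a CA certificate source is mandatory, so the LDAP server's certificate
# can be verified instead of being trusted blindly.
build_authconfig_cmd() {
    uri="$1"; basedn="$2"; cacert="$3"
    valid_ldap_uri "$uri" || { echo "bad server URI: $uri" >&2; return 1; }
    valid_basedn "$basedn" || { echo "bad base DN: $basedn" >&2; return 1; }
    [ -n "$cacert" ] || { echo "CA certificate URL or path required" >&2; return 1; }
    printf 'authconfig --enableldap --enableldapauth --ldapserver=%s --ldapbasedn="%s" --enableldaptls --ldaploadcacert=%s --update\n' \
        "$uri" "$basedn" "$cacert"
}

# Usage (placeholder values): print the command, then run it as root by hand.
# build_authconfig_cmd ldaps://ldap.example.com dc=example,dc=com \
#     http://ldap.example.com/ipa/config/ca.crt
```

The builder only prints the command; review the output and run it as root yourself, then continue with the sssd enable/restart and getent checks shown above.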
