LDAP: Client configuration with authconfig.


Two available options

As the authconfig-tui command is deprecated, you should prefer the authconfig command.
In this case you have two options for the client back end: nslcd (the nss-pam-ldapd daemon) or sssd. Both are driven by the same authconfig options; the difference is which daemon ends up answering NSS lookups and PAM authentication requests. authconfig uses sssd implicitly whenever it is installed and supports the requested configuration, which is why the nslcd procedure starts by forcing legacy mode.

The nslcd option

Install the following packages:

# yum install -y openldap-clients nss-pam-ldapd

Then, type:

# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" --ldapbasedn="dc=example,dc=com" --update

Note: depending on your requirements, you may need to add the --enablemkhomedir option, which creates a local home directory for the user at first login if none exists. Be aware that at this point the client still talks to the server over plain ldap://, so every password that PAM hands to nslcd for a bind crosses the network in cleartext: do not let real users log in until the TLS step below has been applied.

Put the certificate the client should trust into the /etc/openldap/cacerts directory. In this lab that is the server's own self-signed cert.pem; with a real PKI it is the CA certificate that signed the server certificate. Copying it straight off the LDAP server as root only works in a lab: in a real deployment obtain the CA certificate out of band and compare its fingerprint with a value received through a second channel before trusting it, because whatever ends up in this directory decides which server the client will hand passwords to:

# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

Activate TLS. authconfig turns on StartTLS for the existing ldap:// URI (--enableldapstarttls is a synonym), points the client at /etc/openldap/cacerts as its trust store and runs cacertdir_rehash on that directory so the OpenLDAP library can find the certificate by its hash; if you replace the certificate by hand later, rerun cacertdir_rehash on the directory:

# authconfig --enableldaptls --update

Test the configuration. getent only proves the NSS half (nslcd can resolve the user); the * in the password field means no hash is returned and authentication goes through PAM instead, so also check that an actual login as the LDAP user works, over ssh or with su, before relying on the machine:

# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash

The sssd option

Install the following package:

# yum install -y sssd

Then, type:

# authconfig --enableldap --enableldapauth \
--ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --update

Note: depending on your requirements, you may need to add the --enablemkhomedir option, which creates a local home directory for the user at first login if none exists. Unlike nslcd, sssd refuses to send a password over an LDAP connection that is not protected by TLS unless you explicitly set ldap_auth_disable_tls_never_use_in_production, so at this point identity lookups already work but logins fail until the TLS step below is done.

Put the certificate the client should trust into the /etc/openldap/cacerts directory, with the same caveat as for nslcd: in this lab it is the server's self-signed cert.pem, in a real deployment it is the CA certificate, obtained out of band and checked against a known fingerprint:

# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

Activate TLS. For sssd, authconfig sets ldap_id_use_start_tls = True and ldap_tls_cacertdir = /etc/openldap/cacerts in the [domain/default] section of /etc/sssd/sssd.conf and (re)starts the service:

# authconfig --enableldaptls --update

Test the configuration. As with nslcd, getent only checks NSS resolution, here through sssd's nss responder; confirm a real login as well. sssd caches lookups, so if a change to sssd.conf does not seem to take effect, restart the service or clear the cache with sss_cache:

# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
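Whichever of the two options you pick, the files authconfig writes are worth auditing before the machine goes into service. The script below is an added example, not code from the original post or from authconfig: it reads /etc/nslcd.conf and /etc/sssd/sssd.conf text and fails on the two weaknesses a quick setup tends to leave behind, a connection without TLS (every PAM bind then sends the password in cleartext) and server-certificate checking switched off (tls_reqcert or ldap_tls_reqcert set to never or allow, a setting that also turns up in the comments below as a workaround for self-signed certificates; it makes the TLS step cosmetic, since any host on the path can then present any certificate). The sample configurations embedded in it are constructed to look like what authconfig produces for the post's lab host instructor.example.com and are not taken from a live system; the hostname and paths are assumptions.

```bash
#!/bin/bash
# Added example, not code from the original post or from authconfig: audit the
# files authconfig writes for the two client options, /etc/nslcd.conf (nslcd)
# and /etc/sssd/sssd.conf (sssd), for LDAP without TLS and for server
# certificate checking that has been switched off. Hostnames and paths in the
# constructed samples below are the post's lab values and are assumed.

# First value of "key value" in nslcd.conf text ($1), ignoring comment lines.
nslcd_get() {                      # $1 = config text, $2 = key
    printf '%s\n' "$1" | awk -v k="$2" '$1 !~ /^#/ && $1 == k { print $2; exit }'
}

# First value of "key = value" in sssd.conf text ($1), lower-cased. Only used
# for keys whose values contain no '=' (so not for ldap_search_base).
sssd_get() {                       # $1 = config text, $2 = key
    printf '%s\n' "$1" | awk -F'[ \t]*=[ \t]*' -v k="$2" \
        '$1 !~ /^[#;]/ && $1 == k { print tolower($2); exit }'
}

# 0 if the nslcd.conf text in $1 uses TLS and verifies the server, 1 otherwise.
audit_nslcd_conf() {
    local conf="$1" rc=0 uri ssl reqcert
    uri=$(nslcd_get "$conf" uri)
    ssl=$(nslcd_get "$conf" ssl)           # off | on (ldaps) | start_tls
    reqcert=$(nslcd_get "$conf" tls_reqcert)
    case "$uri" in
        ldaps://*) ;;                      # TLS from the first byte
        *) if [ "$ssl" != "start_tls" ] && [ "$ssl" != "on" ]; then
               echo "nslcd: FAIL no TLS (uri=${uri:-unset}, ssl=${ssl:-unset}); binds send passwords in cleartext"; rc=1
           fi ;;
    esac
    case "$reqcert" in
        never|allow) echo "nslcd: FAIL tls_reqcert $reqcert disables server certificate checking"; rc=1 ;;
    esac
    if [ -z "$(nslcd_get "$conf" tls_cacertdir)$(nslcd_get "$conf" tls_cacertfile)" ]; then
        echo "nslcd: FAIL no tls_cacertdir/tls_cacertfile, nothing to verify the server against"; rc=1
    fi
    return "$rc"
}

# Same check for the [domain/...] settings in sssd.conf text ($1).
audit_sssd_conf() {
    local conf="$1" rc=0 uri starttls reqcert cleartext
    uri=$(sssd_get "$conf" ldap_uri)
    starttls=$(sssd_get "$conf" ldap_id_use_start_tls)
    reqcert=$(sssd_get "$conf" ldap_tls_reqcert)      # unset means sssd's default, "hard"
    cleartext=$(sssd_get "$conf" ldap_auth_disable_tls_never_use_in_production)
    case "$uri" in
        ldaps://*) ;;
        *) if [ "$starttls" != "true" ]; then
               echo "sssd: FAIL no TLS (ldap_uri=${uri:-unset}, ldap_id_use_start_tls=${starttls:-unset})"; rc=1
           fi ;;
    esac
    case "$reqcert" in
        never|allow) echo "sssd: FAIL ldap_tls_reqcert = $reqcert disables server certificate checking"; rc=1 ;;
    esac
    if [ "$cleartext" = "true" ]; then
        echo "sssd: FAIL cleartext authentication explicitly enabled"; rc=1
    fi
    if [ -z "$(sssd_get "$conf" ldap_tls_cacertdir)$(sssd_get "$conf" ldap_tls_cacert)" ]; then
        echo "sssd: FAIL no ldap_tls_cacertdir/ldap_tls_cacert, nothing to verify the server against"; rc=1
    fi
    return "$rc"
}

# Constructed samples in the shape authconfig writes (not copied from a real host).
WEAK_NSLCD='uri ldap://instructor.example.com/
base dc=example,dc=com
tls_reqcert never'
GOOD_NSLCD='uri ldap://instructor.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts'
WEAK_SSSD='[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://instructor.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never'
GOOD_SSSD='[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://instructor.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts'

# Stand-alone run over the samples. On a real client feed it the files:
#   audit_nslcd_conf "$(cat /etc/nslcd.conf)"; audit_sssd_conf "$(cat /etc/sssd/sssd.conf)"
report() {                         # $1 = label, $2 = audit function, $3 = config text
    if "$2" "$3"; then echo "$1: PASS"; else echo "$1: FAIL"; fi
}
report "nslcd weak"  audit_nslcd_conf "$WEAK_NSLCD"
report "nslcd fixed" audit_nslcd_conf "$GOOD_NSLCD"
report "sssd weak"   audit_sssd_conf  "$WEAK_SSSD"
report "sssd fixed"  audit_sssd_conf  "$GOOD_SSSD"
```

The fix for a self-signed server certificate is the one the tutorial already performs, placing that certificate in /etc/openldap/cacerts so the client can verify the peer, not relaxing the reqcert setting; the audit treats reqcert never or allow as a failure for exactly that reason.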

Source: Ramdev’s blog.

Additional Resources

You may also want to read the Red Hat SSSD troubleshooting page.



30 Comments on "LDAP: Client configuration with authconfig."

vivek

Will I be able to install these packages "openldap-clients nss-pam-ldapd authconfig-gtk" in the exam? Are these packages provided in the RHCSA exam?

brthomasusa

You wrote "… As the authconfig-tui command is deprecated …". authconfig-tui is available in RHEL/CentOS 7.1 and 7.2. On what version of RHEL is authconfig-tui deprecated? I was counting on it being available.

bhill1278
In chapter 6 of Sander's book he uses authconfig-tui. After configuring an ipa server exactly like in appendix D of the book, I followed the steps to the letter in appendix D and the exercise in chapter 6, but no go. I couldn't authenticate with an ldap user; I kept getting user does not exist. I am running 7.2. I'm not sure that authconfig-tui is writing the correct settings to nslcd.conf. However, the authconfig method works perfectly, just more to remember. So much for an easier method. Has anyone else had any luck with the tui method post RHEL 7.0?…
bajeradai

I’m having same problem in Rhel 7 and also I tried above steps with both methods but still not able to set. Everything works except this command:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem.
I get the message instructor.example.com is not resolved.
If anybody has ideas, please share them with me.
Thanks.

bizzle

Figured I’d add this because I’ve had significant complications with this as I follow along in van Vugt’s book. The server I have is configured according to Appendix D in his book and the following works for me,

Using SSSD and authconfig,

Install package sssd
echo "ip-of-server instructor.example.com instructor" >> /etc/hosts
authconfig --enableldap --enableldapauth --ldapserver=instructor.example.com --ldapbasedn=dc=instructor,dc=com \
--enablemkhomedir --update

Using SSSD and authconfig-gtk,

yum install -y sssd authconfig-gtk
echo "ip-of-server instructor.example.com instructor" >> /etc/hosts
scp instructor:/etc/ipa/ca.crt /etc/openldap/cacerts
Run authconfig-gtk, User Account Database: LDAP, check "Use TLS to encrypt connections"
systemctl restart sssd

sobars2009

Thanks, it’s working.

asifshabir

Thanks for this nice tutorial. I don't see any difference in all the three methods that you have described for ldap authentication. Would you be kind enough to briefly write up any differences?

quaie

What about the lines below? It worked for me with the additional settings added to /etc/sssd/sssd.conf (there is no TLS for this free online LDAP server, but that would be quite trivial to configure on the client).

yum install sssd sssd-client
authconfig --enableldap --enableldapauth --ldapserver="ldap.forumsys.com" --ldapbasedn="dc=example,dc=com" --update
authconfig --enablesssd --update

#it seems to be working also with anonymous bind
#ldap_default_bind_dn = cn=read-only-admin,dc=example,dc=com
#ldap_default_authtok = password
ldap_tls_reqcert = never

#testing:
getent passwd tesla   # the only posixuser defined in ldap
ssh tesla@localhost

scryptkiddy
Interesting. I could not get the sssd method to work, but the nslcd method worked first try, no issues. Other than a package difference on install and the # authconfig --enableforcelegacy --update command, they are pretty much the same. The sssd option kept giving me the user not found error. So a few questions: 1) Should I be concerned, or just use the nslcd method if asked to do so on the exam? 2) While not listed, I tried to reapply the SELinux context to the downloaded cert.pem file on the client. It was the same before and after anyway.…
scryptkiddy

Did I ask a stupid question that was already answered, or did I stump everyone. =)

alejflor

When you talk about "the LDAP server certificate", do you mean a CA ldap certificate? I am having problems with the cert when I start SSSD. Should I: 1) generate a CA cert from the server, 2) generate a normal cert for the ldap server, 3) sign the ldap cert with the CA, 4) transfer the new signed cert to the client? I am working with RHEL 7.

reaz_mahmood

Following Sander's video tutorial, I have been practising ldap client configuration using authconfig-gtk. But as you replied in another comment, since it's a graphical interface, it may not be available in the exam. I am curious to know: is there any restriction on using a graphical environment on the RHCSA exam?

Lisenet

Independently of whether a GUI is available on the exam or not, you can always install it yourself if you believe it’s reasonable. There are no restrictions in terms of using a GUI. If it’s pre-installed – use it, if it’s not installed, then install and use it.

reaz_mahmood

So as far as exam is concerned, we will be given the ldap server name and url of the ca certificate as provided info, rest of the settings we have to figure out. Am I correct?

uco

For those getting "User does not exist": authconfig --enablerfc2307bis --update. Since RHEL 7.2 something has changed and causes the error due to an incorrect ldap_schema setting.

Source: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp37833632

yum install sssd
authconfig --enablesssd --enablesssdauth --update
authconfig --enablerfc2307bis --update
authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com --ldaploadcacert=ftp://ldap.example.com/pub/cacert.p12 --enableldaptls --update

Btw --ldaploadcacert saves you some time instead of copying and creating the /etc/openldap/cacerts dir… 😉

And with a self-signed cert don’t forget to add ldap_tls_reqcert = never to /etc/sssd/sssd.conf and restart the sssd.service.

On the exam just remember: authconfig --help | egrep "sssd|ldap|rfc"

