LDAP: Client configuration with authconfig.


Two available options

As the authconfig-tui command is deprecated, you should prefer to use the authconfig command.
In this case, you’ve got two options: nslcd or sssd.

The nslcd option

Install the following packages:

# yum install -y openldap-clients nss-pam-ldapd

Then, type:

# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" --ldapbasedn="dc=example,dc=com" --update

Note: Depending on your requirements, you may need to add the --enablemkhomedir option. This option creates a local home directory for the user at the first login if none exists.

Put the CA certificate into the /etc/openldap/cacerts directory:

# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

Activate the TLS option:

# authconfig --enableldaptls --update

Test the configuration:

# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash

The sssd option

Install the following package:

# yum install -y sssd

Then, type:

# authconfig --enableldap --enableldapauth \
--ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --update

Note: Depending on your requirements, you may need to add the --enablemkhomedir option. This option creates a local home directory for the user at the first login if none exists.

Put the CA certificate into the /etc/openldap/cacerts directory:

# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

Activate the TLS option:

# authconfig --enableldaptls --update

Test the configuration:

# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
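Once either variant is in place, the checks below confirm what authconfig actually wrote and that user lookups go through the directory. This is an added example, not code from the original page or from the authconfig project; the script name and function names are hypothetical, and it assumes the default paths shown above (/etc/nsswitch.conf, /etc/openldap/cacerts). It also tells the two variants apart: nslcd puts "ldap" in nsswitch.conf and writes /etc/nslcd.conf, sssd puts "sss" there and writes /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Hypothetical post-configuration check (added here, not from the page).
# It inspects what authconfig wrote and works for both variants above:
#   nslcd -> "ldap" in /etc/nsswitch.conf, settings in /etc/nslcd.conf
#   sssd  -> "sss"  in /etc/nsswitch.conf, settings in /etc/sssd/sssd.conf

# Print which NSS backend serves the passwd database: sss, ldap or none.
nss_backend() {  # $1 = path to nsswitch.conf
    line=$(grep -E '^passwd:' "$1" 2>/dev/null | head -n 1)
    case " $line " in
        *" sss "*)  echo sss ;;
        *" ldap "*) echo ldap ;;
        *)          echo none ;;
    esac
}

# Return 0 if the directory holds at least one PEM/CRT file; without it
# --enableldaptls has nothing to validate the server certificate against.
cacert_present() {  # $1 = cacerts directory
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Validate one getent passwd line: 7 colon-separated fields, password
# field "*" (no local hash, authentication goes through PAM/LDAP),
# UID >= 1000 and an absolute home directory path.
check_user_entry() {  # $1 = passwd line
    [ "$(printf '%s\n' "$1" | awk -F: '{print NF}')" -eq 7 ] || return 1
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    [ "$pw" = "*" ] || return 1
    [ "$uid" -ge 1000 ] 2>/dev/null || return 1
    case "$home" in /*) return 0 ;; *) return 1 ;; esac
}

# Run all checks on the live system for the LDAP user named in $1.
verify_ldap_client() {
    backend=$(nss_backend /etc/nsswitch.conf)
    echo "NSS backend for passwd: $backend"
    [ "$backend" != none ] || return 1
    cacert_present /etc/openldap/cacerts ||
        { echo "no CA certificate in /etc/openldap/cacerts"; return 1; }
    entry=$(getent passwd "$1") || { echo "$1 not resolved"; return 1; }
    check_user_entry "$entry" || { echo "unexpected entry: $entry"; return 1; }
    echo "OK: $entry"
}

if [ "$#" -gt 0 ]; then verify_ldap_client "$1"; fi  # usage: sh verify_ldap_client.sh ldapuser02
```

A "none" backend or a missing cacerts file is the usual reason getent returns nothing even though the authconfig commands reported no error.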

Source: Ramdev’s blog.

Additional Resources

You may be interested in reading the Red Hat SSSD troubleshooting page.
Willem D'Haese wrote an article about Realmd and SSSD Active Directory Authentication.

49 comments on "LDAP: Client configuration with authconfig."
  1. vivek says:

    Will I be able to install these packages “openldap-clients nss-pam-ldapd authconfig-gtk” in the exam, are these packages provided in the RHCSA exam?

    • CertDepot says:

      I don’t know for the authconfig-gtk package because it requires a graphical interface but, concerning the two others, you will be able to install them during the exam. Also, you have to keep in mind that setting up a repository (local or remote) can be part of the exam.

  2. brthomasusa says:

    You wrote "… As the authconfig-tui command is deprecated …". authconfig-tui is available in RHEL/CentOS 7.1 and 7.2. On what version of RHEL is authconfig-tui deprecated? I was counting on it being available.

    • CertDepot says:

      The authconfig-tui command is definitively deprecated. But this doesn't mean you can't use it with RHEL 7 anymore. The command is still there and you can use it.
      However, all the new features (including those appearing in RHEL 7) will not be backported and this command will disappear with RHEL 8. Why would you learn a command about to disappear? I can only see one explanation: because it's easier. I think it's certainly possible to find a way to memorize the necessary arguments to use with the authconfig command.

      • brthomasusa says:

        Thanks for the explanation. You are right, it is easier to remember. In preparing for the exam, I’m trying to reduce the amount of facts that must be remembered. Once I am working in the field, I won’t have to memorize everything.

        • CertDepot says:

          I will try to find a way to sum up all the LDAP client side configuration.
          For the time being, I’m sticking with what is working.
          I’m still open to any shortcut.

  3. bhill1278 says:

    In chapter 6 of Sander's book he uses authconfig-tui. After configuring an IPA server exactly like in appendix D of the book, I followed the steps to the letter in appendix D and the exercise in chapter 6, but no go. I couldn't authenticate with an LDAP user, I kept getting "user does not exist". I am running 7.2. I'm not sure that authconfig-tui is writing the correct settings to nslcd.conf. However the authconfig method works perfectly, just more to remember. So much for an easier method. Has anyone else had any luck with the tui method post RHEL 7.0?

    Thanks for the blog, you are awesome!

    • bajeradai says:

      I'm having the same problem in RHEL 7 and I also tried the above steps with both methods but still was not able to set it up. Everything works except this command:
      # scp root@instructor.example.com:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem
      I get the message that instructor.example.com is not resolved.
      If anybody has ideas please share with me.
      Thanks.

      • CertDepot says:

        You need to edit your local /etc/hosts file to add a line with the IP address and Fully Qualified Domain Name of the LDAP server:
        192.168.x.y instructor.example.com
        The other option is to configure a DNS server.

  4. bizzle says:

    Figured I'd add this because I've had significant complications with this as I follow along in van Vugt's book. The server I have is configured according to Appendix D in his book and the following works for me.

    Using SSSD and authconfig:

    Install package sssd
    echo "ip-of-server instructor.example.com instructor" >> /etc/hosts
    authconfig --enableldap --enableldapauth --ldapserver=instructor.example.com --ldapbasedn=dc=instructor,dc=com --enablemkhomedir --update

    Using SSSD and authconfig-gtk:

    yum install -y sssd authconfig-gtk
    echo "ip-of-server instructor.example.com instructor" >> /etc/hosts
    scp instructor:/etc/ipa/ca.crt /etc/openldap/cacerts
    Run authconfig-gtk, User Account Database: LDAP, check "Use TLS to encrypt connections"
    systemctl restart sssd

  5. sobars2009 says:

    Thanks, it’s working.

  6. asifshabir says:

    Thanks for this nice tutorial. I don't see any difference in all the three methods that you have described for LDAP authentication. Would you be kind enough to briefly write up any differences?

    • CertDepot says:

      There are differences in which files are written to and which daemons are started but I'm not able at this time to describe all of them: it's difficult work to do because it depends on the version of RHEL 7 (7.0, 7.1, 7.2) and the level of patches applied for each of the packages involved (pam, sssd, etc). This is the reason why Sander van Vugt advises installing the package group called Directory Client and keeping the same minor version when preparing the exam, without any patch.

  7. quaie says:

    What about the lines below? It worked for me with the additional settings added to /etc/sssd/sssd.conf (there is no TLS for this free online LDAP server, but that would be quite trivial to configure on the client).

    yum install sssd sssd-client
    authconfig --enableldap --enableldapauth --ldapserver="ldap.forumsys.com" --ldapbasedn="dc=example,dc=com" --update
    authconfig --enablesssd --update

    #it seems to be working also with anonymous bind
    #ldap_default_bind_dn = cn=read-only-admin,dc=example,dc=com
    #ldap_default_authtok = password
    ldap_tls_reqcert = never

    #testing:
    getent passwd tesla (the only posix user defined in ldap)
    ssh tesla@localhost

  8. scryptkiddy says:

    Interesting. I could not get the sssd method to work, but the nslcd method worked first try no issues. Other than a package difference on install and the:

    # authconfig --enableforcelegacy --update

    command, they are pretty much the same. The sssd option kept giving me the user not found error.

    So a few questions:

    1) Should I be concerned, or just use the nslcd method if asked to do so on the exam?
    2) While not listed, I tried to reapply the SELinux context to the downloaded cert.pem file on the client. It was the same before and after anyway. Did I do something incorrect, or is the SELinux context not going to be an issue anyway?
    3) I tested having the LDAP server IP and hostname in /etc/hosts and with it commented out. The test I used (su - ldapuser02) worked in either case. Is that normal and/or should the LDAP server IP/hostname be in the /etc/hosts file normally?

    Thanks!

    SK

  9. alejflor says:

    When you talk about "the LDAP server certificate", do you mean a CA LDAP certificate? I am having problems with the cert when I start SSSD. Should I: 1) generate a CA cert from the server, 2) generate a normal cert for the LDAP server, 3) sign the LDAP cert with the CA, 4) transfer the new signed cert to the client? I am working with RHEL 7.

  10. reaz_mahmood says:

    Following Sander's video tutorial, I have been practising LDAP client configuration using authconfig-gtk. But as you replied in another comment, since it's a graphical interface, it may not be available in the exam. I am curious to know: is there any restriction on using a graphical environment on the RHCSA exam?

    • CertDepot says:

      As I'm sure the Command Line Interface will be available during the exam ;), I advise using it. However, the graphical environment is perhaps available but I can't give you any additional information on this point.

    • Lisenet says:

      Independently of whether a GUI is available on the exam or not, you can always install it yourself if you believe it’s reasonable. There are no restrictions in terms of using a GUI. If it’s pre-installed – use it, if it’s not installed, then install and use it.

  11. reaz_mahmood says:

    So as far as the exam is concerned, we will be given the LDAP server name and the URL of the CA certificate as provided info, and the rest of the settings we have to figure out. Am I correct?

  12. uco says:

    For those getting "User does not exist": authconfig --enablerfc2307bis --update. Since RHEL 7.2 something has changed and causes the error due to an incorrect ldap_schema setting.

    Source: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp37833632

    yum install sssd
    authconfig --enablesssd --enablesssdauth --update
    authconfig --enablerfc2307bis --update
    authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com --ldaploadcacert=ftp://ldap.example.com/pub/cacert.p12 --enableldaptls --update

    Btw --ldaploadcacert saves you some time instead of copying and creating the /etc/openldap/cacerts dir... 😉

    And with a self-signed cert don't forget to add ldap_tls_reqcert = never to /etc/sssd/sssd.conf and restart the sssd.service.

    On the exam just remember: authconfig --help | egrep "sssd|ldap|rfc"

  13. ispada says:

    To remember the different options, I found this tip helpful. Just type authconfig | grep ldap. It'll show all the required LDAP options. Helps a lot to remember.

    • CertDepot says:

      Interesting tip. Thanks.

    • blahblah says:

      ^^ VERY helpful tip. I remember it as 1 4 2 – as in, to setup with nslcd, it’s 1 argument (--enableforcelegacy) plus --update, then 4 arguments plus --update, then 2 arguments plus --update

      I also tried doing some weird things, to emulate what happens, for example, if you yum install sssd nss-pam-ldapd openldap-clients all together, then do/don’t run --enableforcelegacy. Or if you accidentally install these things after running authconfig commands, then rebooting, then running the authconfig commands again. Generally, it seems the LDAP client software is pretty robust, and always lets you login to ldapuser02, as long as the correct sequence of install *then* authconfig are run last. Also, I was only testing the LDAP side with these strange combinations, not in combination with autofs, though I can’t see why there’d be a problem with autofs, as long as you *can* login to an LDAP user and whoami shows an LDAP username

  14. zi says:

    Can we change/modify LDAP accounts, such as changing the password, GID and so on?
    If yes, how?

  15. alexie says:

    Thanks for this, just working on a way of remembering it.

  16. centosuser says:

    Hi there, please advise if you can. Red Hat recommends using ipa-client-install instead of authconfig (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-install.html). Is LDAP a part of the identity management system? I didn't have any luck with authconfig to configure the client but using ipa-client-install was very quick and easy: first you install "Directory Client" (# yum -y group install "Directory Client"), which installs both sssd and ipa-client, then run ipa-client-install --mkhomedir.
    Basically my question is: can I use ipa-client-install instead of authconfig? Thank you

    • CertDepot says:

      This question was already asked at least a year and a half ago. And, as before, I don't have the answer.
      The secure way is to use the authconfig or authconfig-tui commands, even though the latter has been deprecated.
      Using the ipa-client-install command may work but it's your call.

  17. bankai says:

    Hi CertDepot, do you have an LDAP server configuration here? I need to set up an LDAP server in RHEL 7 to test my LDAP client.
    Thanks

  18. bankai says:

    Also, to some people here: same as my thoughts. I think authconfig-tui is easy, right? You just type the address and you are good? Can somebody please tell me how you test if your LDAP client is working?
    Thank you

  19. rusky says:

    I'm sorry, can you tell me the differences between the nslcd option and the sssd option? I see the two configurations are the same.

  20. Kg says:

    Not getting any output from the command: getent passwd ldapuser02

  21. lozingalo says:

    Hi all, is the installation of openldap and openldap-clients necessary if I use sssd?

  22. nbona says:

    Just a little input… "Put the LDAP server certificate into the /etc/openldap/cacerts directory:" should say "Put the CA certificate into the /etc/openldap/cacerts directory:".
