LDAP: Configure a system to use an existing LDAP directory service for user and group information.


LDAP Server configuration

In order to test an LDAP client configuration, you will need an LDAP directory service to point it at.
The LDAP server is called instructor.example.com in this procedure.

LDAP Client configuration

Install the following packages:

# yum install -y openldap-clients nss-pam-ldapd

Run the text-mode authentication configuration tool:

# authconfig-tui

Choose the following options:

- Cache Information
- Use LDAP
- Use MD5 Passwords
- Use Shadow Passwords
- Use LDAP Authentication
- Local authorization is sufficient

In the LDAP Settings, type:


Note: don't check the Use TLS box if you specify an ldaps:// URL (see the comments below: TLS with ldap://, or no TLS with ldaps://, but never both).
Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked.

Test the connection to the LDAP server (the passwd entry of ldapuser02, fetched from the directory, should be displayed):

# getent passwd ldapuser02

You can also use the authconfig command to configure the client side.

NFS server configuration

To get the home directory mounted, you need to configure an NFS server.
The NFS server is called instructor.example.com in this procedure.
Note: the LDAP server and the NFS server don't have to be on the same machine; it's only easier.

Automounter Client configuration

Install the following packages:

# yum install -y autofs nfs-utils

Create a new indirect map file /etc/auto.guests containing this single line:

* -rw,nfs4 instructor.example.com:/home/guests/&

Add the following line at the beginning of the /etc/auto.master file:

/home/guests /etc/auto.guests

Start the Automounter daemon and enable it at boot:

# service autofs start && chkconfig autofs on

Test the configuration:

# su - ldapuser02
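The script below is an added example, not code from the original page: a small POSIX shell resolver that mimics how the automounter uses the two map lines above, looking up the requested path in the master map, picking the matching key (an exact key wins over the `*` wildcard, as the autofs map page describes) and substituting `&` with the key. The map contents are constructed inline, including an extra hypothetical `shared` entry to show key precedence, so the script runs offline and needs neither autofs nor an NFS server.

```shell
#!/bin/sh
# Added example (not from the original CertDepot page): resolve a path under
# /home/guests to the NFS location the automounter would mount for it.

# Constructed copies of the two map lines from the procedure. The "shared"
# entry is hypothetical and only demonstrates that exact keys beat '*'.
MASTER_MAP='/home/guests /etc/auto.guests'
GUESTS_MAP='shared -ro,nfs4 instructor.example.com:/export/shared
* -rw,nfs4 instructor.example.com:/home/guests/&'

# substitute_key LOCATION KEY -> prints LOCATION with every '&' replaced by KEY
substitute_key() {
    rest=$1
    key=$2
    out=
    while :; do
        case $rest in
            *\&*) out="$out${rest%%&*}$key"; rest=${rest#*&} ;;
            *)    out="$out$rest"; break ;;
        esac
    done
    printf '%s\n' "$out"
}

# resolve_mount PATH -> prints "OPTIONS LOCATION" for the mount autofs would
# perform when PATH is accessed, or returns 1 if no map entry covers PATH.
resolve_mount() {
    path=$1
    mountpoint=$(printf '%s\n' "$MASTER_MAP" | awk '{print $1}')
    case $path in
        "$mountpoint"/*) ;;
        *) return 1 ;;              # not under the auto.master mount point
    esac
    key=${path#"$mountpoint"/}
    key=${key%%/*}                  # first component only, e.g. ldapuser02
    [ -n "$key" ] || return 1

    # Exact key first; the '*' entry is only used when no exact key exists.
    entry=
    while read -r mkey rest; do
        case $mkey in
            "$key") entry=$rest; break ;;
            '*')    [ -z "$entry" ] && entry=$rest ;;
        esac
    done <<EOF
$GUESTS_MAP
EOF
    [ -n "$entry" ] || return 1

    opts=${entry%% *}
    location=${entry#* }
    case $opts in
        -*) ;;
        *)  opts=; location=$entry ;;   # entry without a leading option string
    esac
    printf '%s %s\n' "$opts" "$(substitute_key "$location" "$key")"
}

# Demonstration: what "su - ldapuser02" would trigger on the client.
resolve_mount /home/guests/ldapuser02
```

Expected output is `-rw,nfs4 instructor.example.com:/home/guests/ldapuser02`, which is exactly what the `&` in the map expands to for that user; a path outside /home/guests returns 1 because the master map has no entry for it.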
12 comments on "LDAP: Configure a system to use an existing LDAP directory service for user and group information."
  1. Shikaz says:

    First let me congratulate and thank you for this amazing website, seriously there is nothing like this all over the web, it's straight and to the point! 🙂

    Man I’ve been to RHCSA 7 Exam and I did pass BUT I had a little problem, I did not succeed in getting the ldap client running.

    I did add all the above configuration but it did not work, the openldap-client and the nss were already installed.

    The only thing I am thinking of now, can this be that I have to firewall-cmd and add the service or add-port on the client?

    • CertDepot says:

      First, congratulations for your success!
      Then, concerning the LDAP configuration, there shouldn’t be any requirement to open ports on the LDAP client side as all the flows aren’t coming in but out.
      Would it be possible that there were any restrictions at the /etc/hosts.deny level or somewhere else? I sincerely don’t know.

  2. Abdelrahman says:

    Good day,

    Thank you for your effort.
    I just have a question, what do you mean by this part "Note: Don't use TLS if you specify ldaps"? Do you mean that I shouldn't check the "[ ] Use TLS" box if I specify the LDAP server in the following field as "ldap://instructor.example.com"?

    • CertDepot says:

      According to my tests (done more than one year ago), you have to make some choices:
      – check the Use TLS box and specify the ldap://instructor.example.com url,
      – or leave the Use TLS box unchecked and use the ldaps://instructor.example.com url.
      But you can’t mix the options or it won’t work!

  3. bos1234 says:

    On this line: * -rw,nfs4 instructor.example.com:/home/guests/&

    what does the ampersand signify?

    • CertDepot says:

      I'm just cutting and pasting from the man 5 autofs page:

      Wildcard Key
      A map key of * denotes a wild-card entry. This entry is consulted if
      the specified key does not exist in the map. A typical wild-card entry
      looks like this:

      * server:/export/home/&

      The special character ‘&’ will be replaced by the provided key. So, in
      the example above, a lookup for the key ‘foo’ would yield a mount of

      The & repeats what the * represented.

    • Gjorgi says:

      Ampersand means “mount point will bear the same name as the remote mount.” The asterisk will be named after whatever the ampersand is named.
      If shared resource /resource is mounted on a subdirectory of /mnt of the local host, that subdirectory will be named “resource”.

  4. lozingalo says:

    Hi all, I’m preparing RHCSA exam for next week.
    Could you please explain to me what the advantage of using autofs for LDAP users is, given that the --enablemkhomedir option of the authconfig tool allows the creation of the home dir? Thank you

    • CertDepot says:

      Autofs’s got nothing to do with the creation of the user’s home directory. It’s only a way to transparently mount a remote directory when a user wants to access it. Autofs removes the need for a permanent NFS mount and therefore minimizes the load on the NFS server.
