Note: This is an RHCSA 7 exam objective.
LDAP Server Configuration
In order to test an LDAP client configuration, you first need to configure an LDAP directory service.
The LDAP server is called instructor.example.com in this procedure.
LDAP Client Configuration
As authconfig-tui is deprecated, there are two available options to configure the LDAP client side: nslcd and sssd.
This tutorial uses the nslcd option; see the authconfig tutorial for the sssd option.
Install the following packages:
# yum install -y openldap-clients nss-pam-ldapd
Note: Sander van Vugt advises installing the Directory Client package group instead: # yum group install "Directory Client"
Then, type:
# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --update
Note1: Depending on your requirements, you may need to specify the --enablemkhomedir option after installing the oddjob-mkhomedir package. This option creates a local home directory for the user at first login if none exists.
Note2: Type # authconfig --help | grep ldap to recall the necessary options.
Put the LDAP server certificate into the /etc/openldap/cacerts directory:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem
Apply the correct SELinux context to the certificate:
# restorecon /etc/openldap/cacerts/cert.pem
Activate the TLS option:
# authconfig --enableldaptls --update
Test the configuration:
# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
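A successful getent lookup only proves that nslcd reached the server; it says nothing about whether the connection was protected. The following POSIX shell function is an added check, not part of the original tutorial: it inspects an nslcd.conf of the kind authconfig writes and reports whether a uri and base are set, whether TLS is in use (ssl start_tls or an ldaps:// URI), whether a CA location (tls_cacertdir or tls_cacertfile) is configured, and whether tls_reqcert has been set to never or allow, which makes nslcd accept any certificate. The keyword names are those of nslcd.conf(5); the two sample files are constructed here and stand in for /etc/nslcd.conf.

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint an nslcd.conf the way a
# reviewer would before trusting `getent passwd` results fetched over the network.
# Keywords checked (uri, base, ssl, tls_cacertdir, tls_cacertfile, tls_reqcert)
# are those documented in nslcd.conf(5).

# check_nslcd_conf FILE
# Prints one line per finding. Returns 0 when the file names a server and a
# base DN, enables TLS, points at a CA certificate and verifies the peer;
# returns 1 otherwise.
check_nslcd_conf() {
    conf=$1
    rc=0
    # Drop comments and blank lines once so every check sees the effective config.
    eff=$(grep -Ev '^[[:space:]]*(#|$)' "$conf")

    echo "$eff" | grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps?://' \
        || { echo "missing: uri"; rc=1; }
    echo "$eff" | grep -Eq '^[[:space:]]*base[[:space:]]+' \
        || { echo "missing: base"; rc=1; }

    # TLS is in use either via STARTTLS on ldap:// or via an ldaps:// URI.
    if ! echo "$eff" | grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)' \
       && ! echo "$eff" | grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://'; then
        echo "weak: no TLS (expected ssl start_tls or an ldaps:// uri)"; rc=1
    fi

    # Without a CA location the server certificate cannot be verified.
    echo "$eff" | grep -Eq '^[[:space:]]*tls_cacert(dir|file)[[:space:]]+' \
        || { echo "missing: tls_cacertdir or tls_cacertfile"; rc=1; }

    # 'never' and 'allow' make nslcd accept any certificate, defeating TLS.
    if echo "$eff" | grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)'; then
        echo "weak: tls_reqcert never/allow skips certificate verification"; rc=1
    fi
    return $rc
}

# Constructed sample configurations (stand-ins for /etc/nslcd.conf).
WORKDIR=$(mktemp -d)
GOOD_CONF=$WORKDIR/nslcd-good.conf
WEAK_CONF=$WORKDIR/nslcd-weak.conf
cat > "$GOOD_CONF" <<'EOF'
# constructed: the shape authconfig --enableldap --enableldaptls produces
uid nslcd
gid ldap
uri ldap://instructor.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
EOF
cat > "$WEAK_CONF" <<'EOF'
# constructed: "it works now" with verification switched off
uri ldap://instructor.example.com/
base dc=example,dc=com
ssl start_tls
tls_reqcert never
EOF

for f in "$GOOD_CONF" "$WEAK_CONF"; do
    if check_nslcd_conf "$f"; then
        echo "$(basename "$f"): OK"
    else
        echo "$(basename "$f"): needs attention"
    fi
done
```

Run it against the real file with check_nslcd_conf /etc/nslcd.conf after the authconfig steps above; a certificate or name mismatch should be fixed on the server side (or in /etc/hosts) rather than by lowering tls_reqcert.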
NFS Server Configuration
To get the home directory mounted, you need to configure an NFS server.
The NFS server is called instructor.example.com in the procedure.
Note: The LDAP server and the NFS server are not required to be on the same machine; it is only easier.
Automounter Client Configuration
Install the following packages:
# yum install -y autofs nfs-utils
Create a new indirect /etc/auto.guests map and paste the following line:
* -rw,nfs4 instructor.example.com:/home/guests/&
Add the following line at the beginning of the /etc/auto.master file:
/home/guests /etc/auto.guests
Start the Automounter daemon and enable it at boot:
# systemctl enable autofs && systemctl start autofs
Test the configuration:
# su - ldapuser02
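To see what the two configuration lines above actually do when ldapuser02 logs in, here is an added example that is not part of the original tutorial: it resolves a user name through an indirect map the way the automounter does, looking up the mount point in a constructed copy of /etc/auto.master, reading the map file, and expanding the wildcard entry by replacing & with the key. The sample map files are constructed inline and stand in for /etc/auto.master and /etc/auto.guests; the syntax followed is that of auto.master(5) and autofs(5).

```shell
#!/bin/sh
# Added example (not from the original tutorial): expand an autofs indirect
# map entry by hand to show what `su - ldapuser02` makes autofs mount.
# Master map lines are "mount-point map"; indirect map lines are
# "key [-options] location", where the key '*' matches any name and '&'
# in the location is replaced by that name.

# map_for_mountpoint MASTER MOUNTPOINT -> prints the map file for MOUNTPOINT
map_for_mountpoint() {
    awk -v mp="$2" '$1 !~ /^#/ && $1 == mp { print $2; exit }' "$1"
}

# automount_entry MAPFILE KEY -> prints "options location" for KEY.
# An exact key wins over the '*' wildcard; '&' is substituted with KEY.
automount_entry() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF == 0 { next }
        $1 == key { hit = $0; exit }
        $1 == "*" && hit == "" { hit = $0 }
        END {
            if (hit == "") exit 1
            n = split(hit, f, /[ \t]+/)
            opts = ""; loc = f[n]
            for (i = 2; i < n; i++) opts = opts f[i] " "
            gsub(/&/, key, loc)
            printf "%s%s\n", opts, loc
        }' "$1"
}

# Constructed stand-ins for /etc/auto.master and /etc/auto.guests.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/auto.master" <<'EOF'
/home/guests /etc/auto.guests
/misc /etc/auto.misc
EOF
cat > "$WORKDIR/auto.guests" <<'EOF'
# constructed copy of the tutorial's indirect map
* -rw,nfs4 instructor.example.com:/home/guests/&
EOF

# resolve_home USER -> prints "<options> <nfs source>" that autofs would
# mount under /home/guests/USER, or fails if no map matches.
resolve_home() {
    mapname=$(map_for_mountpoint "$WORKDIR/auto.master" /home/guests) || return 1
    [ -n "$mapname" ] || return 1
    # Map files live in /etc on a real host; the constructed copy is used here.
    automount_entry "$WORKDIR/$(basename "$mapname")" "$1"
}

resolve_home ldapuser02   # -> -rw,nfs4 instructor.example.com:/home/guests/ldapuser02
```

Because the wildcard matches any name, a typo in the user name still produces a mount attempt for a non-existent export, which is why the "No such file or directory" messages in the comments below appear only at login time.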
Additional Resources
Ralph Nyberg offers an interesting video about configuring LDAP authentication (20min/2015).
The ForumSystems website provides a free online LDAP test server.
Although I passed the RHCSA 7, I could not configure the LDAP client at that time. I did everything but it was not working. Do you think it can be the firewall I need to open on the client? Or add a service to the firewall?
No, I don’t think it is related to the firewall on the client side. It’s something else.
Man, I found the problem, so I just wanted to share it here. I went to /etc/nslcd.conf ("client") and put 'tls_reqcert never', and the ldap worked on the client.
Interesting. Thanks.
Setting tls_reqcert never means it’ll ignore any certificate errors – probably not the best practice. You can get this behavior if you don’t have a certificate/name match. Double check that your LDAP server in authconfig and the common name on the certificate match exactly. Since the common name needs to be a name, not an IP, this may require you to make sure the name can resolve via /etc/hosts.
Interesting. Thanks.
Great site, a lot to learn, and works perfectly.
Just curious – do we have to setup directory service at the exam, or just the client-side with already existing LDAP directory ? It’s one thing to configure cert and client-side, another to remember the changes/base.ldif config 🙂
You just need to set up the client side for the exam.
But, if you want to practice at home, you need both.
While I ran the command:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem
I’m getting the following message even though I set the hostname as instructor.example.com:
ssh: could not resolve hostname instructor.example.com : name or server not known.
Could you please help me figure it out?
You need to edit your local /etc/hosts file to add a line with the IP address and Fully Qualified Domain Name of the LDAP server:
192.168.x.y instructor.example.com
The other option is to configure a DNS server.
Hi CertDepot,
Is it necessary, when configuring an LDAP client, NFS and CIFS share in the exam environment, to add the IP and hostname of the server in the /etc/hosts file on the client side, or is it not necessary at all? Thanks! 🙂
I’m not sure if it is an absolute requirement but it is good practice to put the IP and hostname of client and server either in the /etc/hosts file or in the DNS configuration.
Thanks CertDepot!
Just passed my RHCSA today, thank you for this great site ! And keep up the good work 😉
Thank you.
Very helpful site indeed. Just wondered: no mention of the system-config-authentication GUI tool here. It can be installed using yum install authconfig-gtk*
thanks
alex
At the exam, you can’t rely on any GUI.
Are we required to remember the package names during installation or is it provided for the RHCSA exam?
You have to memorize the package names, they are not provided during the RHCSA exam.
“Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked”
How do I do this step? Could you detail this one for me please?
I have updated the tutorial.
Got this error after automount, please help.
[root@rhel7-testServer ~]# su - ldapuser02
su: warning: cannot change directory to /home/guests/ldapuser02: No such file or directory
mkdir: cannot create directory '/home/guests/ldapuser02': Permission denied
Will I still be able to use the “authconfig-tui” command in RHCSA exam since you mentioned that this is deprecated in another post?
Deprecated doesn’t mean the command doesn’t exist anymore. The authconfig-tui command still exists and you can use it but in the next RHEL release, it could disappear.
Check that the setsebool -P use_nfs_home_dirs on command has been applied on the NFS server.
Check the semanage command has been run on the /home/guests directory and the access rights correctly set.
How do we do that? Is it on the client side?
Not sure what option of ‘semanage’ to use? Thanks
From memory, the only option you really have to remember is semanage fcontext
This is what I get if I run the above, and I guess this should be run on the client machine:
semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | --delete ( -t TYPE -f FTYPE | -e EQUAL ) FILE_SPEC ) | --deleteall | --extract | --list -C | --modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) ]
My problem was not having mounted LDAP users home directory on the client. After that the problem is over. Not quite sure if that is what semanage does? Not familiar with this command. Thanks.
The semanage fcontext command applies a SELinux context to a file. Then, when a specific process tries to access the file, SELinux allows it because a preexisting rule has been specified in a policy.
Hi
Whenever I try to log in with an LDAP user on the automounted file system, it won’t take me to the user’s home directory. Below is the message I am getting.
[root@rhelserver ~]# su - ldapuser6
Creating home directory for ldapuser6.
Last login: Sat Dec 12 00:13:19 EST 2015 on pts/0
su: warning: cannot change directory to /homeldap/ldapuser6: No such file or directory
-bash-4.2$
Please find my nfs and auto mount configuration:
[root@rhelserver ~]# cat /etc/exports
/data *(rw,no_root_squash)
[root@rhelserver ~]#
[root@rhelserver ~]# showmount -e rhelserver
Export list for rhelserver:
/data *
[root@rhelserver ~]#
[root@rhelserver ~]#
[root@rhelserver ~]# grep -v "^#" /etc/auto.master
/misc /etc/auto.misc
/homeldap /etc/auto.nfsserver
/net -hosts
+dir:/etc/auto.master.d
+auto.master
[root@rhelserver ~]#
[root@rhelserver ~]#
[root@rhelserver ~]#
[root@rhelserver ~]# grep -v "^#" /etc/auto.nfsserver
* -rw,nfs4 rhelserver.ihub.ca:/data/&
[root@rhelserver ~]#
Could you please let me know where I’m going wrong? All the services listed below are running on the server.
autofs.service
nfs-server.service
nscd.service
oddjobd.service
Many Thanks
Check that you created the /homeldap/ldapuser6 directory and export it from your NFS server.
Check that the setsebool -P use_nfs_home_dirs on command has been applied on the NFS server.
Also, when su-ing in as a remote LDAP user, somehow you must be chrooted in the user’s home dir... This doesn’t happen automatically... Any ideas? 🙂
You need to configure the Automounter and NFS services.
Thanks CertDepot for a great website. I have followed this line by line and was able to set up client side without a problem. The only question I have is what do you mean by
“Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked”
will it be some kind of text that we need to put in a file and leave it in this dir /etc/openldap/cacerts?
My client side is running well without this step. How important this step is?
I am using Ghori’s book and unfortunately he doesn’t go over this part or LDAP in general in detail and I am using your website to prepare for this part of exam. Your reply will be much appreciated!
I just updated the LDAP client side tutorial. I hope it will be easier to follow.
Thank you Sir!
You’re welcome.
I really like this site.
How would you set host name: station.domain.example.com?
I’m really confused. My IP address is 172.24.11.10.
# hostnamectl set-hostname station.domain11.example.com OR
# hostnamectl set-hostname station11.domain.example.com?
Here is what I would suggest:
# hostnamectl set-hostname station10.domain11.example.com
Thanks for your suggestion. Why do we need to put domain11? Why not
hostnamectl set-hostname station10.domain.example.com? The question asks: set host name: station.domain.example.com. I think the following is also OK:
“hostnamectl set-hostname station.domain.example.com” because the question doesn’t ask where “X” is your IP address. Please specify again. Thanks for your help.
If the question is in the exam, I don’t want to answer.
The purpose of my website is to make learning easier not to provide straight answers to the exam.
This is not an exam question. It is about how to set the hostname and FQDN. Thanks.
Sorry, I didn’t want to hurt you.
No, you did not. Please answer this question. I’m still not getting the right answer from anybody. How do you set the following host name:
station.server.certdepot.com, where your IP is 192.168.1.2?
I’m hoping you will answer it.
Hostnames are specified either locally or remotely.
Locally, you can set up a hostname through the /etc/hosts file:
192.168.1.2 station.server.certdepot.com
Remotely, you use a DNS (Domain Name Server) server and configure it to answer 192.168.1.2 for station.server.certdepot.com.
Thanks.
Which method is best for the exam?
The nslcd method seems to work better according to my tests.
When I run the command on the LDAP client, I get nothing.
getent passwd ldapuser02
When I run the command on the LDAP server, I get this:
ldapuser02:x:1002:1002::/home/guests/ldapuser02:/bin/bash
I presume that my LDAP client configuration must be wrong somehow, but can you point me in the right direction or offer any advice?
Update: found out that when I disable TLS in authconfig-tui, the LDAP client can connect just fine!
With TLS enabled, this is what’s logged in /var/log/messages on the LDAP client:
nslcd[3564]: [3c9869] failed to bind to LDAP server ldap://10.213.51.12:/ Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Interesting. Thanks.
I would like to figure out what’s wrong; I used scp to copy the certificate file over. For now, I’m going to disable TLS because I’m working to a deadline, but I will update when I get TLS working.
Any advice is appreciated! It’s a little hard for me to send logs because the servers I’m working with are in a DMZ, so I’m hand typing all the output I get, but I can send any requested output or run any commands.
Maybe it would be of value for me to nuke the LDAP server and reconfigure it from scratch.
It’s clear that sometimes it’s easier to start from scratch.
Hi, I would suggest checking the SELinux context of the certificate file. I had similar issues when I moved the certificate to /etc/openldap/cacerts from the directory I downloaded it to.
I will add an instruction for this in the tutorial. Thanks.
Hi! I ran into the same problem you did on CentOS 7. It seems that the command 'authconfig --enableldaptls --update' appends the directive 'tls_cacertdir /path/to/certdir' to the nslcd.conf file. For whatever reason, on my system, nslcd seems to ignore that directive, and it then generates the same error you reported. But if instead you use 'tls_cacertfile /path/to/your/cacert' (which is just the same cert used in this tutorial) in nslcd.conf, TLS will work fine.
Latest update (Centos 7.3):
I met the same issue, but rerunning authconfig-tui after that shows that something was not done properly.
On a clean install I did the following to make it run (I’m using Kerberos for auth, which doesn’t matter):
1. Pass authconfig the relevant params:
[root@server1 ~]# authconfig --update --enableldap --ldapserver="ipa.example5.org" --ldapbasedn="dc=example5,dc=org" --enableldaptls --enablekrb5 --krb5kdc="ipa.example5.org" --krb5adminserver="ipa.example5.org" --krb5realm="EXAMPLE5.ORG" --enablemkhomedir
authconfig: Authentication module /lib64/security/pam_krb5.so is missing. Authentication process might not work correctly.
2. Install the packages needed:
[root@server1 ~]# yum install pam_krb5 nss-pam-ldapd
3. Copy the certificate to /etc/openldap/cacerts/:
[root@server1 cacerts]# scp ipa:/root/cert.pem /etc/openldap/cacerts/
4. Rerun the first command (otherwise ldap fails, but kerberos runs):
[root@server1 openldap]# authconfig --update --enableldap --ldapserver="ipa.example5.org" --ldapbasedn="dc=example5,dc=org" --enableldaptls --enablekrb5 --krb5kdc="ipa.example5.org" --krb5adminserver="ipa.example5.org" --krb5realm="EXAMPLE5.ORG" --enablemkhomedir
5. Enable forcelegacy mode (disable sssd):
[root@server1 openldap]# authconfig --update --enableforcelegacy
6. Login with an ldap user:
[root@server1 openldap]# su - jack
Creating directory '/home/jack'.
-sh-4.2$ id
uid=912000001(jack) gid=912000001(jack) groups=912000001(jack) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Why can’t we rely on authconfig-gtk during the exam? Do we get negative marking for using a GUI tool?
During the exam, you can use GUI tools like authconfig-tui or nmtui, but I don’t think you can use a graphical tool like authconfig-gtk. You won’t get negative marking because you won’t be able to start this tool!
I was actually referring to this website: http://blog.remibergsma.com/2013/10/07/my-tips-for-the-red-hat-rhcsa-rhce-exam/
According to this person “””I’ve heard people complaining about the GUI/TUI tools. And I agree a GUI is not something you want on a server. But hey, if ‘system-config-authentication‘ has a ready to fill-in form and makes you configure LDAP with TLS and Kerberos in 60 seconds. Why would you want to go for the manual way on the exam? Yet, some feel they are better off configuring this on the command line. There’s simply no time for that approach, nor will it bring in more points. Be smart, take the fast track.”””
# yum install authconfig-gtk -y
Please explain if I am missing any valid points which I must know as a candidate. Thank you
Normally, you shouldn’t get access to the authconfig-gtk tool because you can’t get access to a graphical interface, or it takes too much time to install it during the exam.
Also, I would like to know if LDAP is still part of the RHCSA objectives, and do any questions come up related to setting up the LDAP client side in the exam? Thanks
The LDAP client configuration is definitely part of the RHCSA exam and you can almost be sure that you will get questions about it.
I was watching Sander van Vugt’s RHCSA (RHEL7) tutorial video.
This is how he started the client configuration:
# yum install authconfig-gtk -y
# yum install nscd nss-pam-ldapd pam_ldap -y
He said: “I would recommend using authconfig-gtk (GUI) in the exam because it’s easy to use and it’s not easy if you use the text interface.”
I have a couple of questions here:
1) Why didn’t he ask us to install openldap-clients as you did?
2) Why didn’t you mention installing nscd and pam_ldap?
3) How can I set up a DNS server on my local network for creating an LDAP server? I don’t have a domain but I would like to create my own domain for internal use only, e.g. server.ldaptest.local
Please extract the confusion from my mind. I have been badly stuck in understanding LDAP configuration for the last few days. And I can easily understand it only if I create my own DNS to set up the LDAP server on a separate virtual machine. Thank you
1) The LDAP client configuration is pretty complicated at the moment. You have two options: nslcd and sssd.
According to the chosen option, you don’t install the same packages.
In his last free webinar session, Sander advises to install the “Directory Client” group package and I’m thinking about changing my current tutorial. According to the packages you install, the behavior changes. Installing the “Directory Client” group package brings a lot of packages but seems to provide a predictable behavior.
If you don’t understand how the choice of packages can change the configuration, look at the content of the /etc/pam.d directory in different scenarios.
Sander and you are perfectly right when talking about the authconfig-tui command. Because the command is officially deprecated, I decided to remove it from my tutorial but this is a mistake. This is the quickest and easiest way to configure the LDAP client. I will reintroduce it in the coming weeks.
2) The nscd daemon serves as a cache for accesses to the passwd, group, and hosts databases through standard libc interfaces (see the nscd man page). This daemon is not required when configuring an LDAP client.
3) You don’t need to configure a DNS server to test the LDAP configuration.
In conclusion, I would say that Red Hat regularly improves integration with Active Directory but, as a result, configuration is not easy.
I have Sander’s new book and the authconfig-tui method is not, in my opinion, straightforward at all. Firstly, the Directory Client group fails to install unless you mark it installed and then run an update on it. After doing that and editing /etc/sysconfig/authconfig to set FORCELEGACY=yes, I ran the TUI tool. It errors on nss-pam-ldapd not being installed.
One thing I did not do was install CentOS 7 with the Server with GUI option, as the book recommends. Maybe that is the missing link for nss-pam-ldapd; will try that next.
Another question,
Why didn’t you create an export file /etc/exports and insert the following line
/data -rw *(rw,no_root,squash)
after creating the /data directory with files in it?
Also, I didn’t see you mentioning
# systemctl start nfs
Thank you
The syntax you use is very unusual: /data -rw *(rw,no_root,squash).
Normally we don’t specify twice rw, we only specify /data *(rw,no_root,squash).
Also, if the # systemctl start nfs was not mentioned, it is because I didn’t need it.
All the tutorials displayed on this website have been verified.
However, next time I check it, I will keep your comment in mind.
Your answers are much appreciated.
Actually, I am following your website and Sander van Vugt’s video tutorials at the same time, and I get pretty confused when I see different methods of approaching the same subject.
I have loads of questions in mind which I will ask later, and I am very hopeful that you won’t mind answering them precisely. Also, please check out my other questions in different topics regarding KVM awaiting your answers. Thank you =)
Some topics like LDAP client configuration or NFS are a moving target. Not only are there differences between Sander‘s videos and my tutorials, but there are certainly some differences between Sander‘s videos and his own book too! I try to keep up with all the improvements or changes happening but it’s not always easy.
Also, don’t forget a simple rule: it’s normal to rely on several sources. This forces you to understand the complexity of some configurations.
In the case of the LDAP client configuration, there is a legacy way to configure it through the nslcd daemon and there is a more modern approach through the SSSD daemon in relation with Active Directory. Due to regular improvements, the SSSD approach is constantly changing. At the same time, for an unknown reason the authconfig-tui command is deprecated, making everything more complicated.
In this context, it is very difficult to provide a definitive path.
Finally, don’t hesitate to leave a comment when you don’t understand some parts of a tutorial.
Hi Jaz, apologies for stepping in.
The /data -rw *(rw,no_root_squash) is for setting up NFS on the server and not the client. For testing purposes you can use this to set up the client if you are working on the same box.
You do not need to restart nfs as autofs is only for the client connecting to the remote NFS/LDAP server.
Hope this helps.
Hi CertDepot,
On the LDAP client configuration, is it okay if I use the IP address instead of instructor.example.com while copying the certificate? Please see below. The IP address is the IP of my LDAP server. Thanks
# scp root@192.168.199.136:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem
Yes, you can use an IP address instead.
Nah….. Why am I always getting an error after I create the LDAP and NFS server? But anyway, CertDepot, we don’t have to worry about setting up LDAP, NFS and CIFS servers, right, since they are already provided in the exam? We just have to practice the client side? Thanks and looking forward to your reply.
Yes, absolutely.
Thanks CertDepot.
* -rw,nfs4 instructor.example.com:/home/guests/&
Hi CertDepot,
What will happen if you don’t include nfs4? In Sander’s video he doesn’t include nfs4. Thanks.
I don’t know. I haven’t tried!
Hi CertDepot,
after running # authconfig --enableldaptls --update
why did you not advise also running # authconfig --enableldapstarttls? Is it not necessary? Thanks
Yes, this option isn’t required in our case.
Hi CertDepot,
When adding the TLS certificate, must the name be exactly cert.pem, or can it be any name as long as it is under the /etc/openldap/cacerts directory?
As long as the certificate is under the /etc/openldap/cacerts directory, it should work.
Thanks! 🙂
I have installed a couple of VMs on VirtualBox to act as a client and a server. The server side seems to work fine and returns the user info on ldapsearch. I followed the client side procedure above, and when I do getent passwd ldapuser1 simply nothing happens. Could anyone tell me how to debug this? None of the steps returned with a complaint.
It was the firewall setting. I did not implement it because I thought, being on a virtual machine, it was not set. My bad.
This problem is resolved; it was due to the firewall, and I commented it here but my comment is gone.
I set up the server and client and even loaded up a .ldif file where I could get a user by using getent passwd “user”. So I decided to try again. I left the server and client CentOS 7 machines on the VM and created another CentOS 7 client VM. I followed the instructions to the end of “authconfig --enableldaptls --update”. But when I do getent passwd “user” I get nothing back. No idea what I did right on the first client! I have done nothing for NFS or mounting on the client side as I am only interested in getting an answer from the “getent” command. Any ideas whatsoever? Thanks a lot.
You can get a very different result if you don’t install exactly the same packages between two executions.
This is what I have done on the client side, do I need to do anything more? Thanks again.
1. Packages to install:
# yum install -y openldap-clients nss-pam-ldapd
2. Enable the following:
# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="davinci.med.cornell.edu" --ldapbasedn="dc=davinci,dc=med,dc=university,dc=edu" --enablemkhomedir --update
3. Put the LDAP server certificate into the /etc/openldap/cacerts directory:
# scp root@davinci.med.university.edu:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem
4. Apply the correct SELinux context to the certificate:
# restorecon /etc/openldap/cacerts/cert.pem
5. Activate the TLS option:
# authconfig --enableldaptls --update
Just to add one extra comment: right now if I run the command “getent passwd vanessa” on client-1 I do get a result back. But if I run it on the server, I get nothing back. So maybe the fault is with the server and not client-2. I did check ldap and slapd and they are running on the server; the machine was rebooted.
For my ldap-client-2 I get: “ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)” if I just type ldapsearch. All the files are owned by root, but they are on the client side. On the server side they are owned by ldap. ldap-client-1, which works, has all the files inside /etc/openldap owned by root as well. I do not believe there is even an ldap user on the client sides.
I found the problem in /etc/openldap/ldap.conf: my Base and URI were in double quotes, and they should not have been. So please disregard all my questions except the one about why getent passwd vanessa returns nothing on the server side and client-2 but returns a value on client-1. ldapsearch returns correct values.
I found the problem with getent passwd on client-2: it was a simple copy and paste; somehow in my documentation there are unseen characters which got copied and pasted.
I had to run this on the server side as well to get getent passwd to work, which I guess makes sense. So all my issues are resolved:
# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --update
Sorry for not helping you much, but I was on a business trip with almost no time to set up an LDAP lab.
Hi CertDepot,
I wonder if replication is also your forte. I am using the following to replicate the server as a master/slave, known as provider/consumer in the LDAP world. I am using this link: http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5
and on section 3 where I enter:
ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
I get this error:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry “olcDatabase={2}hdb,cn=config”
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: Error: parse_syncrepl_line: unable to parse syncrepl id “001#”
The only part I need to enter is:
provider=ldap://10.0.2.11:389/
bindmethod=simple
# own domain name
binddn=”cn=Manager,dc=davinci-clone,dc=med,dc=cornell,dc=edu”
# directory manager’s password
credentials={SSHA}2HAoA6………..
searchbase=”dc=davinci,dc=med,dc=cornell,dc=edu”
If you have any thoughts on that I would be most grateful. Thank you in advance.
Perhaps please ignore my replication question; since I was not getting the last line I thought it might be an error, the last line being:
modifying entry “olcDatabase={2}hdb,cn=config”
But when I did :
ldapsearch -x -b 'ou=People,dc=srv,dc=world'
I did get a whole bunch of people’s accounts output, so I think my replication is set. I guess I need to add something on the master, take it down and see if the client can find it on the slave.
Hello Sir,
I did all the commands and installations, until I encountered this part upon entering the command:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem
It says
etc/openldap/cacerts/cert.pem: No such file or directory
Did I miss something?
You didn’t install the LDAP server part of the tutorial.
In this part, a certificate is created.
Hi CertDepot,
Every time I ask a question I end up finding the answer to it; maybe I get lucky again. I used the link below to create an LDAP replication and it works mostly, except when I try to use getent passwd userid. The link is:
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5
I can do ldapsearch from the clients and get the result even when I switch off the master, better known as the provider VM, but getent passwd “userid” only works if the master is running. In the past I had to get getent passwd working using this config:
# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="davinci.edu" --ldapbasedn="dc=davinci,dc=edu" --update
So I tried doing it on the slave, or consumer, using the machine name, which is davinci-clone instead of davinci, but no joy. Any thoughts on that?
I’ve been reading everyone’s comments and CertDepot’s as well. It seems “moving target” and such is the problem, but I have a different issue that no one seems to be talking about: a test LDAP server.
I realize the ForumSystems website is listed under Additional Resources. However, it doesn’t seem to have / provide a certificate for testing LDAP authentication in the secure manner in which we have to know for RHCSA. Correct me if I’m wrong.
So is there a free LDAP online test server that also provides a certificate for testing? If not, I have a Win 2008 R2 Server that’s running as a DC. However, I’m not much of a windows guy, so does anyone know what steps I need to take to generate a cert for my CentOS 7 machine to use for LDAP authentication testing?
Thanks,
SK
Instead of using the scp command to download the TLS certificate, could I just navigate into the /etc/openldap/cacert directory and use the wget command instead?
Such as wget TLS_CERTIFICATE_URL_LINK
The wget command will work if you’ve got an HTTP server delivering pages located in the /etc/openldap/cacert directory, which I really doubt.
I would like to clarify that during the RHCSA exam, you are given access to a VM which you need to work with (perform all exam tasks on).
You get no SSH/SCP access to the LDAP or any other server, period. Keep in mind that wget works with the FTP protocol as well.
Hi CertDepot,
I have managed to set up a server/client OpenLDAP on CentOS 7 minimal and add a user 'newuser01'. I can retrieve data using ldaps:/// but getent -s sss passwd does not work on the client. These are the authconfig options that I ran:
authconfig \
--disablesmartcard \
--disablefingerprint \
--enablesssd \
--enablesssdauth \
--enablelocauthorize \
--disablemd5 \
--passalgo=sha512 \
--enablepamaccess \
--enableldap \
--enableldapauth \
--disableldaptls \
--ldapserver=ldaps://ldap.yourdomain.tld:636 \
--ldapbasedn=dc=domain,dc=tld \
--enablemkhomedir \
--disablecachecreds \
--disablekrb5 \
--disablekrb5kdcdns \
--disablekrb5realmdns \
--krb5kdc=" #" \
--updateall
and this is what is inside my /etc/sssd/sssd.conf. nsswitch is auto-configured and I think I only need to maybe tweak the sssd.conf file; please let me know your opinion:
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://provider.example.com
ldap_search_base = dc=example,dc=com
#ldap_id_use_start_tls = True
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
#ldap_tls_cacertdir = /etc/pki/tls/certs
#ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_default_bind_dn = uid=newuser01,cn=users,cn=accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
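As an added example (not from the page and not the commenter's own code), here is a small read-only shell check of the transport-related keys in an sssd.conf like the one posted above: whether the ldap_uri scheme and ldap_id_use_start_tls agree, whether a CA file or directory is configured so the server certificate can be validated, and whether ldap_default_authtok stores a bind password in the file. The file path and domain name are parameters; the configuration written by demo() is constructed with placeholder values to mirror the post.

```shell
#!/bin/sh
# Added example, not code from the page or its comments: a read-only review of the
# LDAP transport settings in an sssd.conf. It parses the INI-style file with awk and
# reports the points a reviewer would look at first.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], or nothing.
# Commented-out lines (#key = value) are skipped, so an inactive setting is not read.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        $0 == want { insec = 1; next }
        /^\[/      { insec = 0 }
        insec && $0 !~ /^[ \t]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# sssd_ldap_findings FILE DOMAIN -> one finding per line; empty output means nothing flagged.
sssd_ldap_findings() {
    file=$1
    sec="domain/$2"
    uri=$(ini_get "$file" "$sec" ldap_uri)
    starttls=$(ini_get "$file" "$sec" ldap_id_use_start_tls)
    cacert=$(ini_get "$file" "$sec" ldap_tls_cacert)
    cacertdir=$(ini_get "$file" "$sec" ldap_tls_cacertdir)
    authtok=$(ini_get "$file" "$sec" ldap_default_authtok)

    case $uri in
        ldaps://*) ;;   # TLS from the first byte; STARTTLS is not used on this port
        ldap://*)
            # Plain port 389 is only protected when sssd upgrades the session with STARTTLS.
            case $starttls in
                [Tt]rue) ;;
                *) echo "cleartext: ldap_uri uses ldap:// but ldap_id_use_start_tls is not True" ;;
            esac ;;
        *) echo "uri: ldap_uri missing or has an unexpected scheme" ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "tls: no ldap_tls_cacert or ldap_tls_cacertdir, server certificate cannot be validated"
    fi
    if [ -n "$authtok" ]; then
        echo "bind: ldap_default_authtok stores a bind password; sssd requires the file to be root-owned mode 0600"
    fi
}

demo() {
    tmp=$(mktemp)
    # Constructed sssd.conf fragment modelled on the posted one (placeholder values).
    cat > "$tmp" <<'EOF'
[domain/default]
id_provider = ldap
ldap_uri = ldaps://provider.example.com
#ldap_id_use_start_tls = True
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_default_bind_dn = uid=newuser01,cn=users,cn=accounts,dc=example,dc=com
ldap_default_authtok = secretpassword
[sssd]
services = nss, pam, autofs
domains = default
EOF
    sssd_ldap_findings "$tmp" default
    rm -f "$tmp"
}
demo
```

Against the posted configuration the check reports only the bind-password line: ldaps:// already protects the session from the first byte, so ldap_id_use_start_tls = False is consistent with it, and ldap_tls_cacert names a CA file. STARTTLS only matters when ldap_uri points at ldap:// on port 389.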
Hello CertDepot,
First of all really appreciate your website and the effort you put in keep it running!
I configured LDAP client with autofs as you mentioned above but noticed that the shell prompt is different for ldapuser01(-bash-4.2$) and ldapuser02(ldapuser02@localhost~$) and wondering may be you could help me figure out why is that?
I do notice ownership is still root for /home/guests/ldapuser01:
drwx------. ldapuser02 ldapuser02 system_u:object_r:nfs_t:s0 /home/guests/ldapuser02
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 /home/guests/ldapuser01
uid=1002(ldapuser02) gid=1002(ldapuser02) groups=1002(ldapuser02) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[\u@\h \W]\$ (this is output of echo $PS1, it shows \s-\v\$ for ldapuser01)
You should figure out why the /home/guests/ldapuser01 directory is owned by root.
You should also check the content of the same directory, searching for .* files (ls -a).
Thank you CertDepot for pointing me in the right direction. This is resolved by doing the following:
1) chown -R ldapuser01:ldapuser01 /home/guests/ldapuser01 (as root)
2) cp -r /home/guests/ldapuser02/. /home/guests/ldapuser01/ (to copy .bash related files)
I’m assuming the most important one missing was .bash_profile that was not found for ldapuser01 for some reason.
You’re welcome.
I have one issue, to download the cert if link is (I got troubled) when downloading certificate from
ftp://server1.example.com/openldap/cert.crt
I tried everything: wget, ftp (with anonymous/password), sftp, scp root@, scp ldapuser1@… but wget couldn’t find the file, and with the other things (ftp, scp etc.) I was stuck at the password prompt.
Any help will be appreciated, I couldn’t finish LDAP Client question
Stick to wget and find why it doesn’t find the file.
Will check with wget, can we give path of file cacerts dir as
vi cert.pem
ftp://server1.example.com/openldap/cert.crt
In notes
#restorecon
not changing the SELinux user from unconfined_u to system_u; it needs to be done with force:
#restorecon -F /etc/openldap/cacerts/cert.pem
Another question, I found by installing nss-pam-ldapd, cron for users is not working, getting some pam.d error
Sorry. I don’t know.
Seems a permission issue, or maybe it’s a SELinux issue; set it to permissive and see if it works.
Hi ,
while configuring autofs to automount the home directories of the LDAP server, do we need to do the following actions :
1-vim /etc/sysconfig/autofs
and then un-comment the below line :
MASTER_MAP_NAME
2-Do we have to install nfs-utils
3-what is the meaning of & and * on the below line:
* -rw,nfs4 instructor.example.com:/home/guests/&
4-Do we have to add nfs4 in the same above line ?
5-How to test the configuration (df -hT in the client and see if there is anything mounted when we cd to the home directory of the user or the shared point)
Thanks a lot for your help and I do apologise for my many questions, but your site is surely the best and very trustworthy.
1- No.
2- Yes.
3- */& means: whatever information is passed to autofs is appended to the specified path (instructor.example.com:/home/guests/).
4- Yes, I think so.
5- This should be fine.
Hi Certdepot ,
When configuring LDAP and autofs, in the exam:
Do we need to add the below lines into /etc/pam.d/sshd
auth sufficient pam_ldap.so
auth sufficient pam_permit.so
Many thanks for your help again.
No, it shouldn’t be necessary.
Hello,
Do we also need to know how to join an Active Directory and IPA server?
How to join an IPA server could be useful even though I don’t think it’s necessary.
Joining an Active Directory is definitively out of the scope.
Thanks, so mainly LDAP.
Yes.
Hi CertDepot, great step by step guide, it works like a charm, one question though, about the SELinux restorecon step: what is the fcontext supposed to become? Because mine did not change at all.
What SELinux restorecon step are you talking about?
Hi,
Stuck on
getent passwd ldapuser02
There is nothing in the result. Are there any ideas?
Please I need to know what is the context type that should apply with semanage fcontext on the /home/guests directory
I have the following if it helps:
# ls -dZ /home/guests/
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/guests/
Hi there!
What kind of answer should I get for the “su - ldapuser02” command? Currently I get: /home/ldapuser02 cannot be found (something like this). Any ideas, gentlemen?
Does the home directory exists? If it doesn’t, then you know why you get the warning – it’s expected.
The directory /home/guests/ldapuser02 does not exist. I’m trying to manually create the directory, but I got an error: Permission denied. Hope for your answer…
I figured out the “permissions” error. Now it seems that I’m able to log in under ldapuser02 – I have a clean bash session “-bash-4.2$”. Does this mean that the LDAP topic is correctly solved?
If you are able to log into the system with an LDAP user, then you know the LDAP auth works. I think that’s all there is to it from a client’s perspective.
I read all LDAP previous topics, and found that bug “cannot change directory to /home/guests/ldapuser02 no such file or directory” is unsolved yet. Although the directory /home/guests/ldapuser02 exists in my lab and the owner is ldapuser02 the bug is still there. Did somebody solve this issue?
Check or disable the selinux settings for testing.
I suspect your problem is with the NFS setting. Check the services on both vm’s and the firewall settings! And also take note of the version of the os your are using.
SELinux and the firewall should not be disabled during the exam. But for test purposes I disabled both with no luck. The “--enablemkhomedir” key is enough to resolve “permission” issues
You are perfectly right. Unless asked under no circumstances are the SElinux and firewall to be disabled during the exam.
This should only be done under testing conditions, and even then in a safe working environment (off network or behind a SECURE firewall).
That’s not a bug, it’s misconfiguration on your servers.
I have it all working, therefore I’m 100% confident it’s something at your end. Feel free to take a look at my config: https://www.lisenet.com/2016/freeipa-server-on-rhel-7-centos-7/
This one is better suited for RHCSA I believe: https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7/
Thank you, Lisenet. I appreciate your help.
Just watched the video from Ralph Nyberg. He advised to put “--enablemkhomedir” into authconfig. So I summarized a bunch of arguments into one set: authconfig --enableforcelegacy --enableldap --enableldapauth --ldapserver="instructor.example.com" --ldapbasedn="dc=example,dc=com" --enableldaptls --enablemkhomedir --update. Have no idea how I missed it)))))
Another issue which caused the “cannot create directory /home/guests/ldapuser02 no such file or directory” problem is the string MASTER_MAP_NAME="yes" in the /etc/sysconfig/autofs config file, which is missing by default. Dear Certdepot, would you be so kind to put it into the tutorial?
I need to rebuild all the environment to test this. This will take some time.
Would it be a problem if we --enableldaptls when we are enabling everything else and adding the ldapserver and basedn?
When I set this * -rw,nfs4 instructor.example.com:/home/guests/& on my /etc/auto.guests didn’t work. I had to change it to * -fstype=nfs4,rw instructor.example.com:/home/guests/&
Could you please confirm?
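An added example, not from the page or from either commenter, that emulates how the automounter turns a wildcard entry of an indirect map into the mount it performs: the * key matches whatever name is looked up under the map's mount point, & in the location is replaced by that name, and a -fstype= option selects the filesystem type while every other option is handed to mount -o. It covers both map lines compared in the thread (-rw,nfs4 and -fstype=nfs4,rw); the mount point /home/guests, the user ldapuser02 and the host instructor.example.com are the thread's own sample values.

```shell
#!/bin/sh
# Added example, not code from the page or its comments: emulates how automount
# expands one wildcard entry of an indirect map (e.g. /etc/auto.guests, mounted on
# /home/guests through auto.master) into the mount it performs for a looked-up name.

# automap_mount_cmd MOUNTPOINT KEY MAPLINE
# Prints the equivalent mount command, or returns 1 if the entry does not match KEY.
# The body runs in a subshell so that 'set -f' (no globbing of the '*' key) and the
# IFS change stay local to the call.
automap_mount_cmd() (
    mountpoint=$1
    key=$2
    # Split the map line into its three fields: map key, options, location.
    set -f
    set -- $3
    map_key=$1
    opts=$2
    location=$3

    # A '*' map key matches any name looked up under the mount point (here the
    # LDAP user name); a literal key matches only itself.
    if [ "$map_key" != "*" ] && [ "$map_key" != "$key" ]; then
        return 1
    fi

    # '&' in the location stands for the matched key, so
    # instructor.example.com:/home/guests/& becomes .../home/guests/ldapuser02.
    location=$(printf '%s\n' "$location" | sed "s/&/$key/g")

    # Options begin with '-'. 'fstype=X' selects the filesystem type; everything
    # else is passed to mount -o unchanged. A bare 'nfs4' is therefore just an
    # ordinary mount option, not a type selection.
    opts=${opts#-}
    fstype=nfs
    mount_opts=
    IFS=,
    for o in $opts; do
        case $o in
            fstype=*) fstype=${o#fstype=} ;;
            *) mount_opts="${mount_opts:+$mount_opts,}$o" ;;
        esac
    done

    printf 'mount -t %s -o %s %s %s/%s\n' \
        "$fstype" "$mount_opts" "$location" "$mountpoint" "$key"
)

# Constructed usage: the two auto.guests lines compared in the thread.
automap_mount_cmd /home/guests ldapuser02 '* -rw,nfs4 instructor.example.com:/home/guests/&'
automap_mount_cmd /home/guests ldapuser02 '* -fstype=nfs4,rw instructor.example.com:/home/guests/&'
```

The two printed commands make the difference visible: with -fstype=nfs4,rw the type is nfs4 and only rw reaches mount -o, whereas with -rw,nfs4 the type stays at the default and nfs4 is passed along as an option.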
Hi, can I use realmd to configure instead of using authconfig?
No, I don’t think so. realmd is used to connect to an Active Directory or an IPA server.
The RHCSA objective is all about using a LDAP directory service. This is not exactly the same thing.
noted. thanks!
Hi,
I managed to do the ldap client SSO, but wondering the section about “Automounter Client Configuration”. Actually, what does this section do?
This section provides a way to automatically mount a remote filesystem when a particular path is specified.
So does the forumsys LDAP server work with nslcd? I tried to setup an LDAP server on a raspberry pi but it was hell and I didn’t manage to figure it out.
I have no idea. However, setting up an LDAP server is already not an easy task on a normal server. On a Raspberry Pi this could create additional difficulties.
The authconfig -h | grep ldap tip is extremely useful, thanks. To neaten/shorten things, I want to add that it’s possible to do this, for the cacert part, on RHEL 7.3: authconfig --ldaploadcacert="file:///cert.pem" --enableldaptls --update
It adds it to the correct place, and changes the SELinux permissions to be correct – running restorecon doesn’t change a thing. I’ve gone over this a few times now, using LVM snapshots to rollback and repeat, as I usually do.
Interesting. Thanks.
scp root@instructor.example.com:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem
Do we get ldap server root credentials for the above step during exam?
can someone point how do we get the cert.pem file?
You don’t get LDAP server root credentials during the exam but you are given instructions to get the certificate.
As CertDepot said, you won’t get root credentials, but a way for retrieving the certificate will be provided.
Howdy, everyone!
I’m happy! I lost my mind with this exam so … I’m happy! Failed it 3 times by now but … here’s what I did in the past 4 months regarding this…
The article posted here is very useful indeed.
It’s been a while since I’ve been reading this very good article plus everyone’s posts and comments plus the article about the automount on this website. However I failed my RHCSA7 exam …yeah . Not once but three times now.
Following the indications on this website I managed at home to replicate as close to the exam as possible my testing environment.
The LDAP server part is awesome!
During the exam I have noticed the testing RHEL7 server provided has a very old kernel and of course very old packages regarding what you need in order to successfully fulfill the LDAP + automount + SELinux part.
Of course SELinux was enabled on server side and client side as supposed to at home and during the exam for sure was on my machine.
I wonder , those who passed the exam what RHEL7 machine were provided with????
I tested with the kernel provided by Michael Jang’s book Kernel 3.10.0-123 and the client fails to change into ldapuser’s home directory. However “getent passwd ldapuser01” gets me the right response.
I also tested with a higher version of the kernel something like 223 and 514 and if you setup the client – server exactly as it is described here IT JUST WORKS! No doubt about it!
Of course, it works if on the client side the necessary booleans are enabled: authlogin_nsswitch_use_ldap and eventually use_nfs_home_dirs… Am I missing any?
Also make sure on the client the fcontext for the cacerts directory and its contents (the cert.pem and its symlink) is slapd_cert_t (if I remember correctly)
Beside this selinux label and the boolean mentioned above what else should be “correctly labeled” and what other darn boolean should be turned to “on”???
The error during the exam was as much as I can remember: “SELinux prevents /usr/sbin/automount getattr to file”
I couldn’t see the “file” SELinux was referring to!
That’s why I was thinking maybe that old kernel version plus the old packages provided on the repo during the exam are not working right.
Or maybe my brain is old and I should start searching for some other job ???
Any ideas, guys? I am out of options here.
I know, I know you gonna say “look at sealert -a /var/log/audit/audit.log”.
At home with the old kernel version mentioned but I guess newer RPM packages ( for autofs, selinux,etc) my error for ldapuser is : “Can’t change home directory . Directory does not exist
During the exam with the same old kernel but who knows …maybe also older RPM’s for autofs and selinux the error was:
“SELinux prevents /usr/sbin/automount getattr to file”
I know that all works smooth if you do exactly as this article says regarding ldap server-client and if you have only
authlogin_nsswitch_use_ldap turned on and the correct label applied for cacerts directory on client.
Am I missing some other label or boolean here???
Oh, one more thing, the command I used at home and during the exam was this one:
authconfig --enableldap --enableldapauth --enableforcelegacy --ldapserver=ldap://whatever_the_exam_wanted --ldapbasedn="dc=,dc=,dc=" --enableldaptls --ldaploadcacert=http://whatever_was_the_name --update
The certificate is imported nice , no errors at home and during the exam, but you need to do the fcontext trick for cacerts directory
Call me crazy guys but I also had time to use the other method during the exam .
The one where you install sssd stuff.
I tested also by using it the similar way the “authconfig” command but first disabling ldapauth and ldapforcelagecy stuff
Then activating the necessary ones for sssd
If you switch from ldap with nslcd service enabled to ldap with sssd service enabled be very careful first the service you choose to be enabled while the other one should be disabled, then configure /etc/nsswitch.conf with this :
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
services: files sss ldap
netgroup: files sss ldap
automount: files sss ldap
Then be ready to manually switch (edit) in between using pam_ldap.so and pam_sss.so in /etc/pam.d/system-auth and in /etc/pam.d/password-auth
It works at home just fine with a higher version of the operating system , higher versions of RPM packages and of course higher kernel versions.
But 3.10.0-123 ….no way ! Didn’t work for me at all!
So, boys, if you have any ideas/indications/directions please let me know ’cause this really gives me nightmares already!
Oh, one more personal observation ( don;t want to offend anyone, just correct me if I am wrong!) : I don’t think that during the exam doing everything minus the part regarding ldap + automount will pass you.
I just don’t think so as I had same bitter experience with RHEL5 certification.
I passed that one but ONLY because I solved ( at that time!) the automount + NIS stuff !
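An added example, not the poster's own commands, that checks the two files the post above says must be switched together when moving between nslcd and sssd: the NSS sources in /etc/nsswitch.conf and the PAM module loaded by /etc/pam.d/system-auth and password-auth. The file paths and the backend name (ldap or sss) are parameters; the files written by demo() are constructed to show a half-migrated client.

```shell
#!/bin/sh
# Added example, not code from the page or its comments: audits whether an LDAP
# client is consistently on one backend (nslcd -> "ldap"/pam_ldap.so, or
# sssd -> "sss"/pam_sss.so) in nsswitch.conf and a PAM stack file.

# nss_missing_backend FILE BACKEND
# Prints, on one line, the databases among passwd/shadow/group/automount whose
# last uncommented entry in FILE does not list BACKEND as a source.
nss_missing_backend() {
    file=$1
    backend=$2
    missing=
    for db in passwd shadow group automount; do
        # Keep the source list of the last active "db:" line (comments start with #).
        sources=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$file" | tail -n 1)
        case " $sources " in
            *" $backend "*) ;;
            *) missing="${missing:+$missing }$db" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# pam_backend_modules FILE
# Prints the LDAP-capable PAM modules referenced by uncommented lines of FILE.
# A stack naming both pam_ldap.so and pam_sss.so is the mixed state the post
# warns about; a cleanly switched client names exactly one of them.
pam_backend_modules() {
    grep -v '^[[:space:]]*#' "$1" | grep -oE 'pam_(ldap|sss)\.so' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

demo() {
    tmp=$(mktemp -d)
    # Constructed: nsswitch.conf half-migrated to sssd (automount still on ldap only).
    cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
automount:  files ldap
EOF
    # Constructed: a system-auth that still loads pam_ldap.so next to pam_sss.so.
    cat > "$tmp/system-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so
EOF
    echo "databases without sss: $(nss_missing_backend "$tmp/nsswitch.conf" sss)"
    echo "pam backends found: $(pam_backend_modules "$tmp/system-auth")"
    rm -rf "$tmp"
}
demo
```

On a real client run the two functions against /etc/nsswitch.conf and both /etc/pam.d/system-auth and /etc/pam.d/password-auth with the backend you intend to keep; an empty first line and a single module name in the second are the expected result.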
Thanks for the feedback. The LDAP stuff is one of the most difficult tasks in the RHCSA exam because there are so many possible combinations between the client and the server configurations. The client and server LDAP tutorials have been tested many times with success but I’m sure there are certainly improvements to be found at least on the client side (the most critical!).
I know what you’re talking about, and yes, sealert is the answer.
Update of what I have managed to do at home :
I tried to replicate as closely as I could the problem I encountered at the exam, described in my previous post, so for that first I had to modify a little bit the LDAP server part (took me 5 minutes tops to do it, thanks again for the notes in the article about configuring an LDAP server!)
So instead of exporting /home/guests I made my LDAP server export /rhost.
Very easy to do if someone reads carefully the last part in your article regarding how to configure the LDAP server.
Then I have downloaded the infamous kernel-3.10.0-123 from the DVD that comes with Michael Jang’s book.
My lab uses an older CentOS 7 DVD ISO that comes with a kernel like 3.10.0-325 or something similar.
So , using my kickstart file that gives me Centos 7 machines very stripped off of unnecessary stuff , I created fast a testing server on which I installed the infamous kernel 3.10.0-123
1. Made sure the following RPM’s were installed first on my client machine : openldap, openldap-clients, nss-pam-ldapd, autofs, authconfig, nfs-utils, policycoreutils-*, setroubleshoot-server
2. Turned on the boolean regarding the use of nsswitch and the one regarding the use of nfs home directories
3. Used this command with the following options ( no more no less!) :
authconfig --enableldap --enableldapauth --enableforcelegacy --ldapserver=ldap://name_of_my_LDAP_server:389 --ldapbasedn="dc=example,dc=com" --enableldaptls --ldaploadcacert=http://my_http_server/cert.crt --update
4. Once the certificate was imported into my client I had to apply the fcontext on /etc/openldap/cacerts and its contents
semanage fcontext -a -t slapd_cert_t '/etc/openldap/cacerts(/.*)?'
restorecon -RF -v /etc/openldap/cacerts
5. Created and edited /etc/auto.rhost :
* -rw,nfs,intr,soft my_server_here:/rhost/&
6. Added into /etc/auto.home:
/rhost /etc/auto.rhost
7. systemctl enable nslcd ( authconfig already started it,right?)
systemctl enable autofs
systemctl start autofs
I have checked immediately the status of both mentioned services and they started smooth and clean
I have checked /etc/openldap/ldap.conf, /etc/nsswitch.conf and all seemed fine for this TLS stuff connection
getent passwd ldapuser – got the correct response – at this point I was surprised because I am using the kernel I thought has problems. Hope kicked in! Yeah! During the exam I had no response from this command which of course led to “User does not exist”
Final test : su – ldapuser : BANG! SUCCESS! I am in as ldapuser
browsing the directories exported along with this my very own home directory
Still I can’t believe this is happening nice and clean so I do :
sealert -a /var/log/audit/audit.log – ZERO ALERTS!
Thrilling experience at home but desolating looking forward to the exam.
Why this works at home and at the exam I can’t connect this client to the LDAP server??
What am I doing wrong actually???
Ideas, eh ? Boys??? ..HELP!!!
Are you sure that the packages used during the exam are the same version like the packages at home ?
Well… I don’t know. I can’t remember the version of the packages used by the machine served me at the exam.
At one point I was suspecting that the kernel version and SELinux packages were not working together as they were supposed to.
Later I managed (at home) to use the same kernels they served me at the exam (3.10.0-123 and 3.10.0.123-1.2.) and … without doing anything different from what I was doing at the exam it just worked!
So, at this point I’m gonna go back probably next week and pay$400 just to look into /var/log/audit/audit.log.
If the answer is not there then to hell with the rest of the exam.
I know for that they won’t let you pass without the LDAP part.
My only hope now is that they willingly screw up another label just to make you look into the audit.log file for SELinux troubleshooting.
I’m “opinionating” at this point.
I’m seeing strange behaviour all the time while I’m preparing. I’m pretty convinced I’m hitting bugs, but this is the way. I’m not sure if they will or won’t let you pass without the ldap stuff.
I’m just suspecting that everything concerning security (selinux,firewalling,ldap) is considered more important and would decrease the score more than another task. This is pure speculation, and I have no idea how they evaluate this at all.
Security settings are important, but don’t take higher priority than services which need to be configured. Imagine yourself as a customer, who hired you to deploy the exam system. You can tune SELinux and restrict firewalld access, but if the service isn’t running or isn’t accessible, such system is basically useless. From a customer perspective, it’s much more important to get the service up and running, than to worry whether SELinux labels are correct etc. Get the idea?
Hm… Looking it at this angle – yes this is a major problem (if the service is not running at all).
Thanks for raising this. I’ll update once I pass/fail my RHCE in friday.
Oh, one more thing, I know for sure that the following packages are mandatory for autofs-LDAP stuff:
authconfig, autofs, nfs-utils, openldap, openldap-clients, nss-pam-ldapd, policycoreutils-*, setroubleshoot-server.
So make sure you have all the above packages (I checked them and during the exam they are already there!)
Then of course create the necessary files for autofs to work (/etc/auto.whatever and edit it accordingly), tell the automounter where to mount stuff as described in /etc/auto/whatever.
Then enable the necessary booleans (the one referring to use_nfs_home_dirs and the autconfig_use_nsswitc one), then apply the correct label (slapd_cert_t) on /etc/openldap/cacerts after importing the certificate into the client (I use authconfig with the --ldaploadcacert= option)
Make sure you enable autofs and nslcd services, restart them eventually and … it has to work!
Theoretically it must work but my experience is very bitter: it doesn’t work at the exam. It’s either something else screwed up intentionally, or … something else screwed up just like that!
1. I’ve never relabeled the “/etc/openldap/cacert” content and it always works.
2.”authconfig” is installed even in minimal install, am I wrong???
As you can see in my next post I had some issues with 7.0 and pure ldap authentication. If I choose the nss-pam-ldapd method – sometimes “nslcd” daemon refuses connection (a reboot should fix it), while the sssd -> causes the unknown group for gid xxxxxxx.
Have you tried the GUI tool? I think it was “authconfig-gtk”.
And also try the “authconfig --savebackup=” option. Sometimes I have to revert in order to make it work.
Never relabeled “/etc/openldap/cacert” and works? No way man!!!
But again, reading through your comment … I see MYSELF all the time strange behavior when I prepare for test.
I spin up same training virtual machine using same ks.cfg file
I test with it then I destroy it and I spin another one in a few minutes using exactly the same ks.cfg file and …. as you said … WEIRD behavior on the exactly same server (same packages and kernel-3.10.0-123-1.2 – which I install and make it the default one)
For example last night I was trying to replicate the error (as closer as I thought I could!) I had during the exam so I start playing turning off and on the booleans mentioned and applying a wrong label to the “/etc/openldap/cacert” directory.
Guess what!?? Going “su – ldapuser” from my client worked perfect!!!!
Readable, writable, as it supposed to, right?
But I went to /var/log/audit/audit.log and actually the errors were logged there
Keep in mind all working ( talking about autofs+ldap) with wrong label and booleans turned off while SELinux is in enforcing mode!
I guess there are bugs. Something on the SELinux side (whatever package versions are installed with Centos 7.1 I am testing with) doesn’t work right with some kernel especially with the one they force you to use during the exam.
However, as I said, during the exam you have everything you need ALREADY installed so I guess somehow they actually screw up willingly something else.
I guess I will see what exactly they are messing up, when I’m gonna throw another $400 … soon enough.
Yes I installed the GUI too just to check what and how is modified when I’ve already used the “authconfig” command.
Makes sense to check what exactly is done when using the command line vs authconfig-gtk.
But you can’t use authconfig-gtk during the exam.
I’ll try to do my best of the best next week during the exam and keep you guys posted with new stuff if any will occur
Guys, I’m not on the heights of despair anymore. I AM the despair already!
This exam grinded my nerves way too much by now so … we’ll see next week.
I second that, never had to relabel the cacerts folder nor its content. Have you tried authconfig-tui? Perhaps you need a different approach.
You can use authconfig-tui as Tomas offered. Just when you reach the warning that you need your certificate in “/etc/openldap/cacert” folder – open another terminal and download it. Then return to the first one and confirm and everything should be working as expected.
My point exactly. If I failed the exam, I would use a different approach the next time.
Thing is … /etc/openldap/cacerts does not exist until you use either the authconfig command or authconfig-tui
So once I am using authconfig with the described options, the /etc/openldap/cacerts directory will be created on my client and the certificate will be imported.
Trick is that the label of “cacerts” and its content will be in this case “etc_t” and I need to relabel as ldapd_cert_t (seems correct, right?).
I didn’t use yet authconfig-tui but I am assuming that in order to use it there are some preparations for the client (just assuming!).
Probably first you have to create “cacerts directory under /etc/openldap (and if you create it what label will have??)
Second you have to manually copy the cert.crt from where they say it is during the exam and then move it or copy/paste its content into a file under /etc/openldap/cacerts/
But these things won’t require to relabel cacerts and its content???
I doubt it but yet again I am assuming that this is about to be done before using authconfig-tui
I didn’t test it yet but … why would using authconfig-tui be different from authconfig with the correct options?
I think I am using the correct options as at home actually I have a successful connection.
From what I remember the label for cacerts and its contents should be “slapd_cert_t” NOT “etc_t”.
Am I right?
You are right, the cacerts folder does not exist, but I don’t see why this is a show stopper for you. Just create it. Did you see this: https://www.lisenet.com/2016/ldap-and-kerberos-client-authentication-on-rhel-7-using-nslcd/ ?
Why not use “authconfig-gtk”? As far as I remember the VM for the RHCSA was actually a “Server with GUI”. And yes, I have never relabeled the “/etc/openldap/cacert” folder and its contents and my LDAP + kerberos and plain LDAP + LDAP auth are working.
I’d recommend you to take a break. My second attempt on RHCSA was 1 year after the first failure.
I can only offer you to do this: just start with the LDAP and if it breaks try “authconfig --restorebackup=/folder/you/made/backup” and try again. If you feel something is wrong, ask the instructor to reset the VM and try again.
After all you can still do it in less than 1 hour. I screwed up my VM 60 min before the exam end and I still passed (barely).
Do you know your RHEL version for the exam?
You can reset the VM yourself, no real need to ask the instructor to do that.
My advice, take a step back and look at the problem from another angle. Take a second look at your setup on the host pc (assumed), ie cpu, ram, network, source, do a check disk etc.
@@ hunter86_bg
I don’t remember the exam version of the OS.
I’ll let you know soon after I’ll pay them boys a new visit.
Thing is I had no problem passing 7 years ago the RHEL5 certification only at that time was NIS+autofs not LDAP+autofs.
authconfig-gtk is not available during the exam. You don’t have server with GUI.
@@ Sam: On another hand there is not much time left for this certification to be completed successfully.
I have a final day to do this and it is coming pretty fast.
It’s been more than 7 months since I am preparing for this exam and without it …well… I’ll be searching another job.
I never liked roofing jobs or digging ditches or the ones from Wally World :-)))) … but I might be searching for one soon if I don’t pass this exam.
You will be fired if you don’t pass the RHCE exam! Could you give us a little bit more information about your situation because it seems pretty strange from outside.
Strange thing. My RHCSA (Feb 2015) was Server with GUI. I was then preparing for RHEL6 exam when I was notified it will be RHEL7 instead. I’m not aware if there will be “Server with GUI” on the RHCE, but I thought it will be just like my previous experience.
An employer who seeks a job justification … unless they paid for a course and the exam – I will ditch them immediately. In my case – we don’t even use RHEL so much, but it’s worth proving your skills (of course if I pass).
@mickey
I have just tested the “x-systemd.automount option” and it’s as good as autofs. My NFS server was not up when my client went online and still I managed to enter my nfs mount point.
Here is an example from a client’s fstab (please note that systemd doesn’t need “_netdev” for cifs,nfs,nfs4 but I’ve added it just to remind me):
_netdev,x-systemd.automount,sec=krb5p
_netdev,x-systemd.automount,sec=ntlmssp,multiuser,credentials=/root/cifs
Hi guys, let me share something I found today.
I was doing a sample RHCE exam which required LDAP authentication for a specific user for ssh configuration.
After installing “nss-pam-ldapd openldap-clients” and trying to update my auth setup via authconfig – “nslcd” daemon refused to start up complaining about unknown “uid nslcd” and about unknown “gid ldap”.
To fix it, just run “yum groupinstall directory-client” .
This behaviour was observed on the RHEL 7.0 DVD repo, and I haven’t met this in higher versions.
Guys, what I have done regarding the demands of the exam specifically for the LDAP+TLS+automount side at home was applied also at the exam EXACTLY as I will post the steps and commands here.
So keep this in mind when you read this! EXACTLY AS DONE HOME WAS DONE DURING THE EXAM!
Here is EXACTLY what I do regarding the issue, knowing that SELinux MUST be active :
Before starting I make sure I have all necessary packages installed ( they are there but I check first anyway).
yum install autofs nfs-utils authconfig openldap openldap-clients nss-pam-ldapd policycoreutils-* setroubleshoot-server
I don’t use the sssd solution , only the ldap legacy one so I do not install any sssd- rpm packages!
Actually I think this is what they want you to use as you’ll find that during the exam ALL the above packages mentioned are already installed but no SSSD packages are installed
You have NO GUI available ( I’ve been there 3 times so there is no GUI on the server they gave me!) .
Keep this clear in mind so , here we go:
PART A) Solving the automount problem:
1. Create /etc/auto.rhome and add this in it:
* -rw,nfs,intr,soft exam.server.whatever:/rhome/&
2. Edit /etc/auto.mount and add this in it :
/rhome /etc/auto.rhome
3. getsebool -a | egrep "nfs|ldap" and I pick up the following two to enable:
setsebool -P use_nfs_home_dirs 1
setsebool -P authconfig_nsswitch_use_ldap 1
OR you can go this way :
semanage boolean -l | egrep "nfs|ldap" to get the same result in finding the booleans you need and then, if you like this solution:
semanage boolean -m --on use_nfs_home_dirs
semanage boolean -m --on authconfig_nsswitch_use_ldap
Which ever one works for you , both get you to the same result : the booleans mentioned are turned on.
4. systemctl enable autofs; systemctl start autofs
5. sealert -a /var/log/audit/audit.log – gave me no errors here so we are good to go to the next stage
PART B) Solving the client connection using the given TLS certificate
1. Because I use the authconfig command I can’t remember all options I need ( I’m pretending not to because by now I dream them ! That’s how many times I have used them in the past 4 months!)
authconfig -h | egrep "ldap|legacy|sha512"
Pick up from the listing what I need like this:
2. authconfig --enableldap --enableldapauth \
--enableforcelegacy \
--ldapbasedn="dc=server,dc=whatever" \
--ldapserver=ldap://exam.server.whatever \
--enableldaptls \
--ldaploadcacert=http://whatever_name_is/location/cert.crt \
--passalgo=sha512 --update
At this point, if the command with the appropriate options is typed in correctly and the declared paths are correct, you will have the /etc/openldap/cacerts directory created on the client, and the certificate imported inside the cacerts directory.
No sweat here using this command with all the options.
Never failed me in creating the mentioned directory and placing the certificate inside of it.
Actually you will have a file in “.pem” (even if it was “.crt” when they gave it to you) and a symlink created to it. I forgot the name of that symlink right now.
3. Check if things look okay inside /etc/nsswitch.conf as follows:
passwd: files ldap
shadow: files ldap
group: files ldap
services: files ldap
netgroup: files ldap
automount: files ldap
Correct if necessary and make it look as I posted above.
OBSERVATION: If you want to use the other solution (sssd) then obviously the above will replace everywhere where "ldap" is with "sss"
4. If you're using my solution then check /etc/pam.d/system-auth and make sure you have pam_ldap.so in there BUT NOT pam_sss.so!
Check also /etc/pam.d/password-auth and make sure the same pam_ldap.so module is in there.
5. ll -Z /etc/openldap
I see the "cert" directory labeled as slapd_cert_t and the "cacert" directory labeled as etc_t.
So I decide to label them both with slapd_cert_t
6. semanage fcontext -a -t slapd_cert_t '/etc/openldap/cacerts(/.*)?'
restorecon -RFv /etc/openldap/cacerts
At this point funny stuff starts to happen.
What I have noticed at this point by changing the label here:
a) In my home lab everything works just fine and the label is applied correctly just like this! NO PROBLEMS!
b) During the exam I struggled to apply the label. Meaning after I issued both commands above it won’t change the label.
So I had to stop autofs and nslcd apply again the label but … nothing.
So I reboot the exam server and check again if the label is applied…this time seems to be applied.
Okay, but why this discrepancy? Why not working same as home? Damn if i know!
Maybe because the label should be etc_t and NOT slapd_cert_t???
Let’s go further and actually complete this ( where more funny stuff appear)
5. systemctl enable nslcd
systemctl restart autofs
systemctl restart nslcd
systemctl status autofs; systemctl status nslcd
6. Let’s check getent passwd ldapuser
At home: I see the output expected for ldapuser
During the exam : NOTHING. (BANG! I hate this already)
7. Let’s see if we have the exported directory mounted on the client:
su – ldapuser
At home: I have the entire directory mounted just fine I can see all the files exported I can create files and directories just fine
Also df -hTP will show the exported directory mounted via nfs4 into /rhome. COOL!! Happy-Happy, Joy-Joy!
During the exam: Error "file or directory does not exist"
8. Let’s see if any errors were recorded somehow when both services were restarted :
systemctl status autofs
systemctl status nslcd
sealert -a /var/log/audit/audit.log
AT home : I have everything perfect! Everything is clean , not a damn error!
audit.log is clean. No error displayed with “sealert -a”, no SELinux mambo-jumbo complain.
ALL clear!!
During the exam: errors for both services autofs and nslcd after restart.
At this point during the exam I couldn’t check audit.log because time was up !
However I caught a glimpse of one error thrown while restarting autofs.
It was something like this:
"SELinux is preventing /usr/sbin/automount to getattr on file ......."
I couldn't see the name of the file as time was up.
But if the correction of whatever error was there would be that stuff to create your module and load it up ... that won't work so I think I'm toasted!!
If the error would be something like "denied getattr scontext=etc_t .... tcontext=slapd_cert_t" on some file then definitely you'll see the file with the wrong label on it defined by the scontext stanza (source context) urging you to change it as it is defined by the tcontext stanza (target context) ... or at least this is what I am assuming I have to do: replace what is declared in scontext with what is declared in tcontext.
So here you have it boys!
Everything I do , exactly as I am doing it at home and during the exam …this part with LDAP+TLS+automount
So… WHERE AND WHAT AM I DOING WRONG??
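The post above reads an SELinux denial by its scontext and tcontext. The shell snippet below is an added example, not part of the original comment or of any CertDepot material: it pulls those fields out of an audit.log AVC line so that the process type, the permission, the object and its current label can be read off without guessing. The sample line is constructed to resemble the "automount ... getattr" denial described in the post and is not a real log from any system. From a defender's side the decisive question is whether the target file's label matches what the loaded policy expects, which `matchpathcon -V` answers and `restorecon` fixes; the snippet only prints those commands, it does not run them.

```shell
#!/bin/sh
# Parse an SELinux AVC denial from /var/log/audit/audit.log into the fields
# that say who was denied what on which object: comm/scontext (the process),
# the permission, path/tclass (the object) and tcontext (its current label).

# Constructed sample line modelled on the denial described in the comment
# above (automount denied getattr on a file under /etc/openldap/cacerts).
# It is NOT a real audit record.
SAMPLE_AVC='type=AVC msg=audit(1493000000.123:456): avc:  denied  { getattr } for  pid=1234 comm="automount" path="/etc/openldap/cacerts/cert.pem" dev="dm-0" ino=12345 scontext=system_u:system_r:automount_t:s0 tcontext=unconfined_u:object_r:slapd_cert_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of the first KEY=value token (quotes stripped),
# empty if the key is absent
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
    {
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_perm LINE -> the denied permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\) *}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary LINE -> one-line description of who was denied what on which object
avc_summary() {
    printf '%s denied %s on %s %s (label %s)\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# label_check_cmds PATH -> the commands that tell you whether PATH carries
# the label the policy expects, and reset it if not (printed, not executed)
label_check_cmds() {
    printf 'matchpathcon -V %s\nrestorecon -v %s\n' "$1" "$1"
}

avc_summary "$SAMPLE_AVC"
label_check_cmds "$(avc_field "$SAMPLE_AVC" path)"
```

If `matchpathcon -V` reports that the on-disk label already matches the policy default, relabeling will not help and the denial points at a missing boolean or a genuine policy gap instead; that is the case where `sealert -a` output is worth reading in full.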
You are repeating the same steps while expecting to get different results. It’s clear by now that the exam system is somewhat different compared to your home system. I have no way of knowing what’s the difference in particular, but if you tried a different approach, perhaps you would be OK. How about trying authconfig-tui during the exam, or moving from nslcd to sssd? I understand your frustration, but knowing more than one way to achieve the same goal increases your chances of passing the exam. And stop changing SELinux labels, you don’t need that to pass the exam.
You may install the GUI with "yum groupinstall "GNOME Desktop"" but it will take about 10-15 minutes.
Hello mickey999,
Sorry for the difficulty you are experiencing with this section of the exam. Actually I wrote the exam yesterday and passed with a score of 283. I did not have to do most of the things you highlighted.
Yes, you can use the GUI. While the VM does not boot to the GUI, because the default is multi-user.target, you can change the target/runlevel. Just run the command below:
# systemctl isolate graphical.target
Log in and install the germane LDAP utilities. You do NOT need to install "GNOME Desktop"; it's just a waste of time. When you reboot the VM it loads multi-user again.
I did not have to mess with the SELinux fcontext. Speaking of SELinux, the only thing I can think of is: when you were breaking the root password, did you touch the /.autorelabel file?
Howdy!
Sure thing I did "touch /.autorelabel" after I changed the root password right at the beginning of the exam, otherwise you can't get into the system.
Thing is (maybe you noticed) if you do not complete the very first stage of the exam ( root password and network – I do it right on then one single reboot) you won’t be able to read the rest of the demands of the exam.
Once I was done with the first mandatory part I noticed it took about a minute for the system to let me in so I could read the rest of the demands of the exam.
No network = bye-bye exam.
Anyway, I’ll go again later afternoon.
We’ll see how this will work today….
So why didn't you try the "startx" command? It starts Gnome or whatever GUI.
One little trick they might serve you during the exam just to piss you off (sorry if it is not related to ldap but worth noted).
Configure the ntp client!
You might think smiling: “No sweat, I know it! Easy-peasy”
But when you enable the service and then you play with ntpq -p command you see that the client stops after a while, not sync’ing and so on.
Make sure chronyd is disabled and stopped.
Otherwise you go crazy.
You can remove the entire package chronyd if you want but before enabling ntp and starting it make sure chronyd is stopped and disabled!
Interesting. Thanks for this feedback.
Why should we use ntpd instead of chrony? Chrony may be configured in 1-2 steps very easily.
Howdy boys!
Crap went fine this time, I got the certification but boys … listen up: I couldn’t get chrony sync’ing with the damn server.
I’ll be damn if I know why! ha-ha-ha.
Anyway, I didn’t bother too much as I knew that without LDAP + TLS + automounter done properly I won’t pass so I concentrate on doing it correctly.
As a parenthesis here: I don’t know when the rest of you got the exam passed but if you did it in the past month (April 2017 in some remote USA facility) and claim that you did it without correctly doing the part about LDAP + TLS + automounter … well, whoever says this is a liar! Period!
I’m still thinking that I’m right about the label that is supposed to be applied on the /etc/openldap/cacerts directory but … I kinda “risked” it and I did it without changing anything.
It worked as the majority of you said!
But … wasn’t enough.
In one of my previous comments I mentioned “autofs_ldap_auth.conf” if it needs or not to be altered somehow.
An answer I got from one of you was “No”
Well, the answer is YES! Period!
Ever encountered an error saying something like “server and client need privacy (what a statement!!!!)” ?? Well, keep this in mind and keep an eye on the file I just mentioned.
I urge anyone to do as I did (if my comments were read, you might find some good info about my “struggle”) but keep in mind the following:
1. DO NOT mess around with ANY boolean or label regarding SELinux BEFORE actually configuring LDAP+TLS+Automounter!
2. Alter /etc/autofs_ldap_auth.conf properly. It is self-explanatory!
3. USE authconfig command and DO NOT waste your time, money and life trying to install GUI if it is not already installed.
NO GUI = NO authconfig-gtk. Any speculations about this is just waste of time. PERIOD! (Again!)
4. DO NOT use authconfig-tui. It is not reliable. You still need to “import” somehow the TLS certificate and if you copy/paste it, you might get the wrong label on it and you’ll have “the bitter life of Aldo Moro” with it … as I had it! (Google about Aldo Moro to understand what I wanted to say with it 🙂 🙂 )
5. Depending on the method you want to choose (ldap or sssd) there are packages installed and packages missin'.
So, YOU decide which one to choose but check what is installed and what not.
You WILL get a good hint on what path you are “urged” to choose or … not.
I know it’s hilarious for y’all readers telling you about chrony and not being able to sync the client with the NTP server when I just posted a few days ago a comment about it.
Thing is … after placing there the name of the server supposing to be my NTP server, restarting chronyd the command “chronyc tracking” gave me clearly: not synchronized.
T’hell with it! Not worth wasting time with it.
Now, thanks y'all for your comments/indications, but you'll get there if you really struggle to get there.
It ain’t easy even if it looks easy.
In the end I need to tell you: someone needs to open the Victory Champagne for today, am I right ?? 🙂 🙂
Nice talking to y'all, folks!
Congrats on passing the exam! Great achievement, I’m glad you finally nailed it.
One thing though, about your statement saying that authconfig-tui is not reliable. I would disagree – I used authconfig-tui during the exam, and I didn’t lose a single point. There are a couple of extra steps required to get it configured, but it does work 100%. Unless you refer to lack of experience using the tool, then I’m not sure on what’s unreliable about it.
Congratulations!
Congratulations,
Hello there!
Passed my RHCSA today with very nice scores. According to my result I failed only in the AUTOMOUNT task. I revised this task and returned to it after completing all other tasks and spent my remaining 20-25 minutes of the exam on automount, but no luck!!! Got a "permission denied" error, although the ldap task was OK and I was able to run "getent passwd ldapuser". At the home lab I could figure out the automount/ldap tasks in 5 minutes even with closed eyes, without any errors from "getent passwd ldapuser" and "su - ldapuser". At the task there was a term with an NFS version other than NFS4. Besides, I suspect that the syntax of auto.guests may be different and depend on the NFS/autofs installed version. Recently I found another syntax for it: "* --fstype=rw,nfs4 server:/home/user" instead of "* -rw,nfs4 server:/home/user" presented on the certdepot site. Maybe it was a gotcha. So pay more attention to this task. Try both ways and other NFS versions. Good luck!!!
Congratulations!
if anyone is using Red Hat RHCSA RHCE 7 Cert Guide book please check getent passwd lara and fix the:
* -rw,sync labipa:/home/ldap/&
to:
* -rw,sync,nfs4 labipa:/home/&
and enable logging for autofs on centos7: in /etc/sysconfig/autofs add: LOGGING="debug"
According to what getent passwd “username” will return, put the home directory path without the username and with & at the end:
* -rw,sync,nfs4 labipa:/home/&
LIKE:
# cat auto.homes
* -rw,sync,nfs4 labipa:/home/&
# getent passwd lara
lara:*:304600003:304600003:lara jones:/home/lara:/bin/sh
And on journalctl -f -u autofs make sure to see it mounted and without issues.
I scratched the head sometimes to figure this one out.
Tim,
Interesting. Thanks.
also if you are NOT using sssd for ldap make sure to edit the /etc/nsswitch.conf to have:
#automount: files ldap sssd
automount: files ldap
otherwise the autofs will complain about it and the restart for the service and login can be a long waiting pain.
Tim,
Ok, thanks.
Sander says, auto.master file solution still works
but is deprecated and he prefers to create a master map entry in /etc/auto.master.d. On RHEL 7, the auto.master file is considered a part of the RPM, and it might be overwritten while updating RPMs on your server. For that reason, the approach described in Exercise 23.3 is preferred, as in that exercise the system-managed part of the configuration is clearly distinguished from the user-managed part of the configuration.
Interesting, thanks.
But Sander also uses the auto.master file way in his 2017 videos, which is what I prefer. My question is, is this a safe method even though it's deprecated? Gem of a site btw.
It is a safe method (I used it myself).
Thanks!
Hi CertDepot, first: # getent passwd ldapuser02 doesn't work for me.
second: I configure ldap on server1 and configure client authentication on server2, everything works well, but if I log in to server2 as an ordinary user and try su ldapuser1, it gives me "su: Authentication failure". I need to know why. With root privileges it works fine...
Hi CertDepot,
authconfig-tui is available in exam?? Yes or No?
Thanks,
Bryan
Yes, it should be.
Amazing!! One last thing, about the ethernet name: are we going to create a new ethernet name or can we use the default one, for example the default ethernet ifcfg-enp0s3? This shit is always bothering me, whether in the exam they'll ask to create a new ethernet name. Please help.
I don’t think anybody will ask you to change the default interface name. You will have to deal with the name provided.
Hello CertDepot, preparing also for the RHCSA exam, I would like to ask if anyone has ever tried to create an automount point to a different location on the client side? I made numerous attempts but none of them worked. All the examples (including CertDepot's) define the directory name of the client to be the same as on the nfs server. What I want for example is:
auto.master :
/customhomedir /etc/ldap.file
ldap.file :
* -rw,sync server:/home/ldap/&
There shouldn’t be anything preventing you from doing that.
I’m using Sander Van Vugt’s IPA server in order to provide nfs services, but the automount of home directories only works in such a way:
auto.master:
/home/ldap /etc/ldap.file
ldap.file:
* -rw,sync server:/home/ldap/&
if I modify the auto.master to
/home/guests or
/customdir or
/home/guests2 or anything else but no /home/ldap it doesn’t work and I can’t understand why this is happening.
Try changing user’s home directory on the FreeIPA server to whatever you want it to automount and see if that makes a difference.
It works! Thanks a lot!
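Two threads above turn on the same rule: the auto.homes comment, where the map line ends in `/home/&` and is matched against `getent passwd`, and the exchange just above, where automount only worked once the user's home directory on the FreeIPA server sat under the auto.master mount point. The shell snippet below is an added example, not part of either comment or of the CertDepot tutorial: it checks that the parent of a user's homeDirectory equals the indirect mount point in auto.master, and expands the map's `&` to the key the automounter would use. The passwd line, the auto.master entry and the map line are constructed sample data, modelled on the comments, not taken from any real system.

```shell
#!/bin/sh
# Check that an indirect automount map covers an LDAP user's home directory:
# the mount point in auto.master must be the parent of the user's homeDirectory,
# and the key the automounter looks up is the last path component, which the
# map substitutes for "&".

# Constructed sample data (not from a real directory or server).
PASSWD_LINE='lara:*:304600003:304600003:lara jones:/home/lara:/bin/sh'
MASTER_LINE='/home /etc/auto.homes'
MAP_LINE='* -rw,sync,nfs4 labipa:/home/&'

# home_of PASSWD_LINE -> homeDirectory (6th colon-separated field)
home_of() { printf '%s\n' "$1" | cut -d: -f6; }

# mountpoint_of MASTER_LINE -> the mount point (first field of the entry)
mountpoint_of() { printf '%s\n' "$1" | awk '{ print $1 }'; }

# key_of HOME -> the automount key, i.e. the last path component
key_of() { basename "$1"; }

# resolve_map MAP_LINE KEY -> the NFS location with "&" replaced by KEY
resolve_map() {
    printf '%s\n' "$1" | awk -v key="$2" '{ loc = $NF; gsub(/&/, key, loc); print loc }'
}

# check_automount_home PASSWD_LINE MASTER_LINE -> 0 when the auto.master mount
# point is the parent of the user's home directory, 1 otherwise
check_automount_home() {
    home=$(home_of "$1")
    parent=$(dirname "$home")
    mp=$(mountpoint_of "$2")
    if [ "$parent" = "$mp" ]; then
        echo "OK: $home is served by the map on $mp (key $(key_of "$home"))"
        return 0
    fi
    echo "MISMATCH: homeDirectory parent is $parent but auto.master mounts $mp" >&2
    return 1
}

check_automount_home "$PASSWD_LINE" "$MASTER_LINE"
echo "NFS source: $(resolve_map "$MAP_LINE" "$(key_of "$(home_of "$PASSWD_LINE")")")"
# The failure mode from the exchange above: a custom mount point that the
# directory entries do not point at.
check_automount_home "$PASSWD_LINE" '/customdir /etc/auto.homes' || true
```

On a live system the first argument is whatever `getent passwd USER` returns and the second the matching line of `/etc/auto.master` or a file under `/etc/auto.master.d`; a MISMATCH explains a "file or directory does not exist" at login before any SELinux or NFS troubleshooting starts.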
Issue:
When launching the command : getent passwd ldapuser02
Nothing is getting displayed in shell.
Error is /var/log/messages
Apr 14 20:45:57 localhost nslcd[1271]: [48eaa1] failed to bind to LDAP server ldaps://ldap.example.com: Can't contact LDAP server
Apr 14 20:45:57 localhost nslcd[1271]: [48eaa1] no available LDAP server found: Can't contact LDAP server
Can someone help please.
LDAP server has been successfully configured using the tutorial below:
https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/
You seem to be using LDAPS. Make sure that the LDAPS port 636 is open. If it is, then the next step is to check whether there are any TLS/SSL certificate issues. You’re most likely using a self-signed certificate. Try switching to LDAP and see if the error still occurs.
Installing the package “krb5-workstation” solved the issue.
I have a problem I cannot solve. Authconfig well configured, automount ok, BUT I cannot obtain home dir creation, so it works only if on my nfs share I have already created the home directories. Oddjobd installed and authconfig --enablemkhomedir --update passed. Looks like oddjobd does nothing. Service is started. Any idea?
Is this objective still relevant? I can’t find anything LDAP related in official objectives:
https://www.redhat.com/en/services/training/ex200-red-hat-certified-system-administrator-rhcsa-exam
Yes, it is still relevant.
“Configure a system to use an existing authentication service for user and group information” relates to LDAP in some extent.
Hello,
I have stumbled across this site while studying for the RHCSA exam. I have a question. Red Hat's site says:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/authconfig-install
"Important
To configure Identity Management systems, Red Hat recommends using the ipa-client-install utility or the realmd system instead of authconfig. The authconfig utilities are limited and substantially less flexible. For more information, see Section 2.1, "Identity Management Tools for System Authentication"."
Would I be able to use this method (ipa-client-install) on the exam? Does anyone have any experience with this method?
To use ipa-client-install, you need to know the Kerberos admin password, otherwise you cannot join the domain.
If you get the password during the exam then you are free to use it, but otherwise you need to know another way of getting this to work.
vi /etc/nslcd.conf
tls_reqcert allow // cannot getent after reboot without this
Very informative page, however: why scp the certificate? Why not use authconfig --ldaploadcacert --update?
Thanks for your help.
You need to get the certificate one way or another.
Concerning the authconfig command, RedHat writes it’s deprecated in its official documentation but you can perfectly use it and it’s pretty convenient.
Hi Certdepot,
I have followed the all step provided by you to configure LDAP server and Client.
I am not getting any output while typing the below command on LDAP client.
getent passwd ldapuser02
While checking the log on LDAP server following information showing.
Sep 4 05:15:11 instructor slapd[1746]: conn=1088 op=126 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapuser02))"
Sep 4 05:15:11 instructor slapd[1746]: conn=1088 op=126 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Sep 4 05:15:11 instructor slapd[1746]: conn=1088 op=126 SEARCH RESULT tag=101 err=0 nentries=0 text=
Please help me on this.
The tutorial has been tested with 7.0, 7.1 and 7.2 (RHEL/CentOS).
If you get prepared for the RHCSA exam, you should use one of these minor versions (preferably 7.0 or 7.1).
This tutorial has been used and tested by hundreds of people for 4 years with success and almost no correction.
I don’t see any particular reason to test it again with a more recent OS version.
Thanks you very much for your assistance.
I will try to configure the same in RHEL 7.2. I have two questions, please assist on this.
May I use the fdisk command to create partitions during the RHCSA exam for LVM and disk related activities? Will there be any impact on my marks if I use the fdisk command?
Will it be fine to do the practice on CentOS 7.2 and go for the RHCSA and RHCE exams?
Thanks for your support.
The use of the fdisk command is perfectly fine. At the end of the day, it’s the result of the command execution that counts, not what command you use.
Concerning the minor version to use, I advise you to use RHEL/CentOS 7.0 or 7.1 because they are the versions that are mainly seen during the RHCSA exam.
Concerning the RHCE exam, the choice is even stricter, use only the RHEL/CentOS 7.0: RedHat recently advertised that the exam uses this version and only this version.
Hi Certdepot,
I followed the instructions given by you in the LDAP client tutorial and set up the ldap server and ldap client on CentOS Linux release 7.2.1511 (Core).
However, on the ldap client, running the below command was not giving any output.
getent passwd ldapuser02
Error showing on the ldap server:
Sep 5 08:32:32 instructor slapd[21417]: conn=1063 fd=21 closed
Sep 5 08:32:33 instructor slapd[21417]: conn=1064 fd=21 ACCEPT from IP=172.16.50.192:47267 (IP=0.0.0.0:389)
Sep 5 08:32:33 instructor slapd[21417]: conn=1064 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 5 08:32:33 instructor slapd[21417]: conn=1064 op=0 STARTTLS
Sep 5 08:32:33 instructor slapd[21417]: conn=1064 op=0 RESULT oid= err=52 text=Could not initialize TLS
Sep 5 08:32:33 instructor slapd[21417]: conn=1064 op=1 UNBIND
Sep 5 08:32:33 instructor slapd[21417]: conn=1064 fd=21 closed
Error was showing on ldapclient:
Sep 5 11:28:31 localhost nslcd[1043]: [7b23c6] ldap_start_tls_s() failed (uri=ldap://instructor.example.com/): Can't contact LDAP server: Transport endpoint is not connected
Sep 5 11:28:31 localhost nslcd[1043]: [7b23c6] failed to bind to LDAP server ldap://instructor.example.com/: Can't contact LDAP server: Transport endpoint is not connected
Sep 5 11:28:31 localhost nslcd[1043]: [7b23c6] no available LDAP server found, sleeping 1 seconds
As soon as I completely disabled SELinux on the ldap client, the issue got resolved and getent passwd ldapuser02 was giving the below output.
ldapuser02:x:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
Please find below the official document where it is mentioned that they resolved the issue by disabling SELinux.
https://access.redhat.com/solutions/105573
I am very concerned how I will solve this question in RHCSA exam, please help me on this.
The error message suggests that you have problems with TLS. Have you configured the certificate?
The Red Hat article that you referenced uses LDAPS. Your logs suggest that you use LDAP. Try switching from LDAP to LDAPS and see if you get different results with SSL.
Rather than disabling SELinux, set it to permissive mode and track the problem down so that you know how to solve it. Use sealert.
Hi Certdepot/
I again followed the steps given by you to configure the ldap server and ldap client, while running the below command on the ldap client.
getent passwd ldapuser01
The below error was coming.
Sep 18 08:00:01 server3 nslcd[1817]: [9cf92e] ldap_start_tls_s() failed (uri=ldap://instructor.example.com/): Connect error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)
Sep 18 08:00:01 server3 nslcd[1817]: [9cf92e] failed to bind to LDAP server ldap://instructor.example.com/: Connect error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)
Sep 18 08:00:01 server3 nslcd[1817]: [9cf92e] no available LDAP server found: Connect error
Sep 18 08:00:01 server3 nslcd[1817]: [9cf92e] no available LDAP server found: Server is unavailable
To resolve this issue, I configured OpenLDAP with SSL on CentOS 7 / RHEL 7 using the step by step instruction given at below link.
https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html
I am not understanding why, I am not able to configure ldap client using your method and the step given at above link is very vas.
There step is very big gen at https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html
Please help me on this.
Hi Certdepot,
I will request you to please bear with me, I can see the difference between the ldap client configuration of your method and the method given at the below link.
https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html
The above link method for ldap client configuration.
authconfig --enableldap --enableldapauth --ldapserver=ldaps://instructor.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --disableldaptls --update
vi /etc/nslcd.conf
tls_reqcert allow
systemctl restart nslcd
2.Your method for ldap client configuration.
authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" --ldapbasedn="dc=example,dc=com" --update
Conclusion:
As soon as I am adding the below changes in your command and the /etc/nslcd.conf file:
--ldapserver="ldaps://instructor.example.com" and --enablemkhomedir --disableldaptls
Adding the below line in /etc/nslcd.conf:
tls_reqcert allow
I can see the details of getent passwd ldapuser02 command, the SELinux is in enforcing mode on LDAP client.
ldapuser02:x:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
As per the instructions given at the following link https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html, the below changes have been made to the LDAP server.
1.Self-Signed Certificate
2.Custom CA-Signed Certificate
3.Configure OpenLDAP to listen over SSL
vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
systemctl restart slapd
My concern is here: if I receive such an error in the exam, I will not have access to the LDAP server to make the above changes on the LDAP server.
Kindly help me on this.
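Both the short "tls_reqcert allow" tip earlier in the thread and the working configuration in the comment just above make the "certificate verify failed" error disappear by switching certificate verification off rather than by trusting the server's CA. The shell snippet below is an added example, not part of any comment or of the CertDepot tutorial: it audits the TLS settings of an nslcd.conf and flags the ones that leave the client unable to tell the real directory server from an impostor. The two configuration fragments are constructed for the example, with the hardened one following the tutorial's own approach (the server certificate copied to /etc/openldap/cacerts and verification kept on); the `uri`, `ssl`, `tls_reqcert`, `tls_cacertfile` and `tls_cacertdir` keywords are the ones nslcd.conf actually uses.

```shell
#!/bin/sh
# Audit the TLS-related settings of an nslcd.conf.  "tls_reqcert allow" or
# "never" makes nslcd accept any certificate, so a bind over ldaps:// or
# START_TLS still works but the client no longer verifies who it talks to.

# Constructed nslcd.conf fragments (not copied from any real system).
WEAK_CONF='uri ldaps://instructor.example.com/
base dc=example,dc=com
tls_reqcert allow'

HARDENED_CONF='uri ldap://instructor.example.com/
base dc=example,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/cert.pem'

# conf_value CONF KEY -> value of the last "KEY value" line, comments ignored
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { v = $2 }
        END              { print v }'
}

# nslcd_tls_findings CONF -> one finding per line; no output means clean
nslcd_tls_findings() {
    uri=$(conf_value "$1" uri)
    ssl=$(conf_value "$1" ssl)
    reqcert=$(conf_value "$1" tls_reqcert)
    cafile=$(conf_value "$1" tls_cacertfile)
    cadir=$(conf_value "$1" tls_cacertdir)

    case "$uri" in
        ldaps://*) ;;   # TLS from the first byte
        *) [ "$ssl" = "start_tls" ] || \
           echo "PLAINTEXT: uri $uri without 'ssl start_tls'; binds and lookups cross the wire unencrypted" ;;
    esac
    case "$reqcert" in
        never|allow) echo "NOVERIFY: tls_reqcert $reqcert accepts any server certificate; use 'demand' and trust the CA instead" ;;
        try)         echo "WEAK: tls_reqcert try accepts a server that presents no certificate at all" ;;
        demand|hard|"") ;;   # nslcd's default is demand
        *)           echo "UNKNOWN: tls_reqcert $reqcert is not a recognised value" ;;
    esac
    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "NOTRUST: no tls_cacertfile/tls_cacertdir; a self-signed server certificate cannot be verified"
    fi
}

# nslcd_tls_count CONF -> number of findings (0 = clean)
nslcd_tls_count() { nslcd_tls_findings "$1" | grep -c . || true; }

echo "weak config:";     nslcd_tls_findings "$WEAK_CONF"
echo "hardened config:"; nslcd_tls_findings "$HARDENED_CONF"
```

Run against a real file with `nslcd_tls_findings "$(cat /etc/nslcd.conf)"`. A self-signed certificate is not a reason to drop to `allow`: copying the server's certificate into `/etc/openldap/cacerts` and pointing `tls_cacertfile` (or `tls_cacertdir`) at it, as the tutorial does, keeps `demand` working with the exact verify-failed error from the earlier comment gone.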