RHEL7: Configure a system to use an existing LDAP directory service for user and group information.

Share this link

Note: This is an RHCSA 7 exam objective.

LDAP Server Configuration

In order to test a LDAP client configuration, you will need to configure a LDAP directory service.
The LDAP server is called instructor.example.com in this procedure.

LDAP Client Configuration

As the authconfig-tui is deprecated, to configure the LDAP client side, there are two available options: nslcd and sssd.
In this tutorial, the nslcd option will be used, see the authconfig tutorial for the sssd option.

Install the following packages:

# yum install -y openldap-clients nss-pam-ldapd

Note: Just to mention that Sander van Vugt advises to install the Directory Client group package: # yum group install “Directory Client”

Then, type:

# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --update

Note1: According to your requirements, you can need to specify the –enablemkhomedir option after the installation of the oddjob-mkhomedir package. The option creates a local user home directory at the first connection if none exists.
Note2: Type # authconfig –help | grep ldap to remember the necessary options.

Put the LDAP server certificate into the /etc/openldap/cacerts directory:

# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \

Apply the correct SELinux context to the certificate:

# restorecon /etc/openldap/cacerts/cert.pem

Activate the TLS option:

# authconfig --enableldaptls --update

Test the configuration:

# getent passwd ldapuser02

NFS Server Configuration

To get the home directory mounted, you need to configure a NFS server.
The NFS server is called instructor.example.com in the procedure.
Note: It’s not required to have the LDAP server and the NFS server on the same machine, it’s only easier.

Automounter Client Configuration

Install the following packages:

# yum install -y autofs nfs-utils

Create a new indirect /etc/auto.guests map and paste the following line:

* -rw,nfs4 instructor.example.com:/home/guests/&

Add the following line at the beginning of the /etc/auto.master file:

/home/guests /etc/auto.guests

Start the Automounter daemon and enable it at boot:

# systemctl enable autofs && systemctl start autofs

Test the configuration:

# su - ldapuser02

Additional Resources

Ralph Nyberg offers an interesting video about configuring LDAP authentication (20min/2015).
The ForumSystems website provides a free online LDAP test server.

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 3.00 out of 5)
232 comments on “RHEL7: Configure a system to use an existing LDAP directory service for user and group information.
  1. Shikaz says:

    Although I passed the RHCSA 7, but I could not configure that time the ldap client, I did everything but that was not working, do you think it can be firewall I need to open in the client? or add a service to the firewall?

    • CertDepot says:

      No, I don’t think it is related to the firewall on the client side. It’s something else.

      • Shikaz says:

        man I found the problem, so I just wanted to share it here, I did go to /etc/nslcd.conf “client” and put ‘tls_reqcert never’ and the ldap worked on the client.

        • CertDepot says:

          Interesting. Thanks.

        • brian.mcdonald.0260 says:

          Setting tls_reqcert never means it’ll ignore any certificate errors – probably not the best practice. You can get this behavior if you don’t have a certificate/name match. Double check that that your LDAP Server in authconfig and the common name on the certificate match exactly. Since the common name needs to be a name, not an IP, this may require you to make sure the name can resolve via /etc/hosts.

  2. deepbluebg says:

    Great site, a lot to learn, and works perfectly.
    Just curious – do we have to setup directory service at the exam, or just the client-side with already existing LDAP directory ? It’s one thing to configure cert and client-side, another to remember the changes/base.ldif config 🙂

    • CertDepot says:

      You just need to set up the client side for the exam.
      But, if you want to practice at home, you need both.

      • bajeradai says:

        While I ran the command:
        # scp root@instructor.example.com:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem
        I’m getting following message even I set hostname as instructor.example.com:
        ssh: could not resolve hostname instructor.example.com : name or server not known.

        Could you please help me to figure out?

        • CertDepot says:

          You need to edit your local /etc/hosts file to add a line with the IP address and Full Qualified Domain Name of the LDAP server:
          192.168.x.y instructor.example.com
          The other option is to configure a DNS server.

          • redhat0329 says:

            Hi CertDepot,

            It is necessary that when configuring an ldap client, nfs and cifs share in the exam environment we add the ip and hostname of the server in the /etc/hosts file on the client side or is it not necessary at all? Thanks! 🙂

          • CertDepot says:

            I’m not sure if it is an absolute requirement but it is good practice to put the IP and hostname of client and server either in the /etc/hosts file or in the DNS configuration.

          • redhat0329 says:

            Thanks CertDepot!

  3. deepbluebg says:

    Just passed my RHCSA today, thank you for this great site ! And keep up the good work 😉

  4. AlexWall says:

    very helpful site indeed. just wondered – no mention of the system-config-authentication gui tool here. can be install using yum authconfig-gtk*


  5. timlee says:

    Are we required to remember the package names during installation or is it provided for the RHCSA exam?

  6. vivek says:

    “Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked”

    How to do this step. Could you detail me this one please?

  7. timlee says:

    Got this error after automount, please help.

    [root@rhel7-testServer ~]# su – ldapuser02
    su: warning: cannot change directory to /home/guests/ldapuser02: No such file or directory
    mkdir: cannot create directory ‘/home/guests/ldapuser02’: Permission denied

    • timlee says:

      Will I still be able to use the “authconfig-tui” command in RHCSA exam since you mentioned that this is deprecated in another post?

      • CertDepot says:

        Deprecated doesn’t mean the command doesn’t exist anymore. The authconfig-tui command still exists and you can use it but in the next RHEL release, it could disappear.

    • CertDepot says:

      Check that the setsebool -P use_nfs_home_dirs on command has been applied on the NFS server.
      Check the semanage command has been run on the /home/guests directory and the access rights correctly set.

      • kevbuntu says:

        how do we do that? Is it on the client side?

      • kevbuntu says:

        Not sure what option of ‘semanage’ to use? Thanks

        • CertDepot says:

          From memory, the only option you really have to remember is semanage fcontext

          • kevbuntu says:

            This is what I get if I run the above: and I guess this should be run on the client machine

            semanage fcontext [-h] [-n] [-N] [-S STORE] [ –add ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | –delete ( -t TYPE -f FTYPE | -e EQUAL ) FILE_SPEC ) | –deleteall | –extract | –list -C | –modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) ]

          • kevbuntu says:

            My problem was not having mounted LDAP users home directory on the client. After that the problem is over. Not quite sure if that is what semanage does? Not familiar with this command. Thanks.

          • CertDepot says:

            The semanage fcontext command applies a SELinux context to a file. Then, when a specific process tries to access the file, SELinux allows it because a preexisting rule has been specified in a policy.

  8. cj says:


    When ever I tried to login with ldapuser in automounted file system, it won’t take me to user’s home directory. Below is the message am getting.

    [root@rhelserver ~]# su – ldapuser6
    Creating home directory for ldapuser6.
    Last login: Sat Dec 12 00:13:19 EST 2015 on pts/0
    su: warning: cannot change directory to /homeldap/ldapuser6: No such file or directory

    Please find my nfs and auto mount configuration:

    [root@rhelserver ~]# cat /etc/exports
    /data *(rw,no_root_squash)
    [root@rhelserver ~]#
    [root@rhelserver ~]# showmount -e rhelserver
    Export list for rhelserver:
    /data *
    [root@rhelserver ~]#
    [root@rhelserver ~]#
    [root@rhelserver ~]# grep -v “^#” /etc/auto.master
    /misc /etc/auto.misc
    /homeldap /etc/auto.nfsserver
    /net -hosts
    [root@rhelserver ~]#
    [root@rhelserver ~]#
    [root@rhelserver ~]#
    [root@rhelserver ~]# grep -v “^#” /etc/auto.nfsserver
    * -rw,nfs4 rhelserver.ihub.ca:/data/&
    [root@rhelserver ~]#

    Could you please let me know, where I’m doing wrong. Below listed all services are running in the server


    Many Thanks

    • CertDepot says:

      Check that you created the /homeldap/ldapuser6 directory and export it from your NFS server.
      Check that the setsebool -P use_nfs_home_dirs on command has been applied on the NFS server.

  9. alamahant says:

    Also when SUing in as a remote ldapuser somehow you must be chrooted in the users home dir…This doesnt happen automatically…Any Ideas ? 🙂

  10. romio says:

    Thanks CertDepot for a great website. I have followed this line by line and was able to set up client side without a problem. The only question I have is what do you mean by
    “Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked”
    will it be some kind of text that we need to put in a file and leave it in this dir /etc/openldap/cacerts?
    My client side is running well without this step. How important this step is?
    I am using Ghori’s book and unfortunately he doesn’t go over this part or LDAP in general in detail and I am using your website to prepare for this part of exam. Your reply will be much appreciated!

  11. bajeradai says:

    I really like this site.
    How would you set host name: station.domain.example.com?
    I’m really confused. My IP address is
    # hostnamectl set-hostname station.domain11.example.com OR
    # hostnamectl set-hostname station11.domain.example.com?

    • CertDepot says:

      Here is what I would suggest:
      # hostnamectl set-hostname station10.domain11.example.com

      • bajeradai says:

        Thanks for your suggestion. Why we need to put domain11? Why not
        hostnamectl set-hostname station10.domain.example.com. ? Question asks: set host name: station.domain.example.com . I think the following is also ok:
        “hostnamectl set-hostname station.domain.example.com” because question doesn’t ask where “X” is your IP address. Please specify again. Thanks for your help.

  12. bajeradai says:

    No you did not. Please answer this question. I’m still not getting right answer from anybody. How do you set the following host name:
    station.server.certdepot.com? Where, your ip is
    I’m hoping you will answer it.

    • CertDepot says:

      Hostnames are specified either locally or remotely.
      Locally, you can set up a hostname through the /etc/hosts file: station.server.certdepot.com
      Remotely, you use a DNS (Domain Name Server) server and you configure it to answer for the station.server.certdepot.com.

  13. bajeradai says:

    Which one method is best for exam?

  14. ivallejo says:

    When I run the command on the LDAP client, I get nothing.

    getent passwd ldapuser02

    When I run the command on the LDAP server, I get this:


    I presume that my LDAP client configuration must be wrong somehow, but can you point me in the right direction or offer any advice?

    • ivallejo says:

      Update: found out that when I disable TLS in authconfig-tui, the LDAP client can connect just fine!

      With TLS enabled, this is what’s logged in /var/log/messages on the LDAP client:

      nslcd[3564]: [3c9869] failed to bind to LDAP server ldap:// Connect error: TLS error -8172:Peer’s certificate issuer has been marked as not trusted by the user.

      • CertDepot says:

        Interesting. Thanks.

        • ivallejo says:

          I would like to figure out what’s wrong, I used SCP to copy the certificate file over. For now, I’m going to disable TLS because I’m working a deadline, but I will update when I get TLS working.

          Any advice is appreciated! It’s a little hard for me to send logs because the servers I’m working with are in a DMZ, so I’m hand typing all the output I get, but I can send any requested output or run any commands.

          Maybe it would be of value for me to nuke the LDAP server and reconfigure it from scratch.

          • CertDepot says:

            It’s clear that sometimes it’s easier to start from scratch.

          • pmm says:

            Hi, I would suggest checking the SELinux context of the certificate file. I had similar issues when I moved the certificate to /etc/opeldap/cacerts from the directory I downloaded it to.

          • CertDepot says:

            I will add an instruction for this in the tutorial. Thanks.

          • dtuser says:

            Hi! I ran into the same problem you did on CentOS 7. It seems that the command ‘authconfig –enableldaptls –update’ appends the directive ‘tls_cacertdir /path/to/certdir’ in the nslcd.conf file. For whatever reason, on my system, nslcd seems to ignore that directive, and it then generates the same error you reported. But if instead you use ‘tls_cacertfile /path/to/your/cacert’ (which is just the same cert used in this tutorial) in nslcd.conf, TLS will work fine.

          • hunter86_bg says:

            Latest update (Centos 7.3):
            I met the same issue, but rerunning authconfig-tui after that shows that something was not done properly.
            On a clean install I did the following to make it running(I’m using kerberos for auth which doesn’t matter):

            1.Pass authconfig with relevant params:
            [root@server1 ~]# authconfig –update –enableldap –ldapserver=”ipa.example5.org” –ldapbasedn=”dc=example5,dc=org” –enableldaptls –enablekrb5 –krb5kdc=”ipa.example5.org” –krb5adminserver=”ipa.example5.org” –krb5realm=”EXAMPLE5.ORG” –enablemkhomedir
            authconfig: Authentication module /lib64/security/pam_krb5.so is missing. Authentication process might not work correctly.
            2.Install the packages needed:
            [root@server1 ~]# yum install pam_krb5 nss-pam-ldapd
            3.Copy the certificate to /etc/openldap/cacerts/:
            [root@server1 cacerts]# scp ipa:/root/cert.pem /etc/openldap/cacerts/
            4.Rerun the first command (otherwise ldap fails , but kerberos runs):
            [root@server1 openldap]# authconfig –update –enableldap –ldapserver=”ipa.example5.org” –ldapbasedn=”dc=example5,dc=org” –enableldaptls –enablekrb5 –krb5kdc=”ipa.example5.org” –krb5adminserver=”ipa.example5.org” –krb5realm=”EXAMPLE5.ORG” –enablemkhomedir
            5.Enable forcelegacy mode (disable sssd):
            [root@server1 openldap]# authconfig –update –enableforcelegacy
            6.Login with ldap user:
            [root@server1 openldap]# su – jack
            Creating directory ‘/home/jack’.
            -sh-4.2$ id
            uid=912000001(jack) gid=912000001(jack) groups=912000001(jack) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

  15. Jaz says:

    Why we cannot rely on authconfig-gtk during exam? Do we get negative marking for using GUI tool

    • CertDepot says:

      During the exam, you can use GUI tool like authconfig-tui or nmtui but I don’t think you can use graphical tool like authconfig-gtk. You won’t get negative marking because you won’t be able to start this tool!

      • Jaz says:

        I was actually referring to this website: http://blog.remibergsma.com/2013/10/07/my-tips-for-the-red-hat-rhcsa-rhce-exam/

        According to this person “””I’ve heard people complaining about the GUI/TUI tools. And I agree a GUI is not something you want on a server. But hey, if ‘system-config-authentication‘ has a ready to fill-in form and makes you configure LDAP with TLS and Kerberos in 60 seconds. Why would you want to go for the manual way on the exam? Yet, some feel they are better off configuring this on the command line. There’s simply no time for that approach, nor will it bring in more points. Be smart, take the fast track.”””

        # yum install authconfig-gtk -y

        Please explain if I am missing any valid points which I must know as a candidate. Thank you

        • CertDepot says:

          Normally, you shouldn’t get access to the authconfig-gtk tool because you can’t get access to a graphical interface or it takes too much time to install it during the exam.

  16. Jaz says:

    Also, I would like to know if LDAP is still part of RHCSA objectives? and does any questions comes related to setting up ldap client side in exam? Thanks

  17. Jaz says:

    I was watching Sander van Vugt tutorial video RHCSA (RHEL7)
    This is how he started for client configuration,

    # yum install authconfig-gtk -y

    # yum install nscd nss-pam-ldapd pam_ldap -y

    He said “I would recommend to use authconfig-gtk (GUI) in exam because it’s easy to use and it’s not easy if you use text interface”

    I have couple of questions here:

    1) why he didn’t ask us to install openldap-clients as you did?
    2) why you didn’t mention to install nscd and pam_ldap?
    3) How can I setup DNS server on my local network for creating ldap server. I don’t have domain but I would like to create my own domain for internal use only. For e.g server.ldaptest.local

    Please extract confusion out of my mind. I am badly stuck in understanding ldap configuration from last few days. And I can eaisly understand if only I create my own DNS to setup ldap server on a seperate virtual machine. Thank you

    • CertDepot says:

      1) The LDAP client configuration is pretty complicated at the moment. You have two options: nslcd and sssd.
      According to the chosen option, you don’t install the same packages.
      In his last free webinar session, Sander advises to install the “Directory Client” group package and I’m thinking about changing my current tutorial. According to the packages you install, the behavior changes. Installing the “Directory Client” group package brings a lot of packages but seems to provide a predictable behavior.
      If you don’t understand how the choice of packages can change the configuration, look at the content of the /etc/pam.d directory in different scenarios.
      Sander and you are perfectly right when talking about the authconfig-tui command. Because the command is officially deprecated, I decided to remove it from my tutorial but this is a mistake. This is the quickest and easiest way to configure the LDAP client. I will reintroduce it in the coming weeks.
      2) The nscd daemon serves as a cache for accesses of the passwd, group, and hosts databases through standard libc interfaces (see nscd man page). This daemon is not required when configuring a LDAP client.
      3) You don’t need to configure a DNS server to test the LDAP configuration.
      In conclusion, I would say that Red Hat regularly improves integration with Active Directory but, as a result, configuration is not easy.

      • ronin says:

        I have Sander’s new book and the authconfig-tui method is not, in my opinion, straightforward at all. Firstly, the Directory Client group fails to install unless you mark it installed then run an update on it. After doing that and editing /etc/sysconfig/authconfig to set FORCELEGACY-yes, I ran the TUI tool. It errors on nss-pam-ldapd not being installed.

        One thing I did not do was install CentOS7 with the Server with GUI option, as the book recommends. Maybe that is the missing link for the nss-pam-ldapd will try that next

  18. Jaz says:

    Another question,
    Why didn’t you create an export file /etc/exports and insert the following lines

    /data -rw *(rw,no_root,squash)

    after creating /data directory with files in it?

    Also, I didn’t see you mentioning

    # systemctl start nfs

    Thank you

    • CertDepot says:

      The syntax you use is very unusual: /data -rw *(rw,no_root,squash).
      Normally we don’t specify twice rw, we only specify /data *(rw,no_root,squash).
      Also, if the # systemctl start nfs was not mentioned, it is because I didn’t need it.
      All the tutorials displayed on this website have been verified.
      However, next time I check it, I will keep in mind your comment.

      • Jaz says:

        Your answers are much appreciated.
        Actually, I am following your website and video tutorials by Sander van vugt at the same time and I get pretty much confused when I see different methods of approaching on the same subject.

        I have loads of questions in mind which I will ask later and I am very much hopeful that you wont mind answering them precisely. Also, please check out my other questions in different topics regarding KVM awaiting for your answers. Thank you =)

        • CertDepot says:

          Some topics like LDAP client configuration or NFS are a moving target. Not only there are differences between Sander‘s videos and my tutorials but there are certainly some differences between Sander‘s videos and his own book too! I try to keep up with all the improvements or changes happening but it’s not always easy.
          Also, don’t forget a simple rule: it’s normal to rely on several sources. This forces you to understand the complexity of some configurations.
          In the case of the LDAP client configuration, there is a legacy way to configure it through the nslcd daemon and there is a more modern approach through the SSSD daemon in relation with Active Directory. Due to regular improvements, the SSSD approach is constantly changing. At the same time, for an unknown reason the authconfig-tui command is deprecated, making everything more complicated.
          In this context, it is very difficult to provide a definitive path.
          Finally, don’t hesitate to leave a comment when you don’t understand some parts of a tutorial.

    • redsu says:

      Hi Jaz, apologise for stepping in.

      The /data -rw *(rw,no_root_squash) is for setting up the nfs on the server and not the client. You can for testing purposes use this to setup on the client if you are working on the same box.

      You do not need to re-start the nfs as the autofs is only for the client connecting to the remote nfs/ldap server.

      Hope this helps.

      • redhat0329 says:

        Hi CertDepot,

        On LDAP client configuration is it okay if i can use ip address instead of instructor.example.com while copying the certificate? please see below. The ip address is the ip of my ldap server. Thanks

        # scp root@ \

        • CertDepot says:

          Yes, you can use an ip address instead.

          • redhat0329 says:

            Nah….. Why I’m always getting an error after I created ldap and nfs server. But anyways CertDepot we don’t have to be worried setting up ldap, nfs and cifs server right since it is already provided on the exam? We just have to practice the client side? Thanks and looking forward to your reply.

          • CertDepot says:

            Yes, absolutely.

          • redhat0329 says:

            Thanks CertDepot.

          • redhat0329 says:

            * -rw,nfs4 instructor.example.com:/home/guests/&

            Hi CertDepot,

            What will happen if you don’t include nfs4? On Sander’s video he doesn’t include nfs4. Thanks.

          • CertDepot says:

            I don’t know. I haven’t tried!

          • redhat0329 says:

            Hi CertDepot,

            after running # authconfig –enableldaptls –update
            why did you not advise to also run #authconfig –enableldapstarttls? is it not necessary? thanks

          • CertDepot says:

            Yes, this option isn’t required in our case.

  19. redhat0329 says:

    Hi CertDepot,

    When adding the tls certificate the name must be exactly cert.pem or any name or as long as it is under the directory /etc/openldap/cacerts ?

  20. kevbuntu says:

    I have installed a couple of VMs on a virtual box to act as a client and a server. The server side seems to work fine and returns the user info on ldapsearch. I follow the client side procedure as above and when I do getent passwd ldapuser1 simply nothing happens. Could anyone tell me how to debug this, none of the steps returned with a complaint.

  21. kevbuntu says:

    I set up the server and client and even loaded up a .ldif file where I could get a user by using getent passwd “user”. So I decided to try again. Let the server and client centos 7 machine on the VM and created another VM client for Centos 7. Followed the instructions to the end of “authconfig –enableldaptls –update”. But when I do getent passwd “user” I get nothing back. No idea what I did right on the first client! I have done nothing for NFS or mounting on the client side as I am only interested to get an answer from “getent” command. Any ideas whatsoever? Thanks a lot.

    • CertDepot says:

      You can get a very different result if you don’t install exactly the same packages between two executions.

      • kevbuntu says:

        This is what I have done on the client side, do I need to do anything more? Thanks again.

        1. Packages to install:
        # yum install -y openldap-clients nss-pam-ldapd

        2. Enable the followings:

        # authconfig –enableforcelegacy –update
        # authconfig –enableldap –enableldapauth –ldapserver=“davinci.med.cornell.edu” –ldapbasedn=“dc=davinci,dc=med,dc=university,dc=edu” –enablemkhomedir –update

        3. Put the LDAP server certificate into the /etc/openldap/cacerts directory:

        # scp root@davinci.med.university.edu:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem

        4. Apply the correct SELinux context to the certificate:
        # restorecon /etc/openldap/cacerts/cert.pem

        5. Activate the TLS option:
        # authconfig –enableldaptls –update

        Just to add one extra comment, right now if I run the command “getent passwd vanessa” on client-1 I do get result back. But if I run it on the server, I get nothing back. So maybe the fault is with the server and not the client-2. I did check for ldap and sldap and they are running on the server, the machine was rebooted.

        For my ldap-client-2 I get: “ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)” if I just type ldapsearch. All the files are owned by root, but they are the client side. On the server side they are owned by ldap. The ldap-client-1 which works has all the files inside /etc/openldap owned by root as well. I do not believe there is even an ldap user on the client sides.

      • kevbuntu says:

        I found the problem in /etc/openldap/ldap.conf, my Base and URI were in double quotes, and they should not have been, so please disregard all my questions except the one that why getent passwd vanessa is returning nothing on the server side and client-2 but returns a value on client-1. But ldapsearch return correct values.

        I found the problem with getent passwd of client-2, it was a simple copy and paste, some how in my documentation there is unseen characters which get copy and pasted.

        I had to run this on the server side as well to get the getent passwd work, which I guess makes sense. So all my issues are resolved:

        # authconfig –enableforcelegacy –update
        # authconfig –enableldap –enableldapauth –ldapserver=”instructor.example.com” \
        –ldapbasedn=”dc=example,dc=com” –update

        • CertDepot says:

          Sorry for not helping you much but I was in a business trip with almost no time to set up a LDAP lab.

          • kevbuntu says:

            Hi CertDepot,

            I wonder if replication is also your forte. I am using the following to replicate the server as a master slave know as provider/consumer in the ldap world. I am using this link: http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5

            and on section 3 where I enter:
            ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif

            I get this error:
            SASL/EXTERNAL authentication started
            SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
            SASL SSF: 0
            modifying entry “olcDatabase={2}hdb,cn=config”
            ldap_modify: Other (e.g., implementation specific) error (80)
            additional info: Error: parse_syncrepl_line: unable to parse syncrepl id “001#”

            The only part I need to enter is:
            # own domain name
            # directory manager’s password

            If you have any thoughts on that I would be most grateful. Thank you in advance.

          • kevbuntu says:

            Perhaps please ignore my replication question since I was not getting the last line I thought it might be an error, the last line being:
            modifying entry “olcDatabase={2}hdb,cn=config”

            But when I did :
            ldapsearch -x -b ‘ou=People,dc=srv,dc=world’

            I did get a whole bunch of people’s account outputted, so I think my replication is set. I guess I need to add something in the master and take it down and see the client can find it in the slave.

  22. mike92 says:

    Hello Sir,
    I did all the commands and installations, until I encounter this part upon entering the command:
    # scp root@instructor.example.com:/etc/openldap/certs/cert.pem \

    It says
    etc/openldap/cacerts/cert.pem: No such file or directory

    Did I miss something?

  23. kevbuntu says:

    Hi CertDepot,

    Every time I ask a question I end up finding an answer to it, maybe I get lucky again. I used this link below to create a LDAP replication and works mostly except when I try to use getent passwd userid. The link is:


    I can do ldapsearch from the clients and get the result even when I switch off the Master or better know as provider VM machine, but getent passwd “userid” only works if the Master is running. In the past I had to get the getent passwd working using this config:

    # authconfig –enableforcelegacy –update
    # authconfig –enableldap –enableldapauth –ldapserver=“davinci.edu” –ldapbasedn=”dc=davinci,dc=edu” –update

    So I tried doing it on the slave or consumer using the machine name which is davinci-clone instead of davinci, but no joy. Any thoughts on that?

  24. scryptkiddy says:

    I’ve been reading everyone’s comments and CertDepot’s as well. It seems “moving target” and such is the problem, but I have a different issue that no one seems to be talking about. A test LDAP server.

    I realize the ForumSystems website is listed under Additional Resources. However, it doesn’t seem to have / provide a certificate for testing LDAP authentication in the secure manner in which we have to know for RHCSA. Correct me if I’m wrong.

    So is there a free LDAP online test server that also provides a certificate for testing? If not, I have a Win 2008 R2 Server that’s running as a DC. However, I’m not much of a windows guy, so does anyone know what steps I need to take to generate a cert for my CentOS 7 machine to use for LDAP authentication testing?



  25. phil_guy412 says:

    Instead of using the SCP command to download the TLS Certificate could i just navigate into the /etc/openldap/cacert directory and use the WGET command instead?


    • CertDepot says:

      The wget command will work if you’ve got an http server delivering pages located in the /etc/openldap/cacert directory which I really doubt.

      • Lisenet says:

        I would like to clarify that during the RHCSA exam, you are given access to a VM which you need to work with (perform all exam tasks on).

        You get no SSH/SCP access to the LDAP or any other server, period. Keep in mind that wget works with FTP protocol as well.

  26. kevbuntu says:

    Hi CertDepot,

    I have managed to setup a server client openldap on centos 7 minimum and add a user ‘newuser01″ I can retrieve data using ldaps:/// but getent -s sss passwd does not work on the client. This is the authconfig files that I ran

    authconfig \
    –disablesmartcard \
    –disablefingerprint \
    –enablesssd \
    –enablesssdauth \
    –enablelocauthorize \
    –disablemd5 \
    –passalgo=sha512 \
    –enablepamaccess \
    –enableldap \
    –enableldapauth \
    –disableldaptls \
    –ldapserver=ldaps://ldap.yourdomain.tld:636 \
    –ldapbasedn=dc=domain,dc=tld \
    –enablemkhomedir \
    –disablecachecreds \
    –disablekrb5 \
    –disablekrb5kdcdns \
    –disablekrb5realmdns \
    –krb5kdc=” #” \

    and this is what is inside my /etc/sssd/sssd.conf, nsswitch is auto configured and I think I only need to maybe twick the sssd.conf file, please let me know of your opinion:


    autofs_provider = ldap
    ldap_schema = rfc2307bis
    cache_credentials = False

    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap

    ldap_uri = ldaps://provider.example.com
    ldap_search_base = dc=example,dc=com

    #ldap_id_use_start_tls = True
    ldap_id_use_start_tls = False

    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_cacert = /etc/openldap/cacerts/ca.crt

    #ldap_tls_cacertdir = /etc/pki/tls/certs
    #ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

    ldap_default_bind_dn = uid=newuser01,cn=users,cn=accounts,dc=example,dc=com
    ldap_default_authtok_type = password
    ldap_default_authtok = secretpassword
    ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
    ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com

    services = nss, pam, autofs
    config_file_version = 2

    domains = default
    homedir_substring = /home







  27. smrbukhari says:

    Hello CertDepot,

    First of all really appreciate your website and the effort you put in keep it running!

    I configured LDAP client with autofs as you mentioned above but noticed that the shell prompt is different for ldapuser01(-bash-4.2$) and ldapuser02(ldapuser02@localhost~$) and wondering may be you could help me figure out why is that?

    I do notice ownership is still root for /home/guests/ldapuser01:

    drwx——. ldapuser02 ldapuser02 system_u:object_r:nfs_t:s0 /home/guests/ldapuser02
    drwxr-xr-x. root root system_u:object_r:nfs_t:s0 /home/guests/ldapuser01
    uid=1002(ldapuser02) gid=1002(ldapuser02) groups=1002(ldapuser02) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [\u@\h \W]\$ (this is output of echo $PS1, it shows \s-\v\$ for ldapuser01)

    • CertDepot says:

      You should figure out why the /home/guests/ldapuser01 directory is owned by root.
      You should also check the content of the same directory, searching for .* files (ls -a).

      • smrbukhari says:

        Thank you CertDepot for pointing me in the right direction. This is resolved by doing the following:

        1) chown -R ldapuser01:ldapuser01 /home/guests/ldapuser01 (as root)
        2) cp -r /home/guests/ldapuser02/. /home/guests/ldapuser01/ (to copy .bash related files)

        I’m assuming the most important one missing was .bash_profile that was not found for ldapuser01 for some reason.

  28. lakhilove says:

    I have one issue, to download the cert if link is (I got troubled) when downloading certificate from


    I tried every think: wget, ftp (with anonomyous/password), sftp, scp root@, scp ldapuser1@… but wget couldn’t find the file, other thinks (ftp,scp etc) I was stuck with password

    Any help will be appreciated, I couldn’t finish LDAP Client question

  29. Ahmad says:

    Hi ,

    while configuring autofs to automount the home directories of the LDAP server, do we need to do the following actions :

    1-vim /etc/sysconfig/autofs
    and then un-comment the below line :

    2-Do we have to install nfs-utils

    3-what is the meaning of & and * on the below line:

    * -rw,nfs4 instructor.example.com:/home/guests/&

    4-Do we have to add nfs4 in the same above line ?

    5-How to test the configuration (df -hT in the client and see if there is anything mounted when we cd to the home directory of the user or the shared point)

    Thanks a lot for your help and I do apologies for my many questions, but your site is surely the best and very trustful.

    • CertDepot says:

      1- No.
      2- Yes.
      3- */& mean whatever the information passed to autofs, append it to the specified path (instructor.example.com:/home/guests/).
      4- Yes, I think so.
      5- This should be fine.

  30. Ahmad says:

    Hi Certdepot ,

    When configuring LDAP and autofs, in the exam:

    Do we need to add the below lines into /etc/pam.d/sshd

    auth sufficient pam_ldap.so
    auth sufficient pam_permit.so

    Many thanks for your help again.

  31. ylemouel says:

    Do we also need to know how to join an Active Directory and IPA server?

  32. thegeekaid says:

    Hi CertDepot, great step by step guide, it works like a charm, one question though, about the SELinux restorecon step, what is the fcontext suppose to became? Because mine did not change at all.

  33. scruff says:

    Stucked on
    getent passwd ldapuser02

    There is nothing in result. Is there any Ideas?

  34. shiko says:

    Please I need to know what is the context type that should apply with semanage fcontext on the /home/guests directory

  35. scruff says:

    Hi there!
    What kind of answer should I get for “su – ldapuser02” command. Currently I got : /home/ldapuser02 cannot be find (something like this). Any ideas, gentlemen?

    • Lisenet says:

      Does the home directory exists? If it doesn’t, then you know why you get the warning – it’s expected.

      • scruff says:

        The directory /home/guests/ldapuser02 does not exists. I’m trying to manually create directory, but I gave an error: Permission denied. Hope for your answer…

      • scruff says:

        I’m figured out with “permissions” error. Now it seems that I’m able to login under ldapuser02 – I have clean bash session “-bash-4.2$”. Does this means that LDAP topic correctly solved?

        • Lisenet says:

          If you are able to log into the system with an LDAP user, then you know the LDAP auth works. I think that’s all there is to it from a client’s perspective.

          • scruff says:

            I read all LDAP previous topics, and found that bug “cannot change directory to /home/guests/ldapuser02 no such file or directory” is unsolved yet. Although the directory /home/guests/ldapuser02 exists in my lab and the owner is ldapuser02 the bug is still there. Did somebody solve this issue?

          • Sam says:

            Check or disable the selinux settings for testing.
            I suspect your problem is with the NFS setting. Check the services on both vm’s and the firewall settings! And also take note of the version of the os your are using.

          • scruff says:

            SElinux and firewall should not be disabled during exam. But for test purposes I disabled both with no luck. “–enablemkhomedir” key is enough to resolve “permission” issues

          • Sam says:

            You are perfectly right. Unless asked under no circumstances are the SElinux and firewall to be disabled during the exam.

            This should only be done for testing conditions only, and even then in a safe working environment (off network or behind a SECURE firewall).

          • Lisenet says:

            That’s not a bug, it’s misconfiguration on your servers.

            I have it all working, therefore I’m 100% confident it’s something at your end. Feel free to take a look at my config: https://www.lisenet.com/2016/freeipa-server-on-rhel-7-centos-7/

          • scruff says:

            Thank you, Lisenet. I appreciate your help.

          • scruff says:

            Just watched the video from Ralph Nyberg. He advised to put “–enablemkhomedir” into authconfig. So I summarized bunch of arguments into one set: authconfig –enableforcelegacy –enableldap –enableldapauth –ldapserver=”instructor.example.com”
            –ldapbasedn=”dc=example,dc=com” –enableldaptls –enablemkhomedir –update. Have no idea how I missed it)))))

          • scruff says:

            Another issue which caused the “cannot create directory /home/guests/ldapuser02 no such file or directory” problem is the string MASTER_MAP_NAME=”yes” in /etc/sysconfig/autofs config file which is missing by default. Dear Certdepot, would you be so kind to put it into the tutorial?

          • CertDepot says:

            I need to rebuild all the environment to test this. This will take some time.

  36. peter.parker.1912 says:

    Would it be a problem if we –enablelts when we are enabling everything else and adding the ldapserver and basedn?

  37. ispada says:

    When I set this * -rw,nfs4 instructor.example.com:/home/guests/& on my /etc/auto.guests didn’t work. I had to change it to * -fstype=nfs4,rw instructor.example.com:/home/guests/&

    Could you please confirm?

  38. benny says:

    Hi, can I use realmd to configure instead of using authconfig?

  39. benny says:


    I managed to do the ldap client SSO, but wondering the section about “Automounter Client Configuration”. Actually, what does this section do?

  40. blahblah says:

    So does the forumsys LDAP server work with nslcd? I tried to setup an LDAP server on a raspberry pi but it was hell and I didn’t manage to figure it out.

    • CertDepot says:

      I have no idea. However, setting up an LDAP server is already not an easy task on a normal server. On a raspberry PI ths could create additional difficulties.

  41. blahblah says:

    The authconfig -h | grep ldap is an extremely useful tip, thanks.

    To neaten/shorted things, I want to add that it’s possible to do this, for the cacert part, on RHEL 7.3:
    authconfig --ldaploadcacert="file:///cert.pem" --enableldaptls --update
    It adds it to the correct place, and changes the SElinux permissions to be correct – running restorecon doesn’t change a thing

    I’ve gone over this a few times now, using LVM snapshots to rollback and repeat, as I usually do.

  42. shireeshk says:

    scp root@instructor.example.com:/etc/openldap/certs/cert.pem

    Do we get ldap server root credentials for the above step during exam?

    can someone point how do we get the cert.pem file?

  43. mickey999 says:

    Howdy, everyone!

    I’m happy ! I lost my minds with this exam so …I’m happy! Failed it 3 times by now but …here’s what I did in the past 4 months regarding this…

    The article posted here is very useful indeed.
    It’s been a while since I’ve been reading this very good article plus everyone’s posts and comments plus the article about the automount on this website. However I failed my RHCSA7 exam …yeah . Not once but three times now.

    Following the indications on this website I managed at home to replicate as close to the exam as possible my testing environment.
    The LDAP server part is awesome!

    During the exam I have noticed the testing RHEL7 server provided has a very old kernel and of course very old packages regarding what you need in order to successfully fulfill the LDAP + automount + SELinux part.

    Of course SELinux was enabled on server side and client side as supposed to at home and during the exam for sure was on my machine.

    I wonder , those who passed the exam what RHEL7 machine were provided with????

    I tested with the kernel provided by Michael Jang’s book Kernel 3.10.0-123 and the client fails to change into ldapuser’s home directory. However “getent passwd ldapuser01” gets me the right response.

    I also tested with a higher version of the kernel something like 223 and 514 and if you setup the client – server exactly as it is described here IT JUST WORKS! No doubt about it!

    Of course , works if on the client side the necessary booleans are enabled : authlogin_nsswitch_use_ldap and eventually use_nfs_home_dirs…Am I missing any ?

    Also make sure on the client the fcontext for cacerts directory and it’s contents ( the cert.pem and it’s symlink ) is slapd_cert_t ( if i remember correctly )

    Beside this selinux label and the boolean mentioned above what else should be “correctly labeled” and what other darn boolean should be turned to “on”???

    The error during the exam was as much as I can remember: “SELinux prevents /usr/sbin/automount getattr to file”

    I couldn’t see the “file” SELinux was referring to!
    That’s why I was thinking maybe that old kernel version plus the old packages provided on the repo during the exam are not working right.

    Or maybe my brain is old and I should start searching for some other job ???

    Any ideas, guys? I am out of options here.

    I know, I know you gonna say “look at sealert -a /var/log/audit/audit.log”.

    At home with the old kernel version mentioned but I guess newer RPM packages ( for autofs, selinux,etc) my error for ldapuser is : “Can’t change home directory . Directory does not exist

    During the exam with the same old kernel but who knows …maybe also older RPM’s for autofs and selinux the error was:
    “SELinux prevents /usr/sbin/automount getattr to file”

    I know that all works smooth if you do exactly as this article says regarding ldap server-client and if you have only
    authlogin_nsswitch_use_ldap turned on and the correct label applied for cacerts directory on client.

    Am I missing some other label or boolean here???

    Oh, one more thing, the command I used at home and during the exam was this one:

    authconfig –enableldap –enableldapauth –enableforcelegacy –ldapserver=ldap://whatever_the_exam_wanted –ldapbasedn=”dc=,dc=,dc=” –enableldaptls –ldaploadcacert=http://whatever_was_the_name –update

    The certificate is imported nice , no errors at home and during the exam, but you need to do the fcontext trick for cacerts directory

    Call me crazy guys but I also had time to use the other method during the exam .

    The one where you install sssd stuff.
    I tested also by using it the similar way the “authconfig” command but first disabling ldapauth and ldapforcelagecy stuff
    Then activating the necessary ones for sssd

    If you switch from ldap with nslcd service enabled to ldap with sssd service enabled be very careful first the service you choose to be enabled while the other one should be disabled, then configure /etc/nsswitch.conf with this :

    passwd: files sss ldap
    shadow: files sss ldap
    group: files sss ldap

    services: files sss ldap
    netgroup: files sss ldap
    automount: files sss ldap

    Then be ready to manually switch (edit) in between using pam_ldap.so and pam_sss.so in /etc/pam.d/system-auth and in /etc/pam.d/password-auth

    It works at home just fine with a higher version of the operating system , higher versions of RPM packages and of course higher kernel versions.
    But 3.10.0-123 ….no way ! Didn’t work for me at all!

    So, boys, if you have any ideas/indications/directions please let me know ’cause this really gives me nightmares already!

    Oh, one more personal observation ( don;t want to offend anyone, just correct me if I am wrong!) : I don’t think that during the exam doing everything minus the part regarding ldap + automount will pass you.
    I just don’t think so as I had same bitter experience with RHEL5 certification.
    I passed that one but ONLY because I solved ( at that time!) the automount + NIS stuff !

    • CertDepot says:

      Thanks for the feedback. The LDAP stuff is one of the most difficult tasks in the RHCSA exam because there are so many possible combinations between the client and the server configurations. The client and server LDAP tutorials have been tested many times with success but I’m sure there are certainly improvements to be found at least on the client side (the most critical!).

    • Lisenet says:

      I know what you’re talking about, and yes, sealert is the answer.

  44. mickey999 says:

    Update of what I have managed to do at home :

    I tried to replicate as closer as I could my problem encountered at the exam described in my preview post so for that first I had to modify a little bit the LDAP server part ( took me 5 minutes tops to do it thanks again for the notes in the article about configuring an LDAP server!)

    So instead of exporting /home/guests I made my LDAP server export /rhost.
    Very easy to do if someone reads carefully the last part in your article regarding how to configure the LDAP server.

    Then I have downloaded the infamous kernel-3.10.0-123 from the DVD that comes with Michael Jang’s book.

    My lab uses an older Centos 7 DVD ISO that comes with a a kernel like 3.10.0-325 or something similar.

    So , using my kickstart file that gives me Centos 7 machines very stripped off of unnecessary stuff , I created fast a testing server on which I installed the infamous kernel 3.10.0-123

    1. Made sure the following RPM’s were installed first on my client machine : openldap, openldap-clients, nss-pam-ldapd, autofs, authconfig, nfs-utils, policycoreutils-*, setroubleshoot-server

    2. Turned on the boolean regarding the use of nsswitch and the one regarding the use of nfs home directories

    3. Used this command with the following options ( no more no less!) :

    authconfig –enableldap –enableldapauth –enableforcelegacy –ldapserver=ldap://name_of_my_LDAP_server:389 –ldapbasedn=”dc=example,dc=com” –enableldaptls –ldaploadcacert=http://my_http_server/cert.crt –update

    4. Once the certificate imported into my client I had to apply the fcontext on /etc/openldap/cacerts and it’s contents

    semanage fcontext -a -t slapd_cert_t /etc/openldap’/cacerts(/.*)?’

    restorecon -RF -v /etc/openldap/cacerts

    5. Created and edited /etc/auto.rhost :
    * -rw,nfs,intr,soft my_server_here:/rhost/&

    6. Added into /etc/auto.home:
    /rhost /etc/auto.rhost

    7. systemctl enable nslcd ( authconfig already started it,right?)

    systemctl enable autofs
    systemctl start autofs

    I have checked immediately the status of both mentioned services and they started smooth and clean

    I have checked /etc/openldap/ldap.conf, /etc/nsswitch.conf and all seemed fine for this TLS stuff connection

    getent passwd ldapuser – got the correct response – at this point I was surprised because I am using the kernel I thought has problems. Hope kicked in! Yeah! During the exam I had no response from this command which of course lead to “User does not exist”

    Final test : su – ldapuser : BANG! SUCCESS! I am in as ldapuser
    browsing the directories exported along with this my very own home directory

    Still I can’t believe this is happening nice and clean so I do :

    sealert -a /var/log/audit/audit.log – ZERO ALERTS!

    Thrilling experience at home but desolating looking forward to the exam.

    Why this works at home and at the exam I can’t connect this client to the LDAP server??

    What am I doing wrong actually???
    Ideas, eh ? Boys??? ..HELP!!!

    • hunter86_bg says:

      Are you sure that the packages used during the exam are the same version like the packages at home ?

      • mickey999 says:

        Well… I don’t know. I can’t remember the version of the packages used by the machine served me at the exam.
        At one point I was suspecting that the kernel version and SELinux packages were not working together as they were supposed to.
        Later I managed (at home) to use the same kernels they served me at the exam (3.10.0-123 and and … without doing absolutely nothing different from what I was doing at the exam it just worked!
        So, at this point I’m gonna go back probably next week and pay$400 just to look into /var/log/audit/audit.log.
        If the answer is not there then to hell with the rest of the exam.
        I know for that they won’t let you pass without the LDAP part.
        My only hope now is that they willingly screw up another label just to make you look into the audit.log file for SELinux troubleshooting.
        I’m “opinionating” at this point.

        • hunter86_bg says:

          I’m seeing strange behaviour all the time while I’m preparing. I’m pretty convinced I’m hitting bugs, but this is the way. I’m not sure if they will or won’t let you pass without the ldap stuff.
          I’m just suspecting that everything concerning security (selinux,firewalling,ldap) is considered more important and would decrease the score more than another task. This is pure speculation, and I have no idea how they evaluate this at all.

          • Lisenet says:

            Security settings are important, but don’t take higher priority than services which need to be configured. Imagine yourself as a customer, who hired you to deploy the exam system. You can tune SELinux and restrict firewalld access, but if the service isn’t running or isn’t accessible, such system is basically useless. From a customer perspective, it’s much more important to get the service up and running, than to worry whether SELinux labels are correct etc. Get the idea?

          • hunter86_bg says:

            Hm… Looking it at this angle – yes this is a major problem (if the service is not running at all).
            Thanks for raising this. I’ll update once I pass/fail my RHCE in friday.

      • mickey999 says:

        Oh, one more thing, I know for sure that the following packages are mandatory for autofs-LDAP stuff:
        authconfig, autofs, nfs-utils, openldap, openldap-clients, nss-pam-ldapd, policycoreutils-*, setroubleshoot-server.
        So make sure you have all the above packages (I checked them and during the exam they are already there!)

        Then of course create the necessary files for autofs to work (/etc/auto.whatever and edit it accordingly), tell the automounter where to mount stuff as described in /etc/auto/whatever.

        Then enable the necessary booleans (the one referring to use_nfs_home_dirs and autconfig_use_nsswitc one ), then apply the correct label (slapd_cert_t) on /etc/openldap/cacerts after importing the certificate into the client (I use authconfig with –ldaploadcacert= option)
        Make sure you enable autofs and nslcd services, restart them eventually and … it has to work!
        Theoretically it must work but my experience is very bitter: doesn’t work at the exam. It’s either something else screwed up intentionally, either … something else screwed up just like that!

        • hunter86_bg says:

          1. I’ve never relabeled the “/etc/openldap/cacert” content and it always works.
          2.”authconfig” is installed even in minimal install, am I wrong???

          As you can see in my next post I had some issues with 7.0 and pure ldap authentication. If I choose the nss-pam-ldapd method – sometimes “nslcd” daemon refuses connection (a reboot should fix it), while the sssd -> causes the unknown group for gid xxxxxxx.
          Have you tried the GUI tool? I think it was “authconfig-gtk”.
          And also try the “authconfig –savebackup=” option. Sometimes I have to revert in order to make it work.

          • mickey999 says:

            Never relabeled “/etc/openldap/cacert” and works? No way man!!!
            But again, reading through your comment … I see MYSELF all the time strange behavior when I prepare for test.
            I spin up same training virtual machine using same ks.cfg file

            I test with it then I destroy it and I spin another one in a few minutes using exactly the same ks.cfg file and …. as you said … WEIRD behavior on the exactly same server (same packages and kernel-3.10.0-123-1.2 – which I install and make it the default one)

            For example last night I was trying to replicate the error (as closer as I thought I could!) I had during the exam so I start playing turning off and on the booleans mentioned and applying a wrong label to the “/etc/openldap/cacert” directory.

            Guess what!?? Going “su – ldapuser” from my client worked perfect!!!!
            Readable, writable, as it supposed to, right?

            But I went to /var/log/audit/audit.log and actually the errors were logged there
            Keep in mind all working ( talking about autofs+ldap) with wrong label and booleans turned off while SELinux is in enforcing mode!

            I guess there are bugs. Something on the SELinux side (whatever package versions are installed with Centos 7.1 I am testing with) doesn’t work right with some kernel especially with the one they force you to use during the exam.
            However, as I said, during the exam you have everything you need ALREADY installed so I guess somehow they actually screw up willingly something else.

            I guess I will see what exactly they are messing up, when I’m gonna throw another $400 … soon enough.

            Yes I installed the GUI too just to check what and how is modified when I’ve already used the “authconfig” command.
            Makes sense to check what exactly is done when using the command line vs authconfig-gtk.
            But you can’t use authconfig-gtk during the exam.

            I’ll try to do my best of the best next week during the exam and keep you guys posted with new stuff if any will occur

            Guys, I’m not on the heights of despair anymore. I AM the despair already!
            This exam grinded my nerves way too much by now so … we’ll see next week.

          • Lisenet says:

            I second that, never had to relabel the cacerts folder nor its content. Have you tried authconfig-tui? Perhaps you need a different approach.

          • hunter86_bg says:

            You can use authconfig-tui as Tomas offered. Just when you reach the warning that you need your certificate in “/etc/openldap/cacert” folder – open another terminal and download it. Then return to the first one and confirm and everything should be working as expected.

          • Lisenet says:

            My point exactly. If I failed the exam, I would use a different approach the next time.

          • mickey999 says:

            Thing is … /etc/openldap/cacerts does not exist until either using authconfig command either using authconfig-tui

            So once I am using the authconfig with the described options, the /etc/openldap/cacerts directory will be created on my client and the certificate will be imported.
            Trick is that the label of “cacerts” and it’s content will be in this case “etc_t” and I need to relabel as ldapd_cert_t (seems correct, right?).

            I didn’t use yet authconfig-tui but I am assuming that in order to use it there are some preparations for the client (just assuming!).

            Probably first you have to create “cacerts directory under /etc/openldap (and if you create it what label will have??)

            Second you have to manually copy the cert.crt from where they say it is during the exam and then move it or copy/paste its content into a file under /etc/openldap/cacerts/

            But these things won’t require to relabel cacerts and its content???

            I doubt it but yet again I am assuming that this is about to be done before using authconfig-tui
            I didn’t tested it yet but … why would be different using authconfig-tui from authconfig with the correct options?

            I think I am using the correct options as at home actually I have a successful connection.

            From what I remember the label for cacerts and its contents should be “slapd_cert_t” NOT “etc_t”.
            Am I right?

          • Lisenet says:

            You are right, the cacerts folder does not exists, but I don’t see why this is a show stopper for you. Just create it. Did you see this: https://www.lisenet.com/2016/ldap-and-kerberos-client-authentication-on-rhel-7-using-nslcd/ ?

          • hunter86_bg says:

            Why not use “authconfig-gtk”? As far as I remember the VM for the RHCSA was actually a “Server with GUI”. And yes, I have never relabeled the “/etc/openldap/cacert” folder and its contents and my LDAP + kerberos and plain LDAP + LDAP auth are working.
            I’d recommend you to take a break. My second attempt on RHCSA was 1 year after the first failure.

            I can only offer you to do this: just start with the LDAP and if it breaks try the “authconfig –restorebackup=/folder/you/made/backup” and try again. If you feel something is wrong, ask the instructor to reset the VM and try again.

            After all you can still do it in less than 1 hour. I screw up my VM 60 min before the exam end and I still passed (barely).

            Do you know your RHEL version for the exam?

          • Lisenet says:

            You can reset the VM yourself, no real need to ask the instructor to do that.

          • Sam says:

            My advice, take a step back and look at the problem from another angle. Take a second look at your setup on the host pc (assumed), ie cpu, ram, network, source, do a check disk etc.

          • mickey999 says:

            @@ hunter86_bg

            I don’t remember the exam version of the OS.
            I’ll let you know soon after I’ll pay them boys a new visit.

            Thing is I had no problem passing 7 years ago the RHEL5 certification only at that time was NIS+autofs not LDAP+autofs.

            authconfig-gtk is not available during the exam. You don’t have server with GUI.

            @@ Sam: On another hand there is not much time left for this certification to be completed successfully.

            I have a final day to do this and it is coming pretty fast.
            It’s been more than 7 months since I am preparing for this exam and without it …well… I’ll be searching another job.

            I never liked roofing jobs or digging ditches or the ones from Wally World :-)))) … but I might be searching for one soon if I don’t pass this exam.

          • CertDepot says:

            You will be fired if you don’t pass the RHCE exam! Could you give us a little bit more information about your situation because it seems pretty strange from outside.

          • hunter86_bg says:

            Strange thing. My RHCSA (Feb 2015) was Server with GUI. I was then preparing for RHEL6 exam when I was notified it will be RHEL7 instead. I’m not aware if there will be “Server with GUI” on the RHCE, but I thought it will be just like my previous experience.

            An employer who seeks a job justification … unless they paid for a course and the exam – I will ditch them immediately. In my case – we don’t even use RHEL so much, but it’s worth proving your skills (of course if I pass).

          • hunter86_bg says:

            I have just tested the “x-systemd.automount option” and it’s as good as autofs. My NFS server was not up when my client went online and still I managed to enter my nfs mount point.

            Here is an example from a client’s fstab (please note that systemd doesn’t need “_netdev” for cifs,nfs,nfs4 but I’ve added it just to remind me):


  45. hunter86_bg says:

    Hi guys, let me share something I found today.

    I was doing a sample RHCE exam which required LDAP authentication for a specific user for ssh configuration.
    After installing “nss-pam-ldapd openldap-clients” and trying to update my auth setup via authconfig – “nslcd” daemon refused to start up complaining about unknown “uid nslcd” and about unknown “gid ldap”.
    To fix it, just run “yum groupinstall directory-client” .
    This behaviour was observed on RHEl7.0 DVD repo , and I haven’t met this in higher versions.

  46. mickey999 says:

    Guys, what I have done regarding the demands of the exam specifically for the LDAP+TLS+automount side at home was applied also at the exam EXACTLY as I will post the steps and commands here.
    So keep this in mind when you read this! EXACTLY AS DONE HOME WAS DONE DURING THE EXAM!

    Here is EXACTLY what I do regarding the issue, knowing that SELinux MUST be active :

    Before starting I make sure I have all necessary packages installed ( they are there but I check first anyway).
    yum install autofs nfs-utils authconfig openldap openldap-clients nss-pam-ldapd policycoreutils-* setroubleshoot-server

    I don’t use the sssd solution , only the ldap legacy one so I do not install any sssd- rpm packages!

    Actually I think this is what they want you to use as you’ll find that during the exam ALL the above packages mentioned are already installed but no SSSD packages are installed

    You have NO GUI available ( I’ve been there 3 times so there is no GUI on the server they gave me!) .
    Keep this clear in mind so , here we go:

    PART A) Solving the automount problem:

    1. Create /etc/auto.rhome and add this in it:

    * -rw,nfs,intr,soft exam.server.whatever:/rhome/&

    2. Edit /etc/auto.mount and add this in it :

    /rhome /etc/auto.rhome

    3. getsebool -a | egrep “nfs|ldap” and I pick up the following
    two to enable:

    setsebool -P use_nfs_home_dirs 1
    setsebool -P authconfig_nsswitch_use_ldap 1

    OR you can go this way :

    semanage boolean -l | egrep “nfs|ldap” to get the same result in finding the booleans you need and then , if you like this solution:

    semanage boolean -m –on use_nfs_home_dirs
    semanage boolean -m –on authconfig_nsswitch_use_ldap

    Which ever one works for you , both get you to the same result : the booleans mentioned are turned on.

    4. systemctl enable autofs; systemctl start autofs

    5. sealert -a /var/log/audit/audit.log – gave me no errors here so we are good to go to the next stage

    PART B) Solving the client connection using TLC given certificate

    1. Because I use the authconfig command I can’t remember all options I need ( I’m pretending not to because by now I dream them ! That’s how many times I have used them in the past 4 months!)

    authconfig -h | egrep “ldap|legacy|sha512″

    Pick up from the listing what I need like this:

    2. authconfig –enableldap –enableldapauth
    –passalgo=sha512 –update

    At this point if the command with the appropriate options is typed in correctly and if the paths declared are correctly you will have on the client the /etc/openldap/cacerts directory created, and the certificate imported inside of the cacerts directory.

    No sweat here using this command with all the options.
    Never failed me in creating the mentioned directory and placing the certificate inside of it.

    Actually you will have a file in “.pem” ( even if it is with “.crt” when they gave it to you) and a sym link created to it . I forgot the name if that sym link right now.

    3. Check if things look okay inside /etc/nsswitch.conf as follows:

    passwd: files ldap
    shadow: files ldap
    group: files ldap
    services: files ldap

    netgroup: files ldap

    automount: files ldap

    Correct if necessary and make it look as I posted above.

    OBSERVATION: If you want to use the other solution (sssd) then obviously the above will replace everywhere where “ldap” is with “sss”

    4. If you’re using my solution then check /etc/pam.d/system-auth and make sure you have pam_ldap.so in there BUT NOT pam_sss.so!
    Check also /etc/pam.d/password-auth and make sure the same pam_ldap.so module is in there .

    5. ll -Z /etc/openldap

    I see “cert” directory labeled as slapd_cert_t and “cacert” directory labeled as etc_t.
    So I decide to label them both with slapd_cert_t

    6. semanage fcontext -a -t slapd_cert_t /etc/openldap/’cacerts(/.*)?’
    restorecon -RFv /etc/openldap/cacerts

    At this point funny stuff starts to happen.

    What I have noticed at this point by changing the label here:

    a) In my home lab everything works just fine and the label is applied correctly just like this! NO PROBLEMS!

    b) During the exam I struggled to apply the label. Meaning after I issued both commands above it won’t change the label.
    So I had to stop autofs and nslcd apply again the label but … nothing.
    So I reboot the exam server and check again if the label is applied…this time seems to be applied.
    Okay, but why this discrepancy? Why not working same as home? Damn if i know!
    Maybe because the label should be etc_t and NOT slapd_cert_t???

    Let’s go further and actually complete this ( where more funny stuff appear)

    5. systmctl enable nslcd
    systemctl restart autofs
    systemct restart nslcd
    systemctl status autofs; systemctl status nslcd

    6. Let’s check getent passwd ldapuser
    At home: I see the output expected for ldapuser
    During the exam : NOTHING. (BANG! I hate this already)

    7. Let’s see if we have the exported directory mounted on the client:

    su – ldapuser

    At home: I have the entire directory mounted just fine I can see all the files exported I can create files and directories just fine
    Also df -hTP will show the exported directory mounted via nfs4 into /rhome. COOL!! Happy-Happy, Joy-Joy!

    During the exam : Error ” file or directory does not exist”

    8. Let’s see if any errors were recorded somehow when both services were restarted :

    systemctl status autofs
    systemctl status nslcd
    sealert -a /var/log/audit/audit.log

    AT home : I have everything perfect! Everything is clean , not a damn error!
    audit.log is clean. No error displayed with “sealert -a”, no SELinux mambo-jumbo complain.
    ALL clear!!

    During the exam: errors for both services autofs and nslcd after restart.
    At this point during the exam I couldn’t check audit.log because time was up !

    However I caught a glimpse of one error thrown while restarting autofs.

    It was something like this :

    “SELinux is preventing /usr/sbin/automount to getattr on file …….”

    I couldn’t see the name of the file as time was up.

    But if the correction of whatever error was there would be that stuff to create your module and load it up …that won’t work so I think I’m toasted !!

    If the error would be something like “denied getattr scontext=etc_t ….tcontext=slapd_cert_t” on some file then definitely you’ll see the file with wrong label on it defined by the stanza scontext (source context) urging you to change it as it is defined by the tcontext stanza (target context) …or at least this is what I am assuming I have to do : replace what is declared in scontext with what is declared in tcontext

    So here you have it boys!
    Everything I do , exactly as I am doing it at home and during the exam …this part with LDAP+TLS+automount


    • Lisenet says:

      You are repeating the same steps while expecting to get different results. It’s clear by now that the exam system is somewhat different compared to your home system. I have no way of knowing what’s the difference in particular, but if you tried a different approach, perhaps you would be OK. How about trying authconfig-tui during the exam, or moving from nslcd to sssd? I understand your frustration, but knowing more than one way to achieve the same goal increases your chances of passing the exam. And stop changing SELinux labels, you don’t need that to pass the exam.

    • scruff says:

      You may install GUI with “yum groupinstall “GNOME Desktop”” but it will take about 10-15 minutes.

    • Krypton says:

      Hello mickey999,

      Sorry for the difficulty you are experiencing with this section of the exam. Actually I wrote the exam yesterday and passed with 283 score. I did not have to do most of the things you highlighted.

      Yes, you can use the GUI. While the VM does not boot to the GUI, because the default is multi-user.target, you can change the target/runlevel. Just run the command below:

      # systemctl isolate graphical.target

      -login and install the germane LDAP utilities. You do NOT need to install “GNOME Desktop” it’s just a waste of time. When you reboot and reboot the VM it loads the multi-user again.

      I did not have to mess with the SELINUX fcontext. Speaking of selinux, the only thing I can think of is when you were breaking the root password, did you touch the /.autorelabel file?

      • mickey999 says:

        Sure thing I did “touch /.autorelabel” after I changed the root password right at the beginning of the exam otherwise you can’t get into the system.

        Thing is (maybe you noticed) if you do not complete the very first stage of the exam ( root password and network – I do it right on then one single reboot) you won’t be able to read the rest of the demands of the exam.

        Once I was done with the first mandatory part I noticed it took about a minute for the system to let me in so I could read the rest of the demands of the exam.

        No network = bye-bye exam.

        Anyway, I’ll go again later afternoon.
        We’ll see how this will work today….

      • scruff says:

        So why you don’t tried “startx” command – it starts Gnome or whatever GUI

  47. mickey999 says:

    One little trick they might serve you during the exam just to piss you off (sorry if it is not related to ldap but worth noted).

    Configure the ntp client!

    You might think smiling: “No sweat, I know it! Easy-peasy”
    But when you enable the service and then you play with ntpq -p command you see that the client stops after a while, not sync’ing and so on.

    Make sure chronyd is disabled and stopped.
    Otherwise you go crazy.

    You can remove the entire package chronyd if you want but before enabling ntp and starting it make sure chronyd is stopped and disabled!

  48. mickey999 says:

    Howdy boys!
    Crap went fine this time, I got the certification but boys … listen up: I couldn’t get chrony sync’ing with the damn server.
    I’ll be damn if I know why! ha-ha-ha.

    Anyway, I didn’t bother too much as I knew that without LDAP + TLS + automounter done properly I won’t pass so I concentrate on doing it correctly.

    As a parenthesis here: I don’t know when the rest of you got the exam passed but if you did it in the past month (April 2017 in some remote USA facility) and claim that you did it without correctly doing the part about LDAP + TLS + automounter … well, whoever says this is a liar! Period!

    I’m still thinking that I’m right about the label that is supposed to be applied on the /etc/openldap/cacerts directory but … I kinda “risked” it and I did it without changing anything.
    It worked as the majority of you said!
    But … wasn’t enough.

    In one of my previous comments I mentioned “autofs_ldap_auth.conf” if it needs or not to be altered somehow.
    An answer I got from one of you was “No”
    Well, the answer is YES! Period!

    Ever encountered an error saying something like “server and client need privacy (what a statement!!!!)” ?? Well, keep this in mind and keep an eye on the file I just mentioned.

    I urge anyone to do as I did (if my comments were read, you might find some good info about my “struggle”) but keep in mind the following:

    1. DO NOT mess around with ANY boolean or label regarding SELinux BEFORE actually configuring LDAP+TLS+Automounter!

    2. Alter /etc/autofs_ldap_auth.conf properly. It is self-explanatory!

    3. USE authconfig command and DO NOT waste your time, money and life trying to install GUI if it is not already installed.
    NO GUI = NO authconfig-gtk. Any speculations about this is just waste of time. PERIOD! (Again!)

    4. DO NOT use authconfig-tui. It is not reliable. You still need to “import” somehow the TLS certificate and if you copy/paste it, you might get the wrong label on it and you’ll have “the bitter life of Aldo Moro” with it … as I had it! (Google about Aldo Moro to understand what I wanted to say with it 🙂 🙂 )

    5. Depending on the method you want to choose (ldap or sssd) there are packages installed and packages missin’) .
    So, YOU decide which one to choose but check what is installed and what not.
    You WILL get a good hint on what path you are “urged” to choose or … not.

    I know it’s hilarious for y’all readers telling you about chrony and not being able to sync the client with the NTP server when I just posted a few days ago a comment about it.

    Thing is … after placing there the name of the server supposing to be my NTP server, restarting chronyd the command “chronyc tracking” gave me clearly: not synchronized.
    T’hell with it! Not worth wasting time with it.

    Now, thax y’all for your comments/indications but you’ll get there if you really struggle to get there.

    It ain’t easy even if it looks easy.

    In the end I need to tell you: someone needs to open the Victory Champagne for today, am I right ?? 🙂 🙂

    Nice talking to y’all, folkes!

    • Lisenet says:

      Congrats on passing the exam! Great achievement, I’m glad you finally nailed it.

      One thing though, about your statement saying that authconfig-tui is not reliable. I would disagree – I used authconfig-tui during the exam, and I didn’t lose a single point. There are a couple of extra steps required to get it configured, but it does work 100%. Unless you refer to lack of experience using the tool, then I’m not sure on what’s unreliable about it.

    • CertDepot says:


    • Sam says:


  49. scruff says:

    Hello there!
    Passed my RHCSA today with very nice scores. Acording to my result I failed only in AUTOMOUNT task. I revised this task and returned to it after completenig all other tasks and spent my rest 20-25 minutes of exam on automount, but no luck!!! Got “permission denied” error, although ldap task was OK and I was able to make “getent passwd ldapuser”. At the home lab I could figure out with automount/ldap tasks in 5 minutes even with closed eyes without any errors of “getent psswd ldapuser” and “su – ldapuser”. At the task there was a term with NFS version, other than NFS4. Besides, I suspect, that the syntax of auto.guests may be different and depends on NFS/autofs installed version. Recently I found another syntax of it: “* –fstype=rw,nfs4 server:/home/user” instead of “* -rw,nfs4 server:/home/user” presented on certdepot site. May be it was a gotcha. So pay more attention to this task. Try both ways and other NFS versions. Have a luck!!!

    • CertDepot says:


      • aliaj00 says:

        if anyone is using Red Hat RHCSA RHCE 7 Cert Guide book please check getent passwd lara and fix the:
        * -rw,sync labipa:/home/ldap/&
        * -rw,sync,nfs4 labipa:/home/&

        and enable logging for autofs on centos7 /etc/sysconfig/autofs add: LOGGING=”debug”

        According to what getent passwd “username” will return, put the home directory path without the username and with & at the end:
        * -rw,sync,nfs4 labipa:/home/&

        # cat auto.homes
        * -rw,sync,nfs4 labipa:/home/&

        # getent passwd lara
        lara:*:304600003:304600003:lara jones:/home/lara:/bin/sh

        And on journalctl -f -u autofs make sure to see it mounted and without issues.

        I scratched the head sometimes to figure this one out.


        • CertDepot says:

          Interesting. Thanks.

          • aliaj00 says:

            also if you are NOT using sssd for ldap make sure to edit the /etc/nsswitch.conf to have:

            #automount: files ldap sssd

            automount: files ldap

            otherwise the autofs will complain about it and the restart for the service and login can be a long waiting pain.


          • CertDepot says:

            Ok, thanks.

  50. RedHatter says:

    Sander says, auto.master file solution still works
    but is deprecated and he prefers to create a master map entry in /etc/auto.master.d. On RHEL 7, the auto.master file is considered a part of the RPM, and it might be overwritten while updating RPMs on your server. For that reason, the approach described in Exercise 23.3 is preferred, as in that exercise; the system-managed part of the configuration is clearly distinguished from the usermanaged part of the configuration.

  51. RedHatter says:

    But Sander also uses the auto.master file way in his 2017 videos which is what I prefer. My question, is this a safe method even though its deprecated. Gem of a site btw

  52. Moayd Suliman says:

    Hi CertDepot, first: # getent passwd ldapuser02 doesn’t work with me.
    second: I configure ldap on server1 and configure client authentication on server2, everything works good but, if I log in server2 as ordinary user and try su ldapuser1, it gives me su: Authentication failure. I need to know why? but with root privilege working fine…

  53. Ph.linux says:

    Hi CertDepot,

    authconfig-tui is available in exam?? Yes or No?


  54. xar says:

    Hello CertDepot, preparing also for the RHCSA exam, I would like to ask if anyone has ever tried to create an automount point to a different location on client side? I made numerous attemps but none of them worked. All the examples (including CertDepot’s) define the directory name of the client to be the same as the nfs server. What I want for example is:

    auto.master :
    /customhomedir /etc/ldap.file

    ldap.file :
    * -rw,sync server:/home/ldap/&

    • CertDepot says:

      There shouldn’t be anything preventing you from doing that.

      • xar says:

        I’m using Sander Van Vugt’s IPA server in order to provide nfs services, but the automount of home directories only works in such a way:

        /home/ldap /etc/ldap.file

        * -rw,sync server:/home/ldap/&

        if I modify the auto.master to
        /home/guests or
        /customdir or
        /home/guests2 or anything else but no /home/ldap it doesn’t work and I can’t understand why this is happening.

  55. Sameer says:

    When launching the command : getent passwd ldapuser02
    Nothing is getting displayed in shell.

    Error is /var/log/messages
    Apr 14 20:45:57 localhost nslcd[1271]: [48eaa1] failed to bind to LDAP server ldaps://ldap.example.com: Can’t contact LDAP server
    Apr 14 20:45:57 localhost nslcd[1271]: [48eaa1] no available LDAP server found: Can’t contact LDAP server

    Can someone help please.

    LDAP server has been successfully configured using the tutorial below:

    • Lisenet says:

      You seem to be using LDAPS. Make sure that the LDAPS port 636 is open. If it is, then the next step is to check whether there are any TLS/SSL certificate issues. You’re most likely using a self-signed certificate. Try switching to LDAP and see if the error still occurs.

  56. ercole1977 says:

    I have a problem I cannot solve. Authconfig well configured, automount ok BUT I cannot obtain home dirs creation, so it works only if on my nfs share I have already created the home directories. Oddjobd installed and authconfig –enablemkhomedire –update passed. Looks like oddjobd makes nothing. Service is started. Any idea?

  57. Zorbeg says:

    Is this objective still relevant? I can’t find anything LDAP related in official objectives:

    • CertDepot says:

      Yes, it is still relevant.
      “Configure a system to use an existing authentication service for user and group information” relates to LDAP in some extent.

  58. encript says:


    I have stumbled across this site while studying for RHCSA exam. I have a question. Red Hat’s site says:


    To configure Identity Management systems, Red Hat recommends using the ipa-client-install utility or the realmd system instead of authconfig. The authconfig utilities are limited and substantially less flexible. For more information, see Section 2.1, “Identity Management Tools for System Authentication”. ”

    Would I be able to use this method (ipa-client-install) on the exam? Does anyone have any experience with this method?

    • Lisenet says:

      To use ipa-client-install, you need to know the Kerberos admin password, otherwise you cannot join the domain.

      If you get the password during the exam then you are free to use it, but otherwise you need to know another way of getting this to work.

  59. rayl says:

    vi /etc/nslcd.conf
    tls_reqcert allow // cannot getent after reboot without this

  60. tadas says:

    Very informative page, however: why scp certificate? why not using authconfig –ldaploadcacert –update?
    Thanks for your help.

    • CertDepot says:

      You need to get the certificate one way or another.
      Concerning the authconfig command, RedHat writes it’s deprecated in its official documentation but you can perfectly use it and it’s pretty convenient.

  61. vijaykumarmaua says:

    Hi Certdepot,

    I have followed the all step provided by you to configure LDAP server and Client.

    I am not getting any output while typing the below command on LDAP client.

    getent passwd ldapuser02

    While checking the log on LDAP server following information showing.

    Sep 4 05:15:11 instructor slapd[1746]: conn=1088 op=126 SRCH base=”dc=example,dc=com” scope=2 deref=0 filter=”(&(objectClass=posixAccount)(uid=ldapuser02))”
    Sep 4 05:15:11 instructor slapd[1746]: conn=1088 op=126 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
    Sep 4 05:15:11 instructor slapd[1746]: conn=1088 op=126 SEARCH RESULT tag=101 err=0 nentries=0 text=

    Please help me on this.

    • CertDepot says:

      The tutorial has been tested with 7.0, 7.1 and 7.2 (RHEL/CentOS).
      If you get prepared for the RHCSA exam, you should use one of these minor versions (preferably 7.0 or 7.1).
      This tutorial has been used and tested by hundreds of people for 4 years with success and almost no correction.
      I don’t see any particular reason to test it again with a more recent OS version.

      • vijaykumarmaua says:

        Thanks you very much for your assistance.

        I will try to configure the same in RHEL 7.2. I have two questions, please assist on this.

        May I used the fdisk command to create partition during RHCSA exam for LVM and Disk related activities. Will there be any impact on my marks, if I use the fdisk command.

        Will it be fine to do the practice on CentOS 7.2 and go for RHCSA and RHCE exams.

        Thanks for your support.

        • CertDepot says:

          The use of the fdisk command is perfectly fine. At the end of the day, it’s the result of the command execution that counts, not what command you use.
          Concerning the minor version to use, I advise you to use RHEL/CentOS 7.0 or 7.1 because they are the versions that are mainly seen during the RHCSA exam.
          Concerning the RHCE exam, the choice is even stricter, use only the RHEL/CentOS 7.0: RedHat recently advertised that the exam uses this version and only this version.

          • vijaykumarmaua says:

            Hi Certdepot,

            I followed the instruction given you on the LDAP client tutorial and setup the ldap server and ldap client on CentOS Linux release 7.2.1511 (Core).

            However while on ldap client running below command was not giving any output.

            getent passwd ldapuser02

            Error was showing ldapserver:

            Sep 5 08:32:32 instructor slapd[21417]: conn=1063 fd=21 closed
            Sep 5 08:32:33 instructor slapd[21417]: conn=1064 fd=21 ACCEPT from IP= (IP=
            Sep 5 08:32:33 instructor slapd[21417]: conn=1064 op=0 EXT oid=
            Sep 5 08:32:33 instructor slapd[21417]: conn=1064 op=0 STARTTLS
            Sep 5 08:32:33 instructor slapd[21417]: conn=1064 op=0 RESULT oid= err=52 text=Could not initialize TLS
            Sep 5 08:32:33 instructor slapd[21417]: conn=1064 op=1 UNBIND
            Sep 5 08:32:33 instructor slapd[21417]: conn=1064 fd=21 closed

            Error was showing on ldapclient:

            Sep 5 11:28:31 localhost nslcd[1043]: [7b23c6] ldap_start_tls_s() failed (uri=ldap://instructor.example.com/): Can’t contact LDAP server: Transport endpoint is not connected
            Sep 5 11:28:31 localhost nslcd[1043]: [7b23c6] failed to bind to LDAP server ldap://instructor.example.com/: Can’t contact LDAP server: Transport endpoint is not connected
            Sep 5 11:28:31 localhost nslcd[1043]: [7b23c6] no available LDAP server found, sleeping 1 seconds

            As soon as I completely disabled the SELinux on ldapclient server, the issue got resolved and getent passwd ldapuser02 was giving below output.


            Please find the below official document where it is mention, they resolved the issue by disabling the SELinux.


            I am very concerned how I will solve this question in RHCSA exam, please help me on this.

          • Lisenet says:

            The error message suggest that you have problems with TLS. Have you configured the certificate?

            The Red Hat article that you referenced uses LDAPS. Your logs suggest that you use LDAP. Try switching from LDAP to LDAPS and see if you get different results with SSL.

            Rather than disabling SELinux, set it to permissive mode and track the problem down so that you know how to solve it. Use sealert.

          • vijaykumarmaua says:

            Hi Certdepot/

            I again followed the step given by you to configure ldap server and ldap clinet, while running the below command on ldap client.

            getent passwd ldapuser01

            The below error was coming.

            Sep 18 08:00:01 server3 nslcd[1817]: [9cf92e] ldap_start_tls_s() failed (uri=ldap://instructor.example.com/): Connect error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)
            Sep 18 08:00:01 server3 nslcd[1817]: [9cf92e] failed to bind to LDAP server ldap://instructor.example.com/: Connect error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)
            Sep 18 08:00:01 server3 nslcd[1817]: [9cf92e] no available LDAP server found: Connect error
            Sep 18 08:00:01 server3 nslcd[1817]: [9cf92e] no available LDAP server found: Server is unavailable

            To resolve this issue, I configured OpenLDAP with SSL on CentOS 7 / RHEL 7 using the step by step instruction given at below link.


            I am not understanding why, I am not able to configure ldap client using your method and the step given at above link is very vas.

            There step is very big gen at https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html

            Please help me on this.

          • vijaykumarmaua says:

            Hi Certdepot,

            I will request you to please bear with me, I can see the different between the ldap client configuration of your method and the method given at below link.


            The above link method for ldap client configuration.

            authconfig –enableldap –enableldapauth –ldapserver=ldaps://instructor.example.com –ldapbasedn=”dc=example,dc=com” –enablemkhomedir –disableldaptls –update

            vi /etc/nslcd.conf

            tls_reqcert allow

            systemctl restart nslcd

            2.Your method for ldap client configuration.

            authconfig –enableldap –enableldapauth –ldapserver=”instructor.example.com” –ldapbasedn=”dc=example,dc=com” –update


            As soon as i am adding the below changes in your command and /etc/nslcd.conf file

            –ldapserver=”ldaps://instructor.example.com” and –enablemkhomedir –disableldaptls

            Adding below line in /etc/nslcd.conf

            tls_reqcert allow

            I can see the details of getent passwd ldapuser02 command, the SELinux is in enforcing mode on LDAP client.


            As per the instruction given at following link https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html, below changes has been made to LDAP server.

            1.Self-Signed Certificate
            2.Custom CA-Signed Certificate
            3.Configure OpenLDAP to listen over SSL

            vi /etc/sysconfig/slapd

            SLAPD_URLS=”ldapi:/// ldap:/// ldaps:///”

            systemctl restart slapd

            My concern is here, if I receive such error in exam, I will not getting access of LDAP server to make the above changed in LDAP server.

            Kindly help me on this.

Leave a Reply

Upcoming Events (Local Time)

There are no events.

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create an EXT4 file system mounted by UUID in /etc/fstab under /vol based on a logical volume of 28 logical extents.

RHCE7: Task of the day

Allowed time: 10 minutes.
Configure a httpd server that executes a Perl script in the /var/www/cgi-bin directory displaying "Hello!".

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...