RHEL7: Configure a system to use an existing LDAP directory service for user and group information.


Note: This is an RHCSA 7 exam objective.

LDAP Server configuration

In order to test an LDAP client configuration, you first need a working LDAP directory service.
In this procedure the LDAP server is called instructor.example.com.

LDAP Client configuration

As authconfig-tui is deprecated, there are two options left to configure the LDAP client side: nslcd and sssd.
This tutorial uses the nslcd option; see the authconfig tutorial for the sssd option.

Install the following packages:

# yum install -y openldap-clients nss-pam-ldapd

Note: Sander van Vugt advises installing the Directory Client package group instead: # yum group install "Directory Client"

Then, type:

# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --update

Note 1: Depending on your requirements, you may need to add the --enablemkhomedir option after installing the oddjob-mkhomedir package. This option creates a local home directory for the user at first login if none exists.
Note 2: Type # authconfig --help | grep ldap to recall the relevant options.

Put the LDAP server certificate into the /etc/openldap/cacerts directory:

# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

Apply the correct SELinux context to the certificate:

# restorecon /etc/openldap/cacerts/cert.pem

Activate the TLS option:

# authconfig --enableldaptls --update

Test the configuration:

# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
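A successful getent lookup proves the directory answers, not that the answer travelled over TLS. The following shell check is an added example, not part of the original tutorial: it reads the nslcd.conf directives that authconfig writes (uri, ssl, tls_reqcert, tls_cacertdir, as documented in nslcd.conf(5)) and flags a client that talks clear-text LDAP or that has server certificate validation switched off. The two configs it audits are constructed samples; on a real client point audit_nslcd_conf at /etc/nslcd.conf.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an nslcd.conf for TLS enforcement.
# Directive names are those of nslcd.conf(5); the sample configs below are constructed.

# audit_nslcd_conf FILE: print findings; return 0 when TLS is enforced, 1 otherwise.
audit_nslcd_conf() {
    conf="$1"; rc=0
    # Drop comments and blank lines so the lookups see only real directives.
    clean=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    # getdir NAME: value of the last occurrence of a directive (empty if unset).
    getdir() { printf '%s\n' "$clean" | awk -v d="$1" '$1==d {print $2}' | tail -n 1; }
    uri=$(getdir uri); ssl=$(getdir ssl)
    reqcert=$(getdir tls_reqcert); cadir=$(getdir tls_cacertdir)

    # Transport: either an ldaps:// URI or "ssl start_tls" (what --enableldaptls sets).
    case "$uri" in
        ldaps://*) echo "ok: LDAPS transport ($uri)" ;;
        *) if [ "$ssl" = "start_tls" ]; then
               echo "ok: STARTTLS enabled for $uri"
           else
               echo "FAIL: $uri without 'ssl start_tls': lookups and bind passwords cross the network in clear text"
               rc=1
           fi ;;
    esac

    # Certificate checking: never/allow make nslcd accept any server certificate.
    case "$reqcert" in
        never|allow) echo "FAIL: 'tls_reqcert $reqcert' accepts any server certificate"; rc=1 ;;
        "")          echo "note: tls_reqcert not set, nslcd's default applies" ;;
        *)           echo "ok: tls_reqcert $reqcert" ;;
    esac

    # The certificate copied with scp must live in the directory nslcd is told to trust.
    if [ -n "$cadir" ] && [ -d "$cadir" ]; then
        echo "ok: CA certificates are read from $cadir"
    else
        echo "FAIL: tls_cacertdir '${cadir:-unset}' is missing, so the server cert cannot be validated"
        rc=1
    fi
    return $rc
}

# write_demo_conf FILE CACERTDIR good|bad: write a constructed sample config.
write_demo_conf() {
    if [ "$3" = good ]; then
        printf 'uri ldap://instructor.example.com/\nbase dc=example,dc=com\nssl start_tls\ntls_cacertdir %s\n' "$2" > "$1"
    else
        printf 'uri ldap://instructor.example.com/\nbase dc=example,dc=com\ntls_reqcert never\n' > "$1"
    fi
}

tmp=$(mktemp -d)
write_demo_conf "$tmp/good.conf" "$tmp" good
write_demo_conf "$tmp/bad.conf" "$tmp" bad
audit_nslcd_conf "$tmp/good.conf"
audit_nslcd_conf "$tmp/bad.conf" || echo "bad.conf would leave the client exposed"
```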

NFS server configuration

To get the home directory mounted, you need to configure an NFS server.
In this procedure the NFS server is called instructor.example.com.
Note: The LDAP server and the NFS server don't have to be on the same machine; it is only easier.

Automounter Client configuration

Install the following packages:

# yum install -y autofs nfs-utils

Create a new indirect /etc/auto.guests map and paste the following line:

* -rw,nfs4 instructor.example.com:/home/guests/&

Add the following line at the beginning of the /etc/auto.master file:

/home/guests /etc/auto.guests

Start the Automounter daemon and enable it at boot:

# systemctl enable autofs && systemctl start autofs

Test the configuration:

# su - ldapuser02
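To make the map syntax concrete, here is an added example that is not part of the original tutorial: a small resolver that does, in shell, what autofs does with the indirect map above when a user logs in. Given a path such as /home/guests/ldapuser02 it looks the mount point up in auto.master, matches the map key ("*" matches any name, and a literal key wins over it), replaces "&" with the matched key, and prints the equivalent mount command. autofs interprets -fstype= itself (default nfs) and hands the other options to mount; the master and map files are constructed copies of the tutorial's two lines plus one literal entry.

```shell
#!/bin/sh
# Added example (not from the original tutorial): resolve an autofs indirect map entry.

# resolve_automount MASTER PATH: print "mount -t TYPE -o OPTS LOCATION PATH" or return 1.
resolve_automount() {
    master="$1"; path="$2"
    mountpoint=$(dirname "$path"); key=$(basename "$path")
    # auto.master line: "<mount-point> <map-file>"; comments are ignored.
    map=$(sed 's/#.*//' "$master" | awk -v mp="$mountpoint" '$1==mp {print $2}' | tail -n 1)
    [ -n "$map" ] && [ -r "$map" ] || { echo "no map for $mountpoint" >&2; return 1; }
    # Indirect map line: "<key> [-options] <location>"; an exact key beats the "*" wildcard.
    entry=$(sed 's/#.*//' "$map" | awk -v k="$key" '
        $1==k   {exact=$0}
        $1=="*" {wild=$0}
        END {if (exact!="") print exact; else if (wild!="") print wild}')
    [ -n "$entry" ] || { echo "no entry for $key in $map" >&2; return 1; }
    set -f; set -- $entry; set +f      # split fields without letting "*" glob-expand
    shift                              # drop the key
    opts=""; fstype="nfs"              # autofs default filesystem type
    case "$1" in -*) opts="${1#-}"; shift ;; esac
    case "$opts" in
        *fstype=*)                     # -fstype= is consumed by autofs, not passed to mount
            fstype=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^fstype=//p')
            opts=$(printf '%s\n' "$opts" | tr ',' '\n' | grep -v '^fstype=' | tr '\n' ',' | sed 's/,$//')
            ;;
    esac
    location=$(printf '%s\n' "$1" | sed "s/&/$key/g")   # "&" -> matched key
    printf 'mount -t %s -o %s %s %s\n' "$fstype" "$opts" "$location" "$mountpoint/$key"
}

# write_demo_maps DIR: constructed auto.master and auto.guests copying the tutorial's
# lines, plus one literal entry (ldapuser99) to show that it takes precedence over "*".
write_demo_maps() {
    printf '# constructed auto.master\n/home/guests %s/auto.guests\n' "$1" > "$1/auto.master"
    printf '# constructed auto.guests\nldapuser99 -ro,fstype=nfs4 instructor.example.com:/home/archive/&\n* -rw,nfs4 instructor.example.com:/home/guests/&\n' > "$1/auto.guests"
}

d=$(mktemp -d); write_demo_maps "$d"
resolve_automount "$d/auto.master" /home/guests/ldapuser02
resolve_automount "$d/auto.master" /home/guests/ldapuser99
```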

Additional Resources

Ralph Nyberg offers an interesting video about configuring LDAP authentication (20min/2015).
The ForumSystems website provides a free online LDAP test server.



140 Comments on "RHEL7: Configure a system to use an existing LDAP directory service for user and group information."

Shikaz

Although I passed the RHCSA 7, I could not configure the LDAP client at that time. I did everything but it was not working. Do you think it could be a firewall port I need to open on the client, or a service to add to the firewall?

deepbluebg

Great site, a lot to learn, and works perfectly.
Just curious: do we have to set up the directory service at the exam, or just the client side with an already existing LDAP directory? It's one thing to configure the cert and client side, another to remember the changes/base.ldif config 🙂

deepbluebg

Just passed my RHCSA today, thank you for this great site ! And keep up the good work 😉

AlexWall

Very helpful site indeed. Just wondered: no mention of the system-config-authentication GUI tool here. It can be installed using yum authconfig-gtk*

thanks
alex

timlee

Are we required to remember the package names during installation or is it provided for the RHCSA exam?

vivek

"Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked"

How do I do this step? Could you detail this one for me please?

timlee

Got this error after automount, please help.

[root@rhel7-testServer ~]# su - ldapuser02
su: warning: cannot change directory to /home/guests/ldapuser02: No such file or directory
mkdir: cannot create directory '/home/guests/ldapuser02': Permission denied

timlee

Will I still be able to use the “authconfig-tui” command in RHCSA exam since you mentioned that this is deprecated in another post?

cj

Hi, whenever I try to log in with an LDAP user on the automounted file system, it won't take me to the user's home directory. Below is the message I am getting.

[root@rhelserver ~]# su - ldapuser6
Creating home directory for ldapuser6.
Last login: Sat Dec 12 00:13:19 EST 2015 on pts/0
su: warning: cannot change directory to /homeldap/ldapuser6: No such file or directory
-bash-4.2$

Please find my NFS and automount configuration:

[root@rhelserver ~]# cat /etc/exports
/data *(rw,no_root_squash)
[root@rhelserver ~]# showmount -e rhelserver
Export list for rhelserver:
/data *
[root@rhelserver ~]# grep -v "^#" /etc/auto.master
/misc /etc/auto.misc
/homeldap…
alamahant

Also, when su-ing in as a remote LDAP user, somehow you must be chrooted into the user's home dir... This doesn't happen automatically... Any ideas? 🙂

romio

Thanks CertDepot for a great website. I have followed this line by line and was able to set up the client side without a problem. The only question I have is: what do you mean by "Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked"? Will it be some kind of text that we need to put in a file and leave in the /etc/openldap/cacerts directory? My client side is running well without this step. How important is this step? I am using Ghori's book and unfortunately he doesn't go over this part or LDAP in general in…
bajeradai

I really like this site.
How would you set host name: station.domain.example.com?
I’m really confused. My IP address is 172.24.11.10.
# hostnamectl set-hostname station.domain11.example.com OR
# hostnamectl set-hostname station11.domain.example.com?

bajeradai

No you did not. Please answer this question. I’m still not getting right answer from anybody. How do you set the following host name:
station.server.certdepot.com? Where, your ip is 192.168.1.2.
I’m hoping you will answer it.

bajeradai

Thanks.

bajeradai

Which method is best for the exam?

ivallejo

When I run the command on the LDAP client, I get nothing.

getent passwd ldapuser02

When I run the command on the LDAP server, I get this:

ldapuser02:x:1002:1002::/home/guests/ldapuser02:/bin/bash

I presume that my LDAP client configuration must be wrong somehow, but can you point me in the right direction or offer any advice?

ivallejo

Update: found out that when I disable TLS in authconfig-tui, the LDAP client can connect just fine!

With TLS enabled, this is what’s logged in /var/log/messages on the LDAP client:

nslcd[3564]: [3c9869] failed to bind to LDAP server ldap://10.213.51.12:/ Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

Jaz

Why can't we rely on authconfig-gtk during the exam? Do we get negative marking for using a GUI tool?

Jaz

Also, I would like to know if LDAP is still part of the RHCSA objectives, and whether any questions related to setting up the LDAP client side come up in the exam? Thanks

Jaz

I was watching Sander van Vugt's RHCSA (RHEL7) tutorial video. This is how he started the client configuration:

# yum install authconfig-gtk -y
# yum install nscd nss-pam-ldapd pam_ldap -y

He said "I would recommend to use authconfig-gtk (GUI) in exam because it's easy to use and it's not easy if you use text interface". I have a couple of questions here:
1) Why didn't he ask us to install openldap-clients as you did?
2) Why didn't you mention installing nscd and pam_ldap?
3) How can I set up a DNS server on my local network for creating an LDAP server? I don't…
Jaz

Another question,
Why didn’t you create an export file /etc/exports and insert the following lines

/data -rw *(rw,no_root,squash)

after creating /data directory with files in it?

Also, I didn’t see you mentioning

# systemctl start nfs

Thank you

redsu

Hi Jaz, apologise for stepping in.

The /data -rw *(rw,no_root_squash) is for setting up the nfs on the server and not the client. You can for testing purposes use this to setup on the client if you are working on the same box.

You do not need to re-start the nfs as the autofs is only for the client connecting to the remote nfs/ldap server.

Hope this helps.

redhat0329

Hi CertDepot,

On the LDAP client configuration, is it okay if I use the IP address instead of instructor.example.com while copying the certificate? Please see below. The IP address is the IP of my LDAP server. Thanks

# scp root@192.168.199.136:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

redhat0329

Hi CertDepot,

When adding the TLS certificate, must the name be exactly cert.pem, or can it be any name as long as it is under the /etc/openldap/cacerts directory?

kevbuntu

I have installed a couple of VMs in VirtualBox to act as a client and a server. The server side seems to work fine and returns the user info on ldapsearch. I followed the client side procedure as above, and when I do getent passwd ldapuser1 simply nothing happens. Could anyone tell me how to debug this? None of the steps returned with a complaint.

kevbuntu

It was the firewall setting. I did not implement it because I thought that, being on a virtual machine, it was not set. My bad.

kevbuntu

This problem is resolved, it was due to the firewall. I commented that here but my comment is gone.

kevbuntu

I set up the server and client and even loaded a .ldif file, after which I could get a user by using getent passwd "user". So I decided to try again. I left the server and client CentOS 7 machines on the VM host and created another CentOS 7 VM client. Followed the instructions to the end of "authconfig --enableldaptls --update". But when I do getent passwd "user" I get nothing back. No idea what I did right on the first client! I have done nothing for NFS or mounting on the client side as I am only interested to get…
mike92

Hello Sir,
I did all the commands and installations, until I encounter this part upon entering the command:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

It says
etc/openldap/cacerts/cert.pem: No such file or directory

Did I miss something?

kevbuntu

Hi CertDepot, every time I ask a question I end up finding an answer to it, maybe I get lucky again. I used the link below to create an LDAP replication and it works mostly, except when I try to use getent passwd userid. The link is: http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5 I can do ldapsearch from the clients and get the result even when I switch off the Master, better known as the provider VM machine, but getent passwd "userid" only works if the Master is running. In the past I had to get getent passwd working using this config: # authconfig --enableforcelegacy…
scryptkiddy

I've been reading everyone's comments and CertDepot's as well. It seems "moving target" and such is the problem, but I have a different issue that no one seems to be talking about: a test LDAP server. I realize the ForumSystems website is listed under Additional Resources. However, it doesn't seem to have/provide a certificate for testing LDAP authentication in the secure manner which we have to know for the RHCSA. Correct me if I'm wrong. So is there a free LDAP online test server that also provides a certificate for testing? If not, I have a Win 2008…
phil_guy412

Instead of using the scp command to download the TLS certificate, could I just navigate into the /etc/openldap/cacert directory and use the wget command instead?

Such as wget TLS_CERTIFICATE_URL_LINK

kevbuntu

Hi CertDepot, I have managed to set up a server/client OpenLDAP on CentOS 7 minimal and add a user 'newuser01'. I can retrieve data using ldaps:/// but getent -s sss passwd does not work on the client. This is the authconfig command that I ran:

authconfig \
--disablesmartcard \
--disablefingerprint \
--enablesssd \
--enablesssdauth \
--enablelocauthorize \
--disablemd5 \
--passalgo=sha512 \
--enablepamaccess \
--enableldap \
--enableldapauth \
--disableldaptls \
--ldapserver=ldaps://ldap.yourdomain.tld:636 \
--ldapbasedn=dc=domain,dc=tld \
--enablemkhomedir \
--disablecachecreds \
--disablekrb5 \
--disablekrb5kdcdns \
--disablekrb5realmdns \
--krb5kdc=" #" \
--updateall

and this is what is inside my /etc/sssd/sssd.conf; nsswitch is auto configured and…
smrbukhari

Hello CertDepot,

First of all really appreciate your website and the effort you put in keep it running!

I configured the LDAP client with autofs as you mentioned above but noticed that the shell prompt is different for ldapuser01 (-bash-4.2$) and ldapuser02 (ldapuser02@localhost~$). I was wondering whether maybe you could help me figure out why that is?

I do notice ownership is still root for /home/guests/ldapuser01:

drwx------. ldapuser02 ldapuser02 system_u:object_r:nfs_t:s0 /home/guests/ldapuser02
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 /home/guests/ldapuser01
uid=1002(ldapuser02) gid=1002(ldapuser02) groups=1002(ldapuser02) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[\u@\h \W]\$ (this is the output of echo $PS1; it shows \s-\v\$ for ldapuser01)

lakhilove

I have one issue with downloading the cert (I got into trouble) when the certificate link is

ftp://server1.example.com/openldap/cert.crt

I tried everything: wget, ftp (with anonymous/password), sftp, scp root@, scp ldapuser1@... but wget couldn't find the file, and with the other things (ftp, scp etc.) I was stuck at the password.

Any help will be appreciated, I couldn’t finish LDAP Client question

thegeekaid

Seems like a permission issue, or maybe an SELinux issue; set it to permissive and see if it works.

Ahmad

Hi, while configuring autofs to automount the home directories of the LDAP server, do we need to do the following actions:
1. vim /etc/sysconfig/autofs and then uncomment the below line: MASTER_MAP_NAME
2. Do we have to install nfs-utils?
3. What is the meaning of & and * on the below line: * -rw,nfs4 instructor.example.com:/home/guests/&
4. Do we have to add nfs4 in the same above line?
5. How to test the configuration (df -hT on the client and see if there is anything mounted when we cd to the home directory of the user or the shared point)?
Thanks a lot…
Ahmad

Hi Certdepot ,

When configuring LDAP and autofs, in the exam:

Do we need to add the below lines into /etc/pam.d/sshd

auth sufficient pam_ldap.so
auth sufficient pam_permit.so

Many thanks for your help again.

ylemouel

Hello,
Do we also need to know how to join an Active Directory and IPA server?

thegeekaid

Hi CertDepot, great step by step guide, it works like a charm. One question though, about the SELinux restorecon step: what is the fcontext supposed to become? Because mine did not change at all.

scruff

Hi,
Stuck on
getent passwd ldapuser02

There is nothing in the result. Any ideas?

shiko

Please, I need to know which context type should be applied with semanage fcontext on the /home/guests directory.

Lisenet

I have the following if it helps:

# ls -dZ /home/guests/
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/guests/

scruff

Hi there!
What kind of answer should I get for the "su - ldapuser02" command? Currently I get: /home/ldapuser02 cannot be found (something like this). Any ideas, gentlemen?

Lisenet

Does the home directory exist? If it doesn't, then you know why you get the warning: it's expected.

scruff

The directory /home/guests/ldapuser02 does not exist. I'm trying to create the directory manually, but I get an error: Permission denied. Hoping for your answer...

scruff

I figured out the "permissions" error. Now it seems that I'm able to log in as ldapuser02: I have a clean bash session "-bash-4.2$". Does this mean that the LDAP topic is correctly solved?

Lisenet

If you are able to log into the system with an LDAP user, then you know the LDAP auth works. I think that’s all there is to it from a client’s perspective.

scruff

I read all the previous LDAP topics and found that the bug "cannot change directory to /home/guests/ldapuser02: no such file or directory" is unsolved yet. Although the directory /home/guests/ldapuser02 exists in my lab and the owner is ldapuser02, the bug is still there. Did somebody solve this issue?

Sam

Check or disable the selinux settings for testing.
I suspect your problem is with the NFS setting. Check the services on both VMs and the firewall settings! And also take note of the version of the OS you are using.

scruff

SELinux and the firewall should not be disabled during the exam. But for test purposes I disabled both, with no luck. The "--enablemkhomedir" option is enough to resolve the "permission" issues.

Sam

You are perfectly right. Unless asked, under no circumstances are SELinux and the firewall to be disabled during the exam.

This should only be done for testing conditions only, and even then in a safe working environment (off network or behind a SECURE firewall).

Lisenet

That's not a bug, it's a misconfiguration on your servers.

I have it all working, therefore I’m 100% confident it’s something at your end. Feel free to take a look at my config: https://www.lisenet.com/2016/freeipa-server-on-rhel-7-centos-7/

scruff

Thank you, Lisenet. I appreciate your help.

scruff

Just watched the video from Ralph Nyberg. He advised putting "--enablemkhomedir" into authconfig. So I summarized the bunch of arguments into one set:

authconfig --enableforcelegacy --enableldap --enableldapauth --ldapserver="instructor.example.com" --ldapbasedn="dc=example,dc=com" --enableldaptls --enablemkhomedir --update

Have no idea how I missed it)))))

scruff

Another issue which caused the "cannot create directory /home/guests/ldapuser02: no such file or directory" problem is the string MASTER_MAP_NAME="yes" in the /etc/sysconfig/autofs config file, which is missing by default. Dear CertDepot, would you be so kind as to put it into the tutorial?

peter.parker.1912

Would it be a problem if we --enablelts when we are enabling everything else and adding the ldapserver and basedn?
