RHEL7: Configure a system to use an existing LDAP directory service for user and group information.


Note: This is an RHCSA 7 exam objective.

LDAP Server Configuration

In order to test an LDAP client configuration, you will need to configure an LDAP directory service.
The LDAP server is called instructor.example.com in this procedure.

LDAP Client Configuration

As authconfig-tui is deprecated, there are two options for configuring the LDAP client side: nslcd and sssd.
This tutorial uses the nslcd option; see the authconfig tutorial for the sssd option.

Install the following packages:

# yum install -y openldap-clients nss-pam-ldapd

Note: Sander van Vugt advises installing the Directory Client package group: # yum group install "Directory Client"

Then, type:

# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --update

Note1: Depending on your requirements, you may need to add the --enablemkhomedir option after installing the oddjob-mkhomedir package. This option creates a local home directory for the user at first login if none exists.
Note2: Type # authconfig --help | grep ldap to recall the LDAP-related options.

Put the LDAP server certificate into the /etc/openldap/cacerts directory:

# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

Apply the correct SELinux context to the certificate:

# restorecon /etc/openldap/cacerts/cert.pem

Activate the TLS option:

# authconfig --enableldaptls --update

Test the configuration:

# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash

NFS Server Configuration

To get the home directory mounted, you need to configure an NFS server.
The NFS server is called instructor.example.com in this procedure.
Note: The LDAP server and the NFS server don't need to be on the same machine; it is just easier.

Automounter Client Configuration

Install the following packages:

# yum install -y autofs nfs-utils

Create a new indirect map file, /etc/auto.guests, containing the following line:

* -rw,nfs4 instructor.example.com:/home/guests/&

Add the following line at the beginning of the /etc/auto.master file:

/home/guests /etc/auto.guests

Start the Automounter daemon and enable it at boot:

# systemctl enable autofs && systemctl start autofs

Test the configuration:

# su - ldapuser02
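As an added example (not part of the CertDepot tutorial), the POSIX shell script below checks offline, against constructed sample files, the two things the LDAP client and automounter procedures above set up: that the resulting nslcd.conf carries STARTTLS plus a CA location, and how the auto.master entry and the indirect map's `*`/`&` wildcard resolve the home directory returned by getent to its NFS source. The sample file contents, the getent line and the helper names are assumptions; the map entry's option string is passed through unchanged.

```shell
#!/bin/sh
# Added example, not from the original page. All file contents are CONSTRUCTED
# samples; nslcd.conf key names (uri, base, ssl, tls_cacertdir) are the real ones
# authconfig writes, the values mirror the tutorial.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# /etc/nslcd.conf as written after --enableldap --enableldapauth --enableldaptls
cat > "$WORK/nslcd.conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://instructor.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
EOF

# Same file before --enableldaptls: passwords would cross the wire in clear.
grep -v -e '^ssl ' -e '^tls_' "$WORK/nslcd.conf" > "$WORK/nslcd-notls.conf"

# STARTTLS enabled but no CA directory/file: the peer certificate cannot be validated.
printf 'uri ldap://instructor.example.com/\nbase dc=example,dc=com\nssl start_tls\n' \
    > "$WORK/nslcd-noca.conf"

# auto.master entry and the indirect map from the tutorial (map path points into $WORK)
cat > "$WORK/auto.master" <<EOF
/home/guests $WORK/auto.guests
EOF
cat > "$WORK/auto.guests" <<'EOF'
# key   options    location
*   -rw,nfs4   instructor.example.com:/home/guests/&
EOF

# The getent passwd line the tutorial expects on a working client (constructed).
GETENT_LINE='ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash'

# nslcd_tls_state FILE: "tls" when STARTTLS or ldaps:// plus a CA location are set,
# "tls-no-ca" when encrypted but no CA is configured, "cleartext" otherwise.
nslcd_tls_state() {
    uri=$(awk '$1=="uri"{print $2; exit}' "$1")
    ssl=$(awk '$1=="ssl"{print $2; exit}' "$1")
    ca=$(awk '$1=="tls_cacertdir"||$1=="tls_cacertfile"{print $2; exit}' "$1")
    encrypted=no
    case "$ssl" in start_tls|on) encrypted=yes ;; esac
    case "$uri" in ldaps://*) encrypted=yes ;; esac
    if [ "$encrypted" = no ]; then
        echo cleartext
    elif [ -z "$ca" ]; then
        echo tls-no-ca
    else
        echo tls
    fi
}

# automount_resolve MASTER PATH: expand the indirect map entry autofs would use for
# PATH ("*" matches any key, "&" is replaced by that key); prints "OPTIONS LOCATION",
# returns 1 when no mount point in MASTER covers PATH.
automount_resolve() {
    master=$1; path=$2
    while read -r mnt map rest; do
        case "$mnt" in ''|'#'*|'+'*) continue ;; esac
        case "$path" in "$mnt"/*) ;; *) continue ;; esac
        key=${path#"$mnt"/}; key=${key%%/*}      # first component below the mount point
        while read -r mkey f2 f3; do
            case "$mkey" in ''|'#'*) continue ;; esac
            # the options field is optional; when present it starts with "-"
            case "$f2" in -*) opts=${f2#-}; loc=$f3 ;; *) opts=''; loc=$f2 ;; esac
            if [ "$mkey" = '*' ] || [ "$mkey" = "$key" ]; then
                printf '%s %s\n' "${opts:-defaults}" "$(printf '%s' "$loc" | sed "s|&|$key|g")"
                return 0
            fi
        done < "$map"
    done < "$master"
    return 1
}

# user_home_mount GETENT_LINE MASTER: NFS source of the user's home directory,
# or "not-automounted" when no map covers it (a local home would be expected).
user_home_mount() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    automount_resolve "$2" "$home" || echo not-automounted
}

# Stand-alone run: print the verdicts for the constructed samples.
nslcd_tls_state "$WORK/nslcd.conf"
nslcd_tls_state "$WORK/nslcd-notls.conf"
nslcd_tls_state "$WORK/nslcd-noca.conf"
user_home_mount "$GETENT_LINE" "$WORK/auto.master"
```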

Additional Resources

Ralph Nyberg offers an interesting video about configuring LDAP authentication (20min/2015).
The ForumSystems website provides a free online LDAP test server.



198 Comments on "RHEL7: Configure a system to use an existing LDAP directory service for user and group information."

Shikaz
Member
Shikaz

Although I passed the RHCSA 7, I could not configure the ldap client at that time; I did everything but it was not working. Do you think it can be the firewall, do I need to open a port in the client, or add a service to the firewall?

deepbluebg
Member
deepbluebg

Great site, a lot to learn, and works perfectly.
Just curious – do we have to setup directory service at the exam, or just the client-side with already existing LDAP directory ? It’s one thing to configure cert and client-side, another to remember the changes/base.ldif config 🙂

deepbluebg
Member
deepbluebg

Just passed my RHCSA today, thank you for this great site ! And keep up the good work 😉

AlexWall
Member
AlexWall

very helpful site indeed. just wondered – no mention of the system-config-authentication gui tool here. can be install using yum authconfig-gtk*

thanks
alex

timlee
Member
timlee

Are we required to remember the package names during installation or is it provided for the RHCSA exam?

vivek
Member
vivek

“Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked”

How to do this step. Could you detail me this one please?

timlee
Member
timlee

Got this error after automount, please help.

[root@rhel7-testServer ~]# su - ldapuser02
su: warning: cannot change directory to /home/guests/ldapuser02: No such file or directory
mkdir: cannot create directory ‘/home/guests/ldapuser02’: Permission denied

timlee
Member
timlee

Will I still be able to use the “authconfig-tui” command in RHCSA exam since you mentioned that this is deprecated in another post?

cj
Member
cj
Hi. Whenever I tried to login with ldapuser in automounted file system, it won't take me to user's home directory. Below is the message I am getting.
[root@rhelserver ~]# su - ldapuser6
Creating home directory for ldapuser6.
Last login: Sat Dec 12 00:13:19 EST 2015 on pts/0
su: warning: cannot change directory to /homeldap/ldapuser6: No such file or directory
-bash-4.2$
Please find my nfs and auto mount configuration:
[root@rhelserver ~]# cat /etc/exports
/data *(rw,no_root_squash)
[root@rhelserver ~]# showmount -e rhelserver
Export list for rhelserver:
/data *
[root@rhelserver ~]# grep -v "^#" /etc/auto.master
/misc /etc/auto.misc
/homeldap… Read more »
alamahant
Member
alamahant

Also when SUing in as a remote ldapuser somehow you must be chrooted in the users home dir…This doesnt happen automatically…Any Ideas ? 🙂

romio
Member
romio
Thanks CertDepot for a great website. I have followed this line by line and was able to set up client side without a problem. The only question I have is what do you mean by “Put the LDAP server certificate into the /etc/openldap/cacerts directory when asked” will it be some kind of text that we need to put in a file and leave it in this dir /etc/openldap/cacerts? My client side is running well without this step. How important this step is? I am using Ghori’s book and unfortunately he doesn’t go over this part or LDAP in general in… Read more »
bajeradai
Member
bajeradai

I really like this site.
How would you set host name: station.domain.example.com?
I’m really confused. My IP address is 172.24.11.10.
# hostnamectl set-hostname station.domain11.example.com OR
# hostnamectl set-hostname station11.domain.example.com?

bajeradai
Member
bajeradai

No you did not. Please answer this question. I’m still not getting right answer from anybody. How do you set the following host name:
station.server.certdepot.com? Where, your ip is 192.168.1.2.
I’m hoping you will answer it.

bajeradai
Member
bajeradai

Thanks.

bajeradai
Member
bajeradai

Which one method is best for exam?

ivallejo
Member
ivallejo

When I run the command on the LDAP client, I get nothing.

getent passwd ldapuser02

When I run the command on the LDAP server, I get this:

ldapuser02:x:1002:1002::/home/guests/ldapuser02:/bin/bash

I presume that my LDAP client configuration must be wrong somehow, but can you point me in the right direction or offer any advice?

ivallejo
Member
ivallejo

Update: found out that when I disable TLS in authconfig-tui, the LDAP client can connect just fine!

With TLS enabled, this is what’s logged in /var/log/messages on the LDAP client:

nslcd[3564]: [3c9869] failed to bind to LDAP server ldap://10.213.51.12:/ Connect error: TLS error -8172:Peer’s certificate issuer has been marked as not trusted by the user.

Jaz
Member
Jaz

Why we cannot rely on authconfig-gtk during exam? Do we get negative marking for using GUI tool

Jaz
Member
Jaz

Also, I would like to know if LDAP is still part of RHCSA objectives? and does any questions comes related to setting up ldap client side in exam? Thanks

Jaz
Member
Jaz
I was watching Sander van Vugt tutorial video RHCSA (RHEL7). This is how he started for client configuration:
# yum install authconfig-gtk -y
# yum install nscd nss-pam-ldapd pam_ldap -y
He said "I would recommend to use authconfig-gtk (GUI) in exam because it's easy to use and it's not easy if you use text interface". I have couple of questions here:
1) why he didn't ask us to install openldap-clients as you did?
2) why you didn't mention to install nscd and pam_ldap?
3) How can I setup DNS server on my local network for creating ldap server. I don't… Read more »
Jaz
Member
Jaz

Another question,
Why didn’t you create an export file /etc/exports and insert the following lines

/data -rw *(rw,no_root,squash)

after creating /data directory with files in it?

Also, I didn’t see you mentioning

# systemctl start nfs

Thank you

redsu
Member
redsu

Hi Jaz, apologise for stepping in.

The /data -rw *(rw,no_root_squash) is for setting up the nfs on the server and not the client. You can for testing purposes use this to setup on the client if you are working on the same box.

You do not need to re-start the nfs as the autofs is only for the client connecting to the remote nfs/ldap server.

Hope this helps.

redhat0329
Member
redhat0329

Hi CertDepot,

On LDAP client configuration is it okay if i can use ip address instead of instructor.example.com while copying the certificate? please see below. The ip address is the ip of my ldap server. Thanks

# scp root@192.168.199.136:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

redhat0329
Member
redhat0329

Hi CertDepot,

When adding the tls certificate the name must be exactly cert.pem or any name or as long as it is under the directory /etc/openldap/cacerts ?

kevbuntu
Member
kevbuntu

I have installed a couple of VMs on a virtual box to act as a client and a server. The server side seems to work fine and returns the user info on ldapsearch. I follow the client side procedure as above and when I do getent passwd ldapuser1 simply nothing happens. Could anyone tell me how to debug this, none of the steps returned with a complaint.

kevbuntu
Member
kevbuntu

It was the firewall setting, I did not implement it because I thought being on virtual machine it is not set. My bad

kevbuntu
Member
kevbuntu

This problem is resolved, it was due to firewall, and I commented it here but my comment is gone

kevbuntu
Member
kevbuntu
I set up the server and client and even loaded up a .ldif file where I could get a user by using getent passwd “user”. So I decided to try again. Let the server and client centos 7 machine on the VM and created another VM client for Centos 7. Followed the instructions to the end of “authconfig –enableldaptls –update”. But when I do getent passwd “user” I get nothing back. No idea what I did right on the first client! I have done nothing for NFS or mounting on the client side as I am only interested to get… Read more »
mike92
Member
mike92

Hello Sir,
I did all the commands and installations, until I encounter this part upon entering the command:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

It says
etc/openldap/cacerts/cert.pem: No such file or directory

Did I miss something?

kevbuntu
Member
kevbuntu
Hi CertDepot, Every time I ask a question I end up finding an answer to it, maybe I get lucky again. I used this link below to create a LDAP replication and works mostly except when I try to use getent passwd userid. The link is: http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5 I can do ldapsearch from the clients and get the result even when I switch off the Master or better know as provider VM machine, but getent passwd “userid” only works if the Master is running. In the past I had to get the getent passwd working using this config: # authconfig –enableforcelegacy… Read more »
scryptkiddy
Member
scryptkiddy
I’ve been reading everyone’s comments and CertDepot’s as well. It seems “moving target” and such is the problem, but I have a different issue that no one seems to be talking about. A test LDAP server. I realize the ForumSystems website is listed under Additional Resources. However, it doesn’t seem to have / provide a certificate for testing LDAP authentication in the secure manner in which we have to know for RHCSA. Correct me if I’m wrong. So is there a free LDAP online test server that also provides a certificate for testing? If not, I have a Win 2008… Read more »
phil_guy412
Member
phil_guy412

Instead of using the SCP command to download the TLS Certificate could i just navigate into the /etc/openldap/cacert directory and use the WGET command instead?

Such as wget TLS_CERTIFICATE_URL_LINK

kevbuntu
Member
kevbuntu
Hi CertDepot, I have managed to setup a server client openldap on centos 7 minimum and add a user 'newuser01'. I can retrieve data using ldaps:/// but getent -s sss passwd does not work on the client. This is the authconfig command that I ran:
authconfig \
--disablesmartcard \
--disablefingerprint \
--enablesssd \
--enablesssdauth \
--enablelocauthorize \
--disablemd5 \
--passalgo=sha512 \
--enablepamaccess \
--enableldap \
--enableldapauth \
--disableldaptls \
--ldapserver=ldaps://ldap.yourdomain.tld:636 \
--ldapbasedn=dc=domain,dc=tld \
--enablemkhomedir \
--disablecachecreds \
--disablekrb5 \
--disablekrb5kdcdns \
--disablekrb5realmdns \
--krb5kdc=" #" \
--updateall
and this is what is inside my /etc/sssd/sssd.conf, nsswitch is auto configured and… Read more »
smrbukhari
Member
smrbukhari

Hello CertDepot,

First of all really appreciate your website and the effort you put in keep it running!

I configured LDAP client with autofs as you mentioned above but noticed that the shell prompt is different for ldapuser01(-bash-4.2$) and ldapuser02(ldapuser02@localhost~$) and wondering may be you could help me figure out why is that?

I do notice ownership is still root for /home/guests/ldapuser01:

drwx——. ldapuser02 ldapuser02 system_u:object_r:nfs_t:s0 /home/guests/ldapuser02
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 /home/guests/ldapuser01
uid=1002(ldapuser02) gid=1002(ldapuser02) groups=1002(ldapuser02) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[\u@\h \W]\$ (this is output of echo $PS1, it shows \s-\v\$ for ldapuser01)

lakhilove
Member
lakhilove

I have one issue, to download the cert if link is (I got troubled) when downloading certificate from

ftp://server1.example.com/openldap/cert.crt

I tried every think: wget, ftp (with anonomyous/password), sftp, scp root@, scp ldapuser1@… but wget couldn’t find the file, other thinks (ftp,scp etc) I was stuck with password

Any help will be appreciated, I couldn’t finish LDAP Client question

thegeekaid
Member
thegeekaid

Seem permission issue or Maybe its selinux issue, set it to permissive and see if its work,

Ahmad
Member
Ahmad
Hi, while configuring autofs to automount the home directories of the LDAP server, do we need to do the following actions:
1- vim /etc/sysconfig/autofs and then un-comment the below line: MASTER_MAP_NAME
2- Do we have to install nfs-utils
3- what is the meaning of & and * on the below line: * -rw,nfs4 instructor.example.com:/home/guests/&
4- Do we have to add nfs4 in the same above line ?
5- How to test the configuration (df -hT in the client and see if there is anything mounted when we cd to the home directory of the user or the shared point)
Thanks a lot… Read more »
Ahmad
Member
Ahmad

Hi Certdepot ,

When configuring LDAP and autofs, in the exam:

Do we need to add the below lines into /etc/pam.d/sshd

auth sufficient pam_ldap.so
auth sufficient pam_permit.so

Many thanks for your help again.

ylemouel
Member
ylemouel

Hello,
Do we also need to know how to join an Active Directory and IPA server?

thegeekaid
Member
thegeekaid

Hi CertDepot, great step by step guide, it works like a charm, one question though, about the SELinux restorecon step, what is the fcontext suppose to became? Because mine did not change at all.

scruff
Member
scruff

Hi,
Stucked on
getent passwd ldapuser02

There is nothing in result. Is there any Ideas?

shiko
Member
shiko

Please I need to know what is the context type that should apply with semanage fcontext on the /home/guests directory

Lisenet
Member

I have the following if it helps:

# ls -dZ /home/guests/
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/guests/

scruff
Member
scruff

Hi there!
What kind of answer should I get for “su – ldapuser02” command. Currently I got : /home/ldapuser02 cannot be find (something like this). Any ideas, gentlemen?

Lisenet
Member

Does the home directory exist? If it doesn't, then you know why you get the warning – it's expected.

scruff
Member
scruff

The directory /home/guests/ldapuser02 does not exist. I'm trying to manually create the directory, but I got an error: Permission denied. Hope for your answer…

scruff
Member
scruff

I figured out the "permissions" error. Now it seems that I'm able to login under ldapuser02 – I have a clean bash session "-bash-4.2$". Does this mean that the LDAP topic is correctly solved?

Lisenet
Member

If you are able to log into the system with an LDAP user, then you know the LDAP auth works. I think that’s all there is to it from a client’s perspective.

scruff
Member
scruff

I read all LDAP previous topics, and found that bug “cannot change directory to /home/guests/ldapuser02 no such file or directory” is unsolved yet. Although the directory /home/guests/ldapuser02 exists in my lab and the owner is ldapuser02 the bug is still there. Did somebody solve this issue?

Sam
Member
Sam

Check or disable the selinux settings for testing.
I suspect your problem is with the NFS setting. Check the services on both vm’s and the firewall settings! And also take note of the version of the os your are using.

scruff
Member
scruff

SElinux and firewall should not be disabled during exam. But for test purposes I disabled both with no luck. "--enablemkhomedir" key is enough to resolve "permission" issues

Sam
Member
Sam

You are perfectly right. Unless asked under no circumstances are the SElinux and firewall to be disabled during the exam.

This should only be done for testing conditions only, and even then in a safe working environment (off network or behind a SECURE firewall).

Lisenet
Member

That’s not a bug, it’s misconfiguration on your servers.

I have it all working, therefore I’m 100% confident it’s something at your end. Feel free to take a look at my config: https://www.lisenet.com/2016/freeipa-server-on-rhel-7-centos-7/

Lisenet
Member
scruff
Member
scruff

Thank you, Lisenet. I appreciate your help.

scruff
Member
scruff

Just watched the video from Ralph Nyberg. He advised to put "--enablemkhomedir" into authconfig. So I summarized bunch of arguments into one set:
authconfig --enableforcelegacy --enableldap --enableldapauth --ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --enableldaptls --enablemkhomedir --update
Have no idea how I missed it)))))

scruff
Member
scruff

Another issue which caused the "cannot create directory /home/guests/ldapuser02 no such file or directory" problem is the string MASTER_MAP_NAME="yes" in /etc/sysconfig/autofs config file which is missing by default. Dear Certdepot, would you be so kind to put it into the tutorial?

peter.parker.1912
Member
peter.parker.1912

Would it be a problem if we --enablelts when we are enabling everything else and adding the ldapserver and basedn?

ispada
Member
ispada

When I set this * -rw,nfs4 instructor.example.com:/home/guests/& on my /etc/auto.guests didn’t work. I had to change it to * -fstype=nfs4,rw instructor.example.com:/home/guests/&

Could you please confirm?

benny
Member
benny

Hi, can I use realmd to configure instead of using authconfig?

benny
Member
benny

Hi,

I managed to do the ldap client SSO, but wondering the section about “Automounter Client Configuration”. Actually, what does this section do?

hallo
Member
hallo

So does the forumsys LDAP server work with nslcd? I tried to setup an LDAP server on a raspberry pi but it was hell and I didn’t manage to figure it out.

hallo
Member
hallo

The authconfig -h | grep ldap is an extremely useful tip, thanks.

To neaten/shorted things, I want to add that it’s possible to do this, for the cacert part, on RHEL 7.3:
authconfig --ldaploadcacert="file:///cert.pem" --enableldaptls --update
It adds it to the correct place, and changes the SElinux permissions to be correct – running restorecon doesn’t change a thing

I’ve gone over this a few times now, using LVM snapshots to rollback and repeat, as I usually do.

shireeshk
Member
shireeshk

scp root@instructor.example.com:/etc/openldap/certs/cert.pem
/etc/openldap/cacerts/cert.pem

Do we get ldap server root credentials for the above step during exam?

can someone point how do we get the cert.pem file?

Lisenet
Member

As CertDepot said, you won’t get root credentials, but a way for retrieving the certificate will be provided.

mickey999
Member
mickey999
Howdy, everyone! I’m happy ! I lost my minds with this exam so …I’m happy! Failed it 3 times by now but …here’s what I did in the past 4 months regarding this… The article posted here is very useful indeed. It’s been a while since I’ve been reading this very good article plus everyone’s posts and comments plus the article about the automount on this website. However I failed my RHCSA7 exam …yeah . Not once but three times now. Following the indications on this website I managed at home to replicate as close to the exam as possible… Read more »
Lisenet
Member

I know what you’re talking about, and yes, sealert is the answer.

mickey999
Member
mickey999
Update of what I have managed to do at home : I tried to replicate as closer as I could my problem encountered at the exam described in my preview post so for that first I had to modify a little bit the LDAP server part ( took me 5 minutes tops to do it thanks again for the notes in the article about configuring an LDAP server!) So instead of exporting /home/guests I made my LDAP server export /rhost. Very easy to do if someone reads carefully the last part in your article regarding how to configure the LDAP… Read more »
hunter86_bg
Member

Are you sure that the packages used during the exam are the same version like the packages at home ?

mickey999
Member
mickey999
Well… I don't know. I can't remember the version of the packages used by the machine served me at the exam. At one point I was suspecting that the kernel version and SELinux packages were not working together as they were supposed to. Later I managed (at home) to use the same kernels they served me at the exam (3.10.0-123 and 3.10.0.123-1.2.) and … without doing absolutely nothing different from what I was doing at the exam it just worked! So, at this point I'm gonna go back probably next week and pay $400 just to look into /var/log/audit/audit.log. If the… Read more »
hunter86_bg
Member

I’m seeing strange behaviour all the time while I’m preparing. I’m pretty convinced I’m hitting bugs, but this is the way. I’m not sure if they will or won’t let you pass without the ldap stuff.
I’m just suspecting that everything concerning security (selinux,firewalling,ldap) is considered more important and would decrease the score more than another task. This is pure speculation, and I have no idea how they evaluate this at all.

Lisenet
Member

Security settings are important, but don’t take higher priority than services which need to be configured. Imagine yourself as a customer, who hired you to deploy the exam system. You can tune SELinux and restrict firewalld access, but if the service isn’t running or isn’t accessible, such system is basically useless. From a customer perspective, it’s much more important to get the service up and running, than to worry whether SELinux labels are correct etc. Get the idea?

hunter86_bg
Member

Hm… Looking it at this angle – yes this is a major problem (if the service is not running at all).
Thanks for raising this. I’ll update once I pass/fail my RHCE in friday.

mickey999
Member
mickey999
Oh, one more thing, I know for sure that the following packages are mandatory for autofs-LDAP stuff: authconfig, autofs, nfs-utils, openldap, openldap-clients, nss-pam-ldapd, policycoreutils-*, setroubleshoot-server. So make sure you have all the above packages (I checked them and during the exam they are already there!) Then of course create the necessary files for autofs to work (/etc/auto.whatever and edit it accordingly), tell the automounter where to mount stuff as described in /etc/auto/whatever. Then enable the necessary booleans (the one referring to use_nfs_home_dirs and autconfig_use_nsswitc one ), then apply the correct label (slapd_cert_t) on /etc/openldap/cacerts after importing the certificate into the… Read more »
hunter86_bg
Member

1. I’ve never relabeled the “/etc/openldap/cacert” content and it always works.
2.”authconfig” is installed even in minimal install, am I wrong???

As you can see in my next post I had some issues with 7.0 and pure ldap authentication. If I choose the nss-pam-ldapd method – sometimes “nslcd” daemon refuses connection (a reboot should fix it), while the sssd -> causes the unknown group for gid xxxxxxx.
Have you tried the GUI tool? I think it was “authconfig-gtk”.
And also try the "authconfig --savebackup=" option. Sometimes I have to revert in order to make it work.

mickey999
Member
mickey999
Never relabeled “/etc/openldap/cacert” and works? No way man!!! But again, reading through your comment … I see MYSELF all the time strange behavior when I prepare for test. I spin up same training virtual machine using same ks.cfg file I test with it then I destroy it and I spin another one in a few minutes using exactly the same ks.cfg file and …. as you said … WEIRD behavior on the exactly same server (same packages and kernel-3.10.0-123-1.2 – which I install and make it the default one) For example last night I was trying to replicate the error… Read more »
Lisenet
Member

I second that, never had to relabel the cacerts folder nor its content. Have you tried authconfig-tui? Perhaps you need a different approach.

hunter86_bg
Member

You can use authconfig-tui as Tomas offered. Just when you reach the warning that you need your certificate in “/etc/openldap/cacert” folder – open another terminal and download it. Then return to the first one and confirm and everything should be working as expected.

Lisenet
Member

My point exactly. If I failed the exam, I would use a different approach the next time.

mickey999
Member
mickey999
Thing is … /etc/openldap/cacerts does not exist until either using authconfig command either using authconfig-tui So once I am using the authconfig with the described options, the /etc/openldap/cacerts directory will be created on my client and the certificate will be imported. Trick is that the label of “cacerts” and it’s content will be in this case “etc_t” and I need to relabel as ldapd_cert_t (seems correct, right?). I didn’t use yet authconfig-tui but I am assuming that in order to use it there are some preparations for the client (just assuming!). Probably first you have to create “cacerts directory under… Read more »
Lisenet
Member

You are right, the cacerts folder does not exists, but I don’t see why this is a show stopper for you. Just create it. Did you see this: https://www.lisenet.com/2016/ldap-and-kerberos-client-authentication-on-rhel-7-using-nslcd/ ?

hunter86_bg
Member
Why not use "authconfig-gtk"? As far as I remember the VM for the RHCSA was actually a "Server with GUI". And yes, I have never relabeled the "/etc/openldap/cacert" folder and its contents and my LDAP + kerberos and plain LDAP + LDAP auth are working. I'd recommend you to take a break. My second attempt on RHCSA was 1 year after the first failure. I can only offer you to do this: just start with the LDAP and if it breaks try the "authconfig --restorebackup=/folder/you/made/backup" and try again. If you feel something is wrong, ask the instructor to reset the… Read more »
Lisenet
Member

You can reset the VM yourself, no real need to ask the instructor to do that.

Sam
Member
Sam

My advice, take a step back and look at the problem from another angle. Take a second look at your setup on the host pc (assumed), ie cpu, ram, network, source, do a check disk etc.

mickey999
Member
mickey999
@@ hunter86_bg I don’t remember the exam version of the OS. I’ll let you know soon after I’ll pay them boys a new visit. Thing is I had no problem passing 7 years ago the RHEL5 certification only at that time was NIS+autofs not LDAP+autofs. authconfig-gtk is not available during the exam. You don’t have server with GUI. @@ Sam: On another hand there is not much time left for this certification to be completed successfully. I have a final day to do this and it is coming pretty fast. It’s been more than 7 months since I am preparing… Read more »
hunter86_bg
Member

Strange thing. My RHCSA (Feb 2015) was Server with GUI. I was then preparing for RHEL6 exam when I was notified it will be RHEL7 instead. I’m not aware if there will be “Server with GUI” on the RHCE, but I thought it will be just like my previous experience.

An employer who seeks a job justification … unless they paid for a course and the exam – I will ditch them immediately. In my case – we don’t even use RHEL so much, but it’s worth proving your skills (of course if I pass).

hunter86_bg
Member

@mickey
I have just tested the “x-systemd.automount option” and it’s as good as autofs. My NFS server was not up when my client went online and still I managed to enter my nfs mount point.

Here is an example from a client’s fstab (please note that systemd doesn’t need “_netdev” for cifs,nfs,nfs4 but I’ve added it just to remind me):

_netdev,x-systemd.automount,sec=krb5p
_netdev,x-systemd.automount,sec=ntlmssp,multiuser,credentials=/root/cifs

hunter86_bg
Member

Hi guys, let me share something I found today.

I was doing a sample RHCE exam which required LDAP authentication for a specific user for ssh configuration.
After installing “nss-pam-ldapd openldap-clients” and trying to update my auth setup via authconfig – “nslcd” daemon refused to start up complaining about unknown “uid nslcd” and about unknown “gid ldap”.
To fix it, just run “yum groupinstall directory-client” .
This behaviour was observed on the RHEL 7.0 DVD repo, and I haven't met this in higher versions.

mickey999
Member
mickey999
Guys, what I have done regarding the demands of the exam specifically for the LDAP+TLS+automount side at home was applied also at the exam EXACTLY as I will post the steps and commands here. So keep this in mind when you read this! EXACTLY AS DONE HOME WAS DONE DURING THE EXAM! Here is EXACTLY what I do regarding the issue, knowing that SELinux MUST be active : Before starting I make sure I have all necessary packages installed ( they are there but I check first anyway). yum install autofs nfs-utils authconfig openldap openldap-clients nss-pam-ldapd policycoreutils-* setroubleshoot-server I don’t… Read more »
Lisenet
Member

You are repeating the same steps while expecting to get different results. It’s clear by now that the exam system is somewhat different compared to your home system. I have no way of knowing what’s the difference in particular, but if you tried a different approach, perhaps you would be OK. How about trying authconfig-tui during the exam, or moving from nslcd to sssd? I understand your frustration, but knowing more than one way to achieve the same goal increases your chances of passing the exam. And stop changing SELinux labels, you don’t need that to pass the exam.

scruff
Member
scruff

You may install GUI with "yum groupinstall "GNOME Desktop"" but it will take about 10-15 minutes.

Krypton
Member
Krypton
Hello mickey999, Sorry for the difficulty you are experiencing with this section of the exam. Actually I wrote the exam yesterday and passed with 283 score. I did not have to do most of the things you highlighted. Yes, you can use the GUI. While the VM does not boot to the GUI, because the default is multi-user.target, you can change the target/runlevel. Just run the command below: # systemctl isolate graphical.target -login and install the germane LDAP utilities. You do NOT need to install “GNOME Desktop” it’s just a waste of time. When you reboot and reboot the VM… Read more »
mickey999
Member
mickey999
Howdy! Sure thing I did “touch /.autorelabel” after I changed the root password right at the beginning of the exam otherwise you can’t get into the system. Thing is (maybe you noticed) if you do not complete the very first stage of the exam ( root password and network – I do it right on then one single reboot) you won’t be able to read the rest of the demands of the exam. Once I was done with the first mandatory part I noticed it took about a minute for the system to let me in so I could read… Read more »
scruff
Member
scruff

So why don't you try the "startx" command – it starts Gnome or whatever GUI

mickey999
Member
mickey999

One little trick they might serve you during the exam just to piss you off (sorry if it is not related to ldap but worth noted).

Configure the ntp client!

You might think smiling: “No sweat, I know it! Easy-peasy”
But when you enable the service and then you play with ntpq -p command you see that the client stops after a while, not sync’ing and so on.

Make sure chronyd is disabled and stopped.
Otherwise you go crazy.

You can remove the entire package chronyd if you want but before enabling ntp and starting it make sure chronyd is stopped and disabled!

scruff
Member
scruff

Why should we use ntpd instead of chrony? Chrony may be configured in 1-2 steps very easily.

mickey999
Member
mickey999
Howdy boys! Crap went fine this time, I got the certification but boys … listen up: I couldn’t get chrony sync’ing with the damn server. I’ll be damn if I know why! ha-ha-ha. Anyway, I didn’t bother too much as I knew that without LDAP + TLS + automounter done properly I won’t pass so I concentrate on doing it correctly. As a parenthesis here: I don’t know when the rest of you got the exam passed but if you did it in the past month (April 2017 in some remote USA facility) and claim that you did it without… Read more »
Lisenet
Member

Congrats on passing the exam! Great achievement, I’m glad you finally nailed it.

One thing though, about your statement saying that authconfig-tui is not reliable. I would disagree – I used authconfig-tui during the exam, and I didn’t lose a single point. There are a couple of extra steps required to get it configured, but it does work 100%. Unless you refer to lack of experience using the tool, then I’m not sure on what’s unreliable about it.

Sam
Member
Sam

Congratulations,

scruff
Member
scruff
Hello there! Passed my RHCSA today with very nice scores. According to my result I failed only in AUTOMOUNT task. I revised this task and returned to it after completing all other tasks and spent my rest 20-25 minutes of exam on automount, but no luck!!! Got "permission denied" error, although ldap task was OK and I was able to make "getent passwd ldapuser". At the home lab I could figure out with automount/ldap tasks in 5 minutes even with closed eyes without any errors of "getent passwd ldapuser" and "su – ldapuser". At the task there was a term… Read more »
