RHEL7: Configure a system to use an existing LDAP directory service for user and group information.


Note: This is an RHCSA 7 exam objective.

LDAP Server Configuration

In order to test an LDAP client configuration, you first need a working LDAP directory service to point it at.
The LDAP server is called instructor.example.com throughout this procedure.

LDAP Client Configuration

As authconfig-tui is deprecated, there are two available options for configuring the LDAP client side: nslcd and sssd.
This tutorial uses the nslcd option; see the authconfig tutorial for the sssd option.

Install the following packages:

# yum install -y openldap-clients nss-pam-ldapd

Note: Sander van Vugt advises installing the Directory Client package group instead: # yum group install "Directory Client"

Then, type:

# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" \
--ldapbasedn="dc=example,dc=com" --update

Note1: Depending on your requirements, you may need to add the --enablemkhomedir option after installing the oddjob-mkhomedir package. This option creates a local home directory for the user at first login if none exists.
Note2: Type # authconfig --help | grep ldap to recall the available LDAP options.

Put the LDAP server certificate into the /etc/openldap/cacerts directory:

# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
/etc/openldap/cacerts/cert.pem

Apply the correct SELinux context to the certificate:

# restorecon /etc/openldap/cacerts/cert.pem

Activate the TLS option:

# authconfig --enableldaptls --update

Test the configuration:

# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
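To check that the steps above actually landed in /etc/nslcd.conf, here is an added audit script (not part of the original tutorial) that reads an nslcd.conf and flags a missing server URI, base DN, TLS setting or CA directory, as well as a tls_reqcert value that disables certificate checking. It assumes authconfig writes the keys uri, base, ssl and tls_cacertdir, and it runs here on a constructed sample file.

```shell
# Audit an nslcd.conf for the settings the steps above should have produced.
# Assumption: authconfig writes uri/base/ssl/tls_cacertdir keys to /etc/nslcd.conf.
# get_setting FILE KEY: print the value of KEY (first match, '#' comments skipped).
get_setting() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
# audit_nslcd FILE: one line per check; returns 0 only when every check passes.
audit_nslcd() {
    f=$1; rc=0
    uri=$(get_setting "$f" uri);  base=$(get_setting "$f" base)
    ssl=$(get_setting "$f" ssl);  cadir=$(get_setting "$f" tls_cacertdir)
    reqcert=$(get_setting "$f" tls_reqcert)
    case "$uri" in
        ldap://*|ldaps://*) echo "ok   uri $uri" ;;
        *) echo "FAIL uri missing or malformed: '$uri'"; rc=1 ;;
    esac
    [ -n "$base" ] && echo "ok   base $base" || { echo "FAIL base missing"; rc=1; }
    # Without ldaps:// or start_tls, bind passwords cross the network in clear text.
    case "$uri:$ssl" in
        ldaps://*|*:start_tls|*:on) echo "ok   encrypted transport (ssl=${ssl:-n/a})" ;;
        *) echo "FAIL no TLS: run 'authconfig --enableldaptls --update'"; rc=1 ;;
    esac
    [ -n "$cadir" ] && echo "ok   tls_cacertdir $cadir" || { echo "FAIL tls_cacertdir missing"; rc=1; }
    # 'never' and 'allow' skip server certificate verification (MITM risk).
    case "$reqcert" in
        never|allow) echo "FAIL tls_reqcert $reqcert disables certificate checks"; rc=1 ;;
        *) echo "ok   tls_reqcert ${reqcert:-(default)}" ;;
    esac
    return $rc
}
# make_sample FILE MODE: write a constructed nslcd.conf; MODE "tls" mirrors the
# steps above, "plain" is a client that skipped TLS and disabled cert checks.
make_sample() {
    {
        echo "# constructed /etc/nslcd.conf sample"
        echo "uri ldap://instructor.example.com/"
        echo "base dc=example,dc=com"
        if [ "$2" = tls ]; then
            echo "ssl start_tls"; echo "tls_cacertdir /etc/openldap/cacerts"
        else
            echo "tls_reqcert never"
        fi
    } > "$1"
}
# Stand-alone run against the constructed TLS sample (use /etc/nslcd.conf on a client).
tmp=$(mktemp); make_sample "$tmp" tls; audit_nslcd "$tmp"; rm -f "$tmp"
```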

NFS Server Configuration

To get the home directory mounted, you need to configure an NFS server.
The NFS server is called instructor.example.com in this procedure.
Note: The LDAP server and the NFS server do not have to be on the same machine; it is simply easier.

Automounter Client Configuration

Install the following packages:

# yum install -y autofs nfs-utils

Create a new indirect map file /etc/auto.guests containing the following line:

* -rw,nfs4 instructor.example.com:/home/guests/&

Add the following line at the beginning of the /etc/auto.master file:

/home/guests /etc/auto.guests

Start the Automounter daemon and enable it at boot:

# systemctl enable autofs && systemctl start autofs

Test the configuration:

# su - ldapuser02
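As an added example (not from the original tutorial), this script resolves what the automounter would mount for a user from an auto.master entry and an indirect map of the form above, applying the '*' wildcard and '&' substitution rules without touching autofs. The map files are constructed samples; the extra exact-key entry for ldapuser01 is assumed only to show that an exact key takes precedence over the wildcard.

```shell
# Resolve what autofs would mount for a user from a master map and an indirect
# map laid out as above. The map files are constructed here; on a client pass
# /etc/auto.master instead.
# expand_indirect MAPFILE POINT USER: print "mountpoint options location".
# An exact key wins over the '*' wildcard; '&' in the location becomes USER.
expand_indirect() {
    awk -v user="$3" -v point="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == user && !exact { exact = $0 }      # first exact-key entry
        $1 == "*"  && !wild  { wild  = $0 }      # first wildcard entry
        END {
            line = (exact != "") ? exact : wild
            if (line == "") exit 1
            split(line, f, /[[:space:]]+/)
            if (f[2] ~ /^-/) { opts = substr(f[2], 2); loc = f[3] }
            else             { opts = "defaults";      loc = f[2] }
            gsub(/&/, user, loc)
            print point "/" user " " opts " " loc
        }' "$1"
}
# lookup_mount MASTER USER: walk the master map in order and resolve USER
# against the first indirect map file that yields a mount.
lookup_mount() {
    grep -v '^[[:space:]]*#' "$1" | while read -r point mapfile _; do
        [ -n "$point" ] && [ "$point" != "/-" ] && [ -f "$mapfile" ] || continue
        expand_indirect "$mapfile" "$point" "$2" && break
    done
}
# write_maps DIR: constructed auto.master and auto.guests mirroring the files
# above, plus one assumed exact-key entry to show it beating the '*' entry.
write_maps() {
    cat > "$1/auto.guests" <<'EOF'
# constructed /etc/auto.guests
ldapuser01 -rw,nfs4,sync instructor.example.com:/home/guests/&
* -rw,nfs4 instructor.example.com:/home/guests/&
EOF
    cat > "$1/auto.master" <<EOF
# constructed /etc/auto.master
/home/guests $1/auto.guests
+auto.master
EOF
}
d=$(mktemp -d); write_maps "$d"
lookup_mount "$d/auto.master" ldapuser02
# -> /home/guests/ldapuser02 rw,nfs4 instructor.example.com:/home/guests/ldapuser02
```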

Additional Resources

Ralph Nyberg offers an interesting video about configuring LDAP authentication (20min/2015).
The ForumSystems website provides a free online LDAP test server.

213 Comments on "RHEL7: Configure a system to use an existing LDAP directory service for user and group information."

RedHatter (Member):

Sander says, auto.master file solution still works
but is deprecated and he prefers to create a master map entry in /etc/auto.master.d. On RHEL 7, the auto.master file is considered a part of the RPM, and it might be overwritten while updating RPMs on your server. For that reason, the approach described in Exercise 23.3 is preferred, as in that exercise the system-managed part of the configuration is clearly distinguished from the user-managed part of the configuration.

RedHatter (Member):

But Sander also uses the auto.master file way in his 2017 videos, which is what I prefer. My question is: is this a safe method even though it's deprecated? Gem of a site btw.

Lisenet (Member):

It is a safe method (I used it myself).

RedHatter (Member):

Thanks!

Moayd Suliman (Member):

Hi CertDepot, first: # getent passwd ldapuser02 doesn't work for me.
Second: I configured LDAP on server1 and configured client authentication on server2. Everything works well, but if I log in to server2 as an ordinary user and try su ldapuser1, it gives me su: Authentication failure. I need to know why? With root privileges it works fine...

Ph.linux (Member):

Hi CertDepot,

Is authconfig-tui available in the exam? Yes or no?

Thanks,
Bryan

xar (Member):

Hello CertDepot, I am also preparing for the RHCSA exam, and I would like to ask if anyone has ever tried to create an automount point to a different location on the client side. I made numerous attempts but none of them worked. All the examples (including CertDepot's) define the directory name on the client to be the same as on the NFS server. What I want, for example, is:

auto.master:
/customhomedir /etc/ldap.file

ldap.file:
* -rw,sync server:/home/ldap/&
