First, let us install all the required OpenLDAP client and dependent packages.
Since we plan to use authconfig to configure the LDAP client on our RHEL/CentOS 7 Linux node, we only install the SSSD and authconfig packages. oddjob-mkhomedir is required so that the Active Directory user's home directory can be created automatically.
On a RHEL system you must have an active subscription to RHN, or you can configure a local offline repository from which the "yum" package manager can install the required rpm and its dependencies.
[root@ldap-client ~]# yum install authconfig authconfig-gtk openldap-clients sssd oddjob-mkhomedir.x86_64 -y
If you wish to configure the LDAP client using nslcd instead, then you must install nss-pam-ldapd and pam_ldap. We will only use SSSD, hence we will not cover that part in this tutorial.
Use the following information to complete the fields in the ensuing LDAP
Settings screen:
Server: ldap://10.0.2.20/
Base DN: dc=example,dc=com
Here 10.0.2.20 is the IP address of my ldap-server, replace it with your server details
When we click OK, this will automatically change a series of files that otherwise
would have to be changed by hand. For example, it will add the following lines to
the /etc/openldap/ldap.conf file:
URI ldap://10.0.2.20/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
Here, comment out TLS_CACERTDIR and add TLS_REQCERT never (this stops the client from verifying the server certificate; see the TLS note below).
You can also configure ldap on the client using authconfig as shown below
[root@ldap-client ~]# authconfig --enableldap --enableldapauth --ldapserver=10.0.2.20 --ldapbasedn="dc=example,dc=com" --enableldaptls --update
If you have already configured your client using authconfig-tui, you can skip the configuration
using authconfig.
Configure OpenLDAP
Next, configure your OpenLDAP client to communicate with the LDAP server and set the communication method (TLS). Add the content below to /etc/openldap/ldap.conf:
BASE dc=example,dc=com
URI ldap://10.0.2.20
TLS_CACERTDIR /etc/openldap/cacerts
NOTE:
If you get the error "Could not start TLS encryption. TLS: hostname does not match CN in peer certificate" in /var/log/messages after restarting sssd, it means the hostname your client connects to does not match the CA-signed certificate. In that case you must have a proper certificate generated for this client, or use a SAN certificate on the LDAP server. Alternatively, you can disable the TLS check using TLS_REQCERT never in /etc/openldap/ldap.conf together with ldap_id_use_start_tls = False in /etc/sssd/sssd.conf. But this disables TLS communication altogether, making the system insecure.
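As an added example (not part of the original tutorial), a small audit script that flags the two settings from the note above, so that a "temporary" workaround does not survive into production. The file paths are arguments so it can be run against copies; the sample files at the bottom are constructed for the demo, and the helper assumes the last uncommented definition of a key is the effective one.

```sh
#!/bin/sh
# Audit ldap.conf and sssd.conf for TLS_REQCERT never/allow and
# ldap_id_use_start_tls = False (constructed example, not the tutorial's code).

# Value of an ldap.conf key ("KEY value"; keys are case-insensitive).
# Assumption: the last uncommented definition wins.
ldapconf_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$0 !~ /^[ \t]*#/ && tolower($1) == key { val = $2 }
         END { print val }' "$1"
}

# Value of an sssd.conf key ("key = value"); [section] headers are ignored.
sssdconf_get() {
    awk -F= -v key="$2" \
        '$0 !~ /^[ \t]*#/ { k = $1; gsub(/[ \t]/, "", k)
           if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v } }
         END { print val }' "$1"
}

# Returns 0 when both files keep TLS verification on, 1 otherwise.
audit_ldap_tls() {
    rc=0
    reqcert=$(ldapconf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    starttls=$(sssdconf_get "$2" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$reqcert" in
        never|allow) echo "WARN $1: TLS_REQCERT $reqcert, server certificate is not verified"; rc=1 ;;
    esac
    case "$starttls" in
        false) echo "WARN $2: ldap_id_use_start_tls = $starttls, lookups are sent in cleartext"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed copies of the weakened files described in the note.
demo_dir=$(mktemp -d)
printf 'BASE dc=example,dc=com\nURI ldap://10.0.2.20\n#TLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT never\n' > "$demo_dir/ldap.conf"
printf '[domain/default]\nldap_id_use_start_tls = False\n' > "$demo_dir/sssd.conf"
audit_ldap_tls "$demo_dir/ldap.conf" "$demo_dir/sssd.conf" || echo "insecure LDAP client TLS settings found"
rm -rf "$demo_dir"
```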
NOTE:
In RHEL/CentOS 6/7, the sshd PAM configuration file (/etc/pam.d/sshd) includes /etc/pam.d/password-auth instead of /etc/pam.d/system-auth. Hence, it is also required to append the above line to /etc/pam.d/password-auth in order to create home directories when logging in via ssh.
Instead of manual editing, the authconfig command can be used:
[root@ldap-client ~]# authconfig --enablemkhomedir --updateall
Also restart sssd.service
[root@ldap-client ~]# systemctl restart sssd.service
gidNumber: 1001
homeDirectory: /home/testuser1
sn: testuser1
mail: testuser1@example.com
NOTE:
Here I have already created an encrypted password for testuser1 using slappasswd on the ldap-server node. My password for testuser1 is test.
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example
# users, example.com
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5