{{tag>[security openldap centos7 client]}}
=====CentOS 7 - OpenLDAP 2.4 consumer (client)=====
This works for CentOS 6 and 7!
====Install packages====
  * Install the requisite packages:
<code>
# yum install sssd openldap-clients
</code>
====Configure OpenLDAP client====
===Import CA root certificate===
  * Export the CA certificate, **on the provider or CA server**:
<code>
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
</code>
  * Download the CA root certificate (ca.crt) to the client:
<code>
# scp ldap.master.server:/tmp/ca.crt /etc/openldap/cacerts/
</code>
  * Rehash the certificate directory so the TLS library can find the CA by its subject hash:
<code>
# cacertdir_rehash /etc/openldap/cacerts/
</code>
===Authconfig===
  * Configure authentication:
<code>
# authconfig \
  --disablesmartcard \
  --disablefingerprint \
  --enablesssd \
  --enablesssdauth \
  --enablelocauthorize \
  --disablemd5 \
  --passalgo=sha512 \
  --enablepamaccess \
  --enableldap \
  --enableldapauth \
  --disableldaptls \
  --ldapserver=ldaps://ldap.yourdomain.tld:636 \
  --ldapbasedn=dc=domain,dc=tld \
  --enablemkhomedir \
  --disablecachecreds \
  --disablekrb5 \
  --disablekrb5kdcdns \
  --disablekrb5realmdns \
  --krb5kdc=" #" \
  --updateall
</code>
===SSSd===
  * If you have disabled anonymous bind, you'll need to configure a bind user. Edit /etc/sssd/sssd.conf:
<code>
# vim /etc/sssd/sssd.conf
[domain/ ...
</code>
===Prevent unauthorized console access===
  * [[:centos_7_prevent_access|Configure the PAM access module.]]
===SSHd===
  * Disable root access.
  * Configure AllowGroups.
====Verify====
  * Enable and start sssd, log in and test the connection:
<code>
# systemctl enable sssd
# systemctl start sssd
</code>
  * Check that the hashed CA symlink has been created in /etc/openldap/cacerts, then query the directory and the name service:
<code>
# ldapwhoami -H ldaps:// -x -D "cn=Manager,dc=,dc=" -W
# ldapsearch -H ldaps:// -x -D "cn=Manager,dc=,dc=" -W
# getent -s sss passwd
# getent -s sss group
# id -a
</code>
===Clear the SSSD cache===
  * You can clear the cache (except sudo rules) with:
<code>
# sss_cache -E
</code>
  * If that didn't work, delete the contents of the directory **/var/lib/sss/db** and restart sssd.
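As an added example (not part of the original page), a small POSIX shell check for the sssd.conf edited in the SSSd step: it verifies the file mode sssd insists on, that ldap_uri only uses ldaps:// (STARTTLS was disabled above), that the bind user DN and its password are set together, and that server certificate verification is not switched off. The option names are the standard sssd-ldap(5) ones; the host, DN and password in the sample are constructed.

```bash
# Added example, not code from the original wiki page.
# check_sssd_conf FILE -> exit 0 if all checks pass, 1 otherwise.
check_sssd_conf() {
    conf="$1"
    rc=0
    # sssd refuses to start unless sssd.conf is mode 0600
    mode=$(stat -c '%a' "$conf") || return 1
    [ "$mode" = "600" ] || { echo "FAIL: $conf is mode $mode, expected 600"; rc=1; }
    # Only ldaps:// URIs: with --disableldaptls a plain ldap:// URI would bind in the clear
    if grep -Eq '^[[:space:]]*ldap_uri[[:space:]]*=.*ldap://' "$conf"; then
        echo "FAIL: plain ldap:// in ldap_uri"; rc=1
    fi
    # Bind DN and password go together; one without the other means an anonymous
    # bind or a failing lookup (the '|| true' keeps grep's exit 1 on zero matches quiet)
    has_dn=$(grep -Ec '^[[:space:]]*ldap_default_bind_dn[[:space:]]*=' "$conf" || true)
    has_pw=$(grep -Ec '^[[:space:]]*ldap_default_authtok[[:space:]]*=' "$conf" || true)
    [ "$has_dn" = "$has_pw" ] || { echo "FAIL: set ldap_default_bind_dn and ldap_default_authtok together"; rc=1; }
    # Never accept an unverified server certificate
    if grep -Eq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*(never|allow)' "$conf"; then
        echo "FAIL: ldap_tls_reqcert must be demand or hard"; rc=1
    fi
    return $rc
}

# Constructed sample domain section (values are placeholders), written to FILE
write_sample_conf() {
    cat > "$1" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.yourdomain.tld:636
ldap_search_base = dc=domain,dc=tld
ldap_default_bind_dn = cn=sssd,dc=domain,dc=tld
ldap_default_authtok = ConstructedSamplePassword
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
EOF
    chmod 600 "$1"
}

# Stand-alone run: check the constructed sample
sample=$(mktemp)
write_sample_conf "$sample"
check_sssd_conf "$sample" && echo "OK: $sample passes all checks"
rm -f "$sample"
```

Run it against the real file with `check_sssd_conf /etc/sssd/sssd.conf` before `systemctl start sssd`.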