{{tag>[security openldap centos7 client]}}
=====CentOS 7 - OpenLDAP 2.4 consumer (client)=====
This works for CentOS 6 and 7.
====Install packages====
* Install the requisite packages:
<code bash>
# yum install sssd openldap-clients
</code>
====Configure OpenLDAP client====
===Import CA root certificate===
* Export the CA certificate, **on the provider or CA server**:
<code bash>
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
</code>
* Download the CA root certificate (ca.crt) to the client:
<code bash>
# scp ldap.master.server:/tmp/ca.crt /etc/openldap/cacerts/
</code>
* Rehash the certificate directory:
<code bash>
# cacertdir_rehash /etc/openldap/cacerts/
</code>
===Authconfig===
* Configure authentication:
<code bash>
# authconfig \
--disablesmartcard \
--disablefingerprint \
--enablesssd \
--enablesssdauth \
--enablelocauthorize \
--disablemd5 \
--passalgo=sha512 \
--enablepamaccess \
--enableldap \
--enableldapauth \
--disableldaptls \
--ldapserver=ldaps://ldap.yourdomain.tld:636 \
--ldapbasedn=dc=domain,dc=tld \
--enablemkhomedir \
--disablecachecreds \
--disablekrb5 \
--disablekrb5kdcdns \
--disablekrb5realmdns \
--krb5kdc=" #" \
--updateall
</code>
===SSSd===
* If you have disabled anonymous bind, you'll need to configure a bind user. Edit /etc/sssd/sssd.conf:
<code bash>
# vim /etc/sssd/sssd.conf
</code>
<code>
[domain/
...
</code>
===Prevent unauthorized console access===
* [[:centos_7_prevent_access|Configure the PAM access module.]]
===SSHd===
* Disable root access.
* Configure AllowGroups.
====Verify====
* Enable and start sssd, then log in and test the connection:
<code bash>
# systemctl enable sssd
# systemctl start sssd
</code>
* Check that the hash symlink has been created in /etc/openldap/cacerts, then query the provider and the sss backend:
<code bash>
# ldapwhoami -H ldaps:// -x -D "cn=Manager,dc=,dc=" -W
# ldapsearch -H ldaps:// -x -D "cn=Manager,dc=,dc=" -W
# getent -s sss passwd
# getent -s sss group
# id -a
</code>
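The sssd.conf section above is cut off, and the Verify step only says to check for the symlink. As an added example (not from the original page), here is a constructed sssd.conf for a bind user, with POSIX shell checks for the points that matter on a client: the file mode (it holds the bind password), an ldaps:// URI (the authconfig call above disables StartTLS, so a plain ldap:// URI would send the bind password unencrypted), certificate verification against the rehashed CA directory, and the hash symlink that cacertdir_rehash is expected to create. The domain name, DNs, the sssd-bind account and every path other than /etc/openldap/cacerts and /etc/sssd/sssd.conf are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: a constructed sssd.conf for
# a bind user (the page's [domain/...] section is truncated) plus checks for it
# and for the CA rehash step. Domain, DNs, URI and the bind account are placeholders.

# Write a constructed sssd.conf for a bind user to the given path.
write_sample_sssd_conf() {
    f="$1"
    cat > "$f" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.yourdomain.tld:636
ldap_search_base = dc=domain,dc=tld
# Bind account used because anonymous bind is disabled on the provider (placeholder DN)
ldap_default_bind_dn = cn=sssd-bind,ou=services,dc=domain,dc=tld
ldap_default_authtok = REPLACE_WITH_BIND_PASSWORD
# Validate the provider certificate against the CA imported into /etc/openldap/cacerts
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
cache_credentials = false
EOF
    chmod 0600 "$f"
}

# Return 0 when the file passes every check, 1 otherwise; each failure is printed.
check_sssd_conf() {
    f="$1"; rc=0
    # The file carries the bind password, so it must be readable by root only.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        600|400) ;;
        *) echo "FAIL: $f has mode $perms, expected 0600"; rc=1 ;;
    esac
    # Transport must be ldaps://; authconfig above uses --disableldaptls (no StartTLS),
    # so a plain ldap:// URI here would send the bind password in the clear.
    grep -Eq '^ldap_uri[[:space:]]*=[[:space:]]*ldaps://' "$f" \
        || { echo "FAIL: ldap_uri is not an ldaps:// URI"; rc=1; }
    # The provider certificate must be verified against the rehashed CA directory.
    grep -Eq '^ldap_tls_reqcert[[:space:]]*=[[:space:]]*demand' "$f" \
        || { echo "FAIL: ldap_tls_reqcert is not 'demand'"; rc=1; }
    grep -Eq '^ldap_tls_cacertdir[[:space:]]*=[[:space:]]*/etc/openldap/cacerts' "$f" \
        || { echo "FAIL: ldap_tls_cacertdir does not point at /etc/openldap/cacerts"; rc=1; }
    # A bind DN without a password (or the reverse) is a misconfiguration.
    has_dn=$(grep -c '^ldap_default_bind_dn' "$f" || true)
    has_pw=$(grep -c '^ldap_default_authtok' "$f" || true)
    [ "$has_dn" = "$has_pw" ] || { echo "FAIL: bind DN and authtok must be set together"; rc=1; }
    return $rc
}

# Verify that cacertdir_rehash produced the <subject-hash>.0 symlink for a CA file,
# which is what the "check if the symlink has been created" step above looks for.
check_cacert_rehash() {
    dir="$1"; crt="$2"
    hash=$(openssl x509 -hash -noout -in "$crt") || return 1
    [ -L "$dir/$hash.0" ] || { echo "FAIL: no $hash.0 symlink in $dir for $crt"; return 1; }
}

# Usage on a configured client (the paths are the ones this page uses):
#   check_sssd_conf /etc/sssd/sssd.conf \
#     && check_cacert_rehash /etc/openldap/cacerts /etc/openldap/cacerts/ca.crt
```

Run the two checks after the authconfig step and before the ldapwhoami test; a non-zero exit with a FAIL line tells you which of the four points (mode, transport, certificate verification, bind credentials) the client is missing, and the rehash check fails loudly when the symlink is absent instead of leaving you to guess why ldaps:// connections are rejected.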
===Clear the SSSD cache===
* You can clear the cache (except sudo rules) with:
<code bash>
# sss_cache -E
</code>
* If that didn't work, delete the contents of directory **/var/lib/sss/db** and restart sssd.