CentOS 7 - OpenLDAP 2.4 consumer (client)
This works for CentOS 6 and 7!
Install packages
- Install the requisite packages:
# yum install sssd openldap-clients
Configure OpenLDAP client
Import CA root certificate
- Export the CA certificate, on provider or CA server:
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
- Download the CA root certificate (ca.crt):
# scp ldap.master.server:/tmp/ca.crt /etc/openldap/cacerts/
- Rehash the certificate directory:
# cacertdir_rehash /etc/openldap/cacerts/
Authconfig
- Configure authentication:
# authconfig \
    --disablesmartcard \
    --disablefingerprint \
    --enablesssd \
    --enablesssdauth \
    --enablelocauthorize \
    --disablemd5 \
    --passalgo=sha512 \
    --enablepamaccess \
    --enableldap \
    --enableldapauth \
    --disableldaptls \
    --ldapserver=ldaps://ldap.yourdomain.tld:636 \
    --ldapbasedn=dc=domain,dc=tld \
    --enablemkhomedir \
    --disablecachecreds \
    --disablekrb5 \
    --disablekrb5kdcdns \
    --disablekrb5realmdns \
    --krb5kdc=" #" \
    --updateall
SSSd
- If you have disabled anonymous bind, you'll need to configure a bind user. Edit /etc/sssd/sssd.conf:
# vim /etc/sssd/sssd.conf
[domain/<domain name like 'default' or 'LDAP'>]
...
ldap_default_bind_dn = cn=...,ou=...
ldap_default_authtok_type = password
# obfuscated_password: obfuscating the password provides no real security benefit
ldap_default_authtok = <your bind dn password>
...
Prevent unauthorized console access
SSHd
- Disable root login over SSH.
- Restrict SSH logins to the permitted groups with AllowGroups.
Verify
- Restart sssd, log in and test the connection.
# systemctl enable sssd
# systemctl start sssd
Check if the symlink has been created in /etc/openldap/cacerts, then test the LDAPS connection and the name service lookups:
# ldapwhoami -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
# ldapsearch -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
# getent -s sss passwd <username>
# getent -s sss group <groupname>
# id -a <username>
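Before restarting sssd it is worth checking the sssd.conf that authconfig and the bind-user edit above produced. The following script is an added example, not part of this wiki page: it reads the [domain/...] section and flags the settings that matter for the LDAPS setup (file mode, ldaps:// URI, CA directory, certificate verification, bind DN paired with the bind password). Option names are the documented sssd-ldap(5) ones; the sample config it writes and its values are constructed placeholders.

```shell
#!/bin/bash
# Added example, not from the wiki page: sanity-check the sssd.conf that authconfig writes.
# Option names are the documented sssd-ldap(5) ones; the sample values are constructed.
# Print the value of key $2 from the first [domain/...] section of file $1 (empty if unset).
sssd_get() {
    awk -v key="$2" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}
# Return 0 if $1 looks like a safe LDAPS client config, 1 otherwise (reasons on stdout).
check_sssd_conf() {
    local f="$1" fail=0 mode uri reqcert
    mode=$(stat -c %a "$f") || return 1
    # sssd refuses to start unless the file is 0600, and it holds the bind password.
    [ "$mode" = 600 ] || { echo "FAIL: $f has mode $mode, expected 0600"; fail=1; }
    uri=$(sssd_get "$f" ldap_uri)
    case "$uri" in
        ldaps://*) ;;
        *) echo "FAIL: ldap_uri '$uri' is not ldaps://"; fail=1 ;;
    esac
    [ -n "$(sssd_get "$f" ldap_tls_cacertdir)" ] || { echo "FAIL: ldap_tls_cacertdir unset"; fail=1; }
    # Unset means the sssd-ldap(5) default (hard); never/allow/try skip CA validation.
    reqcert=$(sssd_get "$f" ldap_tls_reqcert)
    case "${reqcert:-hard}" in
        demand|hard) ;;
        *) echo "FAIL: ldap_tls_reqcert=$reqcert does not verify the server certificate"; fail=1 ;;
    esac
    if [ -n "$(sssd_get "$f" ldap_default_authtok)" ] && [ -z "$(sssd_get "$f" ldap_default_bind_dn)" ]; then
        echo "FAIL: ldap_default_authtok set without ldap_default_bind_dn"; fail=1
    fi
    [ "$fail" -eq 0 ] && echo "OK: $f"
    return "$fail"
}

# Write a constructed sample (values modelled on the page) to $1, appending line $2 if given.
write_sample_conf() {
    cat > "$1" <<'EOF'
[domain/default]
ldap_uri = ldaps://ldap.yourdomain.tld:636
ldap_search_base = dc=domain,dc=tld
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = cn=binduser,ou=people,dc=domain,dc=tld
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER-bind-password
EOF
    [ -n "$2" ] && echo "$2" >> "$1"
    chmod 600 "$1"
}
```

Run `check_sssd_conf /etc/sssd/sssd.conf` as root on the client; each FAIL line names the setting to correct before `systemctl start sssd`.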
Clear the SSSD cache
- You can clear the cache (except sudo rules) with:
sss_cache -E
- If that does not work, delete the contents of /var/lib/sss/db and restart sssd.
ldap/centos7client.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1