Ben's notes

Linux, Unix, network, radio...


CentOS 7 - OpenLDAP 2.4 consumer (client)

This works for CentOS 6 and 7!

Install packages

  • Install the requisite packages:
    # yum install sssd openldap-clients

Configure OpenLDAP client

Import CA root certificate

  • Export the CA certificate, on provider or CA server:
    # certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
  • Download the CA root certificate (ca.crt):
    # scp ldap.master.server:/tmp/ca.crt /etc/openldap/cacerts/
  • Rehash the certificate directory:
    # cacertdir_rehash /etc/openldap/cacerts/

Authconfig

  • Configure authentication:
    # authconfig \
    --disablesmartcard \
    --disablefingerprint \
    --enablesssd \
    --enablesssdauth \
    --enablelocauthorize \
    --disablemd5 \
    --passalgo=sha512 \
    --enablepamaccess \
    --enableldap \
    --enableldapauth \
    --disableldaptls \
    --ldapserver=ldaps://ldap.yourdomain.tld:636 \
    --ldapbasedn=dc=domain,dc=tld \
    --enablemkhomedir \
    --disablecachecreds \
    --disablekrb5 \
    --disablekrb5kdcdns \
    --disablekrb5realmdns \
    --krb5kdc=" #" \
    --updateall

SSSd

  • If you have disabled anonymous bind, you'll need to configure a bind user. Edit /etc/sssd/sssd.conf:
    # vim /etc/sssd/sssd.conf
    
    [domain/<domain name, e.g. 'default' or 'LDAP'>]
    ...
    ldap_default_bind_dn = cn=...,ou=...
    ldap_default_authtok_type = password   # the alternative, obfuscated_password, provides no real security benefit
    ldap_default_authtok = <your bind dn password>
    ...

Prevent unauthorized console access

SSHd

  • Disable root login over SSH (PermitRootLogin no in /etc/ssh/sshd_config).
  • Configure AllowGroups so that only the intended groups can log in.

Verify

  • Restart sssd, log in and test the connection:
    # systemctl enable sssd
    # systemctl start sssd
  • Check that the hashed symlink to the CA certificate has been created in /etc/openldap/cacerts.
  • Test the bind and a search directly against the provider:
    # ldapwhoami -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
    # ldapsearch -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
  • Resolve users and groups through sssd:
    # getent -s sss passwd <username>
    # getent -s sss group <groupname>
    # id -a <username>
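As an added check that is not part of the original notes, the POSIX shell function below audits the sssd.conf written by the authconfig run above before you trust the client with a bind password: file mode, transport (ldaps:// versus a plain ldap:// URI), certificate verification, and the rehashed CA certificate. It assumes the sssd-ldap keys shown on this page (ldap_uri, ldap_tls_reqcert, ldap_tls_cacertdir) and GNU stat/sed as found on CentOS.

```shell
#!/bin/sh
# Audit the sssd.conf that authconfig writes for this client.
# Assumed: the file uses the sssd-ldap keys shown above
# (ldap_uri, ldap_tls_reqcert, ldap_tls_cacertdir). Prints one
# FINDING line per problem; returns 0 when clean, 1 otherwise.
audit_sssd_conf() {
    conf="$1"
    findings=0
    getkey() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf"; }

    # 1. The file holds the bind password in clear text: sssd insists on
    #    mode 0600 (and root ownership) and refuses to start otherwise.
    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != "600" ]; then
        echo "FINDING: $conf is mode $mode, must be 0600"
        findings=$((findings + 1))
    fi

    # 2. A plain ldap:// URI sends the bind password unencrypted unless
    #    StartTLS is forced; ldaps:// (as configured above) is already TLS,
    #    which is why --disableldaptls is harmless in that authconfig call.
    case "$(getkey ldap_uri)" in
        *ldap://*)
            if ! grep -qiE '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true' "$conf"; then
                echo "FINDING: ldap:// URI without ldap_id_use_start_tls = true"
                findings=$((findings + 1))
            fi ;;
    esac

    # 3. sssd defaults ldap_tls_reqcert to 'hard'; an explicit never/allow/try
    #    lets a spoofed server collect the bind credentials.
    reqcert=$(getkey ldap_tls_reqcert)
    case "$reqcert" in
        ""|demand|hard) ;;
        *) echo "FINDING: ldap_tls_reqcert = $reqcert weakens server verification"
           findings=$((findings + 1)) ;;
    esac

    # 4. With 'hard', a missing <hash>.0 symlink (what cacertdir_rehash
    #    creates) makes every bind fail; check it is actually there.
    cadir=$(getkey ldap_tls_cacertdir)
    if [ -n "$cadir" ] && ! ls "$cadir"/*.0 >/dev/null 2>&1; then
        echo "FINDING: no rehashed CA certificate (*.0) in $cadir"
        findings=$((findings + 1))
    fi

    return $((findings > 0))
}
```

Run it as `audit_sssd_conf /etc/sssd/sssd.conf` after the authconfig step; a clean file prints nothing and exits 0.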

Clear the SSSD cache

  • You can clear the cache (except sudo rules) with:
    sss_cache -E
  • If that didn't work, delete the contents of directory /var/lib/sss/db and restart sssd.
ldap/centos7client.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1