LDAP - Configure a Red Hat Linux system to use LDAP authentication

This assumes you've already created a user in LDAP. Let's say you've created the user JohnDoe in the example.com directory.

Install the following packages on the Red Hat-based distribution (Red Hat, CentOS, or Fedora) that you want to configure to use LDAP authentication.

yum install openldap-clients
yum install nss-pam-ldapd


Use the authconfig command to configure your system to use your LDAP server. In this example, plain LDAP (unencrypted, so bind credentials cross the network in clear text) is used rather than LDAPS (LDAP over TLS).

authconfig --enableldap --enableldapauth --ldapserver="ldap.example.com" --ldapbasedn="dc=example,dc=com" --update


To reduce complexity, disable SSSD as an authentication mechanism so that only nslcd handles LDAP lookups.

authconfig --disablesssd --update


The above commands update /etc/nslcd.conf to contain the following.

uri ldap://ldap.example.com/
base dc=example,dc=com


Verify that the changes were applied.

authconfig --test | grep -i ldap

nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap.example.com"
 LDAP base DN = "dc=example,dc=com"

pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap.example.com"
 LDAP base DN = "dc=example,dc=com"
 LDAP schema = "rfc2307"


Ensure that LDAP port 389 is open in iptables or firewalld between the client and the LDAP server.

The ldapsearch command can be used to query your LDAP database.

Update /etc/nsswitch.conf to use ldap for the passwd, group, and shadow databases.

passwd: files ldap
group:  files ldap
shadow: files ldap


The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to enable and restart the Name Service LDAP Client Daemon (nslcd).

systemctl enable nslcd
systemctl restart nslcd
systemctl status nslcd


If your system is using init, use the chkconfig and service commands to enable and restart the Name Service LDAP Client Daemon (nslcd).

chkconfig nslcd on
service nslcd restart
service nslcd status


The getent command can be used to confirm that the system resolves the LDAP user even though the user does not exist in the local /etc/passwd or /etc/shadow files.

getent passwd JohnDoe

JohnDoe:x:1001:1001:JohnDoe:/home/JohnDoe:/bin/bash

getent shadow JohnDoe

JohnDoe:*::0:99999:7:::0


You should also be able to authenticate on the client using your LDAP user.

su - JohnDoe
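As an added check that is not part of the FreeKB article, the script below audits the two client files the steps above produce, nslcd.conf and nsswitch.conf: it flags any of the passwd, group, or shadow databases that still does not list ldap, and reports whether the configured uri is the clear-text ldap:// transport used in this article, ldaps://, or ldap:// with STARTTLS. The file paths and the constructed sample contents are assumptions; point the functions at /etc/nslcd.conf and /etc/nsswitch.conf to audit a real client.

```shell
#!/bin/sh
# Added example (not from the FreeKB article): audit the client-side files the
# steps above produce. Paths are parameters so the same checks run on /etc.

# check_nsswitch FILE: passwd, group and shadow must each list "ldap".
check_nsswitch() {
    rc=0
    for db in passwd group shadow; do
        if grep -Eq "^[[:space:]]*$db:.*[[:space:]:]ldap([[:space:]]|$)" "$1"; then
            echo "ok   nsswitch: $db consults ldap"
        else
            echo "FAIL nsswitch: $db does not list ldap"; rc=1
        fi
    done
    return $rc
}

# ldap_transport FILE: prints tls, starttls, cleartext or none for nslcd.conf.
# Plain ldap:// with no "ssl start_tls" line means the user's password is
# sent to the LDAP server unencrypted when pam_ldap binds.
ldap_transport() {
    uri=$(awk '$1=="uri"{print $2; exit}' "$1")
    case "$uri" in
        ldaps://*) echo tls ;;
        ldap://*)
            if grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$1"; then
                echo starttls
            else
                echo cleartext
            fi ;;
        *) echo none ;;
    esac
}

# check_nslcd FILE: uri and base must both be present (authconfig writes both).
check_nslcd() {
    rc=0
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps?://' "$1" || { echo "FAIL nslcd: no uri"; rc=1; }
    grep -Eq '^[[:space:]]*base[[:space:]]+dc=' "$1"   || { echo "FAIL nslcd: no base"; rc=1; }
    echo "info nslcd transport: $(ldap_transport "$1")"
    return $rc
}

# Constructed samples: nslcd.conf as authconfig wrote it above, and an
# nsswitch.conf where the shadow line was left without ldap.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'uri ldap://ldap.example.com/\nbase dc=example,dc=com\n' > "$tmp/nslcd.conf"
printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files\n' > "$tmp/nsswitch.conf"
check_nslcd "$tmp/nslcd.conf"
check_nsswitch "$tmp/nsswitch.conf" || echo "nsswitch.conf is incomplete"
```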



Mount home directory

When switching to JohnDoe on a client PC, the client will not have a home directory for John Doe, such as /home/JohnDoe. To resolve this, share /home/JohnDoe from the LDAP server and mount it on the client using AutoFS.




Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |