22Aug

Ldap client configuration in two steps – Redhat 6

22 Aug 2016 TMS

On RHEL 6 LDAP client configuration involves editing multiple files such pam, nssswitch, authconfig etc. But “authconfig” command made it easier for us. I walk you through how it can be done in two steps.

Step1

Install client packages. openldap-clients pam_ldap nss-pam-ldapd

Step2

This can be done in two ways.  First one is suitable for manual installation. Second one is for script lovers.

Method1

#authconfig-tui

Follow on screen window. Choose authentication type and enter LDAP URI. Check ldap client – server connection status.

#getent passwd ldapuser1

If there is no output something wrong. If your ldap server is old version then it may not support “sssd” daemon. Authconfig by default configure “sssd” daemon to work. In such case I prefer you to go with second method.

Method2

Use authconfig command with necessary options in CLI. All the options support enable and disable feature. Call the appropriate one by prefix enable or disable.

Backup auth configuration files

Take the backup of all related configuration files.

#authconfig --savebackup /root/auth_bkp4

Restore configuration

If require, configuration can be restored from backup.

 #authconfig --restorebackup /root/auth_bkp4

Dry-run configuration changes

Test the resultant system state in dry-run mode without applying any changes.

#authconfig --enableshadow --enableldap --enableldapauth --enableshadow --enablecache --disablekrb5 --ldapbasedn "dc=sunt,dc=com" --ldapserver "ldap://rhel4.sunt.com/, ldap://rhel6.sunt.com" --test

–test = implies do not apply any changes in system. Instead print the changes in screen.

Update configuration files

This configures ldap authentication without Kerberos support.

#authconfig --enableshadow --enableldap --enableldapauth --enableshadow --enablecache --disablekrb5--ldapbasedn "dc=sunt,dc=com" --ldapserver "ldap://rhel4.sunt.com/, ldap://rhel6.sunt.com" --update

This command will update all configuration files and start the sssd daemon.

Enable legacy mode

For old legacy ldap server support add “enableforcelegacy” option.

#authconfig --enableshadow --enableldap --enableldapauth --enableshadow --enablecache --disablekrb5 --enableforcelegacy --ldapbasedn "dc=sunt,dc=com" --ldapserver "ldap://rhel4.sunt.com/, ldap://rhel6.sunt.com" --update

enableforcelegacy – never use SSSD implicitly even for supported configuration. When configured with legacy mode the “sssd” daemon stopped and “nslcd” daemon started.

Enable home directory creation

This command additionally configures PAM to create home directory when user login first time.

#authconfig --enableldap --enableldapauth --enableshadow --enablecache --disablekrb5 --enablemkhomedir --ldapbasedn "dc=sunt,dc=com" --ldapserver "ldap://rhel4.sunt.com/, ldap://rhel6.sunt.com" --enableshadow --update

— enablemkhomedir – configure PAM and starts “oddjobd” daemon.

Configure LDAP client with SSL/TLS

Step1

Use this syntax when  LDAP server URI start with “ldaps” and accessible through default port 636. The “–enableldattls” option enables TLS/SSL communication.

--ldapserver "ldaps://rhel4.sunt.com/, ldaps://rhel6.sunt.com" --enableldaptls

If LDAP server listens to different port then default 636, specify port like this.

--ldapserver "ldaps://rhel4.sunt.com:10080" --enableldaptls

LDAP server listens to non-encrypted ldap port 389.  Use this option to enforce clients to issue “starttls” during client-server initial hand-shake.

--enableldapstarttls --ldapserver “ldap://rhel4.sunt.com,  ldap://rhel6.sunt.com”
Step2

The server certificate file must be copied to client. It can be downloaded through “authconfig” command using “–ldaploadcacert”

#authconfig --enableshadow --enableldap --enableldapauth --enableshadow --enablecache --disablekrb5 --enableforcelegacy --ldapbasedn "dc=sunt,dc=com" --ldapserver "ldaps://rhel4.sunt.com/, ldaps://rhel6.sunt.com" --enableldaptls  --ldaploadcacert http://reposerver.sunt.com/ldapcert.pem --update

If the certificate not stored centrally, copy the certificate to client manually. Change the permission to 600.

#scp root@rhel4:/etc/openldap/cacerts/ldapcert.pem /etc/openldap/cacerts/
#chmod 600 /etc/openldap/cacerts/ldapcert.pem

The final and most important is certificate location should be updated in ldap.conf.

#echo “TLS_CACERT /etc/openldap/cacerts/ldapscert.pem” >> /etc/openldap/ldap.conf

At last /etc/openldap/ldap.conf file will look like this.

TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://rhel4.sunt.com/  ldaps://rhel6.sunt.com
BASE dc=sunt,dc=com
TLS_CACERT /etc/openldap/cacerts/ldapscert.pem

Daemon to be started

When use authconfig command necessary daemons will be enabled and started automatically. Still if you face trouble connecting to LDAP server ensure below service are running.

#service sssd start
#service oddjobd start

In legacy mode “sssd” should be in stopped state.

#service sssd stop
#service nslcd start
#service nscd start
#service oddjobd start

To know more about supported options see this. Even man page may not have all such option.

#authconfig --help

Do you have anything to say? Please post here.

2 thoughts on “Ldap client configuration in two steps – Redhat 6

  1. Pingback: LDAP TLS negotiation failure error - Technical Admin Blog
  2. Pingback: LDAP TLS negotiation failure error - Technical Admin Blog

Leave a Reply

Your email address will not be published. Required fields are marked *