Install the software:
yum install nss-pam-ldapd nscd pam_krb5
-bash-3.2# authconfig --enablecache --enableshadow --passalgo=sha512 --disablenis --enableldap --ldapserver="ldap://YOUR_LDAP_SERVER" --ldapbasedn="dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3" --enablekrb5 --krb5kdc=YOUR_KERBEROS_DOMAIN --krb5adminserver=YOUR_KERBEROS_SERVER --krb5realm=YOUR_KERBEROS_REALM --enablelocauthorize --disablekrb5kdcdns --disablekrb5realmdns --disablewinbind --disablewins --disablesmartcard --enablemkhomedir --update
Then edit/create the nslcd.conf file:
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
uid nslcd
gid ldap
# The location at which the LDAP server(s) should be reachable.
uri ldap://YOUR_LDAP_SERVER/
# The search base that will be used for all queries.
base dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3
# The DN to bind with for normal lookups (a read-only lookup account is enough here; it does not need admin rights).
binddn uid=YOUR_ADMIN,ou=YOUR_OU,dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3
# The password for the bind DN above. It is stored in clear text, so make sure this file is not world-readable.
bindpw SECRETPASSWORDHERE
# With ssl set to no, the bind password and all lookups travel to YOUR_LDAP_SERVER in clear text; the cacert directory below is only consulted once TLS is enabled.
ssl no
tls_cacertdir /etc/openldap/cacerts
map passwd homeDirectory "/home/$uid"
Then check the /etc/nsswitch.conf file, making sure the following entries are present:
passwd: files ldap
shadow: files ldap
group: files ldap
Restart nslcd:
/etc/init.d/nslcd restart
nslcd is not available on CentOS 5, so we use sssd instead.
yum install sssd
yum remove nscd
Edit the sssd.conf file to:
[sssd]
domains = YOUR_KERBEROS_DOMAIN
services = nss,pam
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
override_homedir = /home/%u
# A domain with identities provided by LDAP and authentication by Kerberos
[domain/YOUR_KERBEROS_DOMAIN]
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://YOUR_LDAP_SERVER/
ldap_search_base = dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3
#tls_reqcert = demand
# NOTE(review): in sssd the option is spelled ldap_tls_reqcert, and ldap_tls_cacert expects a CA bundle file; a directory of CA certificates is configured with ldap_tls_cacertdir instead — verify against sssd-ldap(5).
ldap_tls_cacert = /etc/openldap/cacerts
ldap_default_bind_dn = uid=YOUR_ADMIN,ou=YOUR_OU,dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3
ldap_default_authtok_type = password
# Clear-text bind password: keep this file root-owned and mode 0600 (newer sssd releases refuse to start otherwise).
ldap_default_authtok = SECRETPASSWORDHERE
krb5_server = YOUR_KERBEROS_SERVER
krb5_realm = YOUR_KERBEROS_REALM
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
Run this authconfig command:
-bash-3.2# authconfig --enablesssdauth --enablesssd --disableldap --update
Then check the /etc/nsswitch.conf file, making sure the following entries are present:
passwd: files sss
shadow: files sss
group: files sss
Restart sssd:
/etc/init.d/sssd restart
Make sure it starts up at boot time:
-bash-3.2# chkconfig --list
iscsi 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
mcstrans 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
multipathd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
puppet 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
-bash-3.2# chkconfig sssd on
-bash-3.2# chkconfig --list
iscsi 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
mcstrans 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
multipathd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
puppet 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off