Thursday 11 December 2014

Making an LDAP client for user authentication - CentOS 6 and 5

Install the software:
yum install nss-pam-ldapd nscd pam_krb5 

-bash-3.2# authconfig --enablecache --enableshadow --passalgo=sha512 --disablenis --enableldap --ldapserver="ldap://YOUR_LDAP_SERVER" --ldapbasedn="dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3" --enablekrb5 --krb5kdc=YOUR_KERBEROS_DOMAIN --krb5adminserver=YOUR_KERBEROS_SERVER --krb5realm=YOUR_KERBEROS_REALM --enablelocauthorize --disablekrb5kdcdns --disablekrb5realmdns --disablewinbind --disablewins --disablesmartcard --enablemkhomedir --update

Then edit/create the nslcd.conf file:
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# User and group nslcd drops privileges to after start-up (nslcd.conf(5)).
uid nslcd
gid ldap

# The location at which the LDAP server(s) should be reachable.
# NOTE(review): a plain ldap:// uri combined with "ssl no" below means the
# simple bind (binddn + bindpw) and every lookup cross the network in
# cleartext; prefer an ldaps:// uri or "ssl start_tls" so the credential
# and directory data are protected in transit.
uri ldap://YOUR_LDAP_SERVER/

# The search base that will be used for all queries.
base dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3

# The DN to bind with for normal lookups.
# NOTE(review): this should be a read-only service account rather than a
# directory administrator — its password is stored in cleartext on the
# next stanza, so a compromise of this host exposes whatever that DN can do.
binddn uid=YOUR_ADMIN,ou=YOUR_OU,dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3

# The password
# NOTE(review): because bindpw is present, nslcd.conf(5) asks for this file
# to be readable by root only (chmod 0600 /etc/nslcd.conf); nslcd reads it
# before dropping to the uid/gid above, so nothing else needs access.
bindpw SECRETPASSWORDHERE

# NOTE(review): "ssl no" disables both LDAPS and StartTLS. "ssl start_tls"
# plus "tls_reqcert demand" would make nslcd verify the server certificate
# against tls_cacertdir below; authconfig's --enableldaptls switch normally
# sets this — the command at the top of the page does not pass it.
ssl no
tls_cacertdir /etc/openldap/cacerts

# Replace the directory's homeDirectory attribute with /home/<uid>.
map passwd homeDirectory "/home/$uid"
Then check the /etc/nsswitch.conf file, making sure the following entries are present:
passwd:     files ldap
shadow:     files ldap
group:      files ldap
Restart nslcd:
/etc/init.d/nslcd restart
nslcd is not available on CentOS 5, so we use sssd instead.
yum install sssd
yum remove nscd
Edit the sssd.conf file so that it contains:
# NOTE(review): sssd refuses to start unless this file is owned by root
# with mode 0600 — it holds ldap_default_authtok in cleartext below.
[sssd]
# NOTE(review): every name listed in "domains" must match a [domain/NAME]
# section in this file. Here the list says ADS.BRIS.AC.UK while the only
# section is [domain/YOUR_KERBEROS_DOMAIN]; make the two identical or sssd
# will not load the domain.
domains = ADS.BRIS.AC.UK
services = nss,pam
config_file_version = 2
 
[nss]
# Exclude the local root user and group from sss NSS lookups (sssd.conf(5)
# filter_users / filter_groups), so root always resolves from local files.
filter_groups = root
filter_users = root
override_homedir = /home/%u
 
# A domain with identities provided by LDAP and authentication by Kerberos
[domain/YOUR_KERBEROS_DOMAIN]
enumerate = false
 
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
 
# NOTE(review): a plain ldap:// uri without "ldap_id_use_start_tls = true"
# sends the bind password (ldap_default_authtok) unencrypted; enable
# StartTLS or use an ldaps:// uri.
ldap_uri = ldap://YOUR_LDAP_SERVER/
ldap_search_base = dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3
# NOTE(review): the sssd-ldap(5) option is spelled ldap_tls_reqcert, so the
# line below would have no effect even if it were uncommented.
#tls_reqcert = demand
# NOTE(review): ldap_tls_cacert expects a CA bundle *file*; the nslcd.conf
# section above uses this same path as a certificate *directory*, which in
# sssd is ldap_tls_cacertdir — confirm which one /etc/openldap/cacerts is,
# otherwise certificate verification cannot succeed when TLS is turned on.
ldap_tls_cacert = /etc/openldap/cacerts
# NOTE(review): as with nslcd, use a read-only service account here rather
# than a directory administrator.
ldap_default_bind_dn = uid=YOUR_ADMIN,ou=YOUR_OU,dc=YOUR_DC1,dc=YOUR_DC2,dc=YOUR_DC3
ldap_default_authtok_type = password
ldap_default_authtok = SECRETPASSWORDHERE
 
krb5_server = YOUR_KERBEROS_SERVER
krb5_realm = YOUR_KERBEROS_REALM
# Per-user credential caches go under /tmp, named from the template below
# (%d = ccachedir, %U = numeric uid; the XXXXXX suffix is randomised).
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
Run this authconfig command:
-bash-3.2$ authconfig --enablesssdauth --enablesssd --disableldap --update
Then check the /etc/nsswitch.conf file, making sure the following entries are present:
passwd:     files sss
shadow:     files sss
group:      files sss
Restart sssd:
/etc/init.d/sssd restart
Make sure it starts up at boot time:
-bash-3.2# chkconfig --list
iscsi           0:off   1:off   2:off   3:on    4:on    5:on    6:off
iscsid          0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
puppet          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sssd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
-bash-3.2# chkconfig sssd on
-bash-3.2# chkconfig --list
iscsi           0:off   1:off   2:off   3:on    4:on    5:on    6:off
iscsid          0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
puppet          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sssd            0:off   1:off   2:on    3:on    4:on    5:on    6:off