This should work for all CentOS and RHEL 7 clients.

Checklist:
 1. Mount home directories
 2. Create fstab entry
 2b. Install required packages
 3. Replace /etc/openldap/ldap.conf (or copy from another configured server)
 4. Replace /etc/sssd/sssd.conf (or copy from another configured server)
 5. Create certs in /etc/openldap/cacerts
 6. Run authconfig
 7. Edit /etc/ssh/ssh_config and /etc/ssh/sshd_config (all other default values there seem to be OK)
 8. Restart sssd service
 9. Restart sshd service
 10. Make sure sssd and sshd start always
 11. Whenever possible (definitely on servers), make sure the hostname is permanently set to the FQDN. This helps with certificate creation and authentication.
 12. Importing records

1. Mount home directories:

    # mount -t nfs trin.bi.up.ac.za:/home /home

2. Create fstab entry for this also (the line to add to /etc/fstab):

    trin.bi.up.ac.za:/home  /home  nfs4  defaults 0 0

2b. Install required packages:

    # yum install -y openldap-clients sssd

3. Replace /etc/openldap/ldap.conf with the following (or copy from another configured server):

    # Location: /etc/openldap/ldap.conf
    #
    # LDAP Defaults
    #
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE   dc=example,dc=com
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF     never

    TLS_CACERTDIR /etc/openldap/cacerts

    # Turning this off breaks GSSAPI used with krb5 when rdns = false
    SASL_NOCANON on

    URI  ldap://auth.bi.up.ac.za/
    BASE dc=bi,dc=up,dc=ac,dc=za
    #################EOF

4. Replace /etc/sssd/sssd.conf with the following (or copy from another configured server):

    # Location: /etc/sssd/sssd.conf
    #
    [domain/default]
    debug_level = 1
    # "never" means sssd does not verify the LDAP server's certificate at all
    # (see sssd-ldap(5)); the CA directory below is only consulted for stricter settings.
    ldap_tls_reqcert = never
    auth_provider = ldap
    ldap_schema = rfc2307bis
    krb5_realm = #
    ldap_search_base = dc=bi,dc=up,dc=ac,dc=za
    ldap_group_member = uniquemember
    id_provider = ldap
    ldap_id_use_start_tls = True
    chpass_provider = ldap
    ldap_uri = ldap://auth.bi.up.ac.za
    cache_credentials = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    entry_cache_timeout = 600
    ldap_network_timeout = 3
    autofs_provider = ldap
    ####################EOF

5. Remember to create certs in /etc/openldap/cacerts like so: OpenSSL generate self-signed certificate

6. Run:

    # authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --ldapserver=ldap://auth.bi.up.ac.za --ldapbasedn=dc=bi,dc=up,dc=ac,dc=za --enablelocauthorize --enableldaptls --update

7. In /etc/ssh/ssh_config and /etc/ssh/sshd_config, make sure the following line is set (all other default values there seem to be OK):

    PasswordAuthentication yes

8. Restart sssd service:

    # service sssd restart

9. Restart sshd service:

    # service sshd restart

10. Make sure sssd and sshd start always. Since chkconfig is deprecated :-(

    # systemctl enable sssd
    # systemctl enable sshd

The /etc/openldap/ldap.conf and /etc/sssd/sssd.conf files can be copied to another server for config.

Reference (some frameworks came from here):
https://code.circayou.com/centos-7-openldap-sssd-authentication/
https://code.circayou.com/continuing-centos-7-openldap-sssd-authentication-setup/
(One of the very few places on the web that does not talk sh#t - it works)

12. Importing records:

User data can be imported (on the server) like so. Records MUST be of the form below (in a .ldif file); if any additional fields are present (or any are missing), that record will be skipped.

    *****
    dn: uid=johanns,ou=people,dc=bi,dc=up,dc=ac,dc=za
    cn: Johann Swart
    gidNumber: 100
    givenName: Johann
    loginShell: /bin/bash
    objectClass: top
    objectClass: posixAccount
    objectClass: inetOrgPerson
    sn: Swart
    uid: johanns
    uidNumber: 777
    homeDirectory: /home/johanns
    userPassword:: encrypted passwd hash (crypt algorithm) here
    *****

Server command:

    # ldapmodify -h localhost -c -x -W -D "cn=Administrator,dc=bi,dc=up,dc=ac,dc=za" -a -f filename.ldif

Services do not need to be restarted.
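As an added example (not from this page or its author), here is a Python pre-check that parses a .ldif file and reports which records the import above would skip, using the attribute set of the template, and that also flags uidNumbers shared by several records (two accounts with the same uidNumber own each other's files on the NFS home). The required attribute counts, the sample records and the placeholder password hash are constructed assumptions.

```python
import base64
from collections import Counter

# Attribute counts from the template above; any extra or missing attribute skips the record.
REQUIRED = Counter({"dn": 1, "cn": 1, "gidNumber": 1, "givenName": 1, "loginShell": 1,
                    "objectClass": 3, "sn": 1, "uid": 1, "uidNumber": 1, "homeDirectory": 1, "userPassword": 1})
CLASSES = {"top", "posixAccount", "inetOrgPerson"}

def parse_ldif(text):
    """Split LDIF into records of (attr, value) pairs; 'attr::' values are base64-decoded."""
    records, rec = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():                # blank line terminates a record
            if rec:
                records.append(rec)
            rec = []
        elif line.startswith(" ") and rec:  # folded continuation line
            rec[-1] = (rec[-1][0], rec[-1][1] + line[1:])
        else:
            attr, _, val = line.partition(":")
            if val.startswith(":"):
                val = base64.b64decode(val[1:].strip()).decode()
            rec.append((attr, val.strip()))
    return records

def record_problems(rec):
    """Reasons this record would be skipped; an empty list means it is well-formed."""
    found = Counter(a for a, _ in rec)
    problems = [f"{a}: expected {REQUIRED[a]}, found {found[a]}"
                for a in sorted(set(REQUIRED) | set(found)) if REQUIRED[a] != found[a]]
    if {v for a, v in rec if a == "objectClass"} != CLASSES:
        problems.append("objectClass must be exactly top, posixAccount, inetOrgPerson")
    return problems

def check_ldif(text):
    """Problems keyed by dn, plus uidNumbers shared by several records (same UID = same files)."""
    recs = parse_ldif(text)
    report = {dict(r).get("dn", "?"): record_problems(r) for r in recs}
    uids = Counter(dict(r).get("uidNumber") for r in recs)
    report["shared uidNumbers"] = sorted(u for u, n in uids.items() if n > 1)
    return report

# Constructed sample: the page's template record (placeholder hash) plus a copy that drops sn, adds mail, reuses uidNumber 777.
PW = base64.b64encode(b"{CRYPT}PLACEHOLDER_HASH").decode()
GOOD = ("dn: uid=johanns,ou=people,dc=bi,dc=up,dc=ac,dc=za\ncn: Johann Swart\ngidNumber: 100\n"
        "givenName: Johann\nloginShell: /bin/bash\nobjectClass: top\nobjectClass: posixAccount\n"
        "objectClass: inetOrgPerson\nsn: Swart\nuid: johanns\nuidNumber: 777\n"
        "homeDirectory: /home/johanns\nuserPassword:: " + PW + "\n")
BAD = GOOD.replace("johanns", "bad").replace("sn: Swart\n", "mail: bad@example.invalid\n")
SAMPLE = GOOD + "\n" + BAD
```

Run `check_ldif(open("filename.ldif").read())` against the real file before `ldapmodify`; an empty problem list per dn and an empty "shared uidNumbers" list means nothing will be skipped.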