
RHEL/CentOS 7 LDAP client config with TLS and self-signed certs

This should work for all CentOS and RHEL 7 clients.

Checklist:
1. Mount home directories
2. Create fstab entry
2b. Install required packages
3. Replace /etc/openldap/ldap.conf (or copy from another configured server)
4. Replace /etc/sssd/sssd.conf (or copy from another configured server)
5. Create certs in /etc/openldap/cacerts
6. Run authconfig
7. Edit /etc/ssh/ssh_config and /etc/ssh/sshd_config (All other default values there seem to be OK)
8. Restart sssd service
9. Restart sshd service
10. Make sure sssd and sshd start always
11. Whenever possible (definitely on servers), make sure hostname is permanently set to the FQDN. This helps with certificate creation and authentication
12. Importing records

1. Mount home directories:

# mount -t nfs trin.bi.up.ac.za:/home /home

2. Create an fstab entry for this as well (one line in /etc/fstab; note that a leading # would comment it out there):

trin.bi.up.ac.za:/home    /home    nfs4    defaults 0 0

2b. Install required packages:

# yum install -y openldap-clients sssd


3. Replace /etc/openldap/ldap.conf with: (or copy from another configured server)

# Location: /etc/openldap/ldap.conf
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

URI ldap://auth.bi.up.ac.za/
BASE dc=bi,dc=up,dc=ac,dc=za

#################EOF


4. Replace /etc/sssd/sssd.conf with: (or copy from another configured server)

# Location: /etc/sssd/sssd.conf
#
[domain/default]
 debug_level=1
 # 'never' means the server certificate is not checked at all; once the
 # self-signed CA is in ldap_tls_cacertdir, 'demand' is the safer setting.
 ldap_tls_reqcert = never
 auth_provider = ldap
 ldap_schema = rfc2307bis
 krb5_realm = #
 ldap_search_base = dc=bi,dc=up,dc=ac,dc=za
 ldap_group_member = uniquemember
 id_provider = ldap
 ldap_id_use_start_tls = True
 chpass_provider = ldap
 ldap_uri = ldap://auth.bi.up.ac.za
 cache_credentials = True
 ldap_tls_cacertdir = /etc/openldap/cacerts
 entry_cache_timeout = 600
 ldap_network_timeout = 3
 autofs_provider = ldap

####################EOF


5. Remember to create certs in /etc/openldap/cacerts like so:

OpenSSL generate self-signed certificate


6. Run:

# authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --ldapserver=ldap://auth.bi.up.ac.za --ldapbasedn=dc=bi,dc=up,dc=ac,dc=za --enablelocauthorize --enableldaptls --update


7. In /etc/ssh/ssh_config and /etc/ssh/sshd_config, make sure the following line is set: (all other default values there seem to be OK)

PasswordAuthentication yes


8. Restart sssd service:

# service sssd restart

9. Restart sshd service:

# service sshd restart


10. Make sure sssd and sshd start always:

Since chkconfig is deprecated :-( 

# systemctl enable sssd

# systemctl enable sshd


The /etc/openldap/ldap.conf and /etc/sssd/sssd.conf files can be copied to another server for config.


Reference: (Some frameworks came from here)

https://code.circayou.com/centos-7-openldap-sssd-authentication/

https://code.circayou.com/continuing-centos-7-openldap-sssd-authentication-setup/

(One of the very few places on the web that does not talk sh#t - it works)


12. Importing records:

User data can be imported (on the server) like so:

Records MUST be of the form below (in a .ldif file); if any additional fields are present (or missing), that record will be skipped. Note that the double colon after userPassword is LDIF syntax for a base64-encoded value, so the crypt hash (e.g. a {CRYPT}... value) must be base64-encoded rather than pasted in raw.

*****
dn: uid=johanns,ou=people,dc=bi,dc=up,dc=ac,dc=za
cn: Johann Swart
gidNumber: 100
givenName: Johann
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: Swart
uid: johanns
uidNumber: 777
homeDirectory: /home/johanns
userPassword:: encrypted passwd hash (crypt algorithm) here
*****

Server command:

ldapmodify -h localhost -c -x -W -D "cn=Administrator,dc=bi,dc=up,dc=ac,dc=za" -a -f filename.ldif

Services do not need to be restarted.
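As an added example (not part of the original page), the following Python builds a record in exactly the step-12 layout, base64-encoding the userPassword value as the '::' syntax requires, and checks a record for the extra or missing attributes that would make ldapmodify -c skip it. The crypt hash passed in is a constructed placeholder, not a real hash.

```python
import base64

# Attribute set the page says each record must carry (no extras, none missing).
REQUIRED_ATTRS = {"cn", "gidNumber", "givenName", "loginShell", "objectClass",
                  "sn", "uid", "uidNumber", "homeDirectory", "userPassword"}
OBJECT_CLASSES = ("top", "posixAccount", "inetOrgPerson")
BASE_DN = "dc=bi,dc=up,dc=ac,dc=za"  # search base from the page


def make_record(uid, given, surname, uid_number, gid_number, crypt_hash,
                base_dn=BASE_DN):
    """Build one LDIF record in the step-12 layout. crypt_hash is a ready
    crypt(3) hash (e.g. a $6$ SHA-512 one; the test uses a constructed
    placeholder). It is stored as {CRYPT}<hash> and, because the page writes
    'userPassword::', base64-encoded as LDIF (RFC 2849) requires for '::'."""
    pw = base64.b64encode(f"{{CRYPT}}{crypt_hash}".encode()).decode()
    lines = [f"dn: uid={uid},ou=people,{base_dn}",
             f"cn: {given} {surname}", f"gidNumber: {gid_number}",
             f"givenName: {given}", "loginShell: /bin/bash"]
    lines += [f"objectClass: {oc}" for oc in OBJECT_CLASSES]
    lines += [f"sn: {surname}", f"uid: {uid}", f"uidNumber: {uid_number}",
              f"homeDirectory: /home/{uid}", f"userPassword:: {pw}"]
    return "\n".join(lines) + "\n"


def check_record(text):
    """Return a list of problems with one LDIF record; empty means it has
    exactly the attributes the page requires and its '::' value decodes."""
    problems, attrs = [], {}
    for line in text.strip().splitlines():
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")          # 'attr:: value' means base64
        attrs.setdefault(name.strip(), []).append((is_b64, rest.lstrip(": ")))
    if "dn" not in attrs:
        problems.append("missing dn")
    present = set(attrs) - {"dn"}
    problems += [f"missing {a}" for a in sorted(REQUIRED_ATTRS - present)]
    problems += [f"unexpected {a}" for a in sorted(present - REQUIRED_ATTRS)]
    for is_b64, value in attrs.get("userPassword", []):
        if is_b64:
            try:
                base64.b64decode(value, validate=True)
            except ValueError:
                problems.append("userPassword uses '::' but value is not base64")
    return problems
```

Write the output of make_record for each user to the .ldif file and run check_record over each record before handing the file to ldapmodify.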