Two available options
As the authconfig-tui command is deprecated, you should prefer to use the authconfig command.
In this case, you’ve got two options: nslcd or sssd.
The nslcd option
Install the following packages:
# yum install -y openldap-clients nss-pam-ldapd
Then, type:
# authconfig --enableforcelegacy --update
# authconfig --enableldap --enableldapauth \
  --ldapserver="instructor.example.com" \
  --ldapbasedn="dc=example,dc=com" --update
Note: Depending on your requirements, you may need to add the --enablemkhomedir option. This option creates a local home directory for the user at first login if none exists.
Put the CA certificate into the /etc/openldap/cacerts directory:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
  /etc/openldap/cacerts/cert.pem
Activate the TLS option:
# authconfig --enableldaptls --update
Test the configuration:
# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
The sssd option
Install the following package:
# yum install -y sssd
Then, type:
# authconfig --enableldap --enableldapauth \
  --ldapserver="instructor.example.com" \
  --ldapbasedn="dc=example,dc=com" --update
Note: Depending on your requirements, you may need to add the --enablemkhomedir option. This option creates a local home directory for the user at first login if none exists.
Put the CA certificate into the /etc/openldap/cacerts directory:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
  /etc/openldap/cacerts/cert.pem
Activate the TLS option:
# authconfig --enableldaptls --update
Test the configuration:
# getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash
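A successful getent lookup only proves that name resolution works, not that the client actually verifies the LDAP server's certificate. The following audit script is an added example, not part of the original tutorial: it reads the [domain/...] section of an sssd.conf-style file (the standard sssd-ldap option names ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert, ldap_tls_cacert and ldap_tls_cacertdir) and flags settings that silently weaken TLS, such as the ldap_tls_reqcert = never shortcut sometimes used with self-signed certificates instead of installing the CA certificate in /etc/openldap/cacerts. The two configurations it checks are constructed samples.

```shell
# Audit the TLS settings of an SSSD LDAP domain: reads the [domain/<name>]
# section of an sssd.conf-style file and prints one finding per line.
# A clean configuration prints nothing.

# Last value of a key inside a section; values may contain "=" (base DNs do).
conf_get() {   # $1 = file, $2 = section name, $3 = key
    awk -v sec="[$2]" -v k="$3" '
        /^\[/ { insec = ($0 == sec); next }
        !insec || /^[[:space:]]*[#;]/ || !/=/ { next }
        { i = index($0, "="); key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
          if (key == k) last = val }
        END { print last }' "$1"
}

audit_ldap_domain() {   # $1 = sssd.conf path, $2 = SSSD domain name
    local f="$1" sec="domain/$2" uri reqcert
    uri=$(conf_get "$f" "$sec" ldap_uri)
    case "$uri" in
        ldaps://*) ;;   # TLS is negotiated before any LDAP traffic
        ldap://*)       # plain port 389: StartTLS has to be requested explicitly
            [ "$(conf_get "$f" "$sec" ldap_id_use_start_tls | tr 'A-Z' 'a-z')" = true ] ||
                echo "ldap_uri is $uri but ldap_id_use_start_tls is not true" ;;
        *) echo "ldap_uri is missing or not an ldap(s):// URI: '$uri'" ;;
    esac
    reqcert=$(conf_get "$f" "$sec" ldap_tls_reqcert)
    case "$reqcert" in
        never|allow) echo "ldap_tls_reqcert = $reqcert: server certificate is not verified" ;;
    esac
    [ -n "$(conf_get "$f" "$sec" ldap_tls_cacert)$(conf_get "$f" "$sec" ldap_tls_cacertdir)" ] ||
        echo "no ldap_tls_cacert or ldap_tls_cacertdir: nothing to validate the server against"
}

# Constructed sample configurations (not taken from a real system).
WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[domain/example.com]
ldap_uri = ldap://instructor.example.com
ldap_tls_reqcert = never
EOF
cat > "$FIXED_CONF" <<'EOF'
[domain/example.com]
ldap_uri = ldap://instructor.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
EOF
audit_ldap_domain "$WEAK_CONF" example.com    # three findings; the fixed file prints none
```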
Source: Ramdev’s blog.
Additional Resources
You may be interested in reading the Red Hat SSSD troubleshooting page.
Willem D’Haese wrote an article about Realmd and SSSD Active Directory Authentication.
Will I be able to install these packages “openldap-clients nss-pam-ldapd authconfig-gtk” in the exam, are these packages provided in the RHCSA exam?
I don’t know for the authconfig-gtk package because it requires a graphical interface but, concerning the two others, you will be able to install them during the exam. Also, you have to keep in mind that setting up a repository (local or remote) can be part of the exam.
You wrote “… As the authconfig-tui command is deprecated …”. authconfig-tui is available in RHEL/CentOS 7.1 and 7.2. On what version of RHEL is authconfig-tui deprecated. I was counting on it being available.
The authconfig-tui command is definitively deprecated. But this doesn’t mean you can’t use it with RHEL 7 anymore. The command is still there and you can use it.
However, all the new features (appearing in RHEL 7 included) will not be backported and this command will disappear with RHEL 8. Why would you learn a command about to disappear? I can only see an explanation: because it’s easier. I think it’s certainly possible to find a way to memorize the necessary arguments to use with the authconfig command.
Thanks for the explanation. You are right, it is easier to remember. In preparing for the exam, I’m trying to reduce the amount of facts that must be remembered. Once I am working in the field, I won’t have to memorize everything.
I will try to find a way to sum up all the LDAP client side configuration.
For the time being, I’m sticking with what is working.
I’m still open to any shortcut.
In chapter 6 of Sander’s book he uses authconfig-tui. After configuring an ipa server exactly like in appendix D of the book, I followed the steps to the letter in appendix D and the exercise in chapter 6, but no go. I couldn’t authenticate with an ldap user, I kept getting user does not exist. I am running 7.2. I’m not sure that authconfig-tui is writing the correct settings to nslcd.conf. However the authconfig method works perfect, just more to remember. So much for an easier method. Has anyone else had any luck with the tui method post RHEL 7.0?
Thanks for the blog, you are awesome!
I’m having the same problem in Rhel 7 and also I tried above steps with both methods but still not able to set. Everything works except this command:
# scp root@instructor.example.com:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem.
I get the message instructor.example.com is not resolved.
If anybody has ideas please share with me.
Thanks.
You need to edit your local /etc/hosts file to add a line with the IP address and Fully Qualified Domain Name of the LDAP server:
192.168.x.y instructor.example.com
The other option is to configure a DNS server.
Figured I’d add this because I’ve had significant complications with this as I follow along in van Vugt’s book. The server I have is configured according to Appendix D in his book and the following works for me,
Using SSSD and authconfig,
Install package sssd
echo "ip-of-server instructor.example.com instructor" >> /etc/hosts
authconfig --enableldap --enableldapauth --ldapserver=instructor.example.com --ldapbasedn=dc=instructor,dc=com --enablemkhomedir --update
Using SSSD and authconfig-gtk,
yum install -y sssd authconfig-gtk
echo "ip-of-server instructor.example.com instructor" >> /etc/hosts
scp instructor:/etc/ipa/ca.crt /etc/openldap/cacerts
Run authconfig-gtk, User Account Database: LDAP, check “Use TLS to encrypt connections”
systemctl restart sssd
Thanks.
Hi CertDepot,
Can we use systemctl isolate graphical.target to change over to graphical user mode from non-graphical mode and configure using the command system-config-authentication?
Can this be done in the exam?
It could be but it’s not sure. You can’t suppose that a GUI will be available.
Thanks, it’s working.
Thanks for this nice tutorial, I don’t see any difference in all the three methods that you have described for ldap authentication. Would you be kind enough to briefly write any differences?
There are differences in which files are written into and which daemons are started but I’m not able at this time to describe all of them: it’s a difficult work to do because it depends on the version of RHEL 7 (7.0, 7.1, 7.2) and the level of patches applied for each of the packages involved (pam, sssd, etc). This is the reason why Sander van Vugt advises to install the package group called Directory Client and to keep the same minor version when preparing the exam without any patch.
what about the lines below ? it worked for me with the additional settings added to /etc/sssd/sssd.conf (there is no tls for this free online ldap server, but that would be quite trivial to configure on the client)
yum install sssd sssd-client
authconfig --enableldap --enableldapauth --ldapserver="ldap.forumsys.com" --ldapbasedn="dc=example,dc=com" --update
authconfig --enablesssd --update
#it seems to be working also with anonymous bind
#ldap_default_bind_dn = cn=read-only-admin,dc=example,dc=com
#ldap_default_authtok = password
ldap_tls_reqcert = never
#testing:
getent passwd tesla (the only posixuser defined in ldap)
ssh tesla@localhost
Interesting. I could not get the sssd method to work, but the nslcd method worked first try no issues. Other than a package difference on install and the:
# authconfig --enableforcelegacy --update
command, they are pretty much the same. The sssd option kept giving me the user not found error.
So a few questions:
1) Should I be concerned, or just use the nslcd method if asked to do so on the exam?
2) While not listed, I tried to reapply the SELinux context to the downloaded cert.pem file on the client. It was the same before and after anyway. Did I do something incorrect, or is the SELinux context not going to be an issue anyway?
3) I tested having the ldap server ip and hostname in the /etc/hosts and with it commented out. The test I used (su - ldapuser02) worked in either case. Is that normal and/or should the ldapserver ip/hostname be in the /etc/hosts file normally?
Thanks!
SK
Did I ask a stupid question that was already answered, or did I stump everyone. =)
When you talk about “the LDAP server certificate”, do you mean a CA ldap certificate? I am having problems with the cert when I start SSSD. Should I: 1)generate a CA cert from the server 2) generate a normal cert for the ldap server 3)Sign the ldap cert with the CA 4)transfer the new signed cert to the client? I am working with RHEL 7.
Do what is in the tutorial: create a self-signed certificate. There is no need for a CA cert here.
Following the sander’s video tutorial, I have been practising ldap client configuration using authconfig-gtk. But as you replied in another comment that since its a graphical interface, it may not be available in the exam. I am curious to know is there any restriction on using graphical environment on the rhcsa exam?
As I’m sure the Command Line Interface will be available during the exam ;), I advise to use it. However, the graphical environment is perhaps available but I can’t give you any additional information on this point.
Independently of whether a GUI is available on the exam or not, you can always install it yourself if you believe it’s reasonable. There are no restrictions in terms of using a GUI. If it’s pre-installed – use it, if it’s not installed, then install and use it.
So as far as exam is concerned, we will be given the ldap server name and url of the ca certificate as provided info, rest of the settings we have to figure out. Am I correct?
Yes, I think you are correct.
For those getting “User does not exist”:
authconfig --enablerfc2307bis --update
since RHEL 7.2 something has changed and causes the error due to an incorrect ldap_schema setting. Source: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp37833632
yum install sssd
authconfig --enablesssd --enablesssdauth --update
authconfig --enablerfc2307bis --update
authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com --ldaploadcacert=ftp://ldap.example.com/pub/cacert.p12 --enableldaptls --update
Btw --ldaploadcacert saves you some time instead of copying and creating the /etc/openldap/cacerts dir… 😉
And with a self-signed cert don’t forget to add
ldap_tls_reqcert = never
to /etc/sssd/sssd.conf and restart the sssd.service. On the exam just remember: authconfig --help | egrep "sssd|ldap|rfc"
Thanks a lot for this. I will add a link in the tutorial to the SSSD troubleshooting page that you mentioned.
Thank you, this site helped me a lot in preparation for the ex200 exam, which I passed with 300/300 in Paris, next week hoping to pass the ex300 exam in Amsterdam.
Congratulations and I wish you all the best for this new exam.
To remember the different options, I found this tip helping. Just type authconfig | grep ldap. It’ll show all the required ldap options. Helps a lot to remember.
Interesting tip. Thanks.
^^ VERY helpful tip. I remember it as 1 4 2 – as in, to setup with nslcd, it’s 1 argument (--enableforcelegacy) plus --update, then 4 arguments plus --update, then 2 arguments plus --update.
I also tried doing some weird things, to emulate what happens, for example, if you yum install sssd nss-pam-ldapd openldap-clients all together, then do/don’t run --enableforcelegacy. Or if you accidentally install these things after running authconfig commands, then rebooting, then running the authconfig commands again. Generally, it seems the LDAP client software is pretty robust, and always lets you login to ldapuser02, as long as the correct sequence of install *then* authconfig are run last. Also, I was only testing the LDAP side with these strange combinations, not in combination with autofs, though I can’t see why there’d be a problem with autofs, as long as you *can* login to an LDAP user and whoami shows an LDAP username.
Can we change/modify ldap accounts such as change password gid and so on?
if yes, How?
Nobody will ask you to change/modify a ldap account. It’s not an exam objective.
Thanks for this, just working on a way of remembering it.
Hi there, please advise if you can, Redhat recommends to use ipa-client-install instead of authconfig (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-install.html), is LDAP a part of identity management system? I didn’t have any luck with authconfig to configure the client but using api-client-install was very quick and easy, first you install "Directory Client" (# yum -y group install "Directory Client"), which installs both sssd and ipa-client, then run api-client-install --mkhomedir.
Basically my question is can I use api-client-install instead of authconfig? Thank you
This question was already asked at least one year and half ago. And, as before, I don’t have the answer.
The secure way is to use the authconfig or authconfig-tui commands, even though the latter has been deprecated.
Using the api-client-install command may work but it’s your call.
Hi Certdepot, do you have a ldapserver configuration here? I need to setup ldapserver in rhel7 to test my ldapserver client.
Thanks
Here it is: http://www.pmsas.pr.gov.br/wp-content/?id=certdepot-EX200&exam=rhel7-configure-ldap-directory-service-user-connection/
Also to some people here, same with my thoughts. I think authconfig-tui is easy? right? you will just type the address and you are good? Can somebody please tell me how do you test if your ldap client is working?
Thank you
Here it is: http://www.pmsas.pr.gov.br/wp-content/?id=certdepot-EX200&exam=rhel7-configure-system-use-existing-ldap-directory-service-user-group-information/
The easiest way to test if your LDAP client is working is to try to log into the system with some LDAP user.
I’m sorry, can you tell me the differences between nslcd option and sssd option? I see the two configurations are the same.
not getting output of command : getent passwd ldapuser02
Hi all, is the installation of openldap and openldap-clients necessary if I use sssd?
Yes, it is necessary. SSSD doesn’t replace openldap packages.
Just a little input…”Put the LDAP server certificate into the /etc/openldap/cacerts directory:” should say Put the CA certificate into the /etc/openldap/cacerts directory:
Done. Thanks.