Setup LDAP and Kerberos on RHEL 7.x
One of the RHCE objectives is to know how to configure a RHEL server to authenticate using LDAP or Kerberos. The video tutorial shows all the steps to install, configure, and test authentication with LDAP and Kerberos.
I have included the steps below as well if you are unable to view the video for any reason.
Testing Connectivity
First, we want to verify we can reach our IPA server.
ping rhellab.den.therootuser.com
If you get positive results, we can continue; if not, you'll need to resolve the DNS issue first.
Install the required packages
yum groups install "Directory Client"
This will give you all the packages required to be able to use sssd.
Copy the certificate from the IPA server
mkdir /etc/openldap/cacerts
scp rhellab.den.therootuser.com:/etc/ipa/ca.crt /etc/openldap/cacerts
Setting up authentication
vim /etc/sysconfig/authconfig
Ensure the following are set:
USESSSDAUTH=yes
USESSSD=yes
FORCELEGACY=no
authconfig-tui
Choose the following options to set up LDAP authentication:
- Cache Information
- Use LDAP
- Use LDAP Authentication
- Use TLS
For the TLS information, we want to point to our IPA server.
Server: rhellab.den.therootuser.com
Base DN: dc=den,dc=therootuser,dc=com
Verify the configuration was done properly.
cat /etc/sssd/sssd.conf
systemctl restart sssd
Testing LDAP authentication
Since this tests authentication via LDAP, make sure you have a user set up on your IPA server to test with.
su - evanwindon
At this time automount is not set up, so you'll see an error when mapping the user's home directory.
We can use the id command to verify we are logged in as that user.
Setting up Kerberos Authentication
We need to go back and make some changes using authconfig-tui.
Let’s install the needed packages
yum install pam_krb5 krb5-workstation authconfig
Choose Kerberos in the options to enable Kerberos authentication.
When you get to the Kerberos Settings section, we can choose "Use DNS to Resolve Hosts to Realms" and "Use DNS to Locate KDCs for Realms".
Otherwise, if you do it manually, you would type in:
Realm: DEN.THEROOTUSER.COM
KDC: rhellab.den.therootuser.com
Admin Server: rhellab.den.therootuser.com
Verifying Kerberos authentication
kinit admin
kinit evanwindon
klist
If all comes back positive, you have successfully set up LDAP and Kerberos on a RHEL server.
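Before trusting the new configuration for logins, it is worth checking the sssd.conf that authconfig wrote rather than just eyeballing it. The script below is an added example, not part of the original tutorial; it assumes authconfig's usual key names (ldap_uri, ldap_id_use_start_tls, ldap_tls_cacertdir, ldap_tls_reqcert, krb5_realm) and runs against two constructed sample configs instead of the live /etc/sssd/sssd.conf.

```shell
# Added example (not from the original tutorial). Checks that the sssd.conf
# authconfig generated really protects LDAP lookups with TLS, validates the
# server certificate against the CA copied from the IPA server, and carries
# the search base and Kerberos realm chosen in authconfig-tui.

# Print the value of KEY from the [domain/...] section of an sssd.conf.
sssd_get() {  # usage: sssd_get FILE KEY
    awk -v key="$2" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//); next }
        in_domain && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, ""); print; exit }
        }' "$1"
}

# Return 0 if FILE enforces TLS and matches the expected settings, else 1;
# each problem found is reported on stderr.
check_sssd_conf() {  # usage: check_sssd_conf FILE
    conf=$1; rc=0
    starttls=$(sssd_get "$conf" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$(sssd_get "$conf" ldap_uri)" in
        ldaps://*) ;;                       # LDAPS is encrypted from the start
        *) [ "$starttls" = true ] ||
           { echo "$conf: LDAP lookups are not protected by TLS" >&2; rc=1; } ;;
    esac
    reqcert=$(sssd_get "$conf" ldap_tls_reqcert)
    case "${reqcert:-hard}" in              # sssd defaults to 'hard' when unset
        demand|hard) ;;
        *) echo "$conf: ldap_tls_reqcert=$reqcert skips certificate checks" >&2; rc=1 ;;
    esac
    case "$(sssd_get "$conf" ldap_tls_cacertdir)$(sssd_get "$conf" ldap_tls_cacert)" in
        /etc/openldap/cacerts*|/etc/ipa/ca.crt) ;;
        *) echo "$conf: TLS CA is not the certificate copied from IPA" >&2; rc=1 ;;
    esac
    [ "$(sssd_get "$conf" ldap_search_base)" = "dc=den,dc=therootuser,dc=com" ] ||
        { echo "$conf: unexpected ldap_search_base" >&2; rc=1; }
    [ "$(sssd_get "$conf" krb5_realm)" = "DEN.THEROOTUSER.COM" ] ||
        { echo "$conf: unexpected krb5_realm" >&2; rc=1; }
    return $rc
}

# Constructed samples: roughly what authconfig writes after this tutorial,
# and a variant with STARTTLS turned off and certificate checking disabled.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
printf '%s\n' '[sssd]' 'domains = default' 'services = nss, pam' '' \
  '[domain/default]' 'id_provider = ldap' 'auth_provider = krb5' \
  'ldap_uri = ldap://rhellab.den.therootuser.com/' \
  'ldap_search_base = dc=den,dc=therootuser,dc=com' \
  'ldap_id_use_start_tls = True' 'ldap_tls_cacertdir = /etc/openldap/cacerts' \
  'krb5_realm = DEN.THEROOTUSER.COM' 'krb5_server = rhellab.den.therootuser.com' > "$GOOD_CONF"
{ sed 's/^ldap_id_use_start_tls = True/ldap_id_use_start_tls = False/' "$GOOD_CONF"
  echo 'ldap_tls_reqcert = never'; } > "$BAD_CONF"
```

Run `check_sssd_conf /etc/sssd/sssd.conf` on the real file after `authconfig-tui` finishes; a non-zero exit with messages on stderr means a setting did not end up the way the tutorial intends.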
If you have any questions about this procedure, please feel free to contact me.
Cheers,
Ivan Windon – RHCSA