Setup LDAP and Kerberos on RHEL 7.x

One of the RHCE objectives is to know how to configure a RHEL server to authenticate using LDAP or Kerberos.  The video tutorial shows all the steps to install, configure, and test authentication with LDAP and Kerberos.

I have included the steps below as well if you are unable to view the video for any reason.

Testing Connectivity

First, we want to verify we can reach our IPA server.

ping rhellab.den.therootuser.com

If the host answers, we can continue; if not, you’ll need to resolve the DNS issue first.

Install the required packages

yum groups install "Directory Client"

This installs all the packages required to use sssd.

Copy the certificate from the IPA server

mkdir /etc/openldap/cacerts
scp rhellab.den.therootuser.com:/etc/ipa/ca.crt /etc/openldap/cacerts

Setting up authentication

vim /etc/sysconfig/authconfig

Ensure the following are set:

USESSSDAUTH=yes
USESSSD=yes
FORCELEGACY=no

Then launch the text-mode configuration tool:

authconfig-tui

Choose the following options to set up LDAP authentication:

  • Cache Information
  • Use LDAP
  • Use LDAP Authentication
  • Use TLS

For the TLS information, we want to point to our IPA server.

Server: rhellab.den.therootuser.com

Base DN: dc=den,dc=therootuser,dc=com

Verify the configuration was done properly.

cat /etc/sssd/sssd.conf
systemctl restart sssd

Testing LDAP authentication

As this tests authentication via LDAP, make sure you have a user set up on your IPA server to test with.

su - evanwindon

Automounting is not set up at this point, so you’ll see an error about mounting the user’s home directory.

We can use the id command to verify we are logged in as that user.

Setting up Kerberos Authentication

We need to go back and make some changes using authconfig-tui.

Let’s install the needed packages

yum install pam_krb5 krb5-workstation
authconfig-tui

Choose Kerberos in the options to enable Kerberos authentication

When you get to the Kerberos Settings section, choose "Use DNS to Resolve Hosts to Realms" and "Use DNS to Locate KDCs for Realms".

Otherwise, if you do it manually you would type in:

Realm: DEN.THEROOTUSER.COM

KDC: rhellab.den.therootuser.com

Admin Server: rhellab.den.therootuser.com

Verifying Kerberos authentication

kinit admin
kinit evanwindon
klist

If all of these come back positive, you have successfully set up LDAP and Kerberos authentication on a RHEL server.
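As an added check that is not part of the original post, the script below reads an sssd.conf and confirms that the LDAP and Kerberos settings from the steps above ended up as intended: TLS protecting directory traffic, the IPA CA referenced and not bypassed, and the realm spelled in upper case with a KDC set. Key names are SSSD's own; the sample file it writes at the end is constructed for the demonstration.

```shell
# Added example, not code from the original post: sanity-check the settings
# authconfig-tui is expected to have written into /etc/sssd/sssd.conf.
# Key names are SSSD's own; the sample file at the bottom is constructed.
sssd_get() {   # sssd_get FILE SECTION KEY -> value of KEY in [SECTION], or empty
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec    { insec = 1; next }
        /^\[/        { insec = 0 }
        insec && /=/ { k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
                       if (k == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit } }
    ' "$1"
}

check_sssd_conf() {   # check_sssd_conf FILE -> 0 if every check passes, 1 otherwise
    f="$1"; rc=0
    dom=$(sed -n 's/^\[\(domain\/[^]]*\)\].*/\1/p' "$f" | head -n1)
    [ -n "$dom" ] || { echo "FAIL: no [domain/...] section"; return 1; }
    # Directory traffic must be protected by TLS: either ldaps:// or STARTTLS.
    uri=$(sssd_get "$f" "$dom" ldap_uri)
    case "$uri:$(sssd_get "$f" "$dom" ldap_id_use_start_tls)" in
        ldaps://*|*:[Tt]rue) ;;
        *) echo "FAIL: '$uri' without ldap_id_use_start_tls"; rc=1 ;;
    esac
    # The IPA CA copied to /etc/openldap/cacerts must be referenced, and certificate
    # verification must not have been relaxed with ldap_tls_reqcert = never/allow.
    [ -n "$(sssd_get "$f" "$dom" ldap_tls_cacertdir)$(sssd_get "$f" "$dom" ldap_tls_cacert)" ] || { echo "FAIL: no ldap_tls_cacert/ldap_tls_cacertdir"; rc=1; }
    case "$(sssd_get "$f" "$dom" ldap_tls_reqcert)" in
        never|allow) echo "FAIL: ldap_tls_reqcert disables certificate checks"; rc=1 ;;
    esac
    # After the Kerberos step, auth_provider is krb5 with an upper-case realm and a KDC.
    auth=$(sssd_get "$f" "$dom" auth_provider)
    if [ "$auth" = krb5 ]; then
        realm=$(sssd_get "$f" "$dom" krb5_realm)
        [ -n "$realm" ] && [ "$realm" = "$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')" ] || { echo "FAIL: krb5_realm '$realm' should be upper-case"; rc=1; }
        [ -n "$(sssd_get "$f" "$dom" krb5_server)" ] || { echo "FAIL: krb5_server not set"; rc=1; }
    fi
    return $rc
}

# Constructed sample in the shape authconfig writes for the server in this post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam
[domain/default]
auth_provider = krb5
ldap_uri = ldap://rhellab.den.therootuser.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = DEN.THEROOTUSER.COM
krb5_server = rhellab.den.therootuser.com
EOF
check_sssd_conf "$SAMPLE_CONF" && echo "sssd.conf passes all checks"
```

Run it against the real file with `check_sssd_conf /etc/sssd/sssd.conf` after `systemctl restart sssd`; each failed check prints one FAIL line.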

If you have any questions about this procedure, please feel free to contact me.

Cheers,

Ivan Windon – RHCSA

Ivan Windon

Ivan Windon is a Site Reliability Engineer at IBM. Ivan is actively engaged in Cloud Technologies with AWS, Google, and Azure. Ivan has extensive experience with Linux and Windows administration, DNS, Networking, IDM, and Security. In his free time, he enjoys being with his wife and two children. The family enjoys hiking, and traveling when able. His favorite locations are Yosemite NPS, and San Francisco, California.
