3.4.3 About LDAP Authentication

LDAP allows systems to access centrally stored information over a network. LDAP servers store the information in a directory-based database that is optimized for searching. Directory entries are arranged in a hierarchical tree-like structure that can store a variety of information such as names, addresses, phone numbers, authentication data, network services, printers, and many other types of data. LDAP can also be used to authenticate users, allowing users to access their account from any machine on the LDAP network.

An entry is the basic unit of information within an LDAP directory. Each entry has one or more attributes. Each attribute has a name, a type or description, and one or more values. Examples of types are cn for common name and mail for an email address. In addition, the objectClass attribute allows you to control which attributes are required and which are optional. The values of objectClass determine the schema rules that an entry must obey.

Each entry in an LDAP directory is uniquely identified and referenced by its Distinguished Name (DN). The DN is constructed by taking the name of the entry itself (called the Relative Distinguished Name or RDN) and concatenating the names of its ancestor entries, known as the LDAP Search Base DN. For example, the DN for a user with an RDN of uid=gab451 might be similar to uid=gab451,ou=People,dc=mydomain,dc=com, where ou=People,dc=mydomain,dc=com is the LDAP Search base DN, ou stands for Organizational Unit and dc stands for Domain Component.

To be able to configure LDAP authentication, use yum to install the openldap-clients package.

If you use the Authentication Configuration GUI and select LDAP as the user account database, you are prompted to enter the LDAP Search Base DN and the URL of the LDAP server including the port number (for example, ldap://ldap-svr.mydomain.com:389).

You can configure LDAP to use either LDAP authentication or Kerberos authentication. LDAP authentication requires that you use either LDAP over SSL (ldaps) or Transport Layer Security (TLS) to secure the connection to the LDAP server. If you use TLS, you must enter the URL from which to download the CA certificate that provides the basis for authentication within the domain.

You can also enable and configure LDAP by using the authconfig command.

To use LDAP as the authentication source, specify the --enableldapauth option together with the full LDAP server URL (including the port number) and the LDAP Search Base DN, as shown in the following example:

# authconfig --enableldap --enableldapauth \
  --ldapserver=ldap://ldap-svr.mydomain.com:389 \
  --ldapbasedn="ou=people,dc=mydomain,dc=com" \
  --update

If you want to use TLS, additionally specify the --enableldaptls option and the download URL of the CA certificate:

# authconfig --enableldap --enableldapauth \
  --ldapserver=ldap://ldap-svr.mydomain.com:389 \
  --ldapbasedn="ou=people,dc=mydomain,dc=com" \
  --enableldaptls \
  --ldaploadcacert=https://ca-server.mydomain.com/caCert.crt \
  --update
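The following script is an added example and is not part of this guide or of authconfig. It checks the three values used in the commands above before they are handed to authconfig: that the server URL has a scheme and port, that the configuration satisfies the requirement that LDAP authentication use ldaps or TLS (with the CA certificate fetched over https), and that the Search Base DN is well formed; it also composes an entry DN from an RDN and the base DN as described earlier. The function names and the yes/no TLS flag are assumptions made for the example; the script only validates and prints, it never runs authconfig.

```shell
# Added pre-flight checks for the authconfig LDAP options (example code, not
# from the Oracle Linux documentation). TLS flag "yes"/"no" is assumed here.

# ldap_url_ok URL -> 0 if URL is ldap://host:port or ldaps://host:port
ldap_url_ok() {
    case "$1" in
        ldap://?*:[0-9]*|ldaps://?*:[0-9]*) ;;
        *) return 1 ;;
    esac
    port=${1##*:}                      # text after the last colon
    case "$port" in
        *[!0-9]*) return 1 ;;          # port must be purely numeric
    esac
    return 0
}

# ldap_auth_secure URL TLS(yes|no) CACERT_URL -> 0 only if credentials are
# protected in transit: ldaps://, or ldap:// with --enableldaptls and an
# https:// CA certificate download (so the CA itself is fetched over TLS).
ldap_auth_secure() {
    ldap_url_ok "$1" || return 1
    case "$1" in ldaps://*) return 0 ;; esac
    [ "$2" = yes ] || return 1
    case "$3" in https://?*) return 0 ;; esac
    return 1
}

# basedn_ok DN -> 0 if DN is a comma-separated list of attr=value RDNs
basedn_ok() {
    case "$1" in ''|,*|*,|*,,*) return 1 ;; esac
    rest=$1
    while [ -n "$rest" ]; do
        case "${rest%%,*}" in ?*=?*) ;; *) return 1 ;; esac
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
    done
    return 0
}

# build_dn RDN BASEDN -> prints the entry DN (RDN followed by the base DN)
build_dn() { printf '%s,%s\n' "$1" "$2"; }

# Demo with the server URL from this section, without and with TLS.
for tls in no yes; do
    if ldap_auth_secure ldap://ldap-svr.mydomain.com:389 "$tls" https://ca-server.mydomain.com/caCert.crt; then
        echo "ldap:// with tls=$tls: accepted"
    else
        echo "ldap:// with tls=$tls: rejected, passwords would cross the network in the clear"
    fi
done
```

The first authconfig command above (plain ldap://, no --enableldaptls) is the case the script rejects; the second, with --enableldaptls and an https CA download, is accepted.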

For information about using Kerberos authentication with LDAP, see Section 3.4.6, “About Kerberos Authentication”.

For more information, see the authconfig(8) manual page.

For more information about LDAP, see the ldap(3) manual page.