To enable LDAP authentication for an LDAP client by using the Authentication Configuration GUI:
Install the
openldap-clients
package:#
yum install openldap-clients
Run the Authentication Configuration GUI:
#
system-config-authentication
Select LDAP as the user account database and enter values for:
- LDAP Search Base DN
The LDAP Search Base DN for the database. For example:
dc=mydom,dc=com
.- LDAP Server
The URL of the LDAP server including the port number. For example,
ldap://ldap.mydom.com:389
orldaps://ldap.mydom.com:636
.
LDAP authentication requires that you use either LDAP over SSL (
ldaps
) or Transport Layer Security (TLS) to secure the connection to the LDAP server.If you use TLS, click Download CA Certificate and enter the URL from which to download the CA certificate that provides the basis for authentication within the domain.
Select either LDAP password or Kerberos password for authentication.
If you select Kerberos authentication, enter values for:
- Realm
The name of the Kerberos realm.
- KDCs
A comma-separated list of Key Distribution Center (KDC) servers that can issue Kerberos ticket granting tickets and service tickets.
- Admin Servers
A comma-separated list of Kerberos administration servers.
Alternatively, you can use DNS to configure these settings:
Select the Use DNS to resolve hosts to realms check box to look up the name of the realm defined as a
TXT
record in DNS, for example:_kerberos.mydom.com IN TXT "MYDOM.COM"
Select the Use DNS to locate KDCs for realms check box to look up the KDCs and administration servers defined as
SVR
records in DNS, for example:_kerberos._tcp.mydom.com IN SVR 1 0 88 krbsvr.mydom.com _kerberos._udp.mydom.com IN SVR 1 0 88 krbsvr.mydom.com _kpasswd._udp.mydom.com IN SVR 1 0 464 krbsvr.mydom.com _kerberos-adm._tcp.mydom.com IN SVR 1 0 749 krbsvr.mydom.com
Click Apply to save your changes.
Figure 22.3 shows the Authentication Configuration GUI with LDAP selected for the user account database and for authentication.
You can also enable LDAP by using the authconfig command.
To use LDAP as the authentication source, specify the --enableldapauth option together with the full LDAP server URL including the port number and the LDAP Search Base DN, as shown in the following example:.
#authconfig --enableldap --enableldapauth
\--ldapserver=ldaps://ldap.mydom.com:636
\--ldapbasedn="ou=people,dc=mydom,dc=com"
\--update
If you want to use TLS, additionally specify the --enableldaptls option and the download URL of the CA certificate, for example:
#authconfig --enableldap --enableldapauth
\--ldapserver=ldap://ldap.mydom.com:389
\--ldapbasedn="ou=people,dc=mydom,dc=com"
\--enableldaptls
\--ldaploadcacert=https://ca-server.mydom.com/CAcert.pem
\--update
The --enableldap option configures
/etc/nsswitch.conf
to enable the system to use LDAP and SSSD for
information services. The --enableldapauth option enables LDAP
authentication by modifying the PAM configuration files in /etc/pam.d
to
use the pam_ldap.so
module.
For more information, see the authconfig(8)
,
pam_ldap(5)
, and nsswitch.conf(5)
manual
pages.
For information about using Kerberos authentication with LDAP, see Section 22.6.3, “Enabling Kerberos Authentication”.
You must also configure SSSD to be able to access information in LDAP. See Section 22.4.10.1, “Configuring an LDAP Client to use SSSD”.
If your client uses automount maps stored in LDAP, you must configure
autofs
to work with LDAP. See Section 22.4.10.2, “Configuring an LDAP Client to Use Automount Maps”.