The Authentication Configuration GUI and authconfig configure access to LDAP via sss entries in /etc/nsswitch.conf, so you must configure the System Security Services Daemon (SSSD) on the LDAP client.
To configure an LDAP client to use SSSD:
Install the sssd and sssd-client packages:
# yum install sssd sssd-client
Edit the /etc/sssd/sssd.conf configuration file and configure the sections to support the required services, for example:

[sssd]
config_file_version = 2
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
ldap_id_use_start_tls = true
ldap_search_base = dc=mydom,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
auth_provider = krb5
chpass_provider = krb5
krb5_realm = MYDOM.COM
krb5_server = krbsvr.mydom.com
krb5_kpasswd = krbsvr.mydom.com
cache_credentials = true

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
ldap_search_base = dc=mydom,dc=com
auth_provider = krb5
krb5_realm = MYDOM.COM
krb5_server = kdcsvr.mydom.com
cache_credentials = true
min_id = 5000
max_id = 25000
enumerate = false

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

Change the mode of /etc/sssd/sssd.conf to 0600:
# chmod 0600 /etc/sssd/sssd.conf
Enable the SSSD service:
# authconfig --update --enablesssd --enablesssdauth
For more information, see the sssd.conf(5) manual page and Section 22.8, “About the System Security Services Daemon”.
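As an added example (not part of the original documentation), the following Python script checks two security-relevant points of this procedure: that sssd.conf is not accessible beyond its owner, and that each id_provider = ldap domain protects its LDAP connection with ldaps:// or ldap_id_use_start_tls. The function names are hypothetical, and SAMPLE is abridged from the configuration shown above.

```python
import configparser
import os
import stat

# Abridged from the sssd.conf shown above (Kerberos, [nss] and [pam] keys omitted).
SAMPLE = """\
[sssd]
domains = default
services = nss, pam
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
ldap_id_use_start_tls = true
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
"""

def mode_findings(path):
    """Flag an sssd.conf that group or other can read, write or execute."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path}: mode {mode:04o}, expected 0600"] if mode & 0o077 else []

def tls_findings(text):
    """Flag id_provider = ldap domains that use neither ldaps:// nor StartTLS."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    listed = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")}
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider", "").strip().lower() != "ldap":
            continue
        # ldap_id_use_start_tls defaults to false when absent (sssd-ldap(5)).
        start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        for uri in (u.strip() for u in dom.get("ldap_uri", "").split(",")):
            if uri and not uri.lower().startswith("ldaps://") and not start_tls:
                state = "listed" if section[len("domain/"):] in listed else "not listed"
                findings.append(f"[{section}] {uri}: cleartext LDAP ({state} in [sssd] domains)")
    return findings

if __name__ == "__main__":
    for line in tls_findings(SAMPLE):
        print(line)
    if os.path.exists("/etc/sssd/sssd.conf"):
        for line in mode_findings("/etc/sssd/sssd.conf"):
            print(line)
```

On the sample, only [domain/LDAP] is reported: it sets no ldap_id_use_start_tls, and it is not named in the domains line of [sssd].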