24.4.10 Enabling LDAP Authentication

To enable LDAP authentication for an LDAP client by using the Authentication Configuration GUI:

  1. Install the openldap-clients package:

    # yum install openldap-clients
  2. Run the Authentication Configuration GUI:

    # system-config-authentication
  3. Select LDAP as the user account database and enter values for:

    LDAP Search Base DN

    The LDAP Search Base DN for the database. For example: dc=mydom,dc=com.

    LDAP Server

    The URL of the LDAP server including the port number. For example, ldap://ldap.mydom.com:389 or ldaps://ldap.mydom.com:636.

    LDAP authentication requires that you use either LDAP over SSL (ldaps) or Transport Layer Security (TLS) to secure the connection to the LDAP server.

  4. If you use TLS, click Download CA Certificate and enter the URL from which to download the CA certificate that provides the basis for authentication within the domain.

  5. Select either LDAP password or Kerberos password for authentication.

  6. If you select Kerberos authentication, enter values for:

    Realm

    The name of the Kerberos realm.

    KDCs

    A comma-separated list of Key Distribution Center (KDC) servers that can issue Kerberos ticket granting tickets and service tickets.

    Admin Servers

    A comma-separated list of Kerberos administration servers.

    Alternatively, you can use DNS to configure these settings:

    • Select the Use DNS to resolve hosts to realms check box to look up the name of the realm defined as a TXT record in DNS, for example:

      _kerberos.mydom.com    IN TXT "MYDOM.COM"
    • Select the Use DNS to locate KDCs for realms check box to look up the KDCs and administration servers defined as SRV records in DNS, for example:

      _kerberos._tcp.mydom.com      IN SRV 1  0 88  krbsvr.mydom.com
      _kerberos._udp.mydom.com      IN SRV 1  0 88  krbsvr.mydom.com
      _kpasswd._udp.mydom.com       IN SRV 1  0 464 krbsvr.mydom.com
      _kerberos-adm._tcp.mydom.com  IN SRV 1  0 749 krbsvr.mydom.com
  7. Click Apply to save your changes.

Figure 24.3 shows the Authentication Configuration GUI with LDAP selected for the user account database and for authentication.

Figure 24.3 Authentication Configuration Using LDAP

The figure shows the Authentication Configuration GUI with LDAP selected as the user account database and for authentication.


You can also enable LDAP by using the authconfig command.

To use LDAP as the authentication source, specify the --enableldapauth option together with the full LDAP server URL including the port number and the LDAP Search Base DN, as shown in the following example:

# authconfig --enableldap --enableldapauth \
  --ldapserver=ldaps://ldap.mydom.com:636 \
  --ldapbasedn="ou=people,dc=mydom,dc=com" \
  --update

If you want to use TLS, additionally specify the --enableldaptls option and the download URL of the CA certificate, for example:

# authconfig --enableldap --enableldapauth \
  --ldapserver=ldap://ldap.mydom.com:389 \
  --ldapbasedn="ou=people,dc=mydom,dc=com" \
  --enableldaptls \
  --ldaploadcacert=https://ca-server.mydom.com/CAcert.pem \
  --update

The --enableldap option configures /etc/nsswitch.conf to enable the system to use LDAP and SSSD for information services. The --enableldapauth option enables LDAP authentication by modifying the PAM configuration files in /etc/pam.d to use the pam_ldap.so module.
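The following script is an added example and is not part of the Oracle Linux guide or of the authconfig tool. It performs the checks a practitioner would want after running the commands above: that the server URI does not allow cleartext LDAP binds (ldaps, or ldap with TLS enabled), that the CA certificate download URL uses HTTPS, and that /etc/nsswitch.conf and the system-auth PAM stack actually picked up the LDAP or SSSD entries. The file paths are parameters, and the sample nsswitch and PAM files it creates are constructed to illustrate the before and after state; on a real client pass /etc/nsswitch.conf and /etc/pam.d instead.

```shell
#!/bin/sh
# Post-configuration checks for an LDAP client set up with authconfig.
# Added example, not code from the Oracle Linux guide. File locations are
# parameters so the checks can run against constructed sample files; on a
# real client use /etc/nsswitch.conf and /etc/pam.d.

# Server URI policy: ldaps:// is encrypted from the first byte; ldap:// is
# acceptable only when STARTTLS is enabled ($2 = "yes"), because otherwise
# bind passwords cross the network in cleartext.
ldap_uri_is_secure() {
    case "$1" in
        ldaps://*) return 0 ;;
        ldap://*)  [ "$2" = "yes" ] && return 0 ;;
    esac
    return 1
}

# The CA certificate fetched by --ldaploadcacert anchors every later TLS
# handshake, so it must itself be downloaded over HTTPS, never plain HTTP.
cacert_url_is_https() {
    case "$1" in
        https://*) return 0 ;;
    esac
    return 1
}

# --enableldap should leave passwd, shadow and group consulting ldap or sss
# after files. Return 0 only when all three databases do.
nsswitch_uses_ldap() {
    for db in passwd shadow group; do
        grep -E "^${db}:[[:space:]].*[[:space:]](ldap|sss)([[:space:]]|$)" "$1" >/dev/null || return 1
    done
    return 0
}

# --enableldapauth should add pam_ldap.so (pam_sss.so when SSSD fronts LDAP)
# to the auth phase of $1/system-auth.
pam_auth_uses_ldap() {
    f="$1/system-auth"
    [ -f "$f" ] && grep -E "^auth[[:space:]].*pam_(ldap|sss)\.so" "$f" >/dev/null
}

# Constructed sample files (not captured from a real system) showing the
# state before and after authconfig --enableldap --enableldapauth.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d"
    printf 'passwd:     files\nshadow:     files\ngroup:      files\n' > "$d/nsswitch.before"
    printf 'passwd:     files sss\nshadow:     files sss\ngroup:      files sss\n' > "$d/nsswitch.after"
    printf 'auth        required      pam_env.so\nauth        sufficient    pam_unix.so nullok try_first_pass\nauth        sufficient    pam_ldap.so use_first_pass\nauth        required      pam_deny.so\n' > "$d/pam.d/system-auth"
    echo "$d"
}

# Run every check against the samples and print a one-line verdict each.
run_checks() {
    d=$(make_samples)
    for spec in "ldaps://ldap.mydom.com:636 no" \
                "ldap://ldap.mydom.com:389 yes" \
                "ldap://ldap.mydom.com:389 no"; do
        uri=${spec% *}
        tls=${spec#* }
        if ldap_uri_is_secure "$uri" "$tls"; then
            echo "OK   server URI $uri (tls=$tls)"
        else
            echo "FAIL server URI $uri (tls=$tls): binds would be sent in cleartext"
        fi
    done
    cacert_url_is_https https://ca-server.mydom.com/CAcert.pem \
        && echo "OK   CA certificate download uses HTTPS"
    nsswitch_uses_ldap "$d/nsswitch.after" \
        && echo "OK   nsswitch.after consults sss for passwd, shadow and group"
    nsswitch_uses_ldap "$d/nsswitch.before" \
        || echo "FAIL nsswitch.before: files only, --enableldap not applied"
    pam_auth_uses_ldap "$d/pam.d" && echo "OK   system-auth references pam_ldap.so"
    rm -rf "$d"
}
run_checks
```

The nsswitch check accepts either ldap or sss because, as noted above, --enableldap configures the client for LDAP and SSSD; a client that still lists only files for passwd, shadow or group will silently fall back to local accounts and never consult the directory.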

For more information, see the authconfig(8), pam_ldap(5), and nsswitch.conf(5) manual pages.

For information about using Kerberos authentication with LDAP, see Section 24.6.3, “Enabling Kerberos Authentication”.

Note

You must also configure SSSD to be able to access information in LDAP. See Section 24.4.10.1, “Configuring an LDAP Client to use SSSD”.

If your client uses automount maps stored in LDAP, you must configure autofs to work with LDAP. See Section 24.4.10.2, “Configuring an LDAP Client to Use Automount Maps”.