The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Both LDAP and NIS authentication optionally support Kerberos authentication. (In the case of IPA, Kerberos is fully integrated.) Kerberos provides a secure connection over standard ports, and it also allows offline logins by using credential caching with SSSD.
To be able to use Kerberos authentication, use yum to install the krb5-libs and krb5-workstation packages.
If you use the Authentication Configuration GUI and select LDAP or NIS as the user account database, select Kerberos password as the authentication method. You are prompted for the following information that is required to connect to the Kerberos realm:
- The name of the Kerberos realm.
- A comma-separated list of Key Distribution Center (KDC) servers that can issue Kerberos tickets.
- A comma-separated list of Kerberos Administration Servers.
You can also select whether Kerberos should use DNS to resolve the host names of Kerberos servers and to search for KDCs within the realm. DNS domains are typically coterminous with Kerberos realms.
You can use the following options with the authconfig command to configure Kerberos authentication with LDAP or NIS:
- --enablekrb5
Use Kerberos authentication. (Specify instead of --enableldapauth for LDAP.)
- --enablekrb5kdcdns
Use DNS to resolve the host names of Kerberos servers.
- --enablekrb5realmdns
Use DNS to search for KDCs within a Kerberos realm.
- --krb5adminserver=server
Specify a Kerberos Administration Server.
- --krb5kdc=server
Specify a KDC server.
- --krb5realm=realm
Specify the name of the Kerberos realm.
For more information, see the authconfig(8) manual page.
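The following script is an added example, not part of the original documentation. It assembles the authconfig command line from the options listed above, either with an explicitly named KDC and administration server or with DNS lookup. The function name, EXAMPLE.COM and the example.com host names are placeholders, the --update option that writes the configuration comes from authconfig(8) rather than this page, and the LDAP or NIS account database is assumed to be configured separately.

```shell
#!/bin/sh
# Added example. EXAMPLE.COM and the *.example.com hosts are placeholders.
LC_ALL=C; export LC_ALL   # make the [A-Z] ranges below byte-based

# Print the authconfig command that enables Kerberos authentication.
#   $1 = realm
#   $2 = KDC host (leave empty to let DNS locate the Kerberos servers)
#   $3 = Kerberos Administration Server (optional)
krb5_authconfig_cmd() {
    realm=$1; kdc=$2; admin=$3
    # Realm names are case-sensitive and upper case by convention. Rejecting
    # anything else is a choice made for this example: a lower-case realm is
    # a frequent cause of logins that fail after configuration.
    case $realm in
        ''|*[!A-Z0-9.-]*) echo "invalid realm: '$realm'" >&2; return 1 ;;
    esac
    # Host names are restricted to DNS characters so the assembled string
    # can be executed without quoting problems.
    case "$kdc$admin" in
        *[!A-Za-z0-9.-]*) echo "invalid server name" >&2; return 1 ;;
    esac
    # --enablekrb5 is given instead of --enableldapauth when LDAP holds the
    # user accounts and Kerberos checks the password.
    cmd="authconfig --enablekrb5 --krb5realm=$realm"
    if [ -n "$kdc" ]; then
        # Servers named explicitly.
        cmd="$cmd --krb5kdc=$kdc"
        if [ -n "$admin" ]; then cmd="$cmd --krb5adminserver=$admin"; fi
    else
        # No server given: rely on DNS for the realm's Kerberos servers.
        cmd="$cmd --enablekrb5kdcdns --enablekrb5realmdns"
    fi
    echo "$cmd --update"
}

# Usage: script apply REALM [KDC [ADMIN]]   installs the packages, then configures.
#        script show  REALM [KDC [ADMIN]]   only prints the command for review.
if [ "${1:-}" = "apply" ] || [ "${1:-}" = "show" ]; then
    mode=$1; shift
    cmd=$(krb5_authconfig_cmd "$@") || exit 1
    if [ "$mode" = "apply" ]; then
        yum -y install krb5-libs krb5-workstation && $cmd
    else
        echo "$cmd"
    fi
fi
```

After applying the configuration, running kinit for a test principal followed by klist (both provided by krb5-workstation) confirms that the client can obtain a ticket from the realm.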