The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
LDAP allows systems to access centrally stored information over a network. LDAP servers store the information in a directory-based database that is optimized for searching. Directory entries are arranged in a hierarchical, tree-like structure that can store a variety of information such as names, addresses, phone numbers, authentication data, network services, printers, and many other types of data. LDAP can also be used to authenticate users, allowing users to access their account from any machine on the LDAP network.
An entry is the basic unit of information within an LDAP directory. Each entry has one or more attributes. Each attribute has a name, a type or description, and one or more values. Examples of types are cn for common name and mail for an email address. In addition, the objectClass attribute allows you to control which attributes are required and which are optional. The values of objectClass determine the schema rules that an entry must obey.
Each entry in an LDAP directory is uniquely identified and referenced by its Distinguished Name (DN). The DN is constructed by taking the name of the entry itself (called the Relative Distinguished Name or RDN) and concatenating the names of its ancestor entries, known as the LDAP Search Base DN. For example, the DN for a user with an RDN of uid=gab451 might be similar to uid=gab451,ou=People,dc=mydomain,dc=com, where ou=People,dc=mydomain,dc=com is the LDAP Search Base DN, ou stands for Organizational Unit and dc stands for Domain Component.
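The following is an added example, not part of the Oracle documentation, that shows how a DN such as the one above decomposes into its RDN and its Search Base DN. It implements the comma-separated DN syntax with the backslash escaping defined in RFC 4514 (so a comma inside a value does not start a new RDN), compares DNs case-insensitively, and derives the search base as everything after the first RDN; multi-valued RDNs (joined with +) are not handled. The sample DNs are the page's own example values; the function names are this example's.

```python
"""Split LDAP Distinguished Names into RDNs and derive the Search Base DN (added example)."""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings at unescaped commas.

    A backslash escapes the next character (RFC 4514), so the value in
    cn=Smith\\, John keeps its comma instead of starting a new RDN.
    """
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'uid=gab451' into ('uid', 'gab451').

    Both halves are lower-cased so that comparisons follow the case-insensitive
    matching that directory attribute types (and most string values) use.
    """
    if "=" not in rdn:
        raise ValueError(f"malformed RDN: {rdn!r}")
    attr, value = rdn.split("=", 1)
    return attr.strip().lower(), value.strip().lower()


def search_base(dn: str) -> str:
    """Return the entry's parent DN, i.e. the LDAP Search Base DN."""
    return ",".join(split_dn(dn)[1:])


def is_under_base(dn: str, base: str) -> bool:
    """True if dn is a descendant of base (the base's RDNs are a proper suffix of dn's)."""
    dn_parts = [parse_rdn(r) for r in split_dn(dn)]
    base_parts = [parse_rdn(r) for r in split_dn(base)]
    if not base_parts or len(dn_parts) <= len(base_parts):
        return False
    return dn_parts[-len(base_parts):] == base_parts


if __name__ == "__main__":
    # Example DN from the documentation text above.
    user_dn = "uid=gab451,ou=People,dc=mydomain,dc=com"
    print("RDN:        ", split_dn(user_dn)[0])
    print("Search base:", search_base(user_dn))
    print("Under ou=people?", is_under_base(user_dn, "ou=people,dc=mydomain,dc=com"))
```

Checking that an authenticated user's DN actually sits under the configured Search Base DN, as is_under_base does, is a useful sanity test when debugging why a login works with one base DN and not another.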
To be able to configure LDAP authentication, use yum to install the openldap-clients package.
If you use the Authentication Configuration GUI and select LDAP as the user account database, you are prompted to enter the LDAP Search Base DN and the URL of the LDAP server including the port number (for example, ldap://ldap-svr.mydomain.com:389).
You can configure LDAP to use either LDAP authentication or Kerberos authentication. LDAP authentication requires that you use either LDAP over SSL (ldaps) or Transport Layer Security (TLS) to secure the connection to the LDAP server. If you use TLS, you must enter the URL from which to download the CA certificate that provides the basis for authentication within the domain.
You can also enable and configure LDAP by using the authconfig command.
To use LDAP as the authentication source, specify the --enableldapauth option together with the full LDAP server URL (including the port number) and the LDAP Search Base DN, as shown in the following example:

# authconfig --enableldap --enableldapauth \
    --ldapserver=ldap://ldap-svr.mydomain.com:389 \
    --ldapbasedn="ou=people,dc=mydomain,dc=com" \
    --update
If you want to use TLS, additionally specify the --enableldaptls option and the download URL of the CA certificate:

# authconfig --enableldap --enableldapauth \
    --ldapserver=ldap://ldap-svr.mydomain.com:389 \
    --ldapbasedn="ou=people,dc=mydomain,dc=com" \
    --enableldaptls \
    --ldaploadcacert=https://ca-server.mydomain.com/caCert.crt \
    --update
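The two commands above differ only in whether the connection to the LDAP server is protected, and the text is explicit that LDAP authentication needs either ldaps or TLS. The following added example (not from the Oracle documentation or the authconfig project) assembles the authconfig command line from its parts and flags the combinations that would send passwords in clear text: a plain ldap:// URL without --enableldaptls, a missing port, TLS enabled without a CA certificate URL, or a CA certificate fetched over plain http (which an on-path attacker could replace). The server, base DN and CA URLs are the page's example values; the function names and the ldaps default port 636 used in the comments are this example's assumptions.

```python
"""Assemble and sanity-check an authconfig LDAP authentication command (added example)."""
import shlex
from typing import List, Optional
from urllib.parse import urlparse

# Example values taken from the documentation text; replace with your site's.
SERVER_URL = "ldap://ldap-svr.mydomain.com:389"
BASE_DN = "ou=people,dc=mydomain,dc=com"
CA_CERT_URL = "https://ca-server.mydomain.com/caCert.crt"


def check_ldap_auth_settings(server_url: str, enable_tls: bool,
                             cacert_url: Optional[str]) -> List[str]:
    """Return a list of problems; an empty list means credentials are protected in transit."""
    problems: List[str] = []
    u = urlparse(server_url)
    if u.scheme not in ("ldap", "ldaps"):
        problems.append(f"unexpected scheme {u.scheme!r} in server URL")
    if u.port is None:
        problems.append("server URL must include the port number (389 for ldap, 636 for ldaps)")
    if u.scheme == "ldap" and not enable_tls:
        # Simple bind over plain ldap:// puts the user's password on the wire unencrypted.
        problems.append("plain ldap:// without TLS sends passwords in clear text; "
                        "use ldaps:// or add --enableldaptls")
    if enable_tls:
        if not cacert_url:
            problems.append("--enableldaptls requires --ldaploadcacert=<CA certificate URL>")
        elif urlparse(cacert_url).scheme != "https":
            problems.append("CA certificate is downloaded over an unauthenticated channel; "
                            "an on-path attacker could substitute it, use an https URL")
    return problems


def build_authconfig_argv(server_url: str, base_dn: str, enable_tls: bool = False,
                          cacert_url: Optional[str] = None) -> List[str]:
    """Build the argv list matching the documented authconfig invocation."""
    argv = ["authconfig", "--enableldap", "--enableldapauth",
            f"--ldapserver={server_url}", f"--ldapbasedn={base_dn}"]
    if enable_tls:
        argv.append("--enableldaptls")
        if cacert_url:
            argv.append(f"--ldaploadcacert={cacert_url}")
    argv.append("--update")
    return argv


def render(argv: List[str]) -> str:
    """Quote the argv for display or for pasting into a root shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    for tls, ca in ((False, None), (True, CA_CERT_URL)):
        argv = build_authconfig_argv(SERVER_URL, BASE_DN, tls, ca)
        print(render(argv))
        for p in check_ldap_auth_settings(SERVER_URL, tls, ca):
            print("  WARNING:", p)
```

Running the script prints both documented commands; the first (plain ldap://, no TLS) is followed by a warning and the second passes cleanly. Note that authconfig --update rewrites system authentication files, so the generated command is meant to be reviewed before it is run as root.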
For information about using Kerberos authentication with LDAP, see Section 3.4.6, “About Kerberos Authentication”.
For more information, see the authconfig(8) manual page.
For more information about LDAP, see the ldap(3) manual page.