nss_ldap, the LDAP authentication module in RHEL 5, is obsolete in RHEL 6; its direct replacement is nss-pam-ldapd. The preferred method for LDAP authentication in RHEL 6, however, is the System Security Services Daemon (SSSD); in fact, RHEL 5.6 or later already supports SSSD.
SSSD's distinctive features:
- Credential caching: users can still log in when the LDAP server is offline.
- Persistent connections, which avoid the overhead of opening a new socket for each request.
- Support for multiple LDAP/NIS domains.
Install the SSSD packages:
$ yum install sssd sssd-client
Run the following command; it makes the necessary changes to /etc/krb5.conf, /etc/sssd/sssd.conf, /etc/nsswitch.conf and /etc/pam.d/:
$ authconfig --enablesssd --ldapserver=ldap://adc.ad.example.com --ldapbasedn="OU=_USERS,DC=ad,DC=example,DC=com" --enablerfc2307bis --enablesssdauth --krb5kdc=adc.ad.example.com --krb5realm=AD.EXAMPLE.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall
All of these files are updated automatically; only /etc/sssd/sssd.conf needs to be customized. The following is an example file with the minimum parameters needed.
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
#debug_level=7

[pam]

[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
# Without enumerate = True, users won't be shown in 'getent passwd' output.
enumerate = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_uri = ldap://adc.ad.example.com
ldap_search_base = OU=_USERS,DC=ad,DC=example,DC=com
ldap_user_search_base = OU=_USERS,DC=ad,DC=example,DC=com
ldap_group_search_base = OU=_GROUPS,DC=ad,DC=example,DC=com
ldap_default_bind_dn = CN=svc_ldap_client,OU=MGT,OU=_USERS,DC=ad,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = P@ss123
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_server = adc.ad.example.com
krb5_kpasswd = adc.ad.example.com
krb5_realm = AD.EXAMPLE.COM
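An added audit helper, not from the original post, for two weaknesses in the example sssd.conf above: the file must be mode 0600 because it stores ldap_default_authtok in cleartext, and a plain ldap:// URI with ldap_id_use_start_tls = False sends the simple-bind DN and password over the wire unencrypted. It assumes POSIX sh with awk, ls and cut; the sample config it writes is constructed (same host and DN as the post, placeholder password).

```shell
# conf_get FILE KEY: print KEY's value from an ini-style sssd.conf, skipping comment
# lines. Splits on the first '=' only, so bind DNs containing '=' survive intact.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# write_sample_conf FILE: write a constructed config modelled on the post's example
# (same host and DN, placeholder password) so the audit can be demonstrated offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
domains = default

[domain/default]
ldap_id_use_start_tls = False
ldap_uri = ldap://adc.ad.example.com
ldap_default_bind_dn = CN=svc_ldap_client,OU=MGT,OU=_USERS,DC=ad,DC=example,DC=com
ldap_default_authtok = PLACEHOLDER_PASSWORD
EOF
}

# audit_sssd_conf FILE: print one line per finding and return the number of findings.
audit_sssd_conf() {
    f="$1"; findings=0
    # SSSD checks sssd.conf permissions at start-up and expects 0600: the file holds
    # the bind password, so any group/other read bit (ls columns 5-10) is a finding.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FINDING: $f is readable by group/others (bits '$perms'); chmod 0600 it"
        findings=$((findings + 1))
    fi
    # An ldap:// URI without START_TLS sends the simple bind (DN + password) in clear.
    tls=$(conf_get "$f" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$(conf_get "$f" ldap_uri)" in ldap://*) plain=1 ;; *) plain=0 ;; esac
    if [ -n "$(conf_get "$f" ldap_default_authtok)" ] && [ "$plain" = 1 ] && [ "$tls" != "true" ]; then
        echo "FINDING: bind password would cross the wire unencrypted; set ldap_id_use_start_tls = True or use ldaps://"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run `write_sample_conf /tmp/sssd.conf.sample; audit_sssd_conf /tmp/sssd.conf.sample` to see both findings, or point audit_sssd_conf at a real /etc/sssd/sssd.conf.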