In this tutorial I will share the steps to configure an LDAP client using SSSD over TLS on a RHEL/CentOS 8 Linux node. I hope you already know that openldap-servers has been removed from RHEL 8 (it may still be available in some open source package), but we can still configure RHEL/CentOS 8 as an LDAP client using SSSD. In my last article, where I shared the steps to configure an LDAP client on RHEL/CentOS 7, I had used authconfig-tui. But again this tool is also deprecated in RHEL/CentOS 8, so we must use the authconfig CLI.
Lab Environment
I have already configured my LDAP server in the previous articles, so I will use the same setup. In this tutorial I will be using CentOS 8, but the same steps will also work on RHEL 8.
LDAP Server IP: 10.0.2.20
Base DN: dc=example,dc=com
LDAP Server hostname: ldap-server
LDAP Client hostname: ldap-client
Pre-requisites
You must have a working LDAP server configured with TLS or SSL. We will use TLS to connect to our LDAP server.
Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Step-by-Step Tutorial: Install and Configure OpenLDAP
Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates
1. Install OpenLDAP Client packages
First we must install openldap-clients, sssd and other dependent rpms. We are also installing oddjob-mkhomedir to automatically create a home directory for any LDAP user who logs in for the first time. If this is not your requirement, then you may skip this rpm.
[root@client ~]# dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir openssl-perl
2. Enable TLS in SSSD and LDAP
We will use the TLS configuration to connect to the LDAP server which we configured in the previous article. If you are planning to use SSL instead, I will share a sample sssd configuration for SSL as well.
Create /etc/openldap/cacerts on the ldap-client (you may choose to use any other directory):
[root@ldap-client ~]# mkdir /etc/openldap/cacerts
Copy the ca.cert.pem from ldap-server to ldap-client:
[root@ldap-server ~]# scp /etc/openldap/cacerts/ca.cert.pem ldap-client:/etc/openldap/cacerts/ca.cert.pem
3. Configure LDAP client to authenticate with LDAP server using SSSD
Create a new /etc/sssd/sssd.conf file (if not present), or remove everything in it, and add the content below to use TLS for LDAP communication:
[root@ldap-client ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[nss]
homedir_substring = /home

[pam]

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://10.0.2.20
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True
ldap_tls_reqcert = allow
You may modify the values based on your environment. Here I have provided my Base DN and ldap_uri, which is the IP of my ldap-server. If you have configured DNS or updated your /etc/hosts file, then you may use the hostname instead of the IP. Below is a sample [domain/default] section for SSL (ldaps on port 636) instead of StartTLS:
[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com:636
ldap_chpass_uri = ldaps://ldap.example.com:636
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/certs
cache_credentials = True
ldap_tls_reqcert = demand
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_connection_expire_timeout = 60
Next, change the file permissions and ownership:
[root@ldap-client ~]# chmod 600 /etc/sssd/sssd.conf
[root@ldap-client ~]# chown root:root /etc/sssd/sssd.conf
4. Configure ldap.conf
Add the below content to /etc/openldap/ldap.conf:
BASE dc=example,dc=com
URI ldap://10.0.2.20
TLS_CACERT /etc/openldap/cacerts/ca.cert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
TLS_REQCERT is the parameter that indicates how strictly the client needs to enforce TLS security. We set it to never to bypass any problems related to TLS certificate features. In this case you can remove or comment out the TLS_CACERT and TLS_CACERTDIR entries.
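As an added check, not part of the original article, the script below audits a candidate sssd.conf (step 3) and ldap.conf (step 4) before the service is enabled. It reports an ldap:// URI without ldap_id_use_start_tls, ldap_tls_reqcert set to allow or never (and TLS_REQCERT never or allow in ldap.conf), and an sssd.conf that is readable by other users. With allow or never the client accepts any server certificate, so the CA certificate copied in step 2 is never actually checked; demand is the value that makes it matter. The script needs only POSIX sh, awk, sed and grep; the sample files it writes to a temporary directory are constructed for the demo and reuse the tutorial's addresses and paths.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the TLS settings of a
# candidate sssd.conf (step 3) and ldap.conf (step 4) before enabling sssd.
# Needs only POSIX sh, awk, sed and grep. The sample files below are constructed
# for the demo and written to a temporary directory, so everything runs offline.

# Print "key=value" for each setting in the [domain/<name>] section, whitespace
# trimmed so values compare reliably; comments and other sections are skipped.
domain_settings() {
    awk '
        /^[[:space:]]*\[/ { in_domain = ($0 ~ /^[[:space:]]*\[domain\//); next }
        in_domain && $0 !~ /^[[:space:]]*#/ && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", key)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Value of one domain setting, lowercased; the last occurrence wins, as in sssd.
setting() {
    domain_settings "$1" | sed -n "s/^$2=//p" | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print one "WEAK: ..." line per setting that weakens transport security and
# return the number of findings (0 means nothing to fix).
audit_sssd_conf() {
    conf=$1 findings=0
    uri=$(setting "$conf" ldap_uri)
    starttls=$(setting "$conf" ldap_id_use_start_tls)
    reqcert=$(setting "$conf" ldap_tls_reqcert)
    case $uri in
        ldaps://*) ;;                                # TLS from the first byte
        ldap://*) [ "$starttls" = "true" ] || {
                      echo "WEAK: ldap:// without ldap_id_use_start_tls = True sends bind passwords in clear text"
                      findings=$((findings + 1)); } ;;
        *) echo "WEAK: ldap_uri is missing or is not an ldap:// or ldaps:// URI"
           findings=$((findings + 1)) ;;
    esac
    # sssd-ldap(5) defaults ldap_tls_reqcert to hard, so unset is fine; allow and
    # never accept any certificate, which makes the CA copied in step 2 pointless.
    case $reqcert in
        ""|demand|hard) ;;
        *) echo "WEAK: ldap_tls_reqcert = $reqcert accepts an untrusted server certificate (use demand)"
           findings=$((findings + 1)) ;;
    esac
    # Step 3 sets mode 600 because sssd.conf may hold a bind password.
    mode=$(ls -ld "$conf" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || {
        echo "WEAK: $conf has mode $mode, expected -rw------- (chmod 600)"
        findings=$((findings + 1)); }
    return $findings
}

# ldap.conf drives libldap (ldapsearch and friends): TLS_REQCERT never or allow
# disables certificate validation for those tools. Exit status 1 on a finding.
audit_ldap_conf() {
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { if (v == "never" || v == "allow") { print "WEAK: TLS_REQCERT " v " (use demand)"; exit 1 } }' "$1"
}

# --- constructed sample files (addresses and paths are the tutorial's) --------
DEMO_DIR=$(mktemp -d)
WEAK_CONF=$DEMO_DIR/sssd-weak.conf
HARDENED_CONF=$DEMO_DIR/sssd-hardened.conf
LDAP_CONF=$DEMO_DIR/ldap.conf
cat > "$WEAK_CONF" <<'EOF'
[sssd]
domains = default
[domain/default]
ldap_uri = ldap://10.0.2.20
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
EOF
chmod 644 "$WEAK_CONF"     # what a plain "cat > file" usually leaves behind
cat > "$HARDENED_CONF" <<'EOF'
[sssd]
domains = default
[domain/default]
ldap_uri = ldaps://ldap-server:636
ldap_tls_cacert = /etc/openldap/cacerts/ca.cert.pem
ldap_tls_reqcert = demand
EOF
chmod 600 "$HARDENED_CONF"
printf 'BASE dc=example,dc=com\nURI ldap://10.0.2.20\nTLS_REQCERT never\n' > "$LDAP_CONF"

# Stand-alone run: print findings for each file.
for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    audit_sssd_conf "$f" && echo "$f: OK"
done
audit_ldap_conf "$LDAP_CONF" && echo "$LDAP_CONF: OK"
```

On a real client, call audit_sssd_conf /etc/sssd/sssd.conf and audit_ldap_conf /etc/openldap/ldap.conf after writing the files and before systemctl enable sssd; the exit status of audit_sssd_conf is the number of findings, so it drops into a shell conditional directly.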
5. Refresh the certificates
Rehash the certificate directory holding the certificate we copied from ldap-server:
[root@ldap-client ~]# openssl rehash /etc/openldap/cacerts
6. Configure mkhomedir to auto create home directories
We can use oddjob-mkhomedir to create home directories automatically for any LDAP user who logs into the client node. This requires pam_mkhomedir.so provided by oddjob-mkhomedir, which we installed earlier. Configure the system with authselect:
[root@client ~]# authselect select sssd with-mkhomedir --force
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
7. Enable and Start SSSD and ODDJOBD service
Now we are done with the steps to configure an LDAP client on a RHEL/CentOS 8 Linux node. The final step is to enable and start the sssd and oddjobd services:
[root@ldap-client ~]# systemctl enable sssd.service --now
[root@ldap-client ~]# systemctl enable oddjobd.service --now
8. Validate LDAP user login
If you already have an LDAP user, you can try to log in with it on this client node; otherwise create an LDAP user first. In my case I have testuser1 in the LDAP database:
[root@client ~]# id testuser1
uid=1001(testuser1) gid=1001 groups=1001
Next I will log in as this user:
login as: testuser1
testuser1@127.0.0.1's password:
Welcome to server1
This file was created on 2020-02-01
Go away if you have no business being here
Contact admin@golinuxcloud.com if anything is wrong
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Jul 23 12:49:01 2020 from 10.0.2.2
[testuser1@client ~]$
So our client is able to connect properly to the LDAP server.
Conclusion
In this tutorial we learned the steps to configure an LDAP client on a RHEL/CentOS 8 Linux node. We used SSSD with TLS to communicate with the LDAP server. You can also use SSL depending upon your environment; I have also shared a sample configuration file which you can use with SSL.
Lastly, I hope the steps from this article to configure an LDAP client on RHEL/CentOS 8 Linux were helpful. Let me know your suggestions and feedback using the comment section.
References
I have used the below external references for this tutorial guide:
How to configure Red Hat Enterprise Linux 8 machines as a LDAP Client
Hi author, thank you so much for this comprehensive tutorial! In my case the user check "id username" doesn't work, but I have a simpler configuration, not requiring mkhomedir and lacking TLS/SSL. I'd like to track down the issue, so my question is: What are the relevant log files to do so?
Thank you and kind regards!
The issue can be different, you can try to check the application log file. But I prefer using journalctl directly, or to troubleshoot a service: journalctl -u SERVICE. You can use journalctl -f to check runtime logs.
Excellent series of tutorials! Completely up-to-date and a life saver when internet is so full of outdated tutorials still using things like authconfig or just skipping sssd. Only had a trouble and it was that I found necessary to use systemctl restart sssd after enabling the service. Wishing you the best!
Thank you for the kind words!