In this tutorial I will share the steps to configure an LDAP client using SSSD over TLS on a RHEL/CentOS 8 Linux node.
I hope you already know that openldap-servers has been removed from RHEL 8 (it may still be available from third-party repositories), but we can still configure RHEL/CentOS 8 as an LDAP client using SSSD. In my last article, where I shared the steps to configure an LDAP client on RHEL/CentOS 7, I had used authconfig-tui. That tool is deprecated in RHEL/CentOS 8 as well (authconfig only survives there as a compatibility wrapper), so we must use authselect instead.
I have already configured my LDAP server in the previous articles, so I will use the same setup. In this tutorial I will be using CentOS 8, but the same steps also work on RHEL 8.
LDAP Server IP: 10.0.2.20
LDAP Server hostname: ldap-server
LDAP Client hostname: ldap-client
You must have a working LDAP server configured with TLS (STARTTLS on port 389) or SSL (LDAPS on port 636), and you need the CA certificate that signed the server certificate, because the client has to verify the server against it. We will use STARTTLS to connect to our LDAP server.
1. Install OpenLDAP Client packages
First we must install sssd and its dependent rpms. We are also installing oddjob-mkhomedir to automatically create a home directory for any LDAP user who logs in for the first time. If this is not your requirement, you may skip that rpm.
[root@client ~]# dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir openssl-perl
2. Enable TLS in SSSD and LDAP
We will use the STARTTLS configuration of the LDAP server which we configured in the previous article. If you plan to use SSL (LDAPS) instead, the only SSSD change is to put an ldaps:// URI (port 636) in ldap_uri, after which ldap_id_use_start_tls is no longer needed; everything else below stays the same.
Copy the CA certificate that signed the LDAP server's certificate (ca.cert.pem from the previous article) into /etc/openldap/cacerts on the ldap-client (you may choose any other directory, as long as sssd.conf and ldap.conf point to it):
[root@ldap-client ~]# mkdir /etc/openldap/cacerts
[root@ldap-server ~]# scp /etc/openldap/cacerts/ca.cert.pem ldap-client:/etc/openldap/cacerts/ca.cert.pem
3. Configure LDAP client to authenticate with LDAP server using SSSD
Create a new /etc/sssd/sssd.conf file (if not present), or remove everything in it, and add the below content to use TLS for the LDAP communication:
[root@ldap-client ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[nss]
homedir_substring = /home

[pam]

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://10.0.2.20
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True
ldap_tls_reqcert = allow
You may modify the values based on your environment. Here I have provided the IP of my ldap-server in ldap_uri. If you have configured DNS or updated your /etc/hosts file, you may use the hostname instead of the IP.
Two settings deserve attention. ldap_id_use_start_tls = True upgrades the identity lookups (users, groups, automount maps) to TLS with STARTTLS; SSSD already refuses to send a password over an unencrypted connection for auth_provider = ldap, so this option is what keeps the directory contents, not just the password, off the wire in clear text. ldap_tls_reqcert = allow accepts the server certificate even when it cannot be verified against the CA in ldap_tls_cacertdir, which leaves the TLS session open to a man-in-the-middle presenting any certificate. It is convenient while testing (for example when ldap_uri carries an IP address that is not in the server certificate's subjectAltName), but in production set it to demand (equivalent to the SSSD default, hard) and make sure the name in ldap_uri matches the server certificate.
Next change the file permission and ownership (SSSD refuses to start with a world-readable sssd.conf, and the file may later hold a bind password):
[root@ldap-client ~]# chmod 600 /etc/sssd/sssd.conf
[root@ldap-client ~]# chown root:root /etc/sssd/sssd.conf
4. Configure ldap.conf
Add the below content in /etc/openldap/ldap.conf so that the OpenLDAP command-line tools (ldapsearch and friends) use the same base DN, server and CA as SSSD:
BASE dc=example,dc=com
URI ldap://10.0.2.20
TLS_CACERT /etc/openldap/cacerts/ca.cert.pem
TLS_CACERTDIR /etc/openldap/cacerts
5. Refresh the certificates
Rehash the certificate directory into which we copied the CA certificate from ldap-server. This creates the hash-named symlinks that OpenSSL needs to find a CA in a directory given by ldap_tls_cacertdir or TLS_CACERTDIR; run it again whenever you add or replace a certificate there.
[root@ldap-client ~]# openssl rehash /etc/openldap/cacerts
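The settings in steps 3 to 5 decide whether the LDAP session is actually authenticated and encrypted, so it is worth checking them mechanically before enabling the service. The following is an added example (not code from the original tutorial): a small bash audit of the TLS-relevant keys in the [domain/...] section of an sssd.conf, with three constructed sample configs. The "weak" sample mirrors the ldap_tls_reqcert = allow setting used above; "starttls" and "ldaps" are the hardened STARTTLS and LDAPS forms. The hostname ldap-server and the CA path /etc/openldap/cacerts/ca.cert.pem are taken from this tutorial; bash and GNU awk/stat are assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit the TLS keys of an sssd.conf.
# Assumes bash and GNU awk/stat; ldap-server and the CA path come from the tutorial.

# sssd_get FILE KEY: print KEY's value from the [domain/...] section (empty if unset).
sssd_get() {
    local file=$1 key=$2
    awk -F'=' -v k="$key" '
        /^\[/ { insec = ($0 ~ /^\[domain\//) }
        insec && $1 ~ ("^[[:space:]]*" k "[[:space:]]*$") {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit
        }' "$file"
}

# audit_sssd_conf FILE: print one line per finding; exit status = number of findings.
audit_sssd_conf() {
    local file=$1 findings=0 uri starttls reqcert cacert cacertdir mode
    uri=$(sssd_get "$file" ldap_uri)
    starttls=$(sssd_get "$file" ldap_id_use_start_tls | tr '[:upper:]' '[:lower:]')
    reqcert=$(sssd_get "$file" ldap_tls_reqcert | tr '[:upper:]' '[:lower:]')
    cacert=$(sssd_get "$file" ldap_tls_cacert)
    cacertdir=$(sssd_get "$file" ldap_tls_cacertdir)

    case "$uri" in
        ldaps://*) ;;                       # TLS from the first byte (LDAPS)
        ldap://*)                           # plain port: identity lookups need STARTTLS
            [ "$starttls" = "true" ] ||
                { echo "ldap:// without ldap_id_use_start_tls = True: lookups in clear text"; findings=$((findings + 1)); } ;;
        *) echo "ldap_uri missing or not ldap:// or ldaps://"; findings=$((findings + 1)) ;;
    esac
    case "$reqcert" in
        demand|hard|"") ;;                  # "" = SSSD default (hard)
        *) echo "ldap_tls_reqcert = $reqcert: server certificate not verified, MITM possible"
           findings=$((findings + 1)) ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "no ldap_tls_cacert / ldap_tls_cacertdir: nothing to verify the server against"
        findings=$((findings + 1))
    fi
    # sssd.conf may hold a bind password (ldap_default_authtok); anything but 0600 is a finding.
    mode=$(stat -c '%a' "$file")
    [ "$mode" = "600" ] || { echo "mode $mode on $file, expected 600"; findings=$((findings + 1)); }
    return "$findings"
}

# sample_conf MODE: print a constructed sssd.conf (weak | starttls | ldaps).
sample_conf() {
    cat <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=example,dc=com
cache_credentials = True
EOF
    case "$1" in
        weak)      # as in the tutorial: IP in the URI, certificate not verified
            printf '%s\n' 'ldap_uri = ldap://10.0.2.20' 'ldap_id_use_start_tls = True' \
                'ldap_tls_cacertdir = /etc/openldap/cacerts' 'ldap_tls_reqcert = allow' ;;
        starttls)  # hardened STARTTLS: hostname that matches the certificate, verified
            printf '%s\n' 'ldap_uri = ldap://ldap-server' 'ldap_id_use_start_tls = True' \
                'ldap_tls_cacert = /etc/openldap/cacerts/ca.cert.pem' 'ldap_tls_reqcert = demand' ;;
        ldaps)     # hardened LDAPS: no STARTTLS key needed
            printf '%s\n' 'ldap_uri = ldaps://ldap-server:636' \
                'ldap_tls_cacert = /etc/openldap/cacerts/ca.cert.pem' 'ldap_tls_reqcert = demand' ;;
    esac
}

# Demo: write the three constructed samples to a scratch directory and audit each.
demo_dir=$(mktemp -d)
for m in weak starttls ldaps; do
    sample_conf "$m" > "$demo_dir/$m.conf"
    chmod 600 "$demo_dir/$m.conf"
    echo "== $m.conf"
    if audit_sssd_conf "$demo_dir/$m.conf"; then echo "clean"; else echo "$? finding(s)"; fi
done
rm -rf "$demo_dir"
```

Run it against the real file with audit_sssd_conf /etc/sssd/sssd.conf once the config is in place. A clean audit only proves the settings are sane; the live check is ldapsearch -x -ZZ with the same URI and CA, where -ZZ makes the search fail instead of silently continuing if STARTTLS cannot be negotiated or the certificate does not verify.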
6. Configure mkhomedir to auto create home directories
We can use oddjob-mkhomedir to create home directories automatically for any LDAP user who logs into the client node. This uses the pam_oddjob_mkhomedir.so module provided by oddjob-mkhomedir, which we installed earlier (unlike pam_mkhomedir.so, it asks the privileged oddjobd daemon to create the directory instead of doing it inside the unprivileged PAM context). Configure the system with authselect, which also rewrites /etc/nsswitch.conf for SSSD:
[root@client ~]# authselect select sssd with-mkhomedir --force
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
7. Enable and Start SSSD and ODDJOBD service
Now we are done with the steps to configure the LDAP client on the RHEL/CentOS 8 Linux node. The final step is to enable and start the sssd and oddjobd services:
[root@ldap-client ~]# systemctl enable sssd.service --now
[root@ldap-client ~]# systemctl enable oddjobd.service --now
8. Validate LDAP user login
If you already have a user, you can now try to connect to this client node with your LDAP user; otherwise create an LDAP user on the server first.
In my case I have testuser1 in the directory, and the client already resolves it through SSSD (this exercises the NSS identity path):
[root@client ~]# id testuser1
uid=1001(testuser1) gid=1001 groups=1001
Next I will connect using this user (this exercises the PAM authentication path):
login as: testuser1
firstname.lastname@example.org's password:
Welcome to server1
This file was created on 2020-02-01
Go away if you have no business being here
Contact email@example.com if anything is wrong
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Jul 23 12:49:01 2020 from 10.0.2.2
[testuser1@client ~]$
So our client is able to resolve and authenticate the LDAP user against the LDAP server.
In this tutorial we learned the steps to configure an LDAP client on a RHEL/CentOS 8 Linux node. We used SSSD with STARTTLS to communicate with the LDAP server. You can also use SSL (LDAPS) depending on your environment: use an ldaps:// URI in ldap_uri and the ldap_id_use_start_tls option is no longer needed, while the CA certificate, ldap_tls_reqcert and the rest of the configuration stay the same.
Lastly, I hope the steps from this article to configure an LDAP client on RHEL/CentOS 8 Linux were helpful. Let me know your suggestions and feedback using the comment section.
I have used the below external references for this tutorial guide:
How to configure Red Hat Enterprise Linux 8 machines as a LDAP Client