8 simple steps to configure ldap client RHEL/CentOS 8


OpenLDAP

In this tutorial I will share the steps to configure an LDAP client using SSSD over TLS on a RHEL/CentOS 8 Linux node.

I hope you already know that the openldap-servers package is not shipped with RHEL 8 (it may still be available from third-party repositories), but we can still configure RHEL/CentOS 8 as an LDAP client using SSSD. In my last article, where I shared the steps to configure an LDAP client on RHEL/CentOS 7, I used authconfig-tui. That tool is deprecated in RHEL/CentOS 8, so here we use its replacement, authselect, instead.

 

Lab Environment

I have already configured my LDAP server in the previous articles, so I will use the same setup. In this tutorial I will be using CentOS 8, but the same steps also work on RHEL 8.

LDAP Server IP: 10.0.2.20
Base DN: dc=example,dc=com
LDAP Server hostname: ldap-server
LDAP Client hostname: ldap-client

 

Pre-requisites

You must have a working LDAP server that supports TLS, either StartTLS on the standard port 389 or LDAPS (SSL) on port 636. This tutorial uses StartTLS to connect to the LDAP server.

Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Step-by-Step Tutorial: Install and Configure OpenLDAP
Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates

 

1. Install OpenLDAP Client packages

First we install openldap-clients, sssd and the other required packages. We also install oddjob-mkhomedir to create a home directory automatically for any LDAP user who logs in for the first time; if you do not need that, you can leave that package out.

NOTE:
On a RHEL system you need an active Red Hat subscription, or a local offline repository from which dnf can install the packages and their dependencies.
[root@client ~]# dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir openssl-perl

 

2. Enable TLS in SSSD and LDAP

We will use the StartTLS configuration of the LDAP server set up in the previous article. If your server only offers LDAPS (SSL on port 636), the sssd.conf below still applies: use ldaps:// in ldap_uri and leave out ldap_id_use_start_tls, which only affects ldap:// connections.

Create /etc/openldap/cacerts on the ldap-client (you may choose another directory, but use the same one in the configuration files below)

[root@ldap-client ~]# mkdir /etc/openldap/cacerts

Copy ca.cert.pem from ldap-server to ldap-client. Everything that follows trusts this file to identify the server, so copy it over an authenticated channel such as scp, as here, rather than pasting it from an unverified source:

[root@ldap-server ~]# scp /etc/openldap/cacerts/ca.cert.pem ldap-client:/etc/openldap/cacerts/ca.cert.pem

 

3. Configure LDAP client to authenticate with LDAP server using SSSD

Create a new /etc/sssd/sssd.conf file (if not present), or replace its contents with the below, to reach the LDAP server over StartTLS:

[root@ldap-client ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[nss]
homedir_substring = /home

[pam]

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap-server
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/cacerts/ca.cert.pem
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
cache_credentials = True

Modify the values for your environment: ldap_search_base is my Base DN and ldap_uri points at my ldap-server. Two settings matter for security. ldap_tls_reqcert should be demand (SSSD's default, hard, behaves the same way): SSSD then drops the connection when the server certificate does not validate against the CA we copied in step 2. The widely copied value allow makes SSSD carry on even with an invalid certificate, so a host on the path could present its own certificate and read or alter the LDAP traffic, and copying the CA would have gained nothing. Because certificate validation also checks that the name in ldap_uri matches the certificate, use the hostname the server certificate was issued for (ldap-server here) rather than the IP, and make sure it resolves through DNS or /etc/hosts; if you must use the IP, the certificate needs it as a subjectAltName. Finally, cache_credentials = True lets users who have logged in before authenticate while the server is unreachable; set it to False on hosts where offline logins are not wanted.

Next, restrict the file's permissions and ownership. sssd.conf may hold bind credentials, and SSSD refuses to start if the file is accessible to users other than its owner:

[root@ldap-client ~]# chmod 600 /etc/sssd/sssd.conf
[root@ldap-client ~]# chown root:root /etc/sssd/sssd.conf

 

4. Configure ldap.conf

Add the below content to /etc/openldap/ldap.conf. This file configures the command-line tools such as ldapsearch, while SSSD takes its own settings from sssd.conf, so keep the two in sync; as above, the URI should carry the hostname the server certificate was issued for.

BASE    dc=example,dc=com
URI     ldap://ldap-server
TLS_CACERT      /etc/openldap/cacerts/ca.cert.pem
TLS_CACERTDIR   /etc/openldap/cacerts

 

5. Refresh the certificates

Create the hash-named links that libldap expects inside the directory given as TLS_CACERTDIR / ldap_tls_cacertdir. OpenLDAP does not scan the directory for PEM files: it looks for a file named after the hash of the CA's subject (with a .0 suffix), so without this step the CA is not found and, with ldap_tls_reqcert = demand, every connection is refused. Rerun it whenever a CA is added or replaced. On RHEL 8 rehash is a subcommand of the openssl binary itself, so the openssl-perl package (which provides the older c_rehash script) is not strictly required:

[root@ldap-client ~]# openssl rehash /etc/openldap/cacerts

 

6. Configure mkhomedir to auto create home directories

We can use oddjob-mkhomedir to create a home directory automatically for any LDAP user who logs in to the client node. This relies on the pam_oddjob_mkhomedir.so module from the oddjob-mkhomedir package we installed earlier, which asks the oddjobd daemon to create the directory rather than doing it with root privileges inside the login process itself. Configure the system with authselect; note that --force overwrites /etc/nsswitch.conf and the PAM files under /etc/pam.d, so back them up first if this host has local customisations:

[root@client ~]# authselect select sssd with-mkhomedir --force
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

 

7. Enable and Start SSSD and ODDJOBD service

Now we are done with the steps to configure the LDAP client on the RHEL/CentOS 8 node. The final step is to enable and start (or restart) the sssd and oddjobd services:

[root@ldap-client ~]# systemctl enable sssd.service --now
[root@ldap-client ~]# systemctl enable oddjobd.service --now

If sssd was already running before you edited sssd.conf, enable --now leaves the old configuration in memory; run systemctl restart sssd.service in that case. The optional sssd-tools package provides sssctl config-check, which validates the syntax and the permissions of sssd.conf before you restart.

 

8. Validate LDAP user login

If you already have an LDAP user, you can try logging in with it on this client node; otherwise create one on the server first.

In my case testuser1 exists in the LDAP database, and the client now resolves it through SSSD:

[root@client ~]# id testuser1
uid=1001(testuser1) gid=1001 groups=1001

Next I will connect using this user

login as: testuser1
testuser1@127.0.0.1's password:
Welcome to server1

This file was created on 2020-02-01
Go away if you have no business being here

Contact admin@golinuxcloud.com if anything is wrong
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Thu Jul 23 12:49:01 2020 from 10.0.2.2
[testuser1@client ~]$

So our client is able to properly connect with the ldap server.
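The procedure above, collected into one script, as an added example that is not the article's own code. It keeps the article's lab values (ldap-server, dc=example,dc=com and ca.cert.pem under /etc/openldap/cacerts) as defaults; those defaults, the LDAP_SERVER/LDAP_BASE/LDAP_MODE variables and the subcommand names are my assumptions, and the ldaps mode, the sssd-tools package with sssctl config-check, and the check subcommand are additions the article does not show. The check subcommand is the part worth keeping around: run against the article's own sssd.conf it reports the ldap_tls_reqcert = allow setting that makes the copied CA pointless.

```shell
#!/bin/bash
# Added example, not the article's own code: steps 1-8 as one script with the TLS
# settings hardened. Defaults are the article's lab values (assumptions); override them.
set -eu

LDAP_SERVER="${LDAP_SERVER:-ldap-server}"   # must match the server certificate's CN/SAN
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"
LDAP_MODE="${LDAP_MODE:-starttls}"          # starttls (ldap://, port 389) or ldaps (port 636)
CACERT_DIR="${CACERT_DIR:-/etc/openldap/cacerts}"
CACERT_FILE="$CACERT_DIR/ca.cert.pem"

ldap_uri() {
    case "$LDAP_MODE" in
        starttls) echo "ldap://$LDAP_SERVER" ;;
        ldaps)    echo "ldaps://$LDAP_SERVER" ;;
        *)        echo "unknown LDAP_MODE: $LDAP_MODE" >&2; return 1 ;;
    esac
}

# sssd.conf as in the article except: ldap_tls_reqcert=demand so an invalid server
# certificate aborts the connection, the CA file is pinned explicitly, and the URI
# carries the hostname so libldap's certificate name check can succeed.
render_sssd_conf() {
    uri=$(ldap_uri)
    if [ "$LDAP_MODE" = starttls ]; then starttls=True; else starttls=False; fi
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = $uri
ldap_search_base = $LDAP_BASE
ldap_id_use_start_tls = $starttls
ldap_tls_cacert = $CACERT_FILE
ldap_tls_cacertdir = $CACERT_DIR
ldap_tls_reqcert = demand
cache_credentials = True
EOF
}

render_ldap_conf() {
    printf 'BASE\t%s\nURI\t%s\nTLS_CACERT\t%s\nTLS_CACERTDIR\t%s\nTLS_REQCERT\tdemand\n' \
        "$LDAP_BASE" "$(ldap_uri)" "$CACERT_FILE" "$CACERT_DIR"
}

# Lint an sssd.conf for settings that quietly weaken TLS; the article's original
# (ldap_tls_reqcert = allow) fails. Prints one finding per line, returns 1 on any.
check_sssd_conf() {
    conf=$(sed -e 's/[[:space:]]*[#;].*//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1")
    rc=0
    if printf '%s\n' "$conf" | grep -qiE '^ldap_tls_reqcert=(never|allow|try)$'; then
        echo "ldap_tls_reqcert is not demand/hard: a bad server certificate is tolerated"; rc=1
    fi
    if printf '%s\n' "$conf" | grep -q '^ldap_uri=ldap://' &&
       ! printf '%s\n' "$conf" | grep -qi '^ldap_id_use_start_tls=true$'; then
        echo "ldap:// without ldap_id_use_start_tls = True: lookups travel in cleartext"; rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^ldap_tls_cacert(dir)?='; then
        echo "no ldap_tls_cacert or ldap_tls_cacertdir: nothing to validate the server against"; rc=1
    fi
    return $rc
}

# Steps 1-7, run as root. The CA must already be in place (step 2); this script
# never fetches it from an unauthenticated source.
apply() {
    [ -r "$CACERT_FILE" ] || { echo "copy the server CA to $CACERT_FILE first" >&2; return 1; }
    dnf -y install openldap-clients sssd sssd-ldap sssd-tools oddjob-mkhomedir
    render_sssd_conf > /etc/sssd/sssd.conf
    chmod 600 /etc/sssd/sssd.conf && chown root:root /etc/sssd/sssd.conf
    render_ldap_conf > /etc/openldap/ldap.conf
    openssl rehash "$CACERT_DIR"      # creates the <subject_hash>.0 links libldap looks up
    sssctl config-check               # from sssd-tools: syntax and permission check
    authselect select sssd with-mkhomedir --force
    systemctl enable --now oddjobd.service
    systemctl enable sssd.service && systemctl restart sssd.service   # restart: old config may be loaded
}

# Step 8 plus a TLS proof: -ZZ makes ldapsearch fail instead of quietly falling
# back to cleartext when StartTLS or certificate validation does not succeed.
verify() {
    if [ "$LDAP_MODE" = starttls ]; then tls_opt=-ZZ; else tls_opt=; fi
    ldapsearch -x $tls_opt -H "$(ldap_uri)" -b "$LDAP_BASE" -s base   # $tls_opt unquoted: may be empty
    getent passwd "$1" && id "$1"
}

case "${1:-}" in
    show)   render_sssd_conf ;;
    check)  check_sssd_conf "${2:-/etc/sssd/sssd.conf}" ;;
    apply)  apply ;;
    verify) verify "${2:?usage: $0 verify USERNAME}" ;;
    "")     ;;   # no argument: only define the functions (for sourcing or testing)
    *)      echo "usage: $0 show | check [FILE] | apply | verify USER" >&2; exit 2 ;;
esac
```

Run it as bash ldap-client.sh show to see the generated sssd.conf, check /etc/sssd/sssd.conf to lint an existing one, apply as root for steps 1 to 7 (it rewrites sssd.conf, ldap.conf, nsswitch.conf and the PAM stack, so back them up), and verify testuser1 for step 8. The -ZZ flag on ldapsearch is the check that the id test above cannot give you: id succeeds as long as SSSD gets an answer, whatever the certificate looked like when ldap_tls_reqcert is allow, whereas ldapsearch -ZZ errors out if StartTLS fails or the certificate does not validate.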

 

Conclusion

In this tutorial we learned the steps to configure an LDAP client on a RHEL/CentOS 8 Linux node. We used SSSD with StartTLS to communicate with the LDAP server; make sure the server certificate is actually validated against the copied CA (ldap_tls_reqcert = demand) rather than merely requested. If your server offers LDAPS instead, the same configuration applies with an ldaps:// URI and without ldap_id_use_start_tls.

Lastly, I hope the steps in this article to configure an LDAP client on RHEL/CentOS 8 Linux were helpful. Let me know your suggestions and feedback in the comment section.

 

References

I have used the below external reference for this tutorial guide:
How to configure Red Hat Enterprise Linux 8 machines as a LDAP Client

Deepak Prasad

Deepak Prasad is the founder of GoLinuxCloud, bringing over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, Networking, and Security. His extensive experience spans development, DevOps, networking, and security, ensuring robust and efficient solutions for diverse projects.


4 thoughts on “8 simple steps to configure ldap client RHEL/CentOS 8”

  1. Hi author, thank you so much for this comprehensive tutorial! In my case the user check “id username” doesn’t work, but I have a simpler configuration, not requiring mkhomedir and lacking TLS/SSL. I’d like to track down the issue, so my question is: What are the relevant log files to do so?

    Thank you and kind regards!

    • The issue can be different; you can try to check the application log file. But I prefer using journalctl directly, or, to troubleshoot a service, journalctl -u SERVICE. You can use journalctl -f to check runtime logs.

  2. Excellent series of tutorials! Completely up-to-date and a life saver when internet is so full of outdated tutorials still using things like authconfig or just skipping sssd. Only had a trouble and it was that I found necessary to use systemctl restart sssd after enabling the service. Wishing you the best!
