8 simple steps to configure ldap client RHEL/CentOS 8

In this tutorial I will share the steps to configure an LDAP client using SSSD over TLS on a RHEL/CentOS 8 Linux node.

I hope you already know that the openldap-servers package was removed from RHEL 8 (it may still be available from a third-party repository), but we can still configure RHEL/CentOS 8 as an LDAP client using SSSD. In my last article, where I shared the steps to configure an LDAP client on RHEL/CentOS 7, I had used authconfig-tui. That tool, together with the authconfig CLI, is deprecated in RHEL/CentOS 8, so we must use authselect instead.

 

Lab Environment

I have already configured my LDAP server in the previous articles, so I will use the same setup. In this tutorial I will be using CentOS 8, but the same steps also work on RHEL 8.

LDAP Server IP: 10.0.2.20
Base DN: dc=example,dc=com
LDAP Server hostname: ldap-server
LDAP Client hostname: ldap-client

 

Pre-requisites

You must have a working LDAP server that accepts TLS, either STARTTLS on the standard ldap port or LDAPS on its own port. We will use STARTTLS to connect to our LDAP server, and the client must trust the CA that signed the server certificate.

Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Step-by-Step Tutorial: Install and Configure OpenLDAP
Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates

 

1. Install OpenLDAP Client packages

First we must install openldap-clients, sssd and the other dependent rpms. We are also installing oddjob-mkhomedir to automatically create a home directory for any LDAP user who logs in for the first time; if that is not your requirement, skip this rpm. openssl-perl only provides the legacy c_rehash script; the openssl rehash command used in step 5 is built into openssl, so this rpm is optional as well.

NOTE:

On a RHEL system you must have an active subscription (RHN/RHSM), or configure a local offline repository from which the "dnf"/"yum" package manager can install the rpms and their dependencies.
[root@client ~]# dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir openssl-perl

 

2. Enable TLS in SSSD and LDAP

We will use STARTTLS to connect to the LDAP server which we configured in the previous article. If your server offers LDAPS instead, the same sssd.conf applies with ldap_uri pointing at ldaps:// and the ldap_id_use_start_tls line removed; the trust settings below stay the same.

Create /etc/openldap/cacerts on the ldap-client (any other directory works, as long as the same path is used in sssd.conf and ldap.conf below)

[root@ldap-client ~]# mkdir /etc/openldap/cacerts

Copy ca.cert.pem, the certificate of the CA that signed the LDAP server certificate (not the server certificate itself), from ldap-server to ldap-client. Everything the client will trust hangs on this file, so confirm its fingerprint over a channel other than the copy itself (for example read it off the server console) before relying on it.

[root@ldap-server ~]# scp /etc/openldap/cacerts/ca.cert.pem ldap-client:/etc/openldap/cacerts/ca.cert.pem

 

3. Configure LDAP client to authenticate with LDAP server using SSSD

Create a new /etc/sssd/sssd.conf file (if not present), or replace its content with the below, to use STARTTLS for the LDAP communication:

[root@ldap-client ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[nss]
homedir_substring = /home

[pam]

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://10.0.2.20
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True
ldap_tls_reqcert = allow

You may modify the values based on your environment. Here I have provided my Base DN and ldap_uri, which is the IP of my ldap-server. If you have configured DNS or updated your /etc/hosts file, use the hostname instead of the IP: with certificate verification enabled, the name in ldap_uri must match the server certificate (CN or subjectAltName), and a bare IP only matches if the certificate carries it as an IP SAN.

Two settings deserve a closer look. ldap_id_use_start_tls = True upgrades the plain ldap:// connection to TLS before any bind, so the bind password never travels in clear text. ldap_tls_reqcert = allow, however, tells SSSD to carry on even when the server presents no certificate, or one that cannot be verified against ldap_tls_cacertdir. That keeps a lab working while certificates are being sorted out, but it means anyone who can sit between the client and 10.0.2.20 can impersonate the server and harvest credentials. Once the CA from step 2 is in place, set ldap_tls_reqcert = demand so that an unverifiable certificate aborts the connection (SSSD's own default, hard, behaves the same way). ldap_tls_cacertdir only works once the directory has been rehashed (step 5); alternatively point ldap_tls_cacert directly at /etc/openldap/cacerts/ca.cert.pem. cache_credentials = True lets users who have already logged in authenticate from the local cache while the server is unreachable; those cached password hashes live under /var/lib/sss/db, which is one more reason the file permissions below and root on this node matter.

Next change the file permission and ownership

[root@ldap-client ~]# chmod 600 /etc/sssd/sssd.conf
[root@ldap-client ~]# chown root:root /etc/sssd/sssd.conf
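The weak setting beside its corrected form, together with a check that can be run against any sssd.conf. This is an added example and not part of the original article: the weak sample repeats the TLS-relevant lines of a [domain/default] block that uses ldap_tls_reqcert = allow, the hardened sample shows the same block with the server certificate actually verified, and ldap-server.example.com is an assumed FQDN standing in for whatever name your server certificate carries. It needs only a POSIX sh with sed, tr and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the [domain/default]
# TLS settings of an sssd.conf. SSSD only authenticates the LDAP server when
# the transport is TLS (ldaps://, or ldap:// plus ldap_id_use_start_tls), the
# certificate is verified (ldap_tls_reqcert = demand or hard) and a trust
# anchor is configured (ldap_tls_cacert or ldap_tls_cacertdir).
# Assumes POSIX sh with sed, tr and mktemp. ldap-server.example.com below is
# an assumed FQDN, not a name from the article.

# conf_get FILE KEY -> value of the first "KEY = value" line, trailing blanks removed
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_sssd_tls FILE -> 0 if the server will be authenticated, otherwise
# prints one FAIL line per problem and returns 1.
audit_sssd_tls() {
    file=$1
    rc=0
    uri=$(conf_get "$file" ldap_uri)
    starttls=$(conf_get "$file" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    reqcert=$(conf_get "$file" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    cacert=$(conf_get "$file" ldap_tls_cacert)
    cacertdir=$(conf_get "$file" ldap_tls_cacertdir)

    case "$uri" in
        ldaps://*) ;;                       # TLS from the first byte
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "FAIL: $uri without ldap_id_use_start_tls = True sends bind passwords in clear text"
                rc=1
            fi ;;
        *)  echo "FAIL: ldap_uri missing or not ldap:// or ldaps://: '$uri'"; rc=1 ;;
    esac

    # allow and never accept an unverifiable certificate: anyone on the path can
    # present their own certificate and read the bind credentials.
    case "$reqcert" in
        demand|hard|"") ;;                  # unset means SSSD's default, hard
        *)  echo "FAIL: ldap_tls_reqcert = $reqcert leaves the server certificate unverified"; rc=1 ;;
    esac

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL: no trust anchor (set ldap_tls_cacert or ldap_tls_cacertdir)"
        rc=1
    fi

    # With the certificate verified, the name in ldap_uri must match it; a bare
    # IP only matches a certificate that carries that IP as a SAN.
    case "$uri" in
        *://[0-9]*) echo "WARN: ldap_uri uses an IP address; the server certificate must list it as an IP SAN" ;;
    esac
    return $rc
}

# Constructed sample configs for the demonstration (not taken from a real host).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://10.0.2.20
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
EOF
    cat > "$1/hardened.conf" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap-server.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/cacerts/ca.cert.pem
ldap_tls_reqcert = demand
EOF
}

# Stand-alone demo: audit both samples, then the live file if it is readable.
samples=$(mktemp -d)
write_samples "$samples"
for f in "$samples/weak.conf" "$samples/hardened.conf" /etc/sssd/sssd.conf; do
    [ -r "$f" ] || continue
    if audit_sssd_tls "$f"; then echo "OK:  $f"; else echo "BAD: $f"; fi
done
rm -rf "$samples"
```

Run it as root so the live /etc/sssd/sssd.conf (mode 0600) is included; the weak sample fails on the reqcert line and warns about the IP, the hardened one passes. The check deliberately treats an unset ldap_tls_reqcert as acceptable because SSSD defaults to hard; the danger is only in explicitly relaxing it.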

 

4. Configure ldap.conf

Add the below content to /etc/openldap/ldap.conf. This file is read by the openldap-clients tools (ldapsearch, ldapwhoami and friends), not by SSSD, so it carries its own trust settings; TLS_REQCERT defaults to demand, so these tools refuse a server certificate that does not chain to ca.cert.pem, which makes them a good independent check of the TLS setup.

BASE    dc=example,dc=com
URI     ldap://10.0.2.20
TLS_CACERT      /etc/openldap/cacerts/ca.cert.pem
TLS_CACERTDIR /etc/openldap/cacerts

 

5. Refresh the certificates

Rehash the certificate directory so that libldap can find the CA we copied from ldap-server. openssl rehash creates a <subject-hash>.0 symlink for every certificate in the directory; TLS_CACERTDIR and ldap_tls_cacertdir are searched by that hash, so without this step the CA file is present but never consulted. Rerun it whenever a certificate in the directory is added or replaced:

[root@ldap-client ~]# openssl rehash /etc/openldap/cacerts
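A check covering steps 2 and 5 together, as an added example that is not part of the original article: it confirms that the ca.cert.pem on the client has the SHA-256 fingerprint the server administrator reports (obtained on ldap-server with the same openssl x509 -fingerprint command, and passed to the script over a channel other than the scp copy) and that openssl rehash has created the <subject_hash>.0 link that libldap actually looks up. The script assumes openssl is installed on the client; the directory and expected fingerprint are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original article: verify the CA copied in
# step 2 and rehashed in step 5. Two things go wrong silently: the file on the
# client is not the CA the server really uses (a wrong copy either fails under
# ldap_tls_reqcert = demand or trusts the wrong issuer), or the hashed symlink
# that libldap looks up in ldap_tls_cacertdir / TLS_CACERTDIR was never made.
# Assumes openssl on the client. The expected fingerprint comes from the
# server admin over a channel other than the scp copy itself.

# ca_fingerprint FILE -> upper-case SHA-256 fingerprint of the certificate ("AB:CD:...")
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# verify_cacerts_dir DIR EXPECTED_FP -> 0 if DIR holds a certificate with that
# fingerprint and the <subject_hash>.0 link created by "openssl rehash" exists.
verify_cacerts_dir() {
    dir=$1
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    for pem in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$pem" ] || continue
        fp=$(ca_fingerprint "$pem" 2>/dev/null)
        [ "$fp" = "$expected" ] || continue
        # A certificate without basicConstraints CA:TRUE cannot verify the
        # server's chain even if it is the right file, so say so.
        if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
            echo "WARN: $pem matches the fingerprint but is not marked CA:TRUE" >&2
        fi
        subj_hash=$(openssl x509 -in "$pem" -noout -subject_hash)
        if [ ! -e "$dir/$subj_hash.0" ]; then
            echo "FAIL: $dir/$subj_hash.0 is missing; run 'openssl rehash $dir'" >&2
            return 1
        fi
        echo "OK: $pem is the expected CA and is linked as $subj_hash.0"
        return 0
    done
    echo "FAIL: no certificate in $dir has fingerprint $expected" >&2
    return 1
}

# Usage: sh verify-cacerts.sh /etc/openldap/cacerts 'AB:CD:...'
if [ "$#" -eq 2 ]; then
    verify_cacerts_dir "$1" "$2"
else
    echo "usage: $0 CACERT_DIR EXPECTED_SHA256_FINGERPRINT" >&2
fi
```

A non-zero exit means SSSD would either refuse to connect once ldap_tls_reqcert = demand is set, or, worse, connect while trusting an issuer other than the one the server uses; fix the copy or rerun the rehash before moving on.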

 

6. Configure mkhomedir to auto create home directories

We can use oddjob-mkhomedir to create home directories automatically for any LDAP user who logs into the client node. This uses the pam_oddjob_mkhomedir.so module provided by oddjob-mkhomedir, which we installed earlier; unlike pam_mkhomedir.so from the base pam package, the directory is created by the privileged oddjobd daemon over D-Bus rather than inside the calling service. Configure the system with authselect. Note that --force overwrites any existing /etc/nsswitch.conf and PAM configuration not managed by authselect, so keep a copy if the node has local customisations.

[root@client ~]# authselect select sssd with-mkhomedir --force
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

 

7. Enable and Start SSSD and ODDJOBD service

Now we are done with the steps to configure the LDAP client on the RHEL/CentOS 8 Linux node. The final step is to enable and start the sssd and oddjobd services (if sssd was already running, restart it so that it re-reads sssd.conf; it will refuse to start if sssd.conf is not owned by root with mode 0600):

[root@ldap-client ~]# systemctl enable sssd.service --now
[root@ldap-client ~]# systemctl enable oddjobd.service --now

 

8. Validate LDAP user login

If you already have an LDAP user, try logging in with it on this client node; otherwise create one on the server first. Before testing a login it is worth confirming the TLS side on its own: ldapsearch with the -ZZ option fails hard if STARTTLS cannot be negotiated or the server certificate is not trusted per ldap.conf, and id or getent on an LDAP user confirms that SSSD can resolve identities through its own connection.

In my case I have testuser1 in the LDAP database

[root@client ~]# id testuser1
uid=1001(testuser1) gid=1001 groups=1001

Next I will connect using this user

login as: testuser1
testuser1@127.0.0.1's password:
Welcome to server1

This file was created on 2020-02-01
Go away if you have no business being here

Contact admin@golinuxcloud.com if anything is wrong
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Thu Jul 23 12:49:01 2020 from 10.0.2.2
[testuser1@client ~]$

So our client can resolve and authenticate LDAP users over the TLS-protected connection to the LDAP server.

 

Conclusion

In this tutorial we learned the steps to configure an LDAP client on a RHEL/CentOS 8 Linux node. We used SSSD with STARTTLS to communicate with the LDAP server, and saw why the server certificate should be verified (ldap_tls_reqcert = demand) rather than merely allowed. If your server offers LDAPS instead, the same sssd.conf works with ldap_uri pointing at ldaps:// and the ldap_id_use_start_tls line removed.

Lastly, I hope the steps in this article to configure an LDAP client on RHEL/CentOS 8 Linux were helpful. Let me know your suggestions and feedback in the comment section.

 

References

I have used the below external reference for this tutorial guide:
How to configure Red Hat Enterprise Linux 8 machines as a LDAP Client

2 thoughts on “8 simple steps to configure ldap client RHEL/CentOS 8”

  1. Excellent series of tutorials! Completely up-to-date and a life saver when internet is so full of outdated tutorials still using things like authconfig or just skipping sssd. Only had a trouble and it was that I found necessary to use systemctl restart sssd after enabling the service. Wishing you the best!
