[CentOS] C7: need authconfig against LDAP

Fri Aug 29 08:06:01 UTC 2014
anax <anax at ayni.com>


On 2014-08-29 08:37, Mihamina Rakotomandimby wrote:
> Hi all,
>
> On a C6 box, when I want to enable LDAP authentication, I issue:
>
> # yum -y install nss-pam-ldapd pam_ldap nscd
> # authconfig --enableldap --enableldapauth --enablemkhomedir \
>       --ldapserver=ldap://ldap-blabla/  \
>       --ldapbasedn="blabla" \
>       --enablecache --disablefingerprint \
>       --kickstart --update
>
> All is working fine, the directory structure is fine and compliant.
>
> What about C7?
>
> As far as I read,
> - there is a switch to "sssd"
> - I found 1 link:
> http://www.certdepot.net/ldap-client-configuration-authconfig/
>
> Is there something in particular I should pay attention to?
> Note that I have only GUI-less servers.
>
> Thank you.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

sssd is a hard piece to configure. In C7 it absolutely wants an 
encrypted connection to the LDAP server. Therefore, it must at least 
have a valid CA cert at its disposal. Also, the LDAP server itself must 
have a valid CA cert (possibly the same as the sssd client) and a valid 
server certificate with the Common Name of the host it runs on.

Our /etc/sssd/sssd.conf follows:

[domain/default]
# Identity, authentication, password changes and autofs maps all come from LDAP
autofs_provider = ldap
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# Keep hashed credentials locally so logins survive an LDAP outage
cache_credentials = True
enumerate = true
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_user_search_base = ou=people,ou=pam-ldap,dc=mydomain,dc=com
ldap_group_search_base = ou=group,ou=pam-ldap,dc=mydomain,dc=com
# Bind account used for lookups; its password is redacted here
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = ********
# Encrypted connection: StartTLS on the ldap:// URI, server cert verified against the CA certs in this directory
ldap_uri = ldap://casablanca.lan/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
-------------------------------

In /etc/nsswitch.conf you must have:

.....
passwd:     files sss
shadow:     files sss
group:      files sss
.....

-------------------------------

sssd, in our config, logs to /var/log/daemonlog

-------------------------------

You must have authconfig set up as you said in your message.

-------------------------------

If you only see "Unable to establish TLS connection" with the LDAP 
server from sssd, then you may be better off starting sssd in debug mode:

    sssd -d0x777 -i

In this debug output, search for "Starting TLS".

Wishing you good luck

suomi
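As an added example that is not part of the original thread: a small POSIX shell script that statically checks an sssd.conf and an nsswitch.conf for the three points the reply raises (an encrypted LDAP connection via StartTLS or ldaps://, a configured CA certificate location, and passwd/shadow/group routed through sss). The two sssd.conf samples and the two nsswitch.conf samples are constructed inline for the demonstration; the hostname casablanca.lan and the DNs are placeholders carried over from the posted config, and the script assumes a standard sed, awk, grep and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original thread: static checks of the
# two files the reply above says matter on a C7 sssd client.
#   1. ldap_uri must be ldaps:// or be paired with ldap_id_use_start_tls = True,
#      otherwise binds (including the bind DN's password) go over cleartext.
#   2. A CA certificate location must be configured (ldap_tls_cacertdir or
#      ldap_tls_cacert); sssd verifies the server certificate by default
#      (ldap_tls_reqcert defaults to "hard").
#   3. nsswitch.conf must list "sss" for passwd, shadow and group.
# Against real files:
#   check_sssd_conf /etc/sssd/sssd.conf && check_nsswitch /etc/nsswitch.conf

# Print the value of key "$2" from the ini-style file "$1" (first match,
# comments stripped, whitespace trimmed). Values may themselves contain '='.
conf_value() {
    sed 's/#.*//' "$1" | awk -v k="$2" '
        /^[^=]+=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (key == k) {
                val = $0; sub(/^[^=]*=/, "", val)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val; exit
            }
        }'
}

# Returns 0 when the LDAP connection is encrypted and a CA location is set.
check_sssd_conf() {
    f="$1"; rc=0
    uri=$(conf_value "$f" ldap_uri)
    tls=$(conf_value "$f" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    cadir=$(conf_value "$f" ldap_tls_cacertdir)
    cafile=$(conf_value "$f" ldap_tls_cacert)

    case "$uri" in
        ldaps://*) echo "ok: $uri is LDAPS" ;;
        ldap://*)
            if [ "$tls" = "true" ]; then
                echo "ok: $uri with StartTLS"
            else
                echo "FAIL: $uri without ldap_id_use_start_tls = True (cleartext bind)"
                rc=1
            fi ;;
        *)  echo "FAIL: no ldap:// or ldaps:// ldap_uri found"; rc=1 ;;
    esac

    if [ -n "$cadir$cafile" ]; then
        echo "ok: CA certificate location: ${cadir:-$cafile}"
    else
        echo "FAIL: neither ldap_tls_cacertdir nor ldap_tls_cacert is set"
        rc=1
    fi
    return $rc
}

# Returns 0 when passwd, shadow and group all go through sss.
check_nsswitch() {
    f="$1"; rc=0
    for db in passwd shadow group; do
        if sed 's/#.*//' "$f" | grep -Eq '^[[:space:]]*'"$db"':.*[[:space:]]sss([[:space:]]|$)'; then
            echo "ok: $db -> sss"
        else
            echo "FAIL: $db does not use sss"; rc=1
        fi
    done
    return $rc
}

# Constructed samples (hostname and DNs are placeholders from the posted config).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/good.conf" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://casablanca.lan/
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
EOF
# The C6 habit carried over unchanged: plain ldap://, no StartTLS, no CA.
cat > "$WORK/weak.conf" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://casablanca.lan/
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
EOF
printf 'passwd:     files sss\nshadow:     files sss\ngroup:      files sss\n' > "$WORK/nss.good"
printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files\n'   > "$WORK/nss.bad"

for c in good.conf weak.conf; do
    echo "== $c"; check_sssd_conf "$WORK/$c" || echo "   -> $c does not meet the C7 requirements"
done
for n in nss.good nss.bad; do
    echo "== $n"; check_nsswitch "$WORK/$n" || echo "   -> fix nsswitch.conf"
done
```

The checks are deliberately static: they tell you whether the configuration even asks for TLS and a CA, which is the first thing to rule out before starting sssd with `-d0x777 -i` and reading the "Starting TLS" lines. Whether the CA directory actually contains the right certificate, or whether the server certificate's Common Name matches the host, still has to be verified against the live server.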