ldap-client cheatsheet

1 authselect cheat

authselect select sssd
authselect list

2 LDAP Resources

2.1 LDAP server resources

The main online resources for LDAP are:

  1. ldap.com
  2. ldapwiki.com
  3. openldap.org
  4. itzgeek (from lab7 installation notes)
  5. openldap admin guide

2.2 LDAP client resources

Arthur de Jong (nss-pam-ldapd) on LDAP authentication with nss-pam-ldapd (CentOS 7)

access.redhat.com Chapter 1: Authselect on CentOS 8

access.redhat.com Chapter 2: SSSD on CentOS 8

3 LDAP authentication using nss-pam-ldapd

4 Overview User Authentication using Authselect.

Authselect is a utility that simplifies the configuration of user authentication on a RedHat / CentOS 8 host. Authselect comes with two profiles out of the box that can be used with all modern identity management systems:

  1. the sssd profile
  2. the winbind profile

NIS is also included for legacy systems.

  1. Warning

    Do not use authselect if your host is part of Red Hat Enterprise Linux Identity Management or Active Directory. The ipa-client-install command, called when joining your host to a Red Hat Identity Management domain, takes full care of configuring authentication on your host. Similarly the realm join command, called when joining your host to an Active Directory domain, takes full care of configuring authentication on your host.

4.0.1 authconfig is deprecated in CentOS8

The authconfig utility, used in previous Red Hat Enterprise Linux versions, created and modified many different configuration files, making troubleshooting a difficult task.

Authselect makes testing and troubleshooting easy because it only modifies files in these locations:

  • /etc/nsswitch.conf
  • /etc/pam.d/* files
  • /etc/dconf/db/distro.d/* files

4.1 Name Service Switch (NSS)

4.1.1 /etc/nsswitch.conf

NSS is used by the GNU C Library and some other applications to determine the sources from which to obtain name-service info in a range of categories, and in what order. Each category of info is identified by a database name.

4.2 Linux-PAM (Pluggable Authentication Modules)

Linux-PAM is a system of modules that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the sysadmin can choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the configuration files in /etc/pam.d, which list the PAMs that will do the authentication tasks required by this service, and the appropriate behaviour of the PAM-API in the event that individual PAMs fail.

Once the authselect profile is selected for a given host, the profile will be applied to every user logging into the host.

4.3 Choosing an authselect profile

System admins can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into that host.

  1. 1) Select the authselect profile

    Select the authselect profile that is appropriate for your authentication provider. For example, for logging into the network of a company that uses LDAP, choose sssd. Run the command as root:

    authselect select sssd

    root@vm1/etc/dconf/db/distro.d[1039]$ 
    authselect select sssd
    Profile "sssd" was selected.
    The following nsswitch maps are overwritten by the profile:
    - passwd
    - group
    - netgroup
    - automount
    - services
    
    Make sure that SSSD service is configured and enabled. 
    See SSSD documentation for more information.
    
    root@vm1/etc/dconf/db/distro.d[1040]$ 
    
    
  2. 2) Optionally, review the contents of the /etc/nsswitch.conf file:

    passwd:     sss files
    group:      sss files
    netgroup:   sss files
    automount:  sss files
    services:   sss files
    …

    The content of the /etc/nsswitch.conf file shows that selecting the sssd profile means that the system first uses sssd if information concerning one of the first five items is requested. Only if the requested information is not found in the sssd cache and on the server providing authentication, or if sssd is not running, does the system look at the local files, that is /etc/*.

    For example, if information is requested about a user id, the user id is first searched in the sssd cache. If it is not found there, the /etc/passwd file is consulted.

    Likewise, if a user’s group affiliation is requested, it is first searched in the sssd cache and only if not found there, the /etc/group file is consulted.

    In practice, the local files database does not normally get consulted at all. The only exception is the case of the root user, which is never handled by sssd but by files.

  3. 3) Optionally, review the contents of the /etc/pam.d/system-auth file:
    # Generated by authselect on Tue Sep 11 22:59:06 2018
    # Do not modify this file manually.
    
    auth        required        pam_env.so
    auth        required        pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok]    pam_succeed_if.so uid >= 1000 quiet
    auth        [default=1 ignore=ignore success=ok]    pam_localuser.so
    auth        sufficient      pam_unix.so nullok try_first_pass
    auth        requisite       pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient      pam_sss.so forward_pass
    auth        required        pam_deny.so
    
    account     required        pam_unix.so
    account     sufficient      pam_localuser.so
    ...
    

    Among other things, the /etc/pam.d/system-auth file contains information about:

    • user password lockout condition
    • the possibility to authenticate with a smart card
    • the possibility to authenticate with fingerprints

      You can modify the default profile settings by adding the following options to the authselect select sssd or authselect select winbind command, for example:

      • with-faillock
      • with-smartcard
      • with-fingerprint

    To see the full list of available options, see Section 1.5, “Converting your scripts from authconfig to authselect” or the authselect-migration(7) man page.

    Make sure that the config files for your profile are configured properly before finishing the authselect procedure.

    If adjusting a ready-made profile by adding one of the authselect select command-line options described above is not enough for your use case, you can:

    • modify a ready-made profile by changing the /etc/authselect/user-nsswitch.conf file.
    • create your own custom profile.

4.4 Modifying a ready-made authselect profile

/etc/authselect/user-nsswitch.conf

A sysadmin can modify one of the default profiles, the sssd, winbind, or the nis profile, as needed. You can modify any of the items in the /etc/authselect/user-nsswitch.conf file with the exception of:

  • passwd
  • group
  • netgroup
  • automount
  • services

Running authselect select profile_name afterwards will result in permissible changes to the profile being transferred from /etc/authselect/user-nsswitch.conf to the /etc/nsswitch.conf file, with bad changes being overwritten by the default profile config.

DO NOT modify the /etc/nsswitch.conf file directly.

  1. 0) list available profiles

    authselect list

  2. 1) Select an authselect profile

    for example authselect select sssd

  3. 2) Edit /etc/authselect/user-nsswitch.conf file

    My (vm1) user-nsswitch.conf file

    passwd:      sss files systemd
    shadow:     files sss
    group:       sss files systemd
    
    hosts:      files dns myhostname
    
    bootparams: files
    
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files sss
    
    netgroup:   sss
    
    publickey:  files
    
    automount:  files sss
    aliases:    files
    
    
  4. 3) Apply these changes to the /etc/authselect/user-nsswitch.conf file:

    authselect apply-changes
    Changes were successfully applied.

  5. 4) Optionally review the /etc/nsswitch.conf file to verify the transfer of the changes.
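As an added check (not part of these notes), the script below reads an nsswitch.conf, prints the source order for each database, and lists which of the five maps that the authselect sssd profile overwrites do not start with sss. The file it reads is constructed here, modelled on the user-nsswitch.conf above, with automount and services deliberately left as files-first so the check has something to report.

```shell
#!/bin/sh
# Added example, not part of the original notes: read an nsswitch.conf,
# print the source order for each database, and list the maps that the
# authselect sssd profile expects to start with "sss" but do not.
# Assumes the usual "database: source source ..." syntax.

# Constructed sample, modelled on the user-nsswitch.conf above; services
# and automount are deliberately "files sss" so that the check has a hit.
SAMPLE_NSSWITCH=$(mktemp)
trap 'rm -f "$SAMPLE_NSSWITCH"' EXIT
cat > "$SAMPLE_NSSWITCH" <<'EOF'
# Generated by authselect
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd   # trailing comment
hosts:      files dns myhostname
services:   files sss
netgroup:   sss
automount:  files sss
EOF

# lookup_order FILE DB -> the sources listed for DB, in order, on one line
# (empty if the database is not configured)
lookup_order() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }                           # comment lines
        { sub(/#.*/, ""); sub(/:[[:space:]]*/, ": ") }      # drop trailing comment, normalise "db:"
        $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out; exit
        }' "$1"
}

# misordered_maps FILE -> names of the authselect-managed maps whose first
# source is not sss, one per line (empty when the sssd profile is applied cleanly)
misordered_maps() {
    for db in passwd group netgroup automount services; do
        case "$(lookup_order "$1" "$db")" in
            sss|"sss "*) ;;
            *) echo "$db" ;;
        esac
    done
}

# Stand-alone run over the sample (point it at /etc/nsswitch.conf on a real host)
printf '%-10s %s\n' MAP SOURCES
for db in passwd shadow group hosts services netgroup automount; do
    printf '%-10s %s\n' "$db" "$(lookup_order "$SAMPLE_NSSWITCH" "$db")"
done
for db in $(misordered_maps "$SAMPLE_NSSWITCH"); do
    echo "WARN: $db consults local files before sss; authselect select sssd would overwrite this line"
done
```

On a host where the sssd profile has been applied, misordered_maps /etc/nsswitch.conf prints nothing; a non-empty result means the file was edited by hand or the profile was not re-applied after changing user-nsswitch.conf.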

4.5 Create a home-grown authselect profile

A sysadmin can create and deploy a custom profile by customizing one of the default profiles, the sssd, winbind, or the nis profile. This is particularly useful if a ready-made authselect profile is not enough for your needs. When you deploy a custom profile, the profile is applied to every user logging into the given host.

  1. 1) Create your custom profile by using the authselect create-profile command

    For example, to create a custom profile called user-profile based on the ready-made sssd profile but one in which you can configure the items in the /etc/nsswitch.conf file yourself:

    authselect create-profile user-profile -b sssd --symlink-meta --symlink-pam

    New profile was created at /etc/authselect/custom/user-profile

    Including the --symlink-pam option in the command means that PAM templates will be symbolic links to the origin profile files instead of their copy; including the --symlink-meta option means that meta files, such as README and REQUIREMENTS, will be symbolic links to the origin profile files instead of their copy. This ensures that all future updates to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.

    The command has created a copy of the /etc/nsswitch.conf file in the /etc/authselect/custom/user-profile directory.

  2. 2) Configure the /etc/authselect/custom/user-profile/nsswitch.conf file
  3. 3) Run authselect select custom/<name-of-profile> to select it.

    Selecting the user-profile profile for your machine means that if the sssd profile is subsequently updated by Red Hat, you will benefit from all the updates with the exception of updates made to the /etc/nsswitch.conf file.

  4. 4) Check that the selected profile has
    • created the /etc/pam.d/system-auth file according to the sssd profile
    • left the configuration in /etc/nsswitch.conf unchanged.

4.6 Relation of authconfig options to authselect profiles

Authconfig options                     Authselect profile
--enableldap --enableldapauth          sssd
--enablesssd --enablesssdauth          sssd
--enablekrb5                           sssd
--enablewinbind --enablewinbindauth    winbind
--enablenis                            nis

4.7 Relation of authselect options equivalents to authconfig options

Authconfig options        Authselect options
--enablesmartcard         with-smartcard
--enablefingerprint       with-fingerprint
--enableecryptfs          with-ecryptfs
--enablemkhomedir         with-mkhomedir
--enablefaillock          with-faillock
--enablepamaccess         with-pamaccess
--enablewinbindkrb5       with-krb5

Examples:

authconfig --enableldap --enableldapauth --enablefaillock --updateall
becomes authselect select sssd with-faillock

authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
becomes authselect select sssd with-smartcard

authconfig --enableecryptfs --enablepamaccess --updateall
becomes authselect select sssd with-ecryptfs with-pamaccess

authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
becomes realm join -U Administrator --client-software=winbind WINBINDDOMAIN

5 Overview Configuring SSSD to use LDAP authentication (and optionally TLS)

From Red Hat: The System Security Services Daemon (SSSD) is a daemon that manages identity data retrieval and authentication on a RHEL 8 host. A system administrator can configure the SSSD on the host to use a standalone LDAP server database as the user account database. Examples of an LDAP server include the OpenLDAP server and the Red Hat 389 Directory Server. In this chapter, the scenario also includes the requirement that the connection with the LDAP server must be encrypted with a TLS certificate.

The authentication method of the LDAP objects can be either a Kerberos password or an LDAP password. Note that the questions of authentication and authorization of the LDAP objects are not addressed in this chapter.

5.1 Configure SSSD to use LDAP

Users and groups that are defined in an LDAP server can log in to your system. Whether a user is known to the system is managed through an NSS module, and the authentication is done with a PAM module.

On CentOS8 or RHEL:

  • The RHEL system uses an OpenLDAP server as the user account database.
  • The RHEL system uses the System Security Services Daemon (SSSD) as the service responsible for retrieving the user data.
  • The RHEL system uses a TLS certificate to encrypt the connection with the OpenLDAP server. (optionally?)
  • The host you want to become a client of the OpenLDAP server needs to configure /etc/sssd/sssd.conf to specify ldap as the autofs_provider and the id_provider.

5.1.1 /etc/sssd/sssd.conf

Procedure (see also archlinux):

  1. 1) Install necessary packages:

    dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir

  2. 2) Switch the authentication provider to sssd:

    authselect select sssd with-mkhomedir

  3. 3) Copy the core-dirsrv.ca.pem file containing the LDAP server certificate into the /etc/openldap/cacerts folder (if using TLS).

    Another approach to obtain the server certificate: openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text

  4. 4) Add the URL and suffix of your LDAP server to the /etc/openldap/ldap.conf file:

    URI ldap://vm4.zintis.ops/
    BASE dc=andrew,dc=ops

  5. 5) In /etc/openldap/ldap.conf specify the location of the OpenLDAP server certificate by adding a TLS_CACERT line pointing to /etc/openldap/cacerts/core-dirsrv.ca.pem (if using TLS):

    TLS_CACERT /etc/openldap/certs/core-dirsrv.ca.pem

  6. 5.5) I had to also dnf install sssd-tools on vm1 (so far).
  7. 6) In the /etc/sssd/sssd.conf file, add environment variables to [ldapuri]

    (I had /etc/sssd/conf.d/sssd.conf, which seems redundant to me.) Here is my sssd.conf file:

    [domain/default]
    id_provider = ldap
    autofs_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://vm4.zintis.ops/
    ldap_search_base = dc=andrew,dc=ops
    # ldap_id_use_start_tls = True
    cache_credentials = true
    account_cache_expiration = 1
    
    ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
    ldap_default_authtok = P@ssWOrd
    
    
    
    [sssd]
    services = nss, pam
    domains = default
    debug_level = 8
    
    [nss]
    homedir_substring = /home
    
    [pam]
    pam_verbosity = 8
    debug_level = 8
    
    

    Access.redhat.com CentOS8 docs had:

    [domain/default]
    id_provider = ldap
    autofs_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://ldap-server.example.com/
    ldap_search_base = dc=example,dc=com
    ldap_id_use_start_tls = True
    cache_credentials = True
    ldap_tls_cacertdir = /etc/openldap/certs
    ldap_tls_reqcert = allow
    
    [sssd]
    services = nss, pam, autofs
    domains = default
    
    [nss]
    homedir_substring = /home
    

    Another example file: (not yet tried or compared)

    [sssd]
    services = nss, pam, sudo
    config_file_version = 2
    domains = default
    
    [sudo]
    
    [nss]
    
    [pam]
    offline_credentials_expiration = 60
    
    [domain/default]
    ldap_id_use_start_tls = True
    cache_credentials = True
    ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    access_provider = ldap
    sudo_provider = ldap
    ldap_uri = ldaps://ldapmaster.kifarunix-demo.com:636
    ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
    ldap_default_authtok = P@ssWOrd
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/pki/tls/cacert.crt
    ldap_tls_cacertdir = /etc/pki/tls
    ldap_search_timeout = 50
    ldap_network_timeout = 60
    ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
    ldap_access_order = filter
    ldap_access_filter = (objectClass=posixAccount)
    
    1. Possibly need to configure PAM to use sssd

      Add "pam_sss.so" related entries to /etc/pam.d/password-auth and /etc/pam.d/system-auth ===> my vm1 already had that, but not configured manually. It must have been authselect that did it for me.

  8. 7) In /etc/sssd/sssd.conf, specify the TLS authentication by modifying the ldap_tls_cacert and ldap_tls_reqcert values in [domain/default]:

    …
    cache_credentials = True
    ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
    ldap_tls_reqcert = hard
    …

  9. 8) Change the permissions on the /etc/sssd/sssd.conf file:

    chmod 600 /etc/sssd/sssd.conf

  10. 9) Restart and enable SSSD:

    systemctl restart sssd oddjobd

    systemctl enable sssd oddjobd

  11. 10) (Optional) If your LDAP server uses the deprecated TLS 1.0 or TLS 1.1 protocols, switch the system-wide cryptographic policy on the client system to the LEGACY level to allow RHEL 8 to communicate using these protocols:

    update-crypto-policies --set LEGACY

    * I did this on vm1 only.

    1. Verify login by using the id command and specifying an LDAP user:

    uid=16252(ldapuser) gid=51515(sysadmins) groups=724236(sysadmins),25216(engineers),10(wheel),11515216(admins)

    The system administrator can now query users from LDAP using the id command. The command returns a correct user ID and group membership.
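Before the restart in step 9, a pre-flight check over sssd.conf is worth having. The script below is an added example, not from these notes or the Red Hat chapter: it reports a file mode other than 0600 (the samples above carry ldap_default_authtok), a plaintext ldap:// URI without ldap_id_use_start_tls = True, and an ldap_tls_reqcert weaker than demand/hard (the allow in the Red Hat sample). The two files it builds are constructed inline; the hostname, bind DN and password in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the notes or the Red Hat docs: a pre-flight check
# to run over sssd.conf before "systemctl restart sssd". It reports
#   - a file mode other than 0600 (the file may hold ldap_default_authtok)
#   - a plaintext ldap:// ldap_uri without ldap_id_use_start_tls = True
#   - ldap_tls_reqcert set to something weaker than demand/hard
# Only "key = value" lines are parsed; the section to inspect is passed in.

# sssd_get FILE SECTION KEY -> the value, or nothing if unset or commented out
sssd_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }                     # comment lines
        /^[[:space:]]*\[/ {                               # [section] header
            cur = $0; sub(/^[[:space:]]*\[/, "", cur)
            cur = substr(cur, 1, index(cur, "]") - 1); next
        }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1);   gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# audit_sssd FILE SECTION -> one finding per line; prints nothing when clean
audit_sssd() {
    f="$1"; sec="$2"
    mode=$(ls -ld "$f" | cut -c1-10)        # portable: works without GNU stat
    [ "$mode" = "-rw-------" ] || echo "mode: $f is $mode, want -rw------- (chmod 600): it may contain ldap_default_authtok"
    uri=$(sssd_get "$f" "$sec" ldap_uri)
    starttls=$(sssd_get "$f" "$sec" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$uri" in
        ldaps://*) ;;
        ldap://*)  [ "$starttls" = "true" ] || echo "transport: $uri is plaintext and ldap_id_use_start_tls is not True: bind password and directory data cross the wire unencrypted" ;;
        *)         echo "transport: ldap_uri missing or not understood: '$uri'" ;;
    esac
    reqcert=$(sssd_get "$f" "$sec" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    case "$reqcert" in
        demand|hard|"") ;;   # unset is acceptable: sssd's own default is hard
        *) echo "tls: ldap_tls_reqcert = $reqcert does not fail on a bad server certificate, so ldap_tls_cacert protects nothing" ;;
    esac
}

# Two constructed files: the weak settings seen above, and a corrected copy.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap-server.example.com/
ldap_search_base = dc=example,dc=com
# ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=readonly,ou=system,dc=example,dc=com
ldap_default_authtok = EXAMPLE-NOT-A-REAL-PASSWORD
cache_credentials = true
EOF
chmod 644 "$WEAK"        # deliberately world-readable

cat > "$HARDENED" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap-server.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
cache_credentials = True
EOF
chmod 600 "$HARDENED"

echo "== weak =="; audit_sssd "$WEAK" domain/default
echo "== hardened (no output expected) =="; audit_sssd "$HARDENED" domain/default
```

On a real host run audit_sssd /etc/sssd/sssd.conf domain/default (or whatever the [domain/...] section is called); the three findings map directly onto steps 7 and 8 of the procedure.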

5.1.2 I was still failing to get vm1 to authenticate user jane on vm1 to ldap on vm4

Started System Security Services Daemon.
Apr 03 15:26:15 vm1 sshd[1785]: Invalid user jane from 192.168.111.1 port 47090
Apr 03 15:26:54 vm1 login[940]: pam_unix(login:auth): check pass; user unknown
Apr 03 15:26:54 vm1 login[940]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Apr 03 15:26:56 vm1 login[940]: FAILED LOGIN 1 FROM tty1 FOR (unknown), User not known to the underlying authentication module
Apr 03 15:27:50 vm1 systemd[1]: getty@tty1.service: Service has no hold-off time (RestartSec=0), scheduling restart.

  1. Not even trying to send anything to vm4, where it should be sending the ldap request.

6 Troubleshooting

Possible tools for troubleshooting are: query user info via nsswitch by using:

  id <name>
  getent passwd <name>
  getent -s sss passwd <name>

6.1 First how to turn it off

** Disable LDAP authentication (deprecated: authselect replaces authconfig). To disable LDAP authentication, use the following command:

  sudo /usr/bin/authconfig --disableldap --disableldapauth --ldapserver=ldap://your-ldap-server-name:port --ldapbasedn="dc=your-ldap-dc,dc=your-ldap-dc" --update

6.2 Installing nss-pam-ldapd

dnf install libsss_nss_idmap.x86_64

6.3 Configure /etc/nslcd.conf

See man nslcd.conf(5) for the list of all the available options.

Minimally you need to tell nss where your ldap server resides:

  uri ldap://vm4.zintis.ops/

The base from which to search the LDAP database:

  base dc=andrew,dc=ops

The credentials for searching the LDAP database:

  binddn cn=ldaproot,dc=andrew,dc=ops

The credentials with which to bind:

  bindpw seneca99ldap

The dn to perform password modifications by root (root password modifier dn):

  rootpwmoddn cn=ldaproot,dc=andrew,dc=ops

Set the uid and gid options to the created user and group:

  uid nslcd
  gid ldap      # examples in arthurdejong.org had gid nslcd

6.3.1 After making these mods, restart nslcd

6.4 Configure /etc/nsswitch.conf

Have to add ldap to the passwd, group and shadow maps. Maps seem to be telling auth where to look for users. For example, if you have the following in /etc/nsswitch.conf:

  passwd: files ldap
  group:  files ldap
  shadow: files ldap

Then the authentication process will first look for user defined in passwd (through useradd) and if not found, will defer to ldap.

6.5 Configure /etc/pam.conf OR /etc/pam.d/*

You will need to configure these in order to enable logins using BOTH LDAP and local users. You have to edit files in the /etc/pam.d directory.

Everywhere that pam_unix is called you should also call pam_ldap.

  1. password-auth (Do not modify this file manually. Generated by authselect)

6.6 authselect

Select the system identity and authentication sources.

From the man page AUTHSELECT(8): it is a configuration tool that works by selecting a specific profile. A profile is a set of files that describes how the resulting system configuration will look. When a profile is selected, authselect will create nsswitch.conf(5) and the PAM(8) stack to use the identity and authentication sources.

If the provided profile set is not sufficient, the admin may create a custom profile by putting it in a special profile directory, /etc/authselect/custom. By doing so the profile is immediately usable by authselect.

6.7 authselect commands

authselect                          lists all available commands
authselect select --help            explains the command COMMAND
authselect select --force
authselect select -b                backup system files before activating the selected profile
authselect select --backup=NAME     ditto, stored in /var/lib/authselect/backups/NAME

authselect apply-changes            re-apply the currently selected profile. Works if the existing configuration is a valid authselect configuration; otherwise an error is returned.
authselect apply-changes -b         backup system files before applying changes
authselect apply-changes --backup=NAME   ditto as in select

authselect list                     list available profiles
authselect list-features            list available profile features

authselect show profileid           print info about profile
authselect requirements profileid   info about profile requirements
authselect current                  print info about currently selected profile
authselect check                    is current profile valid?
authselect test profileid           print contents of files generated by authselect without actually making any changes:
  -a  all files
  -n  print nsswitch.conf content
  -s  print system-auth content
  -p  print password-auth content
  -c  print smartcard-auth content
  -o  print postlogin content
  -d  print dconf database content
  -l  print dconf lock content

authselect create-profile NAME      a new custom profile is created (see man)

7 some additional stuff that might be old (from arthurdejong.org)

/etc/pam.conf or /etc/pam.d/*: To enable logins using both LDAP and local users (e.g. you want to keep root logins) you should edit files under /etc/pam.d (or /etc/pam.conf if your system uses that). Everywhere that pam_unix is called you should also call pam_ldap. A very basic snippet is included below.

auth sufficient pam_unix.so
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_ldap.so minimum_uid=1000
account required pam_permit.so

session required pam_unix.so
session optional pam_ldap.so minimum_uid=1000

password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password required pam_deny.so

—————— that's it from arthur——————————

This is my (vm1) /etc/pam.d/f file

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
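The rule from Arthur's notes (every pam_unix call paired with a pam_ldap call) and the closing pam_deny.so that both his snippet and the system-auth above put at the end of the auth and password stacks can be checked mechanically. The script below is an added example, not from these notes, the nss-pam-ldapd README or authselect; the service file it checks is constructed inline with two deliberate gaps, and it accepts pam_sss.so as the LDAP module because that is what authselect writes.

```shell
#!/bin/sh
# Added example, not part of the notes or of Arthur de Jong's snippet: check a
# /etc/pam.d service file for the rule "everywhere pam_unix is called, also
# call pam_ldap" (pam_sss under authselect), and for the closing pam_deny.so
# that both the snippet and system-auth put at the end of the auth and
# password stacks. Plain files only; @include and substack are not followed.

# modules FILE TYPE -> module names of that management group, in order.
# Copes with the "-session" prefix and bracketed "[default=... ]" controls.
modules() {
    awk -v type="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            t = $1; sub(/^-/, "", t)
            if (t != type) next
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && index($i, "]") == 0) i++; i++ } else i++
            print $i
        }' "$1"
}

# stack_findings FILE -> one line per problem across the four stacks
stack_findings() {
    for type in auth account session password; do
        mods=$(modules "$1" "$type")
        case "$mods" in
            *pam_unix.so*)
                case "$mods" in
                    *pam_ldap.so*|*pam_sss.so*) ;;
                    *) echo "$type: pam_unix.so present but no pam_ldap.so/pam_sss.so: LDAP users cannot pass this stack" ;;
                esac ;;
        esac
        case "$type" in
            auth|password)
                last=$(printf '%s\n' "$mods" | awk 'NF { l = $1 } END { print l }')
                [ "$last" = "pam_deny.so" ] || echo "$type: stack does not end in pam_deny.so (last module: ${last:-none})"
                ;;
        esac
    done
}

# Constructed sample in the style of the snippet above: the session stack
# has no LDAP module and the password stack has no final deny, on purpose.
SAMPLE_PAM=$(mktemp)
trap 'rm -f "$SAMPLE_PAM"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
# constructed test file
auth      sufficient  pam_unix.so
auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth      required    pam_deny.so

account   required    pam_unix.so
account   [default=bad success=ok user_unknown=ignore] pam_ldap.so minimum_uid=1000
account   required    pam_permit.so

-session  optional    pam_systemd.so
session   required    pam_unix.so

password  sufficient  pam_unix.so nullok shadow use_authtok
password  sufficient  pam_ldap.so minimum_uid=1000 try_first_pass
EOF

stack_findings "$SAMPLE_PAM"
```

Run stack_findings against /etc/pam.d/system-auth or password-auth on a host; a clean authselect-generated file prints nothing, and a hand-edited one shows where the pairing or the trailing deny got lost.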

8 Deprecated authconfig (as of CentOS8)

On Red Hat discussion boards (deprecated, authconfig is replaced by authselect):

authconfig --enableldap --ldapserver [our ldap server] --enableldapauth --ldapbasedn [our base DN] --enableldaptls --ldaploadcacert=[our slapd cert file] --update

8.1 From redhat documentation CentOS8

2.1. An OpenLDAP client using SSSD to retrieve data from LDAP in an encrypted way.

9 continuation from some older systems:

9.1 Configure sssd through /etc/sssd/sssd.conf

Configure the LDAP client by using sssd. The sssd configuration is located at /etc/sssd/sssd.conf. Example sssd.conf:

  [sssd]
  config_file_version = 2
  services = nss, pam
  domains = default

  [nss]
  filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

  [pam]

  [domain/default]
  auth_provider = ldap
  id_provider = ldap
  ldap_schema = rfc2307
  ldap_search_base = ou=im,dc=example,dc=com
  ldap_group_member = memberuid
  ldap_tls_reqcert = never
  ldap_id_use_start_tls = False
  chpass_provider = ldap
  ldap_uri = ldap://ldap.example.com:389/
  ldap_tls_cacertdir = /etc/openldap/cacerts
  entry_cache_timeout = 600
  ldap_network_timeout = 3
  #ldap_access_filter = (&(object)(object))
  ldap_default_bind_dn = cn=Manager,ou=im,dc=example,dc=com
  ldap_default_authtok_type = password
  ldap_default_authtok = YOURPASSWORD
  cache_credentials = True
  enumerate = true

9.2 OpenLDAP client that comes with the server.

OpenLDAP provides not only a server, but also a client, openldap-clients. This package includes the following command line utilities:

  • ldapadd: Adds entries to an LDAP directory either from a file or from standard input.
  • ldapmodify: Modifies entries in an LDAP directory [ ldapmodify -a is identical to ldapadd. ]
  • ldapcompare: Compares a given attribute with an LDAP directory entry
  • ldapdelete: Deletes entries from an LDAP directory
  • ldapexop: Performs extended LDAP operations
  • ldapmodrdn: Modifies the RDN value of an LDAP directory entry
  • ldappasswd: Is a password utility for an LDAP user
  • ldapsearch: Is an LDAP directory search tool
  • ldapurl: Is an LDAP URL formatting tool
  • ldapwhoami: Performs a whoami operation on an LDAP server

There are also several GUI LDAP clients. Use at your own risk.

dn: cn=ldaproot,dc=andrew,dc=ops

9.3 Adding three users to ldap

useradd zintis -u 10000
useradd -c "Jane Greystoke" jane -u 10001
useradd -c "Andrew's Guests" guest -u 10002

if user jane already exists, delete her with userdel jane
also chown her mailbox with chown jane /var/spool/mail/jane
And delete /var/spool/mail/andrew

grep -w zintis /etc/passwd > /root/zintis.entry
grep -w Jane /etc/passwd > /root/jane.entry
grep -w Andrew /etc/passwd > /root/guest.entry

/usr/share/migrationtools/migrate_passwd.pl /root/zintis.entry /root/zintis.ldif
/usr/share/migrationtools/migrate_passwd.pl /root/jane.entry /root/jane.ldif
/usr/share/migrationtools/migrate_passwd.pl /root/guest.entry /root/guest.ldif

ldapadd -v -f ldapusers.ldif -D cn="ldaproot,dc=andrew,dc=ops" -W 
ldapadd -v -f jane.ldif -D cn="ldaproot,dc=andrew,dc=ops" -W 
ldapadd -v -f guest.ldif -D cn="ldaproot,dc=andrew,dc=ops" -W 
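For reference, a simplified version of what migrate_passwd.pl produces for these entries is generated by the script below, which is an added example and not migrationtools' code. It assumes the users live under ou=People,dc=andrew,dc=ops (the notes only give the dc=andrew,dc=ops base) and deliberately does not copy the password hash out of /etc/shadow; the passwd lines it feeds in are constructed to match the three useradd commands above.

```shell
#!/bin/sh
# Added example, not part of the notes and not migrationtools' own code: a
# small stand-in for migrate_passwd.pl that turns /etc/passwd-style lines
# into posixAccount LDIF. The container (ou=People under dc=andrew,dc=ops)
# is an assumption; the notes do not say where the users live. Only the
# passwd line is read, so no userPassword is emitted: hashes sit in
# /etc/shadow and do not belong in an LDIF that gets passed around.

# passwd_to_ldif CONTAINER_DN  (passwd lines on stdin -> LDIF on stdout)
# Accounts below uid 1000 are skipped (root stays in files, as the notes say).
# Values are written as-is; LDIF base64 (::) encoding of values that start
# with space/colon/< or contain non-ASCII is not handled here.
passwd_to_ldif() {
    awk -F: -v base="$1" -v minuid=1000 '
        NF < 7 || $1 ~ /^#/ || $3 < minuid { next }
        {
            login = $1; uidn = $3; gidn = $4; gecos = $5; home = $6; shell = $7
            cn = gecos; sub(/,.*/, "", cn)            # drop office/phone GECOS fields
            if (cn == "") cn = login
            printf "dn: uid=%s,%s\n", login, base
            printf "uid: %s\ncn: %s\n", login, cn
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            print "objectClass: shadowAccount"
            printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n", shell, uidn, gidn, home
            if (gecos != "") printf "gecos: %s\n", gecos
            print ""
        }'
}

# Constructed sample matching the three useradd commands above, plus root,
# which the uid filter drops.
SAMPLE_PASSWD=$(cat <<'EOF'
zintis:x:10000:10000::/home/zintis:/bin/bash
jane:x:10001:10001:Jane Greystoke:/home/jane:/bin/bash
guest:x:10002:10002:Andrew's Guests:/home/guest:/bin/bash
root:x:0:0:root:/root:/bin/bash
EOF
)

# count_entries CONTAINER_DN -> number of dn: lines produced from the sample
count_entries() {
    printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif "$1" | grep -c '^dn: '
}

# entry_for LOGIN CONTAINER_DN -> the LDIF block for one login from the sample
entry_for() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep "^$1:" | passwd_to_ldif "$2"
}

# Stand-alone run: feed a real file with  passwd_to_ldif "ou=People,dc=andrew,dc=ops" < /root/jane.entry
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif "ou=People,dc=andrew,dc=ops"
```

The output can be handed to ldapadd -D cn=ldaproot,dc=andrew,dc=ops -W -f as in the commands above; passwords are then set with ldappasswd rather than imported.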

10 ldap client

To let a VM authenticate to an ldap server.

10.1 Install the necessary LDAP client packages on the client machine.

This is PAM the "Pluggable Authentication Module" and NSS the "Name Service Switch"

yum install -y openldap-clients nss-pam-ldapd

Since CentOS8 does not see nss-pam-ldapd I did the following:

First: dnf provides nss-pam-ldapd

Then, based on the above, this: dnf install -y nss-pam-ldapd-0.9.9-3.el8.x86_64

10.2 About nss-pam-ldapd

From arthurdejong.org: This is nss-pam-ldapd which provides a Name Service Switch (NSS, nsswitch) module that allows your LDAP server to provide user account, group, host name, alias, netgroup, and basically any other information that you would normally get from /etc flat files or NIS. It also provides a Pluggable Authentication Module (PAM) to do identity and authentication management with an LDAP server on unix systems.

This is implemented using thin NSS and PAM modules which delegate to a dedicated service (nslcd) that queries the LDAP server with persistent connections, authentication, attribute translation, etc.

The NSS module was originally a fork of nss_ldap with some structural design improvements. The most important features of nss-pam-ldapd are:

  • light and simple NSS and PAM libraries
  • avoid loading LDAP and SSL libraries in all programs
  • separation between NSS, PAM and LDAP code
  • fewer connections to the LDAP server
  • better debugging possibilities
  • better performance
  • See the documentation section for more detail

11 Configuring LDAP Authentication on CentOS 8

From Tyler's guides I have dnf installed nss-pam-ldapd, and nss ? which one?

I have edited /etc/nslcd.conf according to tyler's website

I skipped the TLS section.

And I have enabled and started nslcd

I have authselect ready to go, after running these commands as root with the goal of replacing the SSSD related text with NSLCD equivalent in the relevant files.

root@vm1/etc[1038]$ tar cf /root/pre-ldap-config.tar nsswitch.conf pam.d
root@vm1/etc[1039]$ date
Mon Mar 30 18:52:43 EDT 2020

authselect select custom/nslcd --force
Profile "custom/nslcd" was selected.
The following nsswitch maps are overwritten by the profile:

  • passwd
  • group
  • netgroup
  • automount
  • services

Make sure that NSLCD service is configured and enabled. See NSLCD documentation for more information.

11.1 Centos7 only (authconfig is deprecated and replaced by authselect)

Configure the client VM to use LDAP To add the client machine to LDAP server for single sign-on. Replace “192.168.1.10” with your LDAP server’s IP address or hostname.

authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=itzgeek,dc=local" --enablemkhomedir --update

Restart the LDAP client service. O.K, so this will make this VM defer logins to the LDAP server rather than looking in its own /etc/passwd file ??? That would mean that the users defined in the ldap server would require a local presence on this VM, including home directory, and entry in /etc/passwd. I guess this is just centralizing the passwords themselves I guess?? Confirm this!

systemctl restart nslcd

To verify LDAP login, use the getent command to get the LDAP entries from the LDAP server:

getent passwd raj

Output:

raj:x:9999:100:Raj [Admin (at) ITzGeek]:/home/raj:/bin/bash

To verify the LDAP, log in using the LDAP user “raj” on the client machine. Like this:
