LDAP client connection

I have the DNS name: server.example.com
I have the top-level domain: com
I have the subdomain: example
I have a leaf object: server
In DNS a name is written like:
lisa.example.com
In LDAP it is not written that way; that is the DNS way. In LDAP
each domain label becomes a dc (domain component):
dc=com
dc=example
For leaf objects the "common name" attribute is used: cn=server for the host, cn=lisa for a user:
cn=lisa,dc=example,dc=com
It does not use "."; it uses ",". Every component is written as attribute=value, most specific first, so the labels keep the same order as in DNS. (Real directories usually keep user accounts under an organizational unit, for example ou=People,dc=example,dc=com, and name them with uid= instead of cn=; the notation is the same.)
When setting up the connection to LDAP the "base context" (base DN) must be configured. This is like the search domain in DNS: it is the starting point from which the client looks for objects.
The base DN must be configured first; after that users can log in with it.
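As an added example (not part of these notes), the mapping above written as a small shell script: it turns a DNS domain into the base DN that goes into the client configuration and a host or user name into a full DN. The uid= form and the ou=People helper are assumptions about a typical directory layout, not something the notes describe.

```bash
#!/usr/bin/env bash
# Added example: mapping DNS names to LDAP distinguished names.
# DNS joins the labels with "." (server.example.com); LDAP writes the same
# path with "," and names each component: dc= for a domain component,
# cn= (or uid= for a user account) for the leaf object.

# domain_to_basedn example.com -> dc=example,dc=com
domain_to_basedn() {
    local rest=${1%.} out="" label              # ${1%.} drops a trailing "."
    while [ -n "$rest" ]; do
        label=${rest%%.*}                       # first label
        if [ "$label" = "$rest" ]; then rest=""; else rest=${rest#*.}; fi
        [ -n "$label" ] || continue             # skip empty labels
        out="${out:+$out,}dc=$label"            # labels keep their DNS order
    done
    printf '%s\n' "$out"
}

# fqdn_to_dn NAME [ATTR] -> ATTR=leaf,dc=...   (ATTR defaults to cn)
# fqdn_to_dn server.example.com     -> cn=server,dc=example,dc=com
# fqdn_to_dn lisa.example.com uid   -> uid=lisa,dc=example,dc=com
fqdn_to_dn() {
    local fqdn=${1%.} attr=${2:-cn}
    local leaf=${fqdn%%.*} rest=${fqdn#*.}
    if [ "$rest" = "$fqdn" ]; then              # single label, no domain part
        printf '%s=%s\n' "$attr" "$leaf"
    else
        printf '%s=%s,%s\n' "$attr" "$leaf" "$(domain_to_basedn "$rest")"
    fi
}

# Assumed helper: real directories usually keep accounts under an
# organizational unit rather than directly under the base DN.
user_dn_in_ou() {                               # user_dn_in_ou lisa People example.com
    printf 'uid=%s,ou=%s,%s\n' "$1" "$2" "$(domain_to_basedn "$3")"
}

# Demo: the base DN is what goes into the "LDAP Search Base DN" field.
echo "base DN for example.com:  $(domain_to_basedn example.com)"
echo "host server.example.com:  $(fqdn_to_dn server.example.com)"
echo "user lisa.example.com:    $(fqdn_to_dn lisa.example.com uid)"
echo "user under ou=People:     $(user_dn_in_ou lisa People example.com)"
```

The functions only rewrite the notation; whether cn=lisa,dc=example,dc=com actually exists is decided by the directory, which is why the base DN must match what the server was built with.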
Steps to trace how a login reaches LDAP:
1. Find the binary for login:
# which login
Binaries like this are what a user runs to authenticate to anything.
Those binaries use shared libraries. Find the libraries:
# ldd /bin/login
The libpam.so library is the plugin interface of login: it is what lets authentication modules be added to the login command.
PAM stands for Pluggable Authentication Modules.
The module configuration is in the /etc/pam.d/ directory. There is one configuration file per service that authenticates users. This is the configuration file for login:
# cat /etc/pam.d/login
It defines what happens when a user logs in through login. "auth" is the stack type shared by every service that verifies a user's identity; login pulls in the common stack from system-auth.
Check the system-auth file:
# vi /etc/pam.d/system-auth
The line with pam_unix.so tells Linux to check the local accounts (/etc/passwd and /etc/shadow) first. If that does not succeed, the user is passed on to pam_ldap.so, which looks the user up in LDAP. This is how the local programs know about LDAP. (Whether the stack falls through depends on the control flag in front of the module: authconfig marks pam_unix.so as "sufficient", so a local success stops the stack and only a local failure continues to pam_ldap.so.)

Use:
# authconfig
or
# authconfig-tui
For the graphical configuration tool:
# yum install authconfig-gtk -y
Additional packages are needed. nscd (Name Service Cache Daemon) caches lookup results on the local server while authentication is in use.
Also needed is nss-pam-ldapd, which provides nslcd: it takes the local name lookups (users, groups) and sends them to LDAP. Also needed is the PAM library that does the actual authentication: pam_ldap. All of these are required.
# yum install nscd nss-pam-ldapd pam_ldap -y
Now the graphical authconfig can be launched:
# authconfig-gtk
authconfig-tui can be used instead, but in the exam it is easier with gtk.
The user account configuration has to be set to use the LDAP database.
The error about /lib64/security/pam_krb5.so is related to Kerberos; since Kerberos is not used here this is OK, but to have the setup complete it is fine to install that package.
Kerberos is covered in the RHCE course.
Authentication method: LDAP password.
LDAP Search Base DN: dc=example,dc=com
LDAP server name: ldap://server.example.com. Use the name, not the IP address: with TLS the name must match the name in the server certificate, and the certificate is issued for the name, not for the IP.
Tick "Use TLS to encrypt connections" and download the certificate from ftp://server.example.com/pub/certification.pem. Click Apply.
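The same setup from the command line, as an added example that is not part of these notes: authconfig takes the dialog's fields as flags, which is easier to repeat and to put in a script than the GUI. Server, base DN and certificate URL are the values from the notes; the account name lisa used by the lookup check is an assumption.

```bash
#!/usr/bin/env bash
# Added example: the LDAP client setup from the authconfig-gtk dialog, done
# with the authconfig command line. Server, base DN and certificate URL are
# the values from the notes; the account looked up at the end is assumed.
LDAP_URI="ldap://server.example.com"          # a hostname: it must match the TLS certificate
LDAP_BASE="dc=example,dc=com"                 # base context / search base DN
LDAP_CACERT_URL="ftp://server.example.com/pub/certification.pem"
TEST_USER="${TEST_USER:-lisa}"                # hypothetical LDAP account to look up

# Run "$@" with the dialog fields appended as authconfig flags:
#   --enableldap       NSS lookups (passwd/shadow/group) go to LDAP via nslcd
#   --enableldapauth   pam_ldap.so is added to the PAM stacks
#   --enableldaptls    encrypt the connection; --ldaploadcacert fetches the CA
#                      certificate into /etc/openldap/cacerts
#   --update           write nsswitch.conf, nslcd.conf, system-auth; restart nslcd
with_ldap_args() {
    "$@" --enableldap --enableldapauth \
         "--ldapserver=$LDAP_URI" "--ldapbasedn=$LDAP_BASE" \
         --enableldaptls "--ldaploadcacert=$LDAP_CACERT_URL" \
         --update
}

# Print the flags one per line so they can be reviewed before anything changes.
authconfig_ldap_args() { with_ldap_args printf '%s\n'; }

# Apply the configuration (needs root and the packages from the notes).
apply_ldap_client() {
    command -v authconfig >/dev/null 2>&1 || { echo "authconfig not installed" >&2; return 1; }
    with_ldap_args authconfig
}

# Check the result from the client side, layer by layer: what authconfig
# thinks is enabled, the daemon, an NSS lookup, and a TLS query to the server.
verify_ldap_client() {
    authconfig --test | grep -i ldap          # --test prints settings without writing files
    systemctl is-active nslcd
    getent passwd "$TEST_USER"                # answered by nslcd -> LDAP if not in /etc/passwd
    ldapsearch -x -ZZ -H "$LDAP_URI" -b "$LDAP_BASE" "(uid=$TEST_USER)" dn   # -ZZ: require StartTLS
}

case "${1:-}" in
    apply)  apply_ldap_client ;;
    verify) verify_ldap_client ;;
    *)      with_ldap_args echo authconfig ;;  # default: just show the command
esac
```

Run it with no argument to see the command, with apply to run it as root, and with verify afterwards; if getent finds the user but ldapsearch -ZZ fails, the problem is the certificate or the name in the URI, and the details end up in /var/log/messages.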

Modifying nslcd Configuration
Many things happen when the client connects through LDAP. They are handled by the nslcd process:
# systemctl status nslcd
The file /etc/nsswitch.conf tells the client which sources to consult, and in which order, for each database (passwd, shadow, group, ...).

It shows that lookups go first to the local files, then to sss (SSSD, which is not used in this setup) and after that to ldap.
PAM (pluggable authentication modules) also uses nslcd.
The directory /etc/pam.d/ holds the configuration files that include the LDAP module.
The file /etc/pam.d/login defines what happens when a user logs in. The most important file is system-auth.
To find the LDAP server the client needs nslcd.
# less /etc/nslcd.conf
There is also an nscd configuration file; that belongs to the cache daemon and is not the LDAP client configuration.
Here are the URI and the base context of the LDAP server.
Also here is the information about the downloaded certificate (the ssl and tls_cacert* lines).
Check also /var/log/messages for nslcd errors.
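As an added example that is not part of these notes, a script that checks the three files discussed here and in the PAM section above: the lookup order in nsswitch.conf, the URI, base and TLS lines in nslcd.conf, and whether pam_ldap.so is actually reachable after pam_unix.so in system-auth. The functions take a file path so they can be pointed at the real files; the samples at the bottom are constructed (shaped like what authconfig writes on RHEL 7, not copied from a real host) so the script runs without an LDAP server.

```bash
#!/usr/bin/env bash
# Added example: sanity checks for the LDAP client files authconfig rewrites:
# /etc/nsswitch.conf, /etc/nslcd.conf and /etc/pam.d/system-auth.

# nss_sources FILE DATABASE -> the lookup sources in order, e.g. "files sss ldap"
nss_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# nslcd_check FILE -> 0 if the client points at a named server over TLS
nslcd_check() {
    local f=$1 rc=0 uri base ssl cacert
    uri=$(awk '$1 == "uri" { print $2; exit }' "$f")
    base=$(awk '$1 == "base" { print $NF; exit }' "$f")
    ssl=$(awk '$1 == "ssl" { print $2; exit }' "$f")
    cacert=$(awk '$1 == "tls_cacertdir" || $1 == "tls_cacertfile" { print $2; exit }' "$f")
    [ -n "$uri" ]  || { echo "nslcd: no uri"; rc=1; }
    [ -n "$base" ] || { echo "nslcd: no base DN"; rc=1; }
    # The certificate is issued for a name, so an IP literal in the URI can
    # never pass hostname verification once TLS is on.
    case "$uri" in
        *://[0-9]*.[0-9]*.[0-9]*.[0-9]*) echo "nslcd: uri uses an IP literal: $uri"; rc=1 ;;
    esac
    case "$ssl" in
        on|start_tls) [ -n "$cacert" ] || { echo "nslcd: TLS on but no tls_cacertdir/tls_cacertfile"; rc=1; } ;;
        *) echo "nslcd: connection is not encrypted (ssl=${ssl:-off})"; rc=1 ;;
    esac
    return $rc
}

# pam_auth_stack FILE -> "control module" for each auth line, in stack order
pam_auth_stack() {
    awk '$1 == "auth" { print $2, $3 }' "$1"
}

# pam_ldap_reachable FILE -> 0 if pam_ldap.so sits in the auth stack after pam_unix.so
pam_ldap_reachable() {
    pam_auth_stack "$1" | awk '
        $2 == "pam_unix.so" { unix = NR }
        $2 == "pam_ldap.so" { ldap = NR }
        END { exit !(unix && ldap && ldap > unix) }'
}

# --- constructed samples, shaped like what authconfig writes on RHEL 7 ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
hosts:      files dns myhostname
EOF
cat > "$tmp/nslcd.conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://server.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
EOF
cat > "$tmp/nslcd-bad.conf" <<'EOF'
uri ldap://192.0.2.10/
base dc=example,dc=com
EOF
cat > "$tmp/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
EOF

echo "passwd lookup order: $(nss_sources "$tmp/nsswitch.conf" passwd)"
nslcd_check "$tmp/nslcd.conf" && echo "nslcd.conf: OK"
nslcd_check "$tmp/nslcd-bad.conf" || echo "nslcd-bad.conf: rejected"
pam_ldap_reachable "$tmp/system-auth" && echo "system-auth: pam_ldap.so reachable after pam_unix.so"
```

On a configured client, call the same functions with /etc/nsswitch.conf, /etc/nslcd.conf and /etc/pam.d/system-auth; the second sample shows the two mistakes the notes warn about, an IP address in the URI and a connection without TLS, being caught before a login fails.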