How to configure a system to use the LDAP service with authconfig

We have already covered this topic the easy way; this time we will do it via the CLI (command line interface). We start from the following hosts:

192.168.4.200 labipa.example.com
192.168.4.100 class2.example.com
192.168.4.101 class3.example.com

Before starting the configuration we need to install the required packages:

[root@class2 ~]# yum install openldap-clients nss-pam-ldapd sssd
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package nss-pam-ldapd.x86_64 0:0.8.13-8.el7 will be installed
--> Processing Dependency: nscd for package: nss-pam-ldapd-0.8.13-8.el7.x86_64
---> Package openldap-clients.x86_64 0:2.4.40-13.el7 will be installed
---> Package sssd.x86_64 0:1.14.0-43.el7 will be installed
--> Processing Dependency: python-sssdconfig = 1.14.0-43.el7 for package: sssd-1.14.0-43.el7.x86_64
--> Processing Dependency: sssd-ad = 1.14.0-43.el7 for package: sssd-1.14.0-43.el7.x86_64
--> Processing Dependency: sssd-common = 1.14.0-43.el7 for package: sssd-1.14.0-43.el7.x86_64
--> Processing Dependency: sssd-ipa = 1.14.0-43.el7 for package: sssd-1.14.0-43.el7.x86_64
--> Processing Dependency: sssd-krb5 = 1.14.0-43.el7 for package: sssd-1.14.0-43.el7.x86_64
--> Processing Dependency: sssd-ldap = 1.14.0-43.el7 for package: sssd-1.14.0-43.el7.x86_64
--> Processing Dependency: sssd-proxy = 1.14.0-43.el7 for package: sssd-1.14.0-43.el7.x86_64
--> Running transaction check
---> Package nscd.x86_64 0:2.17-157.el7 will be installed
---> Package python-sssdconfig.noarch 0:1.14.0-43.el7 will be installed
---> Package sssd-ad.x86_64 0:1.14.0-43.el7 will be installed

...
...

Installed:
nss-pam-ldapd.x86_64 0:0.8.13-8.el7 openldap-clients.x86_64 0:2.4.40-13.el7 sssd.x86_64 0:1.14.0-43.el7

Dependency Installed:
c-ares.x86_64 0:1.10.0-3.el7 cyrus-sasl-gssapi.x86_64 0:2.1.26-20.el7_2 libdhash.x86_64 0:0.4.3-27.el7 libipa_hbac.x86_64 0:1.14.0-43.el7
libsss_autofs.x86_64 0:1.14.0-43.el7 libsss_sudo.x86_64 0:1.14.0-43.el7 nscd.x86_64 0:2.17-157.el7 python-sssdconfig.noarch 0:1.14.0-43.el7
sssd-ad.x86_64 0:1.14.0-43.el7 sssd-common.x86_64 0:1.14.0-43.el7 sssd-common-pac.x86_64 0:1.14.0-43.el7 sssd-ipa.x86_64 0:1.14.0-43.el7
sssd-krb5.x86_64 0:1.14.0-43.el7 sssd-krb5-common.x86_64 0:1.14.0-43.el7 sssd-ldap.x86_64 0:1.14.0-43.el7 sssd-proxy.x86_64 0:1.14.0-43.el7

Complete!
[root@class2 ~]#

Once the required packages are installed we move on to the CLI. We will use the "authconfig" command; if you are not familiar with it, I recommend reading its help. To get a better idea of which options we will use with this command, run the following:

[root@class2 ~]# authconfig --help | grep ldap
--enableldap enable LDAP for user information by default
--disableldap disable LDAP for user information by default
--enableldapauth enable LDAP for authentication by default
--disableldapauth disable LDAP for authentication by default
--ldapserver=<server>
--ldapbasedn=<dn> default LDAP base DN
--enableldaptls, --enableldapstarttls
--disableldaptls, --disableldapstarttls
--ldaploadcacert=<URL>
[root@class2 ~]#

As you can see, these are the options we need to complete the exercise. If you are also using a Kerberos REALM and KDCs, the corresponding options show up when you also grep the help for krb:

[root@class2 ~]# authconfig --help | egrep 'ldap|krb'
--enableldap enable LDAP for user information by default
--disableldap disable LDAP for user information by default
--enableldapauth enable LDAP for authentication by default
--disableldapauth disable LDAP for authentication by default
--ldapserver=<server>
--ldapbasedn=<dn> default LDAP base DN
--enableldaptls, --enableldapstarttls
--disableldaptls, --disableldapstarttls
--ldaploadcacert=<URL>
--enablekrb5 enable kerberos authentication by default
--disablekrb5 disable kerberos authentication by default
--krb5kdc=<server> default kerberos KDC
--krb5adminserver=<server>
--krb5realm=<realm> default kerberos realm
--enablekrb5kdcdns enable use of DNS to find kerberos KDCs
--disablekrb5kdcdns disable use of DNS to find kerberos KDCs
--enablekrb5realmdns enable use of DNS to find kerberos realms
--disablekrb5realmdns
--enablewinbindkrb5 winbind will use Kerberos 5 to authenticate
--disablewinbindkrb5 winbind will use the default authentication method
[root@class2 ~]#

We will walk through both examples, starting with the basic configuration. For this we use the following LDAP server data:

LDAP server: labipa.example.com
Base DN: dc=example,dc=com
Use TLS: Yes
CA certificate: ftp://labipa.example.com/pub/ca.crt
Client: class2.example.com

Now we run the command with the matching options. Note that --enableldaptls is the same flag as --enableldapstarttls (the help lists them together): the client connects to ldap://labipa.example.com on port 389 and upgrades the session with StartTLS, and the server certificate is validated against the CA downloaded from the URL given in --ldaploadcacert. That download over plain FTP is itself unauthenticated, so outside a lab compare the downloaded CA with a copy obtained from the IdM server over a trusted path before relying on it:

[root@class2 ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://labipa.example.com --ldapbasedn="dc=example,dc=com" --enableldaptls --ldaploadcacert=ftp://labipa.example.com/pub/ca.crt --update
[root@class2 ~]# getent passwd ldapuser1
ldapuser1:*:699000001:699000001:ldapuser1 ldapuser1:/home/ldap/ldapuser1:/bin/sh
[root@class2 ~]#

As you can see it is configured correctly, and we verify it with "getent". Keep in mind that getent only proves the identity (NSS) side, i.e. that the user is resolved from LDAP; whether authentication works is a separate question, so we also need a second check, an actual login:

[root@class2 ~]# ssh ldapuser1@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is 65:16:d2:b6:f3:83:2f:70:75:b8:01:78:73:e2:71:16.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
ldapuser1@localhost's password:
Could not chdir to home directory /home/ldap/ldapuser1: No such file or directory
-sh-4.2$ id
uid=699000001(ldapuser1) gid=699000001(ldapuser1) groups=699000001(ldapuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ exit
logout
Connection to localhost closed.
[root@class2 ~]#

As you can see, the user's home directory does not exist on the client, so the session cannot chdir into it. You can solve this with autofs (when the server exports the home directories over NFS) or simply by adding one more option to our command:

[root@class2 ~]# authconfig --help | grep home
--winbindtemplatehomedir=</home/%D/%U>
the directory which winbind-created users will have as home directories
--enablemkhomedir create home directories for users on their first login
--disablemkhomedir do not create home directories for users on their first login
[root@class2 ~]# authconfig --enablemkhomedir --update
[root@class2 ~]# ssh ldapuser1@localhost
ldapuser1@localhost's password:
Creating home directory for ldapuser1.
Last login: Tue Apr 25 08:42:42 2017 from localhost
-sh-4.2$ pwd
/home/ldap/ldapuser1
-sh-4.2$ id
uid=699000001(ldapuser1) gid=699000001(ldapuser1) groups=699000001(ldapuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ exit
logout
Connection to localhost closed.
[root@class2 ~]#

Very simple, right? Remember that this last step can also be done with autofs.
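Two things the commands above never check, and that I would want on any client that is not a throwaway lab: that the ca.crt fetched over FTP is the one the IdM server actually published, and that SSSD is really doing StartTLS with strict certificate checking. The script below is an added example, not code from the original post. It assumes the CA landed in /etc/openldap/cacerts/ca.crt (authconfig's default cacert directory; the file name is an assumption), that SSSD's configuration is /etc/sssd/sssd.conf and that authconfig set ldap_id_use_start_tls = True for --enableldaptls (confirm with grep tls /etc/sssd/sssd.conf), and that EXPECTED is the SHA-256 digest you read on labipa itself over a trusted channel; the all-zero value is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original post). Checks for the
# "authconfig ... --enableldaptls --ldaploadcacert=ftp://..." step.
#
# Assumptions (lab-specific, override via the environment):
#   CA_FILE   : where authconfig dropped the downloaded CA. The cacerts
#               directory is authconfig's default; the file name is assumed.
#   EXPECTED  : SHA-256 of ca.crt obtained out of band (e.g. run
#               "sha256sum /etc/ipa/ca.crt" on labipa over a trusted channel).
#               The all-zero value below is a placeholder, not a real digest.
#   SSSD_CONF : the SSSD configuration authconfig wrote.
CA_FILE=${CA_FILE:-/etc/openldap/cacerts/ca.crt}
EXPECTED=${EXPECTED:-0000000000000000000000000000000000000000000000000000000000000000}
SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}

# Print the SHA-256 digest of a file (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_ca_digest FILE EXPECTED_SHA256
# 0 when FILE matches the out-of-band digest, 1 otherwise (or if unreadable).
# A CA fetched over plain FTP/HTTP can be replaced by anyone on the path; a
# substituted CA would make every later StartTLS check "succeed" against the
# attacker's server, so this comparison is what actually anchors the trust.
verify_ca_digest() {
    local file="$1" expected="$2" actual
    [ -r "$file" ] || { echo "CA file $file not readable" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "CA digest OK: $actual"
        return 0
    fi
    echo "CA digest MISMATCH: got $actual, expected $expected" >&2
    return 1
}

# check_sssd_tls SSSD_CONF
# 0 only if StartTLS is on and certificate checking has not been weakened.
check_sssd_tls() {
    local conf="$1"
    [ -r "$conf" ] || { echo "$conf not readable" >&2; return 1; }
    # --enableldaptls means StartTLS on ldap://:389; SSSD's key for it is
    # ldap_id_use_start_tls (that authconfig writes it is an assumption).
    if ! grep -Eiq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "ldap_id_use_start_tls is not True in $conf" >&2
        return 1
    fi
    # ldap_tls_reqcert defaults to "hard"; "allow" or "never" silently accept
    # an unverifiable server certificate and defeat the CA check entirely.
    if grep -Eiq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*(allow|never)' "$conf"; then
        echo "ldap_tls_reqcert is set to allow/never in $conf" >&2
        return 1
    fi
    echo "TLS settings in $conf look sane"
    return 0
}

# Run both checks against the live paths; 0 only if both pass.
run_checks() {
    local rc=0
    verify_ca_digest "$CA_FILE" "$EXPECTED" || rc=1
    check_sssd_tls "$SSSD_CONF" || rc=1
    return $rc
}

# Only touch the live system when explicitly asked, so the file can also be
# sourced to reuse the functions.
if [ -n "${RUN_CHECKS:-}" ]; then
    run_checks
fi
```

Run it on the client as RUN_CHECKS=1 EXPECTED=<digest read on labipa> sh check_ldap_tls.sh, or source it and call verify_ca_digest / check_sssd_tls directly. The digest comparison is deliberately on the whole PEM file rather than the certificate fingerprint so that it needs nothing beyond coreutils; if you prefer the X.509 fingerprint, openssl x509 -noout -fingerprint -sha256 -in ca.crt on both ends works the same way.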

Now we move on to the next configuration, using a Kerberos REALM and KDC. We start from the following data:

LDAP server: labipa.example.com
Base DN: dc=example,dc=com
Use TLS: Yes
CA certificate: ftp://labipa.example.com/pub/ca.crt
Kerberos REALM: EXAMPLE.COM
Kerberos KDC: labipa.example.com
Kerberos admin server: labipa.example.com
Client: class3.example.com

So let's install the required packages (authconfig-gtk is only needed for the graphical tool mentioned at the end; the CLI works without it):

[root@class3 ~]# yum install -y sssd krb5-workstation authconfig-gtk nss-pam-ldapd pam_krb5
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package authconfig-gtk.x86_64 0:6.2.8-14.el7 will be installed
---> Package krb5-workstation.x86_64 0:1.14.1-26.el7 will be installed
--> Processing Dependency: libkadm5(x86-64) = 1.14.1-26.el7 for package: krb5-workstation-1.14.1-26.el7.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.8(kadm5clnt_mit_8_MIT)(64bit) for package: krb5-workstation-1.14.1-26.el7.x86_64
--> Processing Dependency: libkadm5srv_mit.so.10(kadm5srv_mit_10_MIT)(64bit) for package: krb5-workstation-1.14.1-26.el7.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.8()(64bit) for package: krb5-workstation-1.14.1-26.el7.x86_64
--> Processing Dependency: libkadm5srv_mit.so.10()(64bit) for package: krb5-workstation-1.14.1-26.el7.x86_64
---> Package nss-pam-ldapd.x86_64 0:0.8.13-8.el7 will be installed
--> Processing Dependency: nscd for package: nss-pam-ldapd-0.8.13-8.el7.x86_64
---> Package pam_krb5.x86_64 0:2.4.8-6.el7 will be installed
---> Package sssd.x86_64 0:1.14.0-43.el7 will be installed

...
...

Installed:
authconfig-gtk.x86_64 0:6.2.8-14.el7 krb5-workstation.x86_64 0:1.14.1-26.el7 nss-pam-ldapd.x86_64 0:0.8.13-8.el7
pam_krb5.x86_64 0:2.4.8-6.el7 sssd.x86_64 0:1.14.0-43.el7

Dependency Installed:
c-ares.x86_64 0:1.10.0-3.el7 cyrus-sasl-gssapi.x86_64 0:2.1.26-20.el7_2 libdhash.x86_64 0:0.4.3-27.el7
libipa_hbac.x86_64 0:1.14.0-43.el7 libkadm5.x86_64 0:1.14.1-26.el7 libsss_autofs.x86_64 0:1.14.0-43.el7
libsss_sudo.x86_64 0:1.14.0-43.el7 nscd.x86_64 0:2.17-157.el7 python-sssdconfig.noarch 0:1.14.0-43.el7
sssd-ad.x86_64 0:1.14.0-43.el7 sssd-common.x86_64 0:1.14.0-43.el7 sssd-common-pac.x86_64 0:1.14.0-43.el7
sssd-ipa.x86_64 0:1.14.0-43.el7 sssd-krb5.x86_64 0:1.14.0-43.el7 sssd-krb5-common.x86_64 0:1.14.0-43.el7
sssd-ldap.x86_64 0:1.14.0-43.el7 sssd-proxy.x86_64 0:1.14.0-43.el7

Complete!
[root@class3 ~]#

Now let's look at the help again to be sure which options to use:

[root@class3 ~]# authconfig --help | egrep 'ldap|krb'
--enableldap enable LDAP for user information by default
--disableldap disable LDAP for user information by default
--enableldapauth enable LDAP for authentication by default
--disableldapauth disable LDAP for authentication by default
--ldapserver=<server>
--ldapbasedn=<dn> default LDAP base DN
--enableldaptls, --enableldapstarttls
--disableldaptls, --disableldapstarttls
--ldaploadcacert=<URL>
--enablekrb5 enable kerberos authentication by default
--disablekrb5 disable kerberos authentication by default
--krb5kdc=<server> default kerberos KDC
--krb5adminserver=<server>
--krb5realm=<realm> default kerberos realm
--enablekrb5kdcdns enable use of DNS to find kerberos KDCs
--disablekrb5kdcdns disable use of DNS to find kerberos KDCs
--enablekrb5realmdns enable use of DNS to find kerberos realms
--disablekrb5realmdns
--enablewinbindkrb5 winbind will use Kerberos 5 to authenticate
--disablewinbindkrb5 winbind will use the default authentication method
[root@class3 ~]#

Now we run the command. --krb5kdc and --krb5adminserver name the KDC explicitly, which is why --disablekrb5kdcdns is added as well: DNS SRV discovery of the KDC is turned off and the realm is pinned to labipa.example.com:

[root@class3 ~]# authconfig --enableldap --disableldapauth --ldapserver=ldap://labipa.example.com --ldapbasedn="dc=example,dc=com" --enableldaptls --ldaploadcacert=ftp://labipa.example.com/pub/ca.crt --enablekrb5 --krb5kdc=labipa.example.com --krb5adminserver=labipa.example.com --krb5realm=EXAMPLE.COM --disablekrb5kdcdns --update
[root@class3 ~]# getent passwd ldapuser5
ldapuser5:*:699000006:699000006:ldapuser5 ldapuser5:/home/ldap/ldapuser5:/bin/sh
[root@class3 ~]# ssh ldapuser5@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is 38:13:a8:70:71:da:52:c7:25:e0:cc:99:e1:3e:63:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
ldapuser5@localhost's password:
Creating home directory for ldapuser5.
-sh-4.2$ pwd
/home/ldap/ldapuser5
-sh-4.2$ id
uid=699000006(ldapuser5) gid=699000006(ldapuser5) groups=699000006(ldapuser5) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ exit
logout
Connection to localhost closed.
[root@class3 ~]#

As you can see, this time we pass --disableldapauth: LDAP is used only for user information (identity), while authentication goes through Kerberos with --enablekrb5, so the password is validated by the KDC instead of being sent to the LDAP server in a simple bind. And as always our check confirms that everything is fine. One detail: the home directory is created on first login only where mkhomedir is enabled, as on class2 above; the command here does not turn it on, so add --enablemkhomedir if your client does not have it.
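The login test above shows that PAM accepted ldapuser5's password, but not that a Kerberos ticket was actually obtained; for that you would run kinit ldapuser5 followed by klist on class3 and look for krbtgt/EXAMPLE.COM@EXAMPLE.COM in the cache. The script below is an added example, not code from the original post: it parses klist output and checks that the principal and the TGT belong to the configured realm and that the realm is spelled in canonical upper case (a realm typed as example.com in --krb5realm will not match the KDC's EXAMPLE.COM). The klist output embedded in it is constructed in the layout MIT krb5 prints on RHEL 7, not captured from the lab.

```shell
#!/bin/sh
# Added example (not part of the original post). Verifies the Kerberos half
# of the class3 setup from klist output. REALM is the post's lab value.
REALM=${REALM:-EXAMPLE.COM}

# principal_realm KLIST_OUTPUT
# Prints the realm from the "Default principal:" line, or nothing if absent.
principal_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: .*@\([^ ]*\).*$/\1/p'
}

# has_tgt_for_realm KLIST_OUTPUT REALM
# 0 if the cache holds krbtgt/REALM@REALM, i.e. a TGT issued by that realm's
# KDC (a service ticket alone would not prove the KDC validated the password).
has_tgt_for_realm() {
    printf '%s\n' "$1" | grep -Fq "krbtgt/$2@$2"
}

# realm_is_canonical REALM
# Kerberos realms are case-sensitive and conventionally upper-case.
realm_is_canonical() {
    case "$1" in
        *[[:lower:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_ticket KLIST_OUTPUT REALM
# 0 only when the realm is canonical, the principal belongs to it and a TGT
# for it is present.
check_ticket() {
    local out="$1" realm="$2" pr
    realm_is_canonical "$realm" || { echo "realm $realm is not upper-case" >&2; return 1; }
    pr=$(principal_realm "$out")
    [ "$pr" = "$realm" ] || { echo "principal realm '$pr' != $realm" >&2; return 1; }
    has_tgt_for_realm "$out" "$realm" || { echo "no TGT for $realm in cache" >&2; return 1; }
    echo "TGT for $realm present"
}

# Constructed klist output (not captured from the lab) in the layout MIT krb5
# prints on RHEL 7, used for the offline demo.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:699000006:699000006
Default principal: ldapuser5@EXAMPLE.COM

Valid starting       Expires              Service principal
04/25/2017 09:10:00  04/26/2017 09:09:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# On class3: kinit ldapuser5 && LIVE=1 sh check_krb5.sh
if [ -n "${LIVE:-}" ]; then
    check_ticket "$(klist 2>/dev/null)" "$REALM"
else
    check_ticket "$SAMPLE_KLIST" "$REALM"
fi
```

Without LIVE set the script only exercises the constructed sample; with LIVE=1 it reads the real credential cache of the user running it, so run it as ldapuser5 after kinit, not as root.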

I hope this article helps you in your preparation for the Red Hat RHCSA certification exam. Remember that this can also be done with "authconfig-gtk", but as I always say, you choose which way works best for you in the exam.
