Setup LDAP and Kerberos on RHEL 7.x

One of the RHCE objectives is to know how to configure a RHEL server to authenticate using LDAP or Kerberos.  The video tutorial shows all the steps to install, configure, and test authentication with LDAP and Kerberos.

I have included the steps below as well if you are unable to view the video for any reason.

Testing Connectivity

First we want to verify we can reach our IPA server.

If you get positive results we can continue; if not, you’ll need to resolve the DNS issue first.

Install the required packages

This will give you all the packages required to be able to use sssd.

Copy the certificate from the IPA server

Setting up authentication

Ensure the following are set:

Choose the following options to set up LDAP authentication:

  • Cache Information
  • Use LDAP
  • Use LDAP Authentication
  • Use TLS

For the TLS information we want to point to our IPA server.

Server: rhellab.den.therootuser.com

Base DN: dc=den,dc=therootuser,dc=com

Verify the configuration was done properly.

Testing LDAP authentication

Because this tests authentication via LDAP, ensure you have a user set up on your IPA server to test with.

At this time automount is not set up, so you’ll see an error on mapping the user’s home volume.

We can use the id command to verify we are logged in as that user.

Setting up Kerberos Authentication

We need to go back and make some changes using authconfig-tui.

Let’s install the needed packages

Choose Kerberos in the options to enable Kerberos authentication

When you get to the Kerberos Settings section, we can choose "Use DNS to resolve hosts to realms" and "Use DNS to locate KDCs for realms".

Otherwise if you do it manually you would type in:

Realm: DEN.THEROOTUSER.COM

KDC: rhellab.den.therootuser.com

Admin Server: rhellab.den.therootuser.com

Verifying Kerberos authentication

If all comes back positive, you have successfully set up LDAP and Kerberos on a RHEL server.
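
One way to check the end state of the steps above, as an added example that is not part of the original post: a POSIX shell audit of an sssd.conf-style file against the server, base DN, realm and KDC values used in this tutorial, including that TLS and credential caching are on. It assumes authconfig wrote these standard SSSD keys to a [domain/...] section; the function names and the sample file are constructed for illustration.

```shell
# Added example, not from the original post. Assumes authconfig wrote the
# settings to a [domain/...] section of sssd.conf using standard SSSD keys.

# Print the value of KEY ($2) from the [domain/...] sections of FILE ($1).
sssd_get() {
    awk -v key="$2" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//); next }
        in_domain && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 when FILE ($1) carries the tutorial's values, 1 otherwise.
# Each rule is key|shell-pattern; a trailing "/" on the value is ignored.
audit_sssd() {
    audit_rc=0
    while IFS='|' read -r key want; do
        got=$(sssd_get "$1" "$key"); got=${got%/}
        case "$got" in
            $want) ;;
            *) echo "FAIL $key: want '$want', found '${got:-<unset>}'"; audit_rc=1 ;;
        esac
    done <<'EOF'
id_provider|ldap
auth_provider|krb5
cache_credentials|[Tt]rue
ldap_uri|ldap://rhellab.den.therootuser.com
ldap_search_base|dc=den,dc=therootuser,dc=com
ldap_id_use_start_tls|[Tt]rue
krb5_realm|DEN.THEROOTUSER.COM
krb5_server|rhellab.den.therootuser.com
EOF
    return $audit_rc
}

# Constructed sample input: $2 is the value written for ldap_id_use_start_tls.
make_sample() {
    printf '%s\n' '[sssd]' 'domains = default' '[domain/default]' \
        'id_provider = ldap' 'auth_provider = krb5' 'cache_credentials = True' \
        'ldap_uri = ldap://rhellab.den.therootuser.com/' \
        'ldap_search_base = dc=den,dc=therootuser,dc=com' \
        "ldap_id_use_start_tls = $2" 'krb5_realm = DEN.THEROOTUSER.COM' \
        'krb5_server = rhellab.den.therootuser.com' > "$1"
}

sample=$(mktemp); make_sample "$sample" False   # sample with TLS left off
audit_sssd "$sample" || echo "sssd.conf does not match the tutorial settings"
rm -f "$sample"
```

On a real client, point `audit_sssd` at `/etc/sssd/sssd.conf` (readable by root only) after finishing the authconfig-tui steps.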

If you have any questions about this procedure, please feel free to contact me.

Cheers,

Ivan Windon – RHCSA
