See all of the guides.

Part 1: Authentication.

LDAP and Kerberos

  • Configuring external authentication to LDAP. Read below for FreeIPA

Need to know - authconfig
Authconfig manages the configuration of many authentication services.

Authconfig writes to /etc/sssd/sssd.conf and manages these service mappings.
- ldap
- kerberos
- ad
-NIS
- PAM

If any authconfig dependencies are missing, NSLCD will be used in place.
The directory /etc/pam.d contains authentication modules

Services will look up SSSD to determine how to authenticate.

What you need:
Server address, LDAP CA Certificate and the BaseDN.

yum group install "Directory Client"

yum install pam_krb5 nss-pam-ldapd

Copy the CA certificate into /etc/openldap/cacerts before running authconfig. A symlink will be create during the configuration.

authconfig-tui To configure authentication

Select Use LDAP under User Information
Under Authentication, select Use LDAP Authentication. If using Kerberos, also select Use Kerberos. Next to continue.

On the LDAP Settings screen, select Use TLS and enter the server address and the BaseDN, then Next.

For Kerberos settings, select Use DNS to resolve hosts to realms and Use DNS to locate KDCs for realms. If DNS is not properly configured in your environment, Kerberos may not function properly.

To verify everything is working properly, log in as an LDAP user

su - ldapuser

Verify Kerberos and view the Kerberos ticket.

Verifying the LDAP and Kerberos settings

Configuring for FreeIPA

FreeIPA is the upstream of Red Hat Identity Manager. It has many of the same features that you would find in Microsoft's Active Directory.

To configure a new FreeIPA client, start by adding the required packages.

yum install -y ipa-client

The IPA client should use the IPA server as a DNS server. Verify the settings in /etc/resolv.conf.

Run ipa-client-install to configure the IPA client.

IPA client setup

If you receive a message that NTPD time and date synchronization will not be used because a chronyd is  enabled. That is not a problem. All thats needed is time  synchronization and chronyd is doing it. NTPD is the  legacy service. Chronyd is much more efficient and is the default in later version of RHEL.

Some differences between LDAP and IPA are related to SSH, among other things. The IPA client automatically integrates SSH in Kerberos which means that users with a  valid Kerberos ticket will be allowed to connect to an SSH server without entering passwords. There are many more advantages offered  by using the IPA server plus the IPA client set up. See more at FreeIPA and ClusterApps Books.