Part 1: Authentication.
LDAP and Kerberos
- Configuring external authentication to LDAP. Read below for FreeIPA
Need to know - authconfig
Authconfig manages the configuration of many authentication services.
Authconfig writes to /etc/sssd/sssd.conf and manages these service mappings.
If any of authconfig's dependencies are missing, nslcd is used instead.
The directory /etc/pam.d contains the per-service PAM configuration that selects the authentication modules.
Services then consult SSSD, through PAM and NSS, to determine how to authenticate.
What you need:
The server address, the LDAP CA certificate and the BaseDN.
yum group install "Directory Client"
yum install pam_krb5 nss-pam-ldapd
Copy the CA certificate into /etc/openldap/cacerts before running authconfig. A symlink to it is created during the configuration.
Run authconfig-tui to configure authentication.
Select Use LDAP under User Information.
Under Authentication, select Use LDAP Authentication. If using Kerberos, also select Use Kerberos. Select Next to continue.
On the LDAP Settings screen, select Use TLS and enter the server address and the BaseDN, then Next.
For Kerberos settings, select Use DNS to resolve hosts to realms and Use DNS to locate KDCs for realms. If DNS is not properly configured in your environment, Kerberos may not function properly.
To verify everything is working properly, log in as an LDAP user:
su - ldapuser
Then verify Kerberos by viewing the user's Kerberos ticket.
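Once authconfig has written /etc/sssd/sssd.conf, it is worth checking the result rather than trusting the TUI: if Use TLS was not selected, or the certificate check was relaxed, identity lookups and the LDAP directory traffic go over the wire unprotected. The script below is an added example (not part of the original notes or of authconfig) that audits an sssd.conf for the transport settings that matter: the ldap_uri scheme, ldap_id_use_start_tls, ldap_tls_reqcert, and whether a CA (ldap_tls_cacert or ldap_tls_cacertdir) is configured. The two sample files it writes are constructed for the demonstration; the hostname ldap.example.com and the single-domain layout are assumptions.

```shell
#!/bin/sh
# Added example: audit an sssd.conf for weak LDAP transport settings.
# Assumes a single [domain/...] section; sample configs below are constructed.

# conf_get FILE KEY
# Print the first value of KEY in FILE (comments and surrounding whitespace
# removed); prints nothing when the key is unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#;]*\).*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_sssd_conf FILE
# Print one FINDING line per weak setting; return 0 only if none were found.
check_sssd_conf() {
    conf="$1"
    findings=0
    uri=$(conf_get "$conf" ldap_uri)
    starttls=$(conf_get "$conf" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    reqcert=$(conf_get "$conf" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    cacert=$(conf_get "$conf" ldap_tls_cacert)
    cacertdir=$(conf_get "$conf" ldap_tls_cacertdir)

    # Transport: ldaps:// is encrypted from the first byte; a plain ldap://
    # URI is only protected for identity lookups if START_TLS is enabled.
    case "$uri" in
        ldaps://*) ;;
        *)
            if [ "$starttls" != "true" ]; then
                echo "FINDING: ldap_uri '$uri' is not ldaps:// and ldap_id_use_start_tls is not true: identity lookups travel in cleartext"
                findings=$((findings + 1))
            fi
            ;;
    esac

    # Certificate verification: SSSD's default (unset) is to verify; never,
    # allow and try all let an unverified server impersonate the directory.
    case "$reqcert" in
        ""|demand|hard) ;;
        *)
            echo "FINDING: ldap_tls_reqcert = $reqcert: the server certificate is not fully verified"
            findings=$((findings + 1))
            ;;
    esac

    # Trust anchor: authconfig normally points ldap_tls_cacertdir at
    # /etc/openldap/cacerts, where the CA certificate was copied.
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FINDING: neither ldap_tls_cacert nor ldap_tls_cacertdir is set; trust falls back to OpenLDAP defaults"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# write_sample NAME
# Write a constructed sssd.conf ("hardened" or "weak") to a temp file and
# print its path.
write_sample() {
    f=$(mktemp) || return 1
    case "$1" in
        hardened)
            cat > "$f" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com/
ldap_search_base = dc=example,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
EOF
            ;;
        weak)
            cat > "$f" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
EOF
            ;;
    esac
    printf '%s\n' "$f"
}

# With a path argument, audit that file (e.g. /etc/sssd/sssd.conf);
# with none, demonstrate on the two constructed samples.
if [ "$#" -eq 1 ]; then
    check_sssd_conf "$1"
else
    for name in hardened weak; do
        f=$(write_sample "$name")
        echo "== $name sample =="
        if check_sssd_conf "$f"; then
            echo "OK: no weak transport settings"
        fi
        rm -f "$f"
    done
fi
```

Run it as root against /etc/sssd/sssd.conf (the file is mode 0600) after authconfig finishes; the weak sample produces three findings, the hardened one none. Pair this with the login check above: after su - ldapuser, klist shows whether the user actually obtained a Kerberos ticket.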
Configuring for FreeIPA
FreeIPA is the upstream of Red Hat Identity Manager. It has many of the same features that you would find in Microsoft's Active Directory.
To configure a new FreeIPA client, start by adding the required packages.
yum install -y ipa-client
The IPA client should use the IPA server as a DNS server. Verify the settings in /etc/resolv.conf.
Run ipa-client-install to configure the IPA client.
If you receive a message that NTPD time and date synchronization will not be used because chronyd is enabled, that is not a problem: all that is needed is time synchronization, and chronyd is providing it. NTPD is the legacy service; chronyd is more efficient and is the default in later versions of RHEL.
Some differences between LDAP and IPA relate to SSH, among other things. The IPA client automatically integrates SSH with Kerberos, which means that users with a valid Kerberos ticket are allowed to connect to an SSH server without entering a password. There are many more advantages to using the IPA server combined with the IPA client setup. See more at FreeIPA and ClusterApps Books.