RHCSA - Part17 - sssd
In order to connect to a Directory server, you need either sssd, nslcd or realmd.
Install sssd and nss-pam-ldapd:
# yum install -y sssd nss-pam-ldapd
Enable USESSSDAUTH in /etc/sysconfig/authconfig:
# vi /etc/sysconfig/authconfig
[...]
USESSSDAUTH=yes
[...]
Run authconfig-tui (easier but deprecated) or authconfig with options:
# authconfig --useldap --useldapauth --ldapserver="ldap.example.local" \
--ldapbasedn="dc=example, dc=local" --update
Retrieve the CA certificate from the LDAP server (ftp, scp, etc.), e.g.:
# scp root@ldap.example.local:/etc/openldap/certs/cert.pem /etc/openldap/cacerts/cert.pem
or, if a CA is provided by ftp:
# cd /etc/openldap/cacerts
# wget ftp://ldap.example.local/pub/ca.crt
Note that PEM certificates may cause TLS validation problems. If so, it might be necessary to add ldap_tls_reqcert = never to /etc/sssd/sssd.conf and restart sssd; be aware that this tells sssd not to validate the server certificate at all, so it hides a trust problem rather than fixing it.
Run authconfig again to enable TLS:
# authconfig --enabletls --update
Test configuration with a valid LDAP user:
# id alice
uid=1211200001(alice) gid=1211200001(alice) groups=1211200001(alice)
# su - alice
-bash-4.2$
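The ldap_tls_reqcert = never workaround mentioned above leaves the LDAP connection without certificate validation, so it is worth being able to spot it on a configured host. The script below is an added example, not part of these notes: it reads the effective ldap_tls_reqcert value from an sssd.conf (sssd's documented default is "hard" when the key is absent) and flags the values that skip validation; the two configurations it audits are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sssd.conf for the ldap_tls_reqcert workaround.
# sssd_tls_reqcert FILE -> prints the effective ldap_tls_reqcert value,
# "hard" (sssd's documented default) when the key is not set.
sssd_tls_reqcert() {
  v=$(sed -n 's/^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*//p' "$1" \
      | tail -n1 | tr -d '[:space:]')
  echo "${v:-hard}"
}
# audit_sssd_tls FILE -> 0 when the server certificate is validated,
# 1 when the domain accepts an unverified (or no) certificate, 2 if unknown.
audit_sssd_tls() {
  r=$(sssd_tls_reqcert "$1")
  case "$r" in
    never|allow)
      echo "WEAK: ldap_tls_reqcert=$r in $1: server certificate is not validated" >&2
      return 1 ;;
    try|demand|hard)
      echo "OK: ldap_tls_reqcert=$r in $1"
      return 0 ;;
    *)
      echo "UNKNOWN: ldap_tls_reqcert=$r in $1" >&2
      return 2 ;;
  esac
}

# Two constructed configurations for the demonstration (not files from a real host).
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.example.local
ldap_search_base = dc=example,dc=local
ldap_id_use_start_tls = True
ldap_tls_reqcert = never
EOF
cat > "$tmp/hardened.conf" <<'EOF'
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.example.local
ldap_search_base = dc=example,dc=local
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
EOF
audit_sssd_tls "$tmp/weak.conf" || true   # reports WEAK
audit_sssd_tls "$tmp/hardened.conf"       # reports OK
```

Run it against /etc/sssd/sssd.conf once the workaround is no longer needed, and replace the never setting with the CA path in ldap_tls_cacertdir and ldap_tls_reqcert = demand, as in the hardened configuration.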