Setup LDAP Server for Authentication

I'm managing multiple Red Hat Linux physical/virtual machines that have multiple user accounts on them.

We have to update the passwords every 60 days due to security policies, and all of this has to be done manually.

I'm interested in setting up an LDAP server to see if this would ease this burden, or if there is another solution that someone would recommend.

thanks

  • Chris

Responses

Hi Chris,

If you already have Active Directory set up in your environment, then you could authenticate against that.

If you create a group within AD and assign the users allowed access to the RHEL servers to that group, you can then update pam_winbind.conf on the RHEL servers with the group's SID number.

Then, using "system-config-authentication" to enable Winbind authentication and point it at one of your domain controllers, you should be able to ssh onto each enabled RHEL server with your AD credentials. (Don't forget to check the box to auto-create the home account at first login.)

ssh -l "DOMAIN\userid" server

Cheers
Jonathan

I would personally advise against using Winbind and instead configure sssd in this scenario, especially if it is a new configuration.

sssd can also restrict logins based on AD groups.

Regardless of the method you use, the following is an excellent resource for RHEL 6.
https://access.redhat.com/articles/216933

We've been using 389 from the EPEL EL6 repo for several years now. It has worked well for a Linux lab (which is currently EL6) at a university.

We use Kerberos to authenticate with AD. LDAP (389) is used for user information (uid, gid, etc.). sssd is also used.

The client configuration can be set up by the authconfig command.

As above, there are multiple solutions to the problem; 389 is a good LDAP server if you aren't planning to configure a full Windows domain for Windows integration in future.

I believe the currently suggested method is to use IdM, which includes/installs 389 server.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/installing-ipa.html

Depending on what you need, the full IdM suite may be a little 'heavy' though.
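A concrete client-side setup tying together the two points made in the thread so far, restricting logins to one AD group through sssd and finishing the client configuration with authconfig, as an added example that nobody in this thread posted. It assumes an AD domain named example.com, an AD group named linux-users and an installed sssd package; all three are placeholders, and the output path is whatever the caller passes. The script only writes to /etc/sssd/sssd.conf and runs authconfig when invoked with --apply, so it can be exercised safely against a scratch path first.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: example.com (AD domain),
# linux-users (AD group) and the output path passed as the first argument.

# write_sssd_conf PATH DOMAIN GROUP
# Writes a minimal sssd.conf that takes identities and authentication from AD
# and allows logins only for members of GROUP. sssd refuses to start unless the
# file is owned by root and not readable by others, so it is created as 0600.
write_sssd_conf() {
    conf="$1"; domain="$2"; group="$3"
    rm -f "$conf"
    (
        umask 077
        cat > "$conf" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[domain/$domain]
id_provider = ad
auth_provider = ad
chpass_provider = ad
# Deny everyone who is not in the listed AD group at the PAM account stage,
# even when the password they supplied is correct.
access_provider = simple
simple_allow_groups = $group
# Derive UIDs/GIDs from the AD SID so they are identical on every host.
ldap_id_mapping = True
cache_credentials = True
EOF
    )
}

# sssd_conf_mode PATH
# Prints the octal permission bits so the 0600 requirement can be confirmed
# before sssd is started.
sssd_conf_mode() {
    stat -c %a "$1"
}

# apply_client_config
# The authconfig step the thread refers to: switch NSS and PAM over to sssd
# and create home directories at first login. Needs root.
apply_client_config() {
    authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
}

if [ "$1" = "--apply" ]; then
    write_sssd_conf /etc/sssd/sssd.conf example.com linux-users
    apply_client_config
fi
```

If the AD group name is ambiguous across domains, sssd expects it fully qualified in simple_allow_groups (for example linux-users@example.com); keep the group spelling identical to what `getent group` returns once sssd is running, otherwise the simple provider silently denies everyone.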

Hi,
It all depends on the environment and your know-how; there are several different ways.

1.
What others didn't mention (probably because it's so old-school :D) is the possibility to use the YP server (NIS+). If you have a purely Unix environment in a secured LAN, then this could help you out, because it's quite easy to set up (just saying, don't throw stones at me) :D

2.
SSSD daemon running on every Linux machine 'looking' to an LDAP backend that stores all user-related data (usernames, passwords, phones, emails ...).
LDAP (389 DS) can prove quite beneficial, because LDAP has become a standard nowadays that a lot of applications and devices (e.g. printers) know and can authenticate against.
To add robustness to your authentication backend, you just install more 389 DS servers in a master/slave or multi-master replication.