LDAP authentication in RHEL 8?


I'm the first person in my office to upgrade to RHEL 8, and I'm finding that the normal process used in the past for setting up LDAP-based authentication no longer applies, as authconfig tools are no longer provided. I've also been unable to find any resource online that fully describes the process.

What I have/know:
* The LDAP server name
* The base DN
* Connection requires TLS
* Certificate file

I'd like to use the above to set up authentication so I can log in using my existing user account on our LDAP server.

Can anyone point me to a comprehensive description on how this is done in RHEL 8?



Also I am searching for the above requirement but no luck till now... waiting for help from someone.

Thanks in Advance

You could start by looking at authselect

It appears that authselect (intentionally) covers a subset of the functionality of the former authconfig tools. In particular, it does not present an interface with which a user can apply the knowledge I have (listed above) to successfully set up authentication via LDAP.

My question remains unanswered. A tool has existed in RHEL in the past that performed a very useful function -- providing an interface into which the above details can be specified, resulting in a correct LDAP client configuration. What tool or process has replaced it? That tool is evidently not authselect, or at the very least no documentation exists on how to use authselect for that purpose.

With the following command line, our RHEL 7 workstations here can be set up correctly for LDAP authentication:

authconfig --enableldap --ldapserver [our ldap server] --enableldapauth --ldapbasedn [our base DN] --enableldaptls --ldaploadcacert=[our slapd cert file] --update

The authconfig compatibility stub provided with RHEL 8 does not support --ldaploadcacert, and seems to leave a number of other steps incomplete. I've been studying how to configure sssd manually, but have had no luck with that so far either.

Setting up a machine as an LDAP client is a very common administrative operation involving a relatively small set of variables, as formerly provided to authconfig. I think it's reasonable to assume that this functionality should still exist, in some different utility or user interface.

I'm a fairly basic user, certainly no RH admin guru. Our network administrator at this office knows quite a bit more than I do, but he has been unable so far to figure this out either. (To be fair, he's had very limited time to work on it.) And my organization's central IT helpdesk hasn't been able to help -- they've recently added to the support ticket I posted about this, only to ask if I've figured it out yet.

I'm beginning to get the impression that no one in the world knows how to set up RHEL 8 as an LDAP client. I really want to be wrong about that.

I totally agree with Chris here.

RHEL 8 has been around for some months now but there does not seem to be a proper replacement for authconfig. I really would appreciate it if someone could provide documentation, a how-to or an example config to set up a valid ldap-client config with the information provided in the initial posting.

Seriously, my Solaris colleagues are starting to laugh at us for the trouble we have with this topic.

I agree completely, I've been trying to figure it out for a month and have yet to be successful.

Have you been able to resolve the issue that --ldaploadcacert is not available for RHEL 8 and CentOS 8? It broke my ldap sssd configuration.

If you put your cacert in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust, thus adding it to your computer's trusted certificate file, then sssd should find it. Alternatively you can use the ldap_tls_cacert or ldap_tls_cacertdir options in your sssd configuration file; see man sssd-ldap for usage.

I have the same issue. Lots of documentation for Fedora 26 and below and RHEL7 but nothing for Fedora 28 or RHEL8. I want to authenticate users via an existing ldap server. Works for RHEL7 but nothing on how to interoperate with RHEL8.

Your RHEL7 configuration may still work in RHEL8, though you would have to apply it manually, and nss-pam-ldapd, if you are using it, is deprecated in RHEL8 so might be withdrawn in a later release. However, you are probably better off using authselect to set the system to use sssd (unless you are using Red Hat Enterprise Linux Identity Management or Active Directory, in which case Red Hat recommends ipa-client-install and realm join respectively) and then setting up sssd (I haven't found any RHEL8 documentation but it doesn't look like it has changed much since RHEL7). There are more details in the documentation linked to in my previous posts.
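Putting the two replies above together (CA cert into the trust anchors plus ldap_tls_cacert, then authselect to switch the system to sssd), here is an added example that is not from this thread or from Red Hat; the server name, base DN and certificate path are placeholders standing in for the values from the opening post.

```shell
#!/bin/sh
# Added example, not from this thread: turn the four facts in the opening post
# (LDAP server, base DN, TLS required, CA certificate file) into a minimal
# sssd.conf for RHEL 8, then switch the system to sssd with authselect.
# The host name, base DN and paths are constructed placeholders.
LDAP_SERVER="ldap.example.com"
BASE_DN="dc=example,dc=com"
CA_CERT="/etc/pki/ca-trust/source/anchors/ldap-ca.pem"

# Render the sssd.conf text. Writing it to /etc/sssd is done separately so
# the result can be inspected (or tested) without root.
render_sssd_conf() {
    server="$1"; base="$2"; cacert="$3"
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://${server}
ldap_search_base = ${base}
# STARTTLS on port 389, as authconfig --enableldaptls did; ldaps:// also works.
ldap_id_use_start_tls = True
# Refuse any server certificate that does not chain to the CA below.
ldap_tls_reqcert = demand
ldap_tls_cacert = ${cacert}
cache_credentials = True
EOF
}

# Install the CA into the system trust store, write the config with the
# permissions sssd insists on, and point NSS/PAM at sssd (with-mkhomedir
# creates home directories on first login and needs oddjobd running).
apply_sssd_conf() {
    cp "$1" "$CA_CERT" && update-ca-trust
    render_sssd_conf "$LDAP_SERVER" "$BASE_DN" "$CA_CERT" > /etc/sssd/sssd.conf
    chown root:root /etc/sssd/sssd.conf && chmod 0600 /etc/sssd/sssd.conf
    authselect select sssd with-mkhomedir --force
    systemctl enable --now oddjobd sssd
}

# Only touch the system when asked: sh setup-ldap.sh apply /path/to/slapd-ca.pem
if [ "${1:-}" = "apply" ]; then
    apply_sssd_conf "$2"
fi
```

Running it without the apply argument only defines the functions, so the rendered config can be checked with render_sssd_conf before anything under /etc is changed.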

So sssd is the only option going forward and the use of ldap will be deprecated?

I don't think "LDAP" (the protocol) is going away any time soon - though sssd might be the only Red Hat-supported way to use it. "ldap" as a directly-usable option in places like nsswitch.conf and pam.d/* files might be on the way out, though.

In my case, I've been using LDAP via SSSD since shortly after RHEL 6.1 came out. My RHEL 7 sssd.conf works as-is in RHEL 8 (and the RHEL 8 pam.d files from Red Hat work 'as-is', unlike RHEL 6 & 7 versions). So I haven't really had to care about 'authselect' vs 'authconfig', since I don't use either of them.

Anybody have any luck with getting home directories to mount? I have configured LDAP authentication to the point where I can do an "id username" and it will return the correct values. But when I "su - domain\username", it creates a local directory rather than mounting the correct user directory.

Any suggestions?


RHEL 8 mounts home dirs for me.

For basic sssd I install via:

yum install -y realmd sssd-common oddjob oddjob-mkhomedir
sed -i 's/pam/pam\ndefault_domain_suffix = DOMAINNAME/g' /etc/sssd/sssd.conf
systemctl enable sssd
systemctl restart sssd

Or for LDAP, I modify my sssd.conf to be:

[sssd]
domains = MYDOMAIN
config_file_version = 2
services = nss, pam
default_domain_suffix = MYDOMAIN

# Section header reconstructed: the forum rendering dropped it, and the name
# must match the "domains =" entry above.
[domain/MYDOMAIN]
ad_domain = MYDOMAIN
krb5_realm = MYDOMAIN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://LDAP-HOST:3268
ldap_schema = ad
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = sAMAccountName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_referrals = false
ldap_user_search_base = DC=XXX,DC=com?subtree?(memberOf=CN=[XXX] XXXXXXXXXXXXXXXXXXXXXXXXXX,OU=Groups,OU=XXX,OU=US,OU=Servers,DC=XX,DC=XXX,DC=com)
ldap_default_bind_dn = CN=[MDR] Anonymous LDAP Query,CN=Users,DC=XX,DC=XXX,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXX
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/DigiCertSHA2SecureServerCA.pem
ldap_use_tokengroups = true

filter_users = root
filter_groups = root

Yours looks to be a mix of AD and LDAP, so I am unsure what goes where. I've tried creating an sssd.conf file but it doesn't take. Also, why did you install sssd-common, and what the heck does oddjob do? I thought authselect was supposed to be the only tool we needed for this supposed ldap connect ability.