LDAP authentication in RHEL 8?


I'm the first person in my office to upgrade to RHEL 8, and I'm finding that the normal process used in the past for setting up LDAP-based authentication no longer applies, as authconfig tools are no longer provided. I've also been unable to find any resource online that fully describes the process.

What I have/know:
* The LDAP server name
* The base DN
* Connection requires TLS
* Certificate file

I'd like to use the above to set up authentication so I can log in using my existing user account on our LDAP server.

Can anyone point me to a comprehensive description on how this is done in RHEL 8?

Thanks!

Responses

I am also looking for a solution to the above requirement, but no luck till now ... waiting for help from someone.

Thanks in advance

You could start by looking at authselect

It appears that authselect (intentionally) covers a subset of the functionality of the former authconfig tools. In particular, it does not present an interface with which a user can apply the knowledge I have (listed above) to successfully set up authentication via LDAP.

My question remains unanswered. A tool has existed in RHEL in the past that performed a very useful function -- providing an interface into which the above details can be specified, resulting in a correct LDAP client configuration. What tool or process has replaced it? That tool is evidently not authselect, or at the very least no documentation exists on how to use authselect for that purpose.

With the following command line, our RHEL 7 workstations here can be set up correctly for LDAP authentication:

authconfig --enableldap --ldapserver [our ldap server] --enableldapauth --ldapbasedn [our base DN] --enableldaptls --ldaploadcacert=[our slapd cert file] --update

The authconfig compatibility stub provided with RHEL 8 does not support --ldaploadcacert, and seems to leave a number of other steps incomplete. I've been studying how to configure sssd manually, but have had no luck with that so far either.

Setting up a machine as an LDAP client is a very common administrative operation involving a relatively small set of variables, as formerly provided to authconfig. I think it's reasonable to assume that this functionality should still exist, in some different utility or user interface.

I'm a fairly basic user, certainly no RH admin guru. Our network administrator at this office knows quite a bit more than I do, but he has been unable so far to figure this out either. (To be fair, he's had very limited time to work on it.) And my organization's central IT helpdesk hasn't been able to help -- they've recently added to the support ticket I posted about this, only to ask if I've figured it out yet.

I'm beginning to get the impression that no one in the world knows how to set up RHEL 8 as an LDAP client. I really want to be wrong about that.

I totally agree with Chris here.

RHEL 8 has been around for some months now, but there does not seem to be a proper replacement for authconfig. I would really appreciate it if someone could provide documentation, a how-to or an example config to set up a valid LDAP client config with the information provided in the initial posting.

Seriously, my Solaris colleagues are starting to laugh at us for the trouble we have with this topic.

I agree completely, I've been trying to figure it out for a month and have yet to be successful.

Have you been able to resolve the issue that --ldaploadcacert is not available for RHEL 8 and CentOS 8? It broke my LDAP sssd configuration.

If you put your CA cert in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust, thus adding it to your computer's trusted certificate file, then sssd should find it. Alternatively you can use the ldap_tls_cacert or ldap_tls_cacertdir options in your sssd configuration file; see man sssd-ldap for usage.

I have the same issue. Lots of documentation for Fedora 26 and below and RHEL7 but nothing for Fedora 28 or RHEL8. I want to authenticate users via an existing ldap server. Works for RHEL7 but nothing on how to interoperate with RHEL8.

Your RHEL7 configuration may still work in RHEL8, though you would have to apply it manually, and nss-pam-ldapd, if you are using it, is deprecated in RHEL8 so might be withdrawn in a later release. However, you are probably better off using authselect to set the system to use sssd (unless you are using Red Hat Enterprise Linux Identity Management or Active Directory, in which case Red Hat recommends ipa-client-install and realm join respectively) and then setting up sssd (I haven't found any RHEL8 documentation, but it doesn't look like it has changed much since RHEL7). There are more details in the documentation linked to in my previous posts.

So sssd is the only option going forward and the use of ldap will be deprecated?

I don't think "LDAP" (the protocol) is going away any time soon - though sssd might be the only Red Hat-supported way to use it. "ldap" as a directly-usable option in places like nsswitch.conf and pam.d/* files might be on the way out, though.

In my case, I've been using LDAP via SSSD since shortly after RHEL 6.1 came out. My RHEL 7 sssd.conf works as-is in RHEL 8 (and the RHEL 8 pam.d files from Red Hat work 'as-is', unlike RHEL 6 & 7 versions). So I haven't really had to care about 'authselect' vs 'authconfig', since I don't use either of them.

Anybody have any luck with getting home directories to mount? I have configured LDAP authentication to the point where I can do an "id username" and it will return the correct values. When I "su - domain\username", it creates a local directory rather than mounting the correct user directory.

Any suggestions?

Thanks

RHEL 8 mounts home dirs for me.

For basic sssd I install via:

=======
yum install -y realmd sssd-common oddjob oddjob-mkhomedir
realm join DOMAINNAME -U USERNAME
sed -i 's/pam/pam\ndefault_domain_suffix = DOMAINNAME/g' /etc/sssd/sssd.conf
systemctl enable sssd
systemctl restart sssd
=======

Or for LDAP, I modify my sssd.conf to be:

[sssd]
domains = MYDOMAIN
config_file_version = 2
services = nss, pam
default_domain_suffix = MYDOMAIN

[domain/MYDOMAIN]
ad_domain = MYDOMAIN
krb5_realm = MYDOMAIN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://LDAP-HOST:3268
ldap_schema = ad
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = sAMAccountName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_referrals = false
ldap_user_search_base = DC=XXX,DC=com?subtree?(memberOf=CN=[XXX] XXXXXXXXXXXXXXXXXXXXXXXXXX,OU=Groups,OU=XXX,OU=US,OU=Servers,DC=XX,DC=XXX,DC=com)
ldap_default_bind_dn = CN=[MDR] Anonymous LDAP Query,CN=Users,DC=XX,DC=XXX,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXX
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/DigiCertSHA2SecureServerCA.pem
ldap_use_tokengroups = true

[nss]
filter_users = root
filter_groups = root

Yours looks to be a mix of AD and LDAP, so I am unsure what goes where. I've tried creating an sssd.conf file, but it doesn't take. Also, why did you install sssd-common, and what the heck does oddjob do? I thought authselect was supposed to be the only tool we needed for this supposed LDAP connectivity.

The book on RHEL8 authselect has a chapter on configuring LDAP+TLS: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_authselect_on_a_red_hat_enterprise_linux_host/configuring-sssd-to-use-ldap-and-require-tls-authentication_configuring-authentication-using-authselect

This link is broken, but I went looking for it. I found this page and was able to get LDAP working: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-sssd-to-use-ldap-and-require-tls-authentication_configuring-authentication-and-authorization-in-rhel

Thanks!

I fixed this by manually generating the x509 hash of the CA cert and the link, which authconfig used to do for you.

[/etc/openldap/cacerts]# openssl x509 -noout -hash -in mycert.crt
fc5a8f99
[/etc/openldap/cacerts]# ln -s mycert.crt fc5a8f99.0

After I restarted sssd, things worked for me.

Hi Experts, besides the command line tool, is there any GUI tool (similar to 'authconfig-gtk' on RHEL7) for RHEL 8? Thanks.

I have not seen a GUI for this. I also fought with getting LDAP authentication working with RHEL 8 (my RHEL 7 sssd.conf did not work on RHEL 8 directly) and we utilize Red Hat Directory Server for our LDAP. I thought perhaps there would be configuration options within cockpit but no luck there, that appears to also be geared toward Active Directory.

In my kickstart I specify "authselect select sssd with-mkhomedir" and then in a %post script I copy a custom sssd.conf in place and add the necessary TLS certificates for our LDAP server.

We do a bit of custom stuff with LDAP attributes for access and don't mount home directories, so I'm not sure how helpful our sssd.conf would be, but it does work for us and looks something like below. We have a custom script that runs on first boot that allows the person setting up the machine to customize a few things like the hostname and who gets admin privileges. I expect we will move a bit of this over to Ansible once we have Ansible Tower set up.

# Note, /etc/sssd/sssd.conf should be owned root.root and chmod 600
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
enum_cache_timeout = 7200
entry_cache_nowait_percentage = 50
entry_negative_timeout = 15
filter_groups = root, pcp, postfix, apache, tomcat
filter_users = root, pcp, postfix, apache, tomcat

[domain/LDAP]
# You should only enable enumerations (and the resultant performance issues) if you have applications or scripts in your environment that absolutely must be able to retrieve the complete lists. In these cases, enumeration can be enabled by setting.
# https://fedorahosted.org/sssd/wiki/FAQ
enumerate = true
# ldap_enumeration_refresh_timeout Default 300 seconds
ldap_enumeration_refresh_timeout = 3600
# entry_cache_timeout Default 5400
entry_cache_timeout = 5400
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com:636
ldap_search_base = dc=example,dc=com
ldap_user_search_base = dc=example,dc=com?subtree?(|(ouEduPersonGlobalAccess=superadmin)(ouEduPersonGlobalAccess=ops)(ouEduPersonHostAccess=@hostname))
ldap_group_search_base = ou=Group,dc=example,dc=com?subtree?
ldap_tls_cacertdir = /etc/openldap/certs
# ldap_tls_reqcert
# never = The client will not request or check any server certificate.
# allow = The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.
# try = The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
# demand = The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
# hard = Same as "demand"
# Default: hard
ldap_tls_reqcert = try
access_provider = ldap
ldap_access_filter = (|(ouEduPersonGlobalAccess=superadmin)(ouEduPersonGlobalAccess=ops)(ouEduPersonHostAccess=@hostname))
#entry_cache_timeout Default 60 (Keep a user cached for the time specified after a lookup, use `sss_cache -u userid` to uncache a user )
# NOTE: entry_cache_timeout is also set to 5400 further up in this section; only one of the two values can take effect, so keep a single setting.
entry_cache_timeout = 600
#debug_level = 7
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Domains.html
# We use memberuid so rfc2307, if we used member then it would be rfc2307bis
ldap_schema = rfc2307
ldap_user_extra_attrs = ouEduPersonGlobalAccess, ouEduPersonHostAccess
ignore_group_members = false
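The two sssd.conf files posted in this thread differ on exactly the settings that decide whether the LDAP connection is actually protected: ldap_tls_reqcert (demand vs. try), ldap:// plus ldap_id_use_start_tls vs. ldaps://, a bind password in ldap_default_authtok, and a key set twice in one section. The following is an added example, not code from any poster here: a small Python audit of a [domain/...] section that flags those four conditions. Option names and the default of ldap_tls_reqcert come from man sssd-ldap; the sample file is constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the configs posted in this thread, not a real site's file.
SAMPLE_CONF = """\
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = try
entry_cache_timeout = 5400
entry_cache_timeout = 600
ldap_default_authtok = secret
"""

def parse_sssd_conf(text):
    """Parse INI-style text into {section: {key: [values]}}; every occurrence of a key is kept."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()].append(value.strip())
    return sections

def audit_domain(name, opts):
    """Return findings for one [domain/...] section that uses the ldap provider."""
    findings = [f"{name}: '{k}' set {len(v)} times ({', '.join(v)}); only one value can take effect"
                for k, v in opts.items() if len(v) > 1]
    last = {k: v[-1] for k, v in opts.items()}
    if "ldap" not in (last.get("id_provider"), last.get("auth_provider")):
        return findings
    plain_uri = any(u.startswith("ldap://") for u in last.get("ldap_uri", "").split())
    if plain_uri and last.get("ldap_id_use_start_tls", "false").lower() != "true":
        findings.append(f"{name}: ldap:// URI without ldap_id_use_start_tls = true (binds travel in clear)")
    reqcert = last.get("ldap_tls_reqcert", "hard").lower()  # man sssd-ldap: default is hard
    if reqcert in {"never", "allow", "try"}:
        findings.append(f"{name}: ldap_tls_reqcert = {reqcert} tolerates a bad server certificate; use demand")
    if "ldap_default_authtok" in last:
        findings.append(f"{name}: bind password in ldap_default_authtok; keep the file root:root mode 0600")
    return findings

def audit(text):
    return [f for name, opts in parse_sssd_conf(text).items()
            if name.startswith("domain/") for f in audit_domain(name, opts)]
```

Run audit() over the contents of /etc/sssd/sssd.conf after editing it; an empty list means none of the four conditions was found.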

Y'all, honestly this is the best article I have found for LDAP. A couple of things: are you still configuring ldap.conf? I am struggling with testing. I can't seem to narrow down whether it's a conf issue or a cert issue.

ldapsearch -x -b "uid=redcap, ou=omg,dc=omg,dc=org"
text: 000004DC: LdapErr: DSID-0C0907E1, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580