Red Hat Enterprise Linux 7

System-Level Authentication Guide

About System-Level Services for Authentication and Identity Management

Aneta Šteflová Petrová

Red Hat Customer Content Services

Marc Muehlfeld

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Ella Deon Ballard

Red Hat Customer Content Services

Abstract

This guide covers different applications and services available to configure authentication on local systems.
In addition to this guide, you can find documentation on the features and services related to Red Hat Enterprise Linux Identity Management in the following guides:
The Linux Domain Identity, Authentication, and Policy Guide documents Red Hat Identity Management, a solution that provides a centralized and unified way to manage identity stores as well as authentication and authorization policies in a Linux-based domain.
The Windows Integration Guide documents how to integrate Linux domains with Microsoft Windows Active Directory (AD) using Identity Management. Among other topics, the guide covers various aspects of direct and indirect AD integration, using SSSD to access a Common Internet File System (CIFS), and the realmd system.
1. Introduction to System Authentication
1.1. Confirming User Identities
1.2. As Part of Planning Single Sign-On
1.3. Available Services
I. System Logins
2. Configuring System Authentication
2.1. Identity Management Tools for System Authentication
2.2. Using authconfig
2.2.1. Tips for Using the authconfig CLI
2.2.2. Installing the authconfig UI
2.2.3. Launching the authconfig UI
2.2.4. Testing Authentication Settings
2.2.5. Saving and Restoring Configuration Using authconfig
3. Selecting the Identity Store for Authentication with authconfig
3.1. IPAv2
3.1.1. Configuring IdM from the UI
3.1.2. Configuring IdM from the Command Line
3.2. LDAP and IdM
3.2.1. Configuring LDAP Authentication from the UI
3.2.2. Configuring LDAP User Stores from the Command Line
3.3. NIS
3.3.1. Configuring NIS Authentication from the UI
3.3.2. Configuring NIS from the Command Line
3.4. Winbind
3.4.1. Enabling Winbind in the authconfig GUI
3.4.2. Enabling Winbind in the Command Line
4. Configuring Authentication Mechanisms
4.1. Configuring Local Authentication Using authconfig
4.1.1. Enabling Local Access Control in the UI
4.1.2. Configuring Local Access Control in the Command Line
4.2. Configuring System Passwords Using authconfig
4.2.1. Password Security
4.2.1.1. Configuring Password Hashing in the UI
4.2.1.2. Configuring Password Hashing on the Command Line
4.2.2. Password Complexity
4.2.2.1. Configuring Password Complexity in the UI
4.2.2.2. Configuring Password Complexity in the Command Line
4.3. Configuring Kerberos (with LDAP or NIS) Using authconfig
4.3.1. Configuring Kerberos Authentication from the UI
4.3.2. Configuring Kerberos Authentication from the Command Line
4.4. Smart Cards
4.4.1. Configuring Smart Cards Using authconfig
4.4.1.1. Enabling Smart Card Authentication from the UI
4.4.1.2. Configuring Smart Card Authentication from the Command Line
4.4.2. Smart Card Authentication in Identity Management
4.5. One-Time Passwords
4.6. Configuring Fingerprints Using authconfig
4.6.1. Using Fingerprint Authentication in the UI
4.6.2. Configuring Fingerprint Authentication in the Command Line
5. Managing Kickstart and Configuration Files Using authconfig
6. Enabling Custom Home Directories Using authconfig
II. Identity and Authentication Stores
7. Using and Caching Credentials with SSSD
7.1. The Basics of SSSD Configuration
7.1.1. Setting up the sssd.conf File
7.1.1.1. Creating the sssd.conf File
7.1.1.2. Using a Custom Configuration File
7.1.1.3. Additional Resources
7.1.2. Starting and Stopping SSSD
7.2. SSSD and System Services
7.2.1. Configuring Services: NSS
7.2.1.1. About NSS Service Maps and SSSD
7.2.1.2. Configuring NSS Services to Use SSSD
7.2.1.3. Configuring SSSD to Work with NSS
7.2.2. Configuring Services: PAM
7.2.3. Configuring Services: autofs
7.2.3.1. About Automount, LDAP, and SSSD
7.2.3.2. Configuring autofs Services in SSSD
7.2.4. Configuring Services: sudo
7.2.4.1. About sudo, LDAP, and SSSD
7.2.4.2. Configuring sudo with SSSD
7.2.5. Configuring Services: OpenSSH and Cached Keys
7.2.5.1. Configuring OpenSSH to Use SSSD for Host Keys
7.2.5.2. Configuring OpenSSH to Use SSSD for User Keys
7.3. SSSD and Identity Providers (Domains)
7.3.1. Creating an LDAP Identity Provider
7.3.1.1. Parameters for Configuring an LDAP Domain
7.3.1.2. Configuring an LDAP Identity Provider
7.3.2. Creating an Identity Management (IdM) Identity Provider
7.3.3. Creating an Active Directory Identity Provider
7.3.3.1. About Active Directory Identities on the Local System
7.3.3.2. Configuring an Active Directory Domain with ID Mapping
7.3.3.3. Configuring an Active Directory Domain with POSIX Attributes
7.3.3.4. Configuring Active Directory as an LDAP Domain
7.3.3.5. Additional Configuration Examples
7.3.4. Setting Additional Identity Provider Options
7.3.4.1. Setting User name Formats
7.3.4.2. Enabling Offline Authentication
7.3.4.3. Setting Password Expiry
7.3.4.4. LDAP Groups with Local System Users
7.3.4.5. Ignoring Group Members
7.3.4.6. Using DNS Service Discovery
7.3.4.7. Using IP Addresses in Certificate Subject Names (LDAP Only)
7.3.4.8. Configuring Different Types of Access Control
7.3.4.9. Configuring Primary Server and Backup Servers
7.3.5. Creating a Proxy Identity Provider
7.3.6. Configuring Kerberos Authentication with an Identity Provider
7.4. Managing Local System Users in SSSD
7.4.1. Installing SSSD Utilities
7.4.2. SSSD and UID and GID Numbers
7.4.3. Creating Local System Users
7.4.4. Seeding Users into the SSSD Cache During Kickstart
7.4.5. Managing the SSSD Cache
7.4.5.1. Purging the SSSD Cache
7.4.5.2. Deleting Domain Cache Files
7.5. SSSD Control and Status Utility
7.5.1. SSSD Configuration Validation
7.5.2. Domain Information
7.5.3. Cached Entries Information
7.5.4. Truncating the Log Files
7.5.5. Removing the SSSD Cache
7.6. SSSD Client-side Views
7.6.1. Defining a Different Attribute Value for a User Account
7.6.2. Listing All Overrides on a Host
7.6.3. Removing a Local Override
7.6.4. Exporting and Importing Local Views
7.7. Downgrading SSSD
7.8. Using NSCD with SSSD
8. Using realmd to Connect to an Identity Domain
9. OpenLDAP
9.1. Introduction to LDAP
9.1.1. LDAP Terminology
9.1.2. OpenLDAP Features
9.1.3. OpenLDAP Server Setup
9.2. Installing the OpenLDAP Suite
9.2.1. Overview of OpenLDAP Server Utilities
9.2.2. Overview of OpenLDAP Client Utilities
9.2.3. Overview of Common LDAP Client Applications
9.3. Configuring an OpenLDAP Server
9.3.1. Changing the Global Configuration
9.3.2. The Front End Configuration
9.3.3. The Monitor Back End
9.3.4. Database-Specific Configuration
9.3.5. Extending Schema
9.3.6. Establishing a Secure Connection
9.3.7. Setting Up Replication
9.3.8. Loading Modules and Back ends
9.4. SELinux Policy for Applications Using LDAP
9.5. Running an OpenLDAP Server
9.5.1. Starting the Service
9.5.2. Stopping the Service
9.5.3. Restarting the Service
9.5.4. Verifying the Service Status
9.6. Configuring a System to Authenticate Using OpenLDAP
9.6.1. Migrating Old Authentication Information to LDAP Format
9.7. Additional Resources
III. Secure Applications
10. Using Pluggable Authentication Modules (PAM)
10.1. About PAM
10.1.1. Other PAM Resources
10.1.2. Custom PAM Modules
10.2. About PAM Configuration Files
10.2.1. PAM Configuration File Format
10.2.2. Annotated PAM Configuration Example
10.3. PAM and Administrative Credential Caching
10.3.1. Removing the Timestamp File
10.3.2. Common pam_timestamp Directives
10.4. Restricting Domains for PAM services
11. Using Kerberos
11.1. About Kerberos
11.1.1. The Basics of How Kerberos Works
11.1.2. About Kerberos Principal Names
11.1.3. About the Domain-to-Realm Mapping
11.1.4. Environmental Requirements
11.1.5. Considerations for Deploying Kerberos
11.1.6. Additional Resources for Kerberos
11.2. Configuring the Kerberos KDC
11.2.1. Configuring the Master KDC Server
11.2.2. Setting up Secondary KDCs
11.2.3. Kerberos Key Distribution Center Proxy
11.3. Configuring a Kerberos Client
11.4. Setting up a Kerberos Client for Smart Cards
11.5. Setting up Cross-Realm Kerberos Trusts
11.5.1. A Trust Relationship
11.5.2. Setting up a Realm Trust
12. Working with certmonger
12.1. certmonger and Certificate Authorities
12.2. Requesting a Self-signed Certificate with certmonger
12.3. Requesting a CA-signed Certificate Through SCEP
12.4. Storing Certificates in NSS Databases
12.5. Tracking Certificates with certmonger
13. Configuring Applications for Single Sign-On
13.1. Configuring Firefox to Use Kerberos for Single Sign-On
13.2. Certificate Management in Firefox
13.3. Certificate Management in Email Clients
A. Troubleshooting
A.1. Troubleshooting SSSD
A.1.1. Setting Debug Logs for SSSD Domains
A.1.2. Checking SSSD Log Files
A.1.3. Problems with SSSD Configuration
A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs
A.2.1. SSSD and sudo Debug Logging
A.3. Troubleshooting Firefox Kerberos Configuration
B. Revision History