System-Level Authentication Guide
1. Introduction to System Authentication
Expand section "1. Introduction to System Authentication" Collapse section "1. Introduction to System Authentication"
I. System Logins
Expand section "I. System Logins" Collapse section "I. System Logins"
1. 2. Configuring System Authentication
  Expand section "2. Configuring System Authentication" Collapse section "2. Configuring System Authentication"
  1. 2.1. Identity Management Tools for System Authentication
  2. 2.2. Using authconfig
    
    Expand section "2.2. Using authconfig" Collapse section "2.2. Using authconfig"
    
    2.2.1. Tips for Using the authconfig CLI
    
    2.2.2. Installing the authconfig UI
    
    2.2.3. Launching the authconfig UI
    
    2.2.4. Testing Authentication Settings
    
    2.2.5. Saving and Restoring Configuration Using authconfig
2. 3. Selecting the Identity Store for Authentication with authconfig
  Expand section "3. Selecting the Identity Store for Authentication with authconfig" Collapse section "3. Selecting the Identity Store for Authentication with authconfig"
  1. 3.1. IPAv2
    
    Expand section "3.1. IPAv2" Collapse section "3.1. IPAv2"
    
    3.1.1. Configuring IdM from the UI
    
    3.1.2. Configuring IdM from the Command Line
  2. 3.2. LDAP and IdM
    
    Expand section "3.2. LDAP and IdM" Collapse section "3.2. LDAP and IdM"
    
    3.2.1. Configuring LDAP Authentication from the UI
    
    3.2.2. Configuring LDAP User Stores from the Command Line
  3. 3.3. NIS
    
    Expand section "3.3. NIS" Collapse section "3.3. NIS"
    
    3.3.1. Configuring NIS Authentication from the UI
    
    3.3.2. Configuring NIS from the Command Line
  4. 3.4. Winbind
    
    Expand section "3.4. Winbind" Collapse section "3.4. Winbind"
    
    3.4.1. Enabling Winbind in the authconfig GUI
    
    3.4.2. Enabling Winbind in the Command Line
3. 4. Configuring Authentication Mechanisms
  Expand section "4. Configuring Authentication Mechanisms" Collapse section "4. Configuring Authentication Mechanisms"
  1. 4.1. Configuring Local Authentication Using authconfig
    
    Expand section "4.1. Configuring Local Authentication Using authconfig" Collapse section "4.1. Configuring Local Authentication Using authconfig"
    
    4.1.1. Enabling Local Access Control in the UI
    
    4.1.2. Configuring Local Access Control in the Command Line
  2. 4.2. Configuring System Passwords Using authconfig
    
    Expand section "4.2. Configuring System Passwords Using authconfig" Collapse section "4.2. Configuring System Passwords Using authconfig"
    
    4.2.1. Password Security
    
    Expand section "4.2.1. Password Security" Collapse section "4.2.1. Password Security"
    
    4.2.1.1. Configuring Password Hashing in the UI
    
    4.2.1.2. Configuring Password Hashing on the Command Line
    
    4.2.2. Password Complexity
    
    Expand section "4.2.2. Password Complexity" Collapse section "4.2.2. Password Complexity"
    
    4.2.2.1. Configuring Password Complexity in the UI
    
    4.2.2.2. Configuring Password Complexity in the Command Line
  3. 4.3. Configuring Kerberos (with LDAP or NIS) Using authconfig
    
    Expand section "4.3. Configuring Kerberos (with LDAP or NIS) Using authconfig" Collapse section "4.3. Configuring Kerberos (with LDAP or NIS) Using authconfig"
    
    4.3.1. Configuring Kerberos Authentication from the UI
    
    4.3.2. Configuring Kerberos Authentication from the Command Line
  4. 4.4. Smart Cards
    
    Expand section "4.4. Smart Cards" Collapse section "4.4. Smart Cards"
    
    4.4.1. Configuring Smart Cards Using authconfig
    
    Expand section "4.4.1. Configuring Smart Cards Using authconfig" Collapse section "4.4.1. Configuring Smart Cards Using authconfig"
    
    4.4.1.1. Enabling Smart Card Authentication from the UI
    
    4.4.1.2. Configuring Smart Card Authentication from the Command Line
    
    4.4.2. Smart Card Authentication in Identity Management
    
    4.4.3. Supported Smart Cards
  5. 4.5. One-Time Passwords
  6. 4.6. Configuring Fingerprints Using authconfig
    
    Expand section "4.6. Configuring Fingerprints Using authconfig" Collapse section "4.6. Configuring Fingerprints Using authconfig"
    
    4.6.1. Using Fingerprint Authentication in the UI
    
    4.6.2. Configuring Fingerprint Authentication in the Command Line
4. 5. Managing Kickstart and Configuration Files Using authconfig
5. 6. Enabling Custom Home Directories Using authconfig
II. Identity and Authentication Stores
Expand section "II. Identity and Authentication Stores" Collapse section "II. Identity and Authentication Stores"
1. 7. Configuring SSSD
  Expand section "7. Configuring SSSD" Collapse section "7. Configuring SSSD"
  1. 7.1. Introduction to SSSD
    
    Expand section "7.1. Introduction to SSSD" Collapse section "7.1. Introduction to SSSD"
    
    7.1.1. How SSSD Works
    
    7.1.2. Benefits of Using SSSD
  2. 7.2. Using Multiple SSSD Configuration Files on a Per-client Basis
  3. 7.3. Configuring Identity and Authentication Providers for SSSD
    
    Expand section "7.3. Configuring Identity and Authentication Providers for SSSD" Collapse section "7.3. Configuring Identity and Authentication Providers for SSSD"
    
    7.3.1. Introduction to Identity and Authentication Providers for SSSD
    
    7.3.2. Configuring an LDAP Domain for SSSD
    
    7.3.3. Configuring the Files Provider for SSSD
    
    7.3.4. Configuring a Proxy Provider for SSSD
    
    7.3.5. Configuring a Kerberos Authentication Provider
  4. 7.4. Additional Configuration for Identity and Authentication Providers
    
    Expand section "7.4. Additional Configuration for Identity and Authentication Providers" Collapse section "7.4. Additional Configuration for Identity and Authentication Providers"
    
    7.4.1. Adjusting User Name Formats
    
    Expand section "7.4.1. Adjusting User Name Formats" Collapse section "7.4.1. Adjusting User Name Formats"
    
    7.4.1.1. Defining the Regular Expression for Parsing Full User Names
    
    7.4.1.2. Defining How SSSD Prints Full User Names
    
    7.4.2. Enabling Offline Authentication
    
    7.4.3. Configuring DNS Service Discovery
    
    7.4.4. Defining Access Control Using the simple Access Provider
    
    7.4.5. Defining Access Control Using the LDAP Access Filter
  5. 7.5. Configuring System Services for SSSD
    
    Expand section "7.5. Configuring System Services for SSSD" Collapse section "7.5. Configuring System Services for SSSD"
    
    7.5.1. Configuring Services: NSS
    
    7.5.2. Configuring Services: PAM
    
    7.5.3. Configuring Services: autofs
    
    7.5.4. Configuring Services: sudo
  6. 7.6. SSSD Client-side Views
    
    Expand section "7.6. SSSD Client-side Views" Collapse section "7.6. SSSD Client-side Views"
    
    7.6.1. Defining a Different Attribute Value for a User Account
    
    7.6.2. Listing All Overrides on a Host
    
    7.6.3. Removing a Local Override
    
    7.6.4. Exporting and Importing Local Views
  7. 7.7. Downgrading SSSD
  8. 7.8. Using NSCD with SSSD
  9. 7.9. Additional Resources
2. 8. Using realmd to Connect to an Identity Domain
3. 9. LDAP Servers
  Expand section "9. LDAP Servers" Collapse section "9. LDAP Servers"
  1. 9.1. Red Hat Directory Server
  2. 9.2. OpenLDAP
    
    Expand section "9.2. OpenLDAP" Collapse section "9.2. OpenLDAP"
    
    9.2.1. Introduction to LDAP
    
    Expand section "9.2.1. Introduction to LDAP" Collapse section "9.2.1. Introduction to LDAP"
    
    9.2.1.1. LDAP Terminology
    
    9.2.1.2. OpenLDAP Features
    
    9.2.1.3. OpenLDAP Server Setup
    
    9.2.2. Installing the OpenLDAP Suite
    
    Expand section "9.2.2. Installing the OpenLDAP Suite" Collapse section "9.2.2. Installing the OpenLDAP Suite"
    
    9.2.2.1. Overview of OpenLDAP Server Utilities
    
    9.2.2.2. Overview of OpenLDAP Client Utilities
    
    9.2.2.3. Overview of Common LDAP Client Applications
    
    9.2.3. Configuring an OpenLDAP Server
    
    Expand section "9.2.3. Configuring an OpenLDAP Server" Collapse section "9.2.3. Configuring an OpenLDAP Server"
    
    9.2.3.1. Changing the Global Configuration
    
    9.2.3.2. The Front End Configuration
    
    9.2.3.3. The Monitor Back End
    
    9.2.3.4. Database-Specific Configuration
    
    9.2.3.5. Extending Schema
    
    9.2.3.6. Establishing a Secure Connection
    
    9.2.3.7. Setting Up Replication
    
    9.2.3.8. Loading Modules and Back ends
    
    9.2.4. SELinux Policy for Applications Using LDAP
    
    9.2.5. Running an OpenLDAP Server
    
    Expand section "9.2.5. Running an OpenLDAP Server" Collapse section "9.2.5. Running an OpenLDAP Server"
    
    9.2.5.1. Starting the Service
    
    9.2.5.2. Stopping the Service
    
    9.2.5.3. Restarting the Service
    
    9.2.5.4. Verifying the Service Status
    
    9.2.6. Configuring a System to Authenticate Using OpenLDAP
    
    Expand section "9.2.6. Configuring a System to Authenticate Using OpenLDAP" Collapse section "9.2.6. Configuring a System to Authenticate Using OpenLDAP"
    
    9.2.6.1. Migrating Old Authentication Information to LDAP Format
    
    9.2.7. Additional Resources
III. Secure Applications
Expand section "III. Secure Applications" Collapse section "III. Secure Applications"
1. 10. Using Pluggable Authentication Modules (PAM)
  Expand section "10. Using Pluggable Authentication Modules (PAM)" Collapse section "10. Using Pluggable Authentication Modules (PAM)"
  1. 10.1. About PAM
    
    Expand section "10.1. About PAM" Collapse section "10.1. About PAM"
    
    10.1.1. Other PAM Resources
    
    10.1.2. Custom PAM Modules
  2. 10.2. About PAM Configuration Files
    
    Expand section "10.2. About PAM Configuration Files" Collapse section "10.2. About PAM Configuration Files"
    
    10.2.1. PAM Configuration File Format
    
    10.2.2. Annotated PAM Configuration Example
  3. 10.3. PAM and Administrative Credential Caching
    
    Expand section "10.3. PAM and Administrative Credential Caching" Collapse section "10.3. PAM and Administrative Credential Caching"
    
    10.3.1. Common pam_timestamp Directives
    
    10.3.2. Removing the Timestamp File
  4. 10.4. Restricting Domains for PAM services
2. 11. Using Kerberos
  Expand section "11. Using Kerberos" Collapse section "11. Using Kerberos"
  1. 11.1. About Kerberos
    
    Expand section "11.1. About Kerberos" Collapse section "11.1. About Kerberos"
    
    11.1.1. The Basics of How Kerberos Works
    
    11.1.2. About Kerberos Principal Names
    
    11.1.3. About the Domain-to-Realm Mapping
    
    11.1.4. Environmental Requirements
    
    11.1.5. Considerations for Deploying Kerberos
    
    11.1.6. Additional Resources for Kerberos
  2. 11.2. Configuring the Kerberos KDC
    
    Expand section "11.2. Configuring the Kerberos KDC" Collapse section "11.2. Configuring the Kerberos KDC"
    
    11.2.1. Configuring the Master KDC Server
    
    11.2.2. Setting up Secondary KDCs
    
    11.2.3. Kerberos Key Distribution Center Proxy
  3. 11.3. Configuring a Kerberos Client
  4. 11.4. Setting up a Kerberos Client for Smart Cards
  5. 11.5. Setting up Cross-Realm Kerberos Trusts
    
    Expand section "11.5. Setting up Cross-Realm Kerberos Trusts" Collapse section "11.5. Setting up Cross-Realm Kerberos Trusts"
    
    11.5.1. A Trust Relationship
    
    11.5.2. Setting up a Realm Trust
3. 12. Working with certmonger
  Expand section "12. Working with certmonger" Collapse section "12. Working with certmonger"
4. 13. Configuring Applications for Single Sign-On
  Expand section "13. Configuring Applications for Single Sign-On" Collapse section "13. Configuring Applications for Single Sign-On"
A. Troubleshooting
Expand section "A. Troubleshooting" Collapse section "A. Troubleshooting"
1. A.1. Troubleshooting SSSD
  Expand section "A.1. Troubleshooting SSSD" Collapse section "A.1. Troubleshooting SSSD"
  1. A.1.1. Setting Debug Logs for SSSD Domains
  2. A.1.2. Checking SSSD Log Files
  3. A.1.3. Problems with SSSD Configuration
  4. A.1.4. A User Cannot Log In After UID or GID Changed
  5. A.1.5. SSSD Control and Status Utility
    
    Expand section "A.1.5. SSSD Control and Status Utility" Collapse section "A.1.5. SSSD Control and Status Utility"
    
    A.1.5.1. SSSD Configuration Validation
    
    A.1.5.2. Displaying User Data
    
    A.1.5.3. Domain Information
    
    A.1.5.4. Cached Entries Information
    
    A.1.5.5. Truncating the Log Files
    
    A.1.5.6. Removing the SSSD Cache
    
    A.1.5.7. Obtaining Information about an LDAP Group Takes Long
2. A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs
  Expand section "A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs" Collapse section "A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs"
  1. A.2.1. SSSD and sudo Debug Logging
3. A.3. Troubleshooting Firefox Kerberos Configuration
B. Revision History
Legal Notice

Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Part I. System Logins

This part provides instruction on how to configure system authentication with the use of the authconfig, ipa-client-install, and realmd tools.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Red Hat Training

Part I. System Logins