Network Authentication using an LDAP server:

Hi Techies,

So far we know that at local user accounts are managed through local files (/etc/passwd) on each machine. However, it is difficult to coordinate local user accounts on many systems.

In this blog, I will look at how to setup a machine as a client, to use a network user accounts that are provided by an existing LDAP (Lightweight Directory Access Protocol) directory service. This allows the LDAP directory to be our central authority for all network users and groups in your organization.

User account information determines the characteristics and configuration of the account Authentication methods are used to determine if someone trying to login should get access to the account. Network directory services can provide both user account information and authentication methods.

LDAP directory services can be used as a distributed, centralized, network user management service. Directory entries are arranged in a tree structure that can be searched. The base DN (Distinguished name) is the base of the tree that will be searched for directory entries for users and groups.

Key Elements for LDAP configuration

  1. Server’s fully qualified hostname

  2. Base DN to search for user definitions

  3. The certificate authority (“CA”) certificate used to sign the LDAP server’s SSL certificate.

You should ensure that the directory-client yum (for Redhat and Fedora) package group is installed, which includes the packages sssd, authoconfig-gtk, and oddjob-mkhomedir befor you begin.

System —> Administration —> or system-config-authentication can be used to modify the configuration of Identity and Authentication.

upload

Creating LDAP Account

upload2

Downloading CA Certificate

System-config-authentication will automatically turn on the sssd service which will look up and cache LDAP user information and authentication credentials for the client. If the LDAP server is unavailable but sssd is working, the system may be able to authenticate and get information about network users from the sssd cache.

Use getent passwd username to verify the account information being used. This works whether the user is a local user defined in etc/passwd or a network user from an LDAP service. The command will always show the definition that is actually being used by the system if there is any duplication between local users and network users. By default, the local user definition overrides the network user definition.

Advertisements

About Slash Rahul

A Passionate Software Engineer, Open-Source Enthusiastic.

Posted on 12/10/2013, in Technical and tagged , , , . Bookmark the permalink. Leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: