Thursday, April 24, 2014

Connecting a Red Hat Enterprise Linux (RHEL) server to an LDAP server for Pluggable Authentication Module (PAM) authentication



This article describes connecting a Red Hat Enterprise Linux server to a Sun DSEE (LDAP) directory so that directory users can log in through PAM. It involves several steps.

1.1    Create ldap groups

LDAP groups are used to ensure that only authorized users can log in to the server: a user must be a member of the login group to get a shell, and of the admin group to use sudo. Two LDAP groups, test01_user_group and test01_admin_group, were created in the following way:

Create a file import.ldif with the following content. The admin group is additionally a posixGroup with a gidNumber so that it resolves through NSS, which sudo needs in order to match %test01_admin_group in the sudoers file:

dn: cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: test01_user_group

dn: cn=test01_admin_group,ou=AdmSubGroups,ou=AdminGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: posixGroup
gidNumber: 99998
cn: test01_admin_group

Then, from a machine where an LDAP client is installed (for instance the DSEE server itself), load the file with the following command (it binds as the Directory Manager, so run it only from a trusted host and do not put the password on the command line with -w):

> ldapadd -h localhost -p 1389 -D "cn=Directory Manager" -f import.ldif -q


1.2    Overwrite /etc/openldap/ldap.conf

Log in to the server that is to be connected to LDAP, become root (via sudo) and replace the content of /etc/openldap/ldap.conf with the following:

URI ldap://192.168.148.128:389
BASE ou=people,dc=mycomp,dc=mydomain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

1.3    Overwrite /etc/ldap.conf

Log in to the server that is to be connected to LDAP, become root (via sudo) and replace the content of /etc/ldap.conf (read by nss_ldap and pam_ldap) with the following. Point uri at the same directory as the URI in /etc/openldap/ldap.conf:

base dc=mycomp,dc=mydomain,dc=com
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_login_attribute uid
ldap_version 3
nss_base_passwd ou=people,dc=mycomp,dc=mydomain,dc=com?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://172.27.83.253:389
pam_filter isMemberOf=cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

Note that with ssl no and a plain ldap:// uri, pam_ldap authenticates each user with a simple bind, so every password crosses the network in cleartext. On a network that is not fully trusted, use ssl start_tls (or an ldaps:// uri) together with tls_checkpeer yes and the directory's CA certificate in tls_cacertdir, so that the server is verified before the password is sent.

The following parameters differ from server to server:

Parameter                 Description
uri                       Comma-separated list of LDAP URLs for the specific site (luton, west-brom)
pam_filter isMemberOf=    The group users have to be an (indirect) member of in order to be able to log in to this server; DSEE exposes nested membership through the virtual isMemberOf attribute
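As an added example (not part of the original post), the following script audits an /etc/ldap.conf of the shape written above for the settings that matter most for security: whether the simple bind that pam_ldap performs with the user's password is encrypted, whether the server certificate is verified, and whether a pam_filter restricts who may log in. The keywords checked (uri, ssl, tls_checkpeer, pam_filter) are pam_ldap's own; the script name, the path on the command line and the sample files are assumptions, not from the page. Run against the configuration above it reports the cleartext bind; against the same file with ssl start_tls and tls_checkpeer yes it reports nothing.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a pam_ldap/nss_ldap
# /etc/ldap.conf like the one written in section 1.3 and report settings that
# leak credentials or widen who may log in. Only the keywords uri, ssl,
# tls_checkpeer and pam_filter are inspected; the script name and the path
# passed on the command line are assumptions, not from the page.
# Usage: sh audit_ldap_conf.sh /etc/ldap.conf

# ldap_conf_value FILE KEY
#   Print the value of the first non-comment line whose keyword is KEY.
#   Keywords in ldap.conf are case-insensitive; pass KEY in lowercase.
ldap_conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_ldap_conf FILE
#   Print one "FINDING:" line per problem and return 1 if any were found.
audit_ldap_conf() {
    file="$1"
    rc=0
    uri=$(ldap_conf_value "$file" uri)
    ssl=$(ldap_conf_value "$file" ssl)
    checkpeer=$(ldap_conf_value "$file" tls_checkpeer)
    filter=$(ldap_conf_value "$file" pam_filter)

    # pam_ldap authenticates users with a simple bind carrying their password,
    # so the connection must be TLS: either ldaps:// URIs or "ssl start_tls".
    encrypted=no
    case "$uri" in *ldaps://*) encrypted=yes ;; esac
    case "$ssl" in on|yes|start_tls) encrypted=yes ;; esac

    if [ "$encrypted" = no ]; then
        echo "FINDING: uri='$uri' ssl='${ssl:-unset}': passwords cross the network in cleartext"
        rc=1
    elif [ "$checkpeer" != yes ]; then
        # TLS without certificate verification still lets a rogue directory
        # that answers on the right address harvest passwords.
        echo "FINDING: tls_checkpeer='${checkpeer:-unset}': server certificate is not verified"
        rc=1
    fi

    # Without pam_filter every entry under nss_base_passwd with a uid can log in.
    if [ -z "$filter" ]; then
        echo "FINDING: no pam_filter: any directory account can log in to this host"
        rc=1
    fi
    return "$rc"
}

# Stand-alone use: audit the file named on the command line.
if [ "$#" -gt 0 ]; then
    audit_ldap_conf "$1"
fi
```

The audit deliberately treats an encrypted but unverified connection as a finding: without tls_checkpeer yes, anything that can answer on the directory's address can present its own certificate and collect passwords.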

1.4    Complete configuration

Issue the following command, which enables LDAP for NSS lookups and for PAM authentication and rewrites the PAM stack accordingly:
> authconfig --enableldap --enableldapauth --update

Then open /etc/pam.d/system-auth and add the following line so that a home directory is created on a user's first login (pam_mkhomedir's option is umask, not mask; use umask=0077 if home directories should not be world-readable):
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel

Keep in mind that authconfig regenerates system-auth, so this manual line is lost the next time authconfig runs; authconfig also offers --enablemkhomedir, which makes the setting persistent.

1.5    Add sudo configuration

Using visudo, add the following line to the sudoers file:
%test01_admin_group ALL=(ALL) ALL

sudo matches %group through NSS, so this only works if the group resolves (hence the posixGroup object class and gidNumber on test01_admin_group) and the user is listed in it as NSS sees it. Check the result with getent group test01_admin_group and sudo -l -U <user> before relying on it.