Guided Exercise: Connecting to a Central LDAP and Kerberos Server

In this lab, you will configure your desktopX system as a client of the LDAP server running on classroom.example.com, and you will configure it to use the Kerberos infrastructure provided by classroom.example.com for authentication.

Resources:
Files: http://classroom.example.com/pub/example-ca.crt
Machines: desktopX

Outcomes

desktopX configured for LDAP user information and Kerberos authentication from classroom.example.com.

  • Reset your desktopX system.

To simplify user management, your company has decided to switch to centralized user management. Another team has already set up all the required LDAP and Kerberos services. Centralized home directories are not yet available, so the system should be configured to create local home directories when a user first logs in.

Given the following information, configure your desktopX system to use user information from the LDAP server, and authentication services from the Kerberos KDC. DNS service records for the realm have not yet been configured, so you will have to configure Kerberos settings manually.

Name                   Value
LDAP server            ldap://classroom.example.com
LDAP base DN           dc=example,dc=com
Use TLS                Yes
Root CA                http://classroom.example.com/pub/example-ca.crt
Kerberos realm         EXAMPLE.COM
Kerberos KDC           classroom.example.com
Kerberos admin server  classroom.example.com

  1. Start by installing the necessary packages: sssd, krb5-workstation, and authconfig-gtk.

    1. [student@desktopX ~]$ sudo yum -y install sssd authconfig-gtk krb5-workstation
  2. Launch the Authentication Configuration application, then apply the settings from the table for both LDAP and Kerberos options.

    1. Either launch system-config-authentication from the command line, or launch Applications → Sundry → Authentication. Enter the student password (student) when asked.

    2. Make sure the Identity & Authentication tab is open.

    3. In the User Account Database, select LDAP.

    4. Enter dc=example,dc=com in the LDAP Search Base DN field, and classroom.example.com in the LDAP Server field.

    5. Make sure the Use TLS to encrypt connections box is checked, then click the Download CA Certificate... button.

    6. Enter http://classroom.example.com/pub/example-ca.crt in the Certificate URL field, then click OK.

    7. Select Kerberos password from the Authentication Method dropdown, and uncheck both Use DNS... boxes.

    8. Enter EXAMPLE.COM in the REALM field, and classroom.example.com in both the KDCs and Admin Servers fields.

    9. Switch to the Advanced Options tab and place a checkmark in the Create home directories on the first login box.

    10. Click the Apply button to apply your changes.

  3. Use both getent and ssh to verify your work. You can use the username ldapuserX (where X is your station number) with the password kerberos. Please note that your users will not yet have a home directory mounted.

    1. [student@desktopX ~]$ getent passwd ldapuserX
      ldapuserX:*:170X:170X:LDAP Test User X:/home/guests/ldapuserX:/bin/bash
    2. [student@desktopX ~]$ ssh ldapuserX@localhost
      The authenticity of host 'localhost (::1)' can't be established.
      ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
      ldapuserX@localhost's password: kerberos
      Creating home directory for ldapuserX.
      [ldapuserX@desktopX ~]$ pwd
      /home/guests/ldapuserX
      [ldapuserX@desktopX ~]$ ls -a
      .   .bash_history  .bash_profile  .cache   .mozilla
      ..  .bash_logout   .bashrc        .config
      [ldapuserX@desktopX ~]$ logout
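The same configuration can be applied without the graphical tool, and the files it writes can be checked for the two settings that matter most here: StartTLS with a trusted CA on the LDAP connection, and Kerberos pointed at an explicit KDC rather than DNS. The script below is an added example, not part of the course text: apply_central_auth is the authconfig command-line equivalent of the GUI steps (it is defined but not run, since it rewrites /etc/sssd/sssd.conf, /etc/krb5.conf and the PAM stack and must be run as root on desktopX), and the two check functions inspect an sssd.conf and a krb5.conf. The table values come from the exercise; the sample configuration files are constructed to resemble what authconfig writes and are not captured from a real system.

```shell
# Added example, not from the course text: authconfig equivalent of the GUI
# steps, plus checks on the resulting sssd.conf and krb5.conf.
# Table values from the exercise; sample files below are constructed.
LDAP_SERVER="ldap://classroom.example.com"
LDAP_BASE_DN="dc=example,dc=com"
CA_URL="http://classroom.example.com/pub/example-ca.crt"
KRB_REALM="EXAMPLE.COM"
KRB_KDC="classroom.example.com"
KRB_ADMIN="classroom.example.com"

# Same settings the Authentication Configuration GUI applies, non-interactively.
# Defined only; run as root on desktopX (rewrites sssd.conf, krb5.conf, PAM).
apply_central_auth() {
    authconfig \
        --enableldap --ldapserver="$LDAP_SERVER" --ldapbasedn="$LDAP_BASE_DN" \
        --enableldaptls --ldaploadcacert="$CA_URL" \
        --enablekrb5 --krb5realm="$KRB_REALM" \
        --krb5kdc="$KRB_KDC" --krb5adminserver="$KRB_ADMIN" \
        --disablekrb5kdcdns --disablekrb5realmdns \
        --enablemkhomedir \
        --update
}

# Print the body of one INI section ($2) of file $1, header line excluded.
ini_section() {
    awk -v want="[$2]" '$0 == want {p=1; next} /^\[/ {p=0} p' "$1"
}

# True if text $1 contains a line matching extended regex $2.
has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Return 1 unless the sssd domain uses StartTLS with a CA and Kerberos auth.
check_sssd_conf() {
    sect=$(ini_section "$1" "domain/default")
    rc=0
    has "$sect" '^ *ldap_uri *= *ldaps?://'            || { echo "sssd: ldap_uri missing";     rc=1; }
    has "$sect" '^ *ldap_id_use_start_tls *= *[Tt]rue' || { echo "sssd: StartTLS disabled";   rc=1; }
    has "$sect" '^ *ldap_tls_cacert(dir)? *= *[^ ]'     || { echo "sssd: no CA configured";    rc=1; }
    has "$sect" '^ *auth_provider *= *krb5'            || { echo "sssd: auth not Kerberos";   rc=1; }
    has "$sect" "^ *krb5_realm *= *$KRB_REALM"         || { echo "sssd: wrong realm";         rc=1; }
    has "$sect" "^ *krb5_server *= *$KRB_KDC"          || { echo "sssd: KDC not set";         rc=1; }
    return $rc
}

# Return 1 unless krb5.conf names the realm, KDC and admin server explicitly
# and has both DNS lookups switched off (the two "Use DNS..." boxes).
check_krb5_conf() {
    libdef=$(ini_section "$1" "libdefaults")
    realms=$(ini_section "$1" "realms")
    rc=0
    has "$libdef" "^ *default_realm *= *$KRB_REALM" || { echo "krb5: default_realm";       rc=1; }
    has "$libdef" '^ *dns_lookup_kdc *= *false'     || { echo "krb5: DNS KDC lookup on";   rc=1; }
    has "$libdef" '^ *dns_lookup_realm *= *false'   || { echo "krb5: DNS realm lookup on"; rc=1; }
    has "$realms" "^ *kdc *= *$KRB_KDC"             || { echo "krb5: kdc not $KRB_KDC";    rc=1; }
    has "$realms" "^ *admin_server *= *$KRB_ADMIN"  || { echo "krb5: admin_server";        rc=1; }
    return $rc
}

# Constructed samples of what authconfig writes for the table values.
SAMPLE_SSSD=$(mktemp)
cat > "$SAMPLE_SSSD" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://classroom.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = EXAMPLE.COM
krb5_server = classroom.example.com
krb5_kpasswd = classroom.example.com
cache_credentials = True
EOF

SAMPLE_KRB5=$(mktemp)
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = classroom.example.com
  admin_server = classroom.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF

check_sssd_conf "$SAMPLE_SSSD" && check_krb5_conf "$SAMPLE_KRB5" && echo "sample configs pass"
```

On a real desktopX, replace the sample paths with /etc/sssd/sssd.conf and /etc/krb5.conf (the first is readable only by root). The checks deliberately look for ldap_tls_cacertdir as well as ldap_tls_cacert, because authconfig downloads the CA into /etc/openldap/cacerts and points sssd at that directory rather than at the single certificate file.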
Revision: rh199-7-d0984a3