# yum install sssd openldap-clients
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
No cliente:
# mkdir /etc/openldap/cacerts
# scp ldap-master-01.exemplo.org:/tmp/ca.crt /etc/openldap/cacerts/
# cacertdir_rehash /etc/openldap/cacerts/
# authconfig \
>   --disablesmartcard \
>   --disablefingerprint \
>   --enablesssd \
>   --enablesssdauth \
>   --enablelocauthorize \
>   --disablemd5 \
>   --passalgo=sha512 \
>   --enablepamaccess \
>   --enableldap \
>   --enableldapauth \
>   --disableldaptls \
>   --ldapserver=ldaps://ldap-master-01.exemplo.org:636 \
>   --ldapbasedn=dc=exemplo,dc=org \
>   --enablemkhomedir \
>   --disablecachecreds \
>   --disablekrb5 \
>   --disablekrb5kdcdns \
>   --disablekrb5realmdns \
>   --krb5kdc=" #" \
>   --updateall
# systemctl enable sssd
# systemctl start sssd
# ldapwhoami -H ldaps://ldap-master-01.exemplo.org -x -D "cn=Manager,dc=exemplo,dc=org" -W
Enter LDAP Password:
dn:cn=Manager,dc=exemplo,dc=org
# ldapsearch -H ldaps://ldap-master-01.exemplo.org -x -D "cn=Manager,dc=exemplo,dc=org" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=exemplo,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# exemplo.org
dn: dc=exemplo,dc=org
dc: exemplo
objectClass: top
objectClass: domain

# Usuarios, exemplo.org
dn: ou=Usuarios,dc=exemplo,dc=org
ou: people
ou: Usuarios
objectClass: top
objectClass: organizationalUnit

# Grupos, exemplo.org
dn: ou=Grupos,dc=exemplo,dc=org
ou: groups
ou: Grupos
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
Para desabilitar consultas anônimas
# vim /etc/sssd/sssd.conf
[domain/<domain name like 'default' or 'LDAP'>]
...
ldap_default_bind_dn = cn=...,ou=...
ldap_default_authtok_type = password
# obfuscated_password: obfuscating the password provides no real security benefit
ldap_default_authtok = <your bind dn password>

Como a senha do bind DN fica em texto claro no arquivo, mantenha /etc/sssd/sssd.conf com dono root e permissão 0600 (o sssd exige isso para iniciar) e use uma conta de bind dedicada, somente leitura, em vez de cn=Manager.
Consultar usuário:
# getent -s sss passwd <username>
# getent -s sss group <groupname>
# id -a <username>