Setup LDAP on Rocky Linux 8


# dnf installl -y authselect-compat openldap-clients openldap sssd-ldap nss-pam-ldapd


# cd /etc/openldap/certs
# wget
# openssl x509 -noout -hash -in cacert.pem | xargs -i ln -s cacert.pem {}.0

利用 authconfig 設定 ldap,如果有使用憑證記得將 TLS_CACERT 設定到 ldap.conf

# authconfig --enableldap --enableldapauth --ldapserver=ldaps://,ldaps:// --ldapbasedn="dc=liho,dc=tw" --update
# echo "TLS_CACERT /etc/openldap/certs/cacert.pem" >> /etc/openldap/ldap.conf

然後設定 sssd.conf 檔案

cat << EOF > /etc/sssd/sssd.conf
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://,ldaps://
ldap_search_base = dc=liho,dc=tw
ldap_id_use_start_tls = True
cache_credentials = True
#ldap_tls_cacertdir = /etc/openldap/certs
#ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_tls_reqcert = hard

services = nss, pam, autofs
domains = default
# chmod 600 /etc/sssd/sssd.conf

還有啟動 sssd & oddjobd 服務

# systemctl enable sssd oddjobd


如果某天不想要用 ldap 可以用下列指令解除:

# authconfig --disableldapauth --disableldap --enableshadow --updateall

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.