Certification Objective 6.07-Network Authentication Configuration: NIS and LDAP

By default, access to a Linux computer requires a valid username and password. One problem with a large network of Linux systems is that "normally," each user requires an account on every Linux computer.

The two services that allow you to set up one centrally managed database of usernames and passwords for Linux and Unix computers are NIS and LDAP. With each of these services, you can maintain one password database on an NIS or LDAP server and configure the other systems on the network as clients. When a user logs into an NIS or LDAP client, that system first checks its local password file, usually /etc/passwd. If it can't find your username, it looks up the corresponding file on the server.

In the Red Hat Exam Prep guide, the only requirement is to be able to connect a client to a network directory service, such as NIS or LDAP. As of this writing, the prep course outline for the RHCE (RH300) no longer includes NIS server configuration requirements. I therefore focus on NIS and LDAP clients in this section.

First, I'll show you how you can configure NIS and LDAP clients using the command line interface and then use the Red Hat Authentication Configuration tool.

NIS Client Configuration

It's fairly simple to configure an NIS client on a network. Assuming you have an NIS server, you need to do three things. First, specify the server and domain name in /etc/yp.conf. Next, make sure the ypbind client service starts the next time you boot Linux. Finally, make sure the /etc/nsswitch.conf file looks to the NIS service for at least the username and password database.

The change to the /etc/yp.conf configuration file is simple. All you need is a command such as the following, which specifies the name of the NIS domain as nisdomain, and the name of the NIS server as enterprise5a:

 domain nisdomain server enterprise5a 

Making sure that the ypbind client service starts the next time you boot Linux is a simple matter. Just as with other Linux services, you can make sure it starts at the appropriate runlevels with a command such as the following:

 # chkconfig ypbind on 

If you want to start the service immediately, the following command should be familiar:

 # service ypbind start 

Finally, making sure your computer looks for the NIS server for key files means modifying the /etc/nsswitch.conf configuration file. For example, to make sure your computer looks to the NIS server for the username and password database, you'll want to configure the following commands in that file (you can add other services such as ldap to the list):

 passwd:   files nis shadow:   files nis group:    files nis 

This assumes that you're using the NIS server that's included with RHEL 5, NIS version 2.

One command you need to know about when running an NIS client is yppasswd. All users can manage their NIS password with this command.

LDAP Client Configuration

If you want to configure your RHEL computer as an LDAP client, you'll need the openldap-clients, openldap, and nss_ldap RPM packages. The openldap-clients RPM is a default part of the System Tools package group. The other two packages should be installed by default on your RHEL system.

To configure an LDAP client, you'll need to configure two different ldap.conf configuration files in the /etc and the /etc/openldap directories. While both files can get quite complex, for the purposes of the exam, I'll keep the definitions simple.

/etc/ldap.conf

The default version of the /etc/ldap.conf file includes a number of different commands and comments. To set up your LDAP client, you'll need to be concerned with several commands in this file, including those described in Table 6-8.

/etc/openldap/ldap.conf

You'll need to specify the HOST and BASE variables in this file, just as you did in the /etc/ldap.conf configuration file. Based on the parameters in the previous section, this leads to the following two commands:

 BASE dc=example,dc=com URI ldap://127.0.0.1 

If your LDAP server is not on the local computer, and your domain is not example.com, you'll need to substitute accordingly. Individual users can supersede this file in a hidden .ldaprc file in their home directories.

The Name Service Switch File

The Name Service Switch file, /etc/nsswitch.conf, governs how your computer searches for key files such as password databases. You can configure it to look through NIS and LDAP server databases. For example, when an NIS client looks for a computer host name, it might start with the following entry from /etc/nsswitch.conf:

 hosts: files nisplus nis dns 

This line tells your computer to search through name databases in the following order:

1. Start with the database of host names and IP addresses in /etc/hosts.

2. Next, search for the host name in a map file based on NIS+ (NIS Version 3).

3. Next, search for the host name in a map file based on NIS (Version 2).

4. If none of these databases includes the desired host name, refer to the DNS server.

You can configure the /etc/nsswitch.conf configuration file to look at an LDAP server for the desired databases. For example, if you want to set up a centralized username and password database for your network, you'll need to configure at least the following commands in /etc/nsswitch.conf:

 passwd:   files ldap shadow:   files ldap group:    files ldap 

You can configure a number of additional files in an LDAP or NIS centralized database; however, the details are beyond the scope of this book.

Configuring Clients with the Red Hat Authentication Tool

If you're not familiar with NIS or LDAP, it may be simpler to configure your computer as a client using the Red Hat Authentication Configuration tool. In RHEL 5, you can start it in the GUI with the system-config-authentication command or in the console with the authconfig-tui command. This opens an Authentication Configuration tool; the GUI version is shown in Figure 6-11.

Figure 6-11: Authentication Configuration

If you've gone through the First Boot process described in Chapter 2, you may have already configured your computer using this tool. You can set your computer to check an NIS and an LDAP server for usernames and passwords.

If you choose to activate the Enable NIS Support option, click the Configure NIS button. You'll need to enter the name of the NIS domain, as well as the name or IP address of the computer with the NIS server. Make any desired changes and click OK.

If you choose to activate the Enable LDAP Support option, click the Configure LDAP button. Make any desired changes and click OK. You'll need to enter the following information:

1. If you want to use Transport Layer Security to encrypt the passwords sent to the LDAP server, activate the Use TLS To Encrypt Connections option. If you do so, you can also click Download CA Certificate, which allows you to specify the URL with the CA Certificate associated with the LDAP domain or realm.

2. Enter the domain name for your server in LDAP format in the LDAP Search Base DN text box. For example, if your domain is my-domain.com, enter the following:

    dc=my-domain,dc=com 

3. Specify the location of the LDAP server. If it's the local computer, you can use the 127.0.0.1 IP address.

Once you've made your changes, click OK; it may take a few seconds for the Authentication Configuration tool to write the changes to the noted configuration files before it closes. If you've set up an NIS client, it automatically sets the ypbind service to start at appropriate runlevels the next time you boot Linux.