Changes


OPS535-lab-ldap

2,116 bytes added, 14:19, 28 September 2020
m
Investigation 3: Setup and Configure OpenLdap Client Through SSSD: - Adding instructions for configuring SSSD on client
Perform the following steps on vm2:
<ol>
<li>Install yum-utils</li>
<li>Install the symas ldap repo
<li>Install the following packages
*symas-openldap-clients*openldapsssd*sssd-clientsldap*nss_ldapsssd-tools*nssopenssl-pam-ldapdperl</li><li>If you would like to actually log into the client machines as an ldap user, you need to reconfigure the way the system authentication processes your login. Use To do this, you will use the “authconfig” authselect tool on the client machine.<br />
Note: the ldap user does not have home directory on the client unless you provide it via NFS.</li>
<li>Prior to making any changes to how your machines handle login information, use Copy the server's signed certificate onot the authconfigclient:*openssl s_client -connect ldap.pcallagh.ops:636 -showcerts < /dev/null | openssl x509 -savebackup command to save your current configuration into text > /etc/rootopenldap/ldapcerts/backupcacert.crt</li><li>Use Set up the authconfig command to configure your vm SSSD service to use vm1 as ldap for authentication.<ul><li>Start by adding the ldap serverfollowing settings to /etc/sssd/sssd.conf<br />Note that you will may have to enable create /etc/sssd/sssd.conf yourself. Make sure the file is owned by root:root and that the permissions are 0600.<source>[sssd]services = nss, pamconfig_file_version = 2domains = default [sudo] [nss]homedir_substring = /home [pam]offline_credentials_expiration = 60 [domain/default]ldap_id_use_start_tls = Truecache_credentials = Trueldap_search_base = 'The Base DN from your ldap server'id_provider = ldapauth_provider = ldapchpass_provider = ldapaccess_provider = ldapldap_uri = ldaps://<HOSTNAME or IP ADDRESS of your ldap server>ldap_chpass_uri = ldaps://<HOSTNAME or IP ADDRESS of your ldap authentication, identify server>ldap_tls_reqcert = allowldap_tls_cacert = <The absolute path of the certificate you copied over from the server>ldap_tls_cacertdir = <The absolute path to the directory the ldap server's certificate is in>ldap_search_timeout = 50ldap_network_timeout = 60ldap_access_order = filterldap_access_filter = (objectClass=posixAccount)</source></li><li>Now direct sssd to use those changes by running 'authselect select sssd --force'. 
you need the --force option to make it make changes to several files.</li><li>Test your configuration with 'sssctl config-check' and fix any errors it identifies</li><li>Once your configuration passes the sssctl check, start and the base distinguished name in a single commandenable sssd.</li></ul></li><li>Check Test that your machine is connected to the ldap server by searching for the ldapuser 1 account:<source>id ldapuser1</source>You should get something similar to the name service switch configuration file following (but may not be exactly the same):<source>uid=1002(ldapuser1) gid=1002(ldapuser1) groups=1002(ldapuser1)</source></li><li>If you want to be able to use commands like ldapsearch from this machine, you will also need to configure ldap in /etc/nsswitchopenldap.ldap.conf . This configuration file should already exist, you just need to confirm that modify the parameters to identify the LDAP isserver and location of its certificate.<ul><li>BASE <base DC from your ldap server></li><li>URI ldaps://<hostname or ip address of your ldap server></li>enabled<li>TLS_CACERT <the absolute path of the certificate you downloaded from the server earlier.></li><li>TLS_CACERTDIR <the directory you saved the certificate in></li></ul></li> 
<li>Test your OpenLDAP client with the ldapsearch command.
<source>ldapsearch -x 'uid=ldapuser1'</source>
You should get something results similar to the following (but may not be exactly the same):
<source>
# extended LDIF
# numResponses: 2
# numEntries: 1
</source></li>
<li>Logout of the client machine, then log back in using the ldapuser1 account.</li>
<li>Repeat steps 1 through 6 7 on vm3.</li>
</ol>
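Review bot: `ldap_tls_reqcert = allow` in the new [domain/default] block undercuts the certificate copied over in the previous step, because with `allow` SSSD still connects when the server presents no certificate or one that fails verification, so the ldaps:// session no longer authenticates vm1. Since `ldap_tls_cacert` already points at the copied certificate, use `ldap_tls_reqcert = demand` (the SSSD default) so a missing or bad certificate aborts the connection. Two smaller points in the same block: sssd.conf values are taken literally, so `ldap_search_base = 'The Base DN from your ldap server'` should be written without quotes (for example `ldap_search_base = dc=example,dc=org`), and `ldap_id_use_start_tls = True` is redundant on an ldaps:// URI, which is TLS from the first byte. In the certificate-copy step, the `openssl s_client ... | openssl x509` pipeline trusts whatever comes back over the network, so have students compare its fingerprint (`openssl x509 -noout -fingerprint -in <file>`) against the one on vm1 before pointing SSSD and /etc/openldap/ldap.conf at it.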