====== Login Linux via INFN-AAI ======

Reference: the Red Hat Enterprise Linux 7 //System-Level Authentication Guide//, https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/System-Level_Authentication_Guide/Red_Hat_Enterprise_Linux-7-System-Level_Authentication_Guide-en-US.pdf

Install the NSS and PAM components: nss-pam-ldapd (the nslcd daemon, which answers user and group lookups from LDAP), pam_ldap and pam_krb5.

<code bash>
yum install nss-pam-ldapd pam_ldap pam_krb5
</code>

----

Run **authconfig-tui** and select the options shown below. Note the split: LDAP is used for **user information** only (NSS lookups, over TLS), while ''Use LDAP Authentication'' stays unchecked and passwords are verified by Kerberos. ''Local authorization is sufficient'' keeps local accounts working when the directory is unreachable.

<code>
┌────────────────┤ Authentication Configuration ├─────────────────┐
│                                                                 │
│  User Information        Authentication                         │
│  [*] Cache Information   [ ] Use MD5 Passwords                  │
│  [*] Use LDAP            [*] Use Shadow Passwords               │
│  [ ] Use NIS             [ ] Use LDAP Authentication            │
│  [ ] Use IPAv2           [*] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication         │
│                          [*] Local authorization is sufficient  │
│                                                                 │
│            ┌────────┐                      ┌──────┐             │
│            │ Cancel │                      │ Next │             │
│            └────────┘                      └──────┘             │
│                                                                 │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
</code>

LDAP settings: TLS is mandatory, because the bind credentials and every lookup would otherwise cross the network in clear text. The Base DN is the site's branch of the INFN directory (here LNF).

<code>
┌─────────────────┤ LDAP Settings ├─────────────────┐
│                                                   │
│  [*] Use TLS                                      │
│  Server:  ldap://ds1.infn.it/_____________________│
│  Base DN: dc=lnf,dc=infn,dc=it____________________│
│                                                   │
│        ┌──────┐                  ┌──────┐         │
│        │ Back │                  │ Next │         │
│        └──────┘                  └──────┘         │
│                                                   │
│                                                   │
└───────────────────────────────────────────────────┘
</code>

Kerberos settings: enter the site realm; KDC and Admin Server can be left empty because both are discovered through DNS (SRV and TXT records).

<code>
┌─────────────────┤ Kerberos Settings ├──────────────────┐
│                                                        │
│  Realm:        LNF.INFN.IT_____________________________│
│  KDC:          ________________________________________│
│  Admin Server: ________________________________________│
│  [*] Use DNS to resolve hosts to realms                │
│  [*] Use DNS to locate KDCs for realms                 │
│                                                        │
│        ┌──────┐                    ┌────┐              │
│        │ Back │                    │ Ok │              │
│        └──────┘                    └────┘              │
│                                                        │
│                                                        │
└────────────────────────────────────────────────────────┘
</code>

authconfig then warns that a TLS connection needs the CA certificate that signed the LDAP server's certificate. Do not press OK until the certificates are in place (next step).

<code>
┌────────────────┤ Warning ├─────────────────┐
│                                            │
│  To connect to a LDAP server with TLS      │
│  protocol enabled you need a CA certificate│
│  which signed your server's certificate.   │
│  Copy the certificate in the PEM format to │
│  the '/etc/openldap/cacerts' directory.    │
│  Then press OK.                            │
│                                            │
│                   ┌────┐                   │
│                   │ Ok │                   │
│                   └────┘                   │
│                                            │
│                                            │
└────────────────────────────────────────────┘
</code>

----

Install the INFN CA certificates into the directory named in the warning:

<code bash>
curl http://www.lnf.infn.it/~dmaselli/cacerts.tgz | tar -C /etc/openldap/cacerts/ -xzvf -
</code>

Caveat: the tarball is fetched over plain HTTP, and whatever it contains becomes the trust anchor for every TLS connection to the directory; anyone able to alter it in transit could terminate the TLS sessions and read the bind credentials and lookups. Check the certificates before trusting them, for example by comparing their fingerprints (''openssl x509 -noout -fingerprint -sha256 -in <file>'') with values obtained from the AAI administrators. After pressing OK, verify that ''/etc/openldap/cacerts'' contains the hashed symlinks (''<hash>.0'') next to the PEM files; authconfig creates them with ''cacertdir_rehash'', and you can run ''cacertdir_rehash /etc/openldap/cacerts'' yourself if they are missing.

----

**vi /etc/nslcd.conf**

Set the DN and password that nslcd uses to bind to the directory for lookups. ''SEDE'' is the site placeholder and must match the Base DN entered above (for LNF: ''cn=daemon,dc=lnf,dc=infn,dc=it''); ''secret'' is a placeholder for the real password of the ''cn=daemon'' account.

<code>
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=daemon,dc=SEDE,dc=infn,dc=it

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw secret
</code>

The file now holds a clear-text password, so it must be readable by root only (''chown root:root /etc/nslcd.conf; chmod 600 /etc/nslcd.conf''). Restart the daemon (''systemctl restart nslcd'') and confirm that lookups and authentication work: ''getent passwd <user>'' must return the account from LDAP, and ''kinit <user>'' followed by ''klist'' must obtain a ticket from the realm.
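The whole procedure above as one non-interactive script, added here as an example (it is not part of the original page nor INFN's tooling): it issues the authconfig command line equivalent to the TUI selections, refuses to unpack the CA tarball unless its SHA-256 digest matches one obtained out of band, checks the hashed CA links and the nslcd.conf permissions, and ends with a user lookup and a kinit. The authconfig flags mirror the checkboxes in the screens; the environment-variable names, ''CACERTS_URL'' and ''EXPECTED_CA_SHA256'' are assumptions to fill in per site.

```shell
#!/bin/sh
# Non-interactive version of the authconfig-tui procedure above, plus the
# checks worth running before trusting the result. Added example for this
# page, not INFN tooling: the environment-variable names, CACERTS_URL and
# EXPECTED_CA_SHA256 (digest of the tarball, obtained out of band) are
# assumptions to fill in per site.
set -eu

REALM="${REALM:-LNF.INFN.IT}"
BASEDN="${BASEDN:-dc=lnf,dc=infn,dc=it}"
LDAPURI="${LDAPURI:-ldap://ds1.infn.it/}"
CACERTDIR="${CACERTDIR:-/etc/openldap/cacerts}"
CACERTS_URL="${CACERTS_URL:-http://www.lnf.infn.it/~dmaselli/cacerts.tgz}"
EXPECTED_CA_SHA256="${EXPECTED_CA_SHA256:-}"
NSLCD_CONF="${NSLCD_CONF:-/etc/nslcd.conf}"
TEST_USER="${TEST_USER:-}"

# authconfig command line matching the TUI selections: LDAP for user
# information only (LDAP authentication off), TLS on, Kerberos for
# authentication with realm and KDCs discovered through DNS.
authconfig_cmd() {   # $1 = realm, $2 = base DN, $3 = LDAP URI
    printf 'authconfig --enableldap --disableldapauth --enableldaptls'
    printf ' --ldapserver=%s --ldapbasedn=%s' "$3" "$2"
    printf ' --enablekrb5 --krb5realm=%s --enablekrb5kdcdns --enablekrb5realmdns' "$1"
    printf ' --enableshadow --enablecache --enablelocauthorize --update\n'
}

# SHA-256 pin check for a downloaded file.
verify_sha256() {    # $1 = file, $2 = expected hex digest
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# The CA bundle is the trust anchor for TLS to the directory and the page
# fetches it over plain HTTP, so refuse to unpack it unless its digest matches
# one obtained out of band (for example from the AAI administrators).
fetch_cacerts() {    # $1 = URL, $2 = expected digest, $3 = destination dir
    tmp=$(mktemp)
    curl -fsS "$1" -o "$tmp"
    if ! verify_sha256 "$tmp" "$2"; then
        rm -f "$tmp"; echo "CA bundle digest mismatch, not installing" >&2; return 1
    fi
    tar -C "$3" -xzf "$tmp" && rm -f "$tmp"
}

# libldap traditionally finds CAs in tls_cacertdir by subject-hash file name,
# which is why authconfig runs cacertdir_rehash when you press OK: require
# both the PEM files and at least one <hash>.0 link.
check_cacerts_dir() {   # $1 = directory
    pem_found=0; hash_found=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            *.pem|*.crt) pem_found=1 ;;
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]) hash_found=1 ;;
        esac
    done
    [ "$pem_found" = 1 ] && [ "$hash_found" = 1 ]
}

# nslcd.conf holds the bind password in clear text: root-only mode required.
check_nslcd_perms() {   # $1 = path to nslcd.conf
    mode=$(stat -c '%a' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Apply everything; runs only with --apply so the file can be sourced for
# its functions without side effects.
main() {
    [ -n "$EXPECTED_CA_SHA256" ] || { echo "set EXPECTED_CA_SHA256 first" >&2; exit 1; }
    fetch_cacerts "$CACERTS_URL" "$EXPECTED_CA_SHA256" "$CACERTDIR"
    eval "$(authconfig_cmd "$REALM" "$BASEDN" "$LDAPURI")"
    check_cacerts_dir "$CACERTDIR" || cacertdir_rehash "$CACERTDIR"
    chmod 600 "$NSLCD_CONF"
    check_nslcd_perms "$NSLCD_CONF"
    systemctl restart nslcd
    # Functional checks: NSS lookup through nslcd, then a Kerberos ticket.
    [ -n "$TEST_USER" ] || { echo "set TEST_USER to an AAI account" >&2; exit 1; }
    getent passwd "$TEST_USER"
    kinit "$TEST_USER" && klist
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root with ''EXPECTED_CA_SHA256=<digest> TEST_USER=<account> sh configure-aai-login.sh --apply''; without ''--apply'' it only defines the functions, so the checks can be reused on an already configured host.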