
First configure yum and install SSSD

# Configure yum in /etc/yum.repos.d/
Get the repository file from http://public-yum.oracle.com/oracle-linux-6.html

Install SSSD

# sssd is the daemon; sssd-client carries the NSS/PAM modules that talk to it.
yum install sssd sssd-client

# yum tip
# Drop the cached metadata and rebuild it so the newly added repo is seen.
yum clean all
yum makecache

Our SSSD config – /etc/sssd/sssd.conf

[sssd]
# Configuration file format version.
config_file_version = 2
# Responders to start; each one has a matching section further down.
services = nss, pam, sudo, autofs
# Enabled [domain/<name>] sections.
domains = default

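[domain/default]
# Identity, authentication, password changes and automount maps all come from LDAP.
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap

# Two servers over ldaps://; SSSD tries them in list order.
ldap_uri = ldaps://ldap1.domain.com:1636/,ldaps://ldap2.domain.com:1636/
# ldaps:// already carries TLS; STARTTLS only applies to ldap:// URIs.
ldap_id_use_start_tls = False
# Verify the server certificate against the CA certificates in ldap_tls_cacertdir.
# The previous value, allow, proceeds even when the certificate is missing or
# invalid, which exposes the bind password and every user password to a
# spoofed LDAP server. The issuing CA certificate must be present in the
# directory below, otherwise SSSD will refuse to connect.
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts

# Search bases. The user base uses base?scope?filter form with an empty filter.
ldap_search_base = o=domain.com,dc=devtech101,dc=com
ldap_user_search_base = ou=people,o=domain.com,dc=devtech101,dc=com?sub?
ldap_group_search_base = ou=group,o=domain.com,dc=devtech101,dc=com
ldap_netgroup_search_base = ou=netgroup,o=domain.com,dc=devtech101,dc=com
# Group membership is read from the memberUid attribute (posixGroup style).
ldap_group_member = memberUid

# Bind identity used for lookups. The password is stored in clear text, so this
# file must stay root-only (0600); ldap_default_authtok_type defaults to password.
ldap_default_bind_dn = cn=proxyagent,ou=profile,dc=devtech101,dc=com
ldap_default_authtok = password

# Caching: keep hashed credentials for offline logins; cached entries are
# considered valid for 600 seconds.
cache_credentials = True
entry_cache_timeout = 600
# Seconds to wait on a server before moving to the next one.
ldap_network_timeout = 3
# Fetch the full user/group list; costly on large directories.
enumerate = True

# Host access control: only members of this group may log in.
# Alternative: access_provider = ldap with an ldap_access_filter such as
#   memberOf=cn=bda-group,ou=netgroup,o=domain.com,dc=devtech101,dc=com
#   uniquemember=cn=bda-group,ou=netgroup,o=domain.com,dc=devtech101,dc=com
access_provider = simple
simple_allow_groups = bda-login-allow

# Kerberos settings; not consulted while every provider above is ldap,
# presumably kept for switching auth_provider to krb5 later.
krb5_realm = DEVTECH101.COM
krb5_server = n01.domain.com:88,n02.domain.com:88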
# Responder sections are present but empty: no responder-specific options
# are set, so each one runs with its defaults.
[nss]

[pam]

[sudo]

[autofs]

# NOTE(review): ssh is not listed in services= of the [sssd] section, so this
# section is currently inert.
[ssh]

Reference https://docs.oracle.com/cd/E37670_01/E41138/html/ol_sssd_ldap.html
Secure and start SSSD

# The file holds the bind password in clear text, so only root may read it;
# sssd also refuses to start when the file is readable by others.
chmod 0600 /etc/sssd/sssd.conf
# Start now and enable at boot (SysV init on Oracle Linux 6).
service sssd start
chkconfig sssd on

Create LDAP configuration – /etc/ldap.conf

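# Search base and the proxy identity used for lookups.
base o=domain.com,dc=devtech101,dc=com
binddn cn=proxyagent,ou=profile,dc=devtech101,dc=com
# Clear-text bind password. nss_ldap reads this file from unprivileged
# processes, so it is usually world-readable: keep the proxyagent account
# read-only with the least directory rights it needs.
bindpw password

scope sub
timelimit 120
bind_timelimit 30
# soft: give up immediately when a server is unreachable instead of retrying,
# so a dead server does not hang logins.
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_lookup_policy yes

nss_base_passwd		ou=People,o=domain.com,dc=devtech101,dc=com?sub
nss_base_shadow		ou=People,o=domain.com,dc=devtech101,dc=com?sub
nss_base_group		ou=Group,o=domain.com,dc=devtech101,dc=com?one
nss_base_netgroup	ou=Netgroup,o=domain.com,dc=devtech101,dc=com?one

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

uri ldaps://ldap1.domain.com:1636/ ldaps://ldap2.domain.com:1636/
# ldaps:// URIs carry TLS themselves; start_tls only applies to ldap:// URIs.
ssl no
# Require a server certificate that chains to a CA in tls_cacertdir. The
# previous value, allow, silently accepted an untrusted server. The directory
# matches the one used by SSSD (the earlier value lacked the trailing s).
TLS_REQCERT demand
tls_cacertdir /etc/openldap/cacerts
pam_password md5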

Note: Also update /etc/openldap/ldap.conf

# Keep the original OpenLDAP client config and point it at /etc/ldap.conf.
# The OpenLDAP client libraries need this file readable by every user, so the
# bindpw line of /etc/ldap.conf becomes visible to all local accounts.
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf-org
ln -s /etc/ldap.conf /etc/openldap/ldap.conf

Modify /etc/security/access.conf

# pam_access rules: permission : users/groups : origins. The first matching
# line wins, so the deny-all line must stay last.
# Any account may log in locally (non-network origins).
+ : ALL : LOCAL
# Network logins are limited to members of bda-group and root.
# NOTE(review): SSSD's simple_allow_groups names bda-login-allow; if pam_access
# is enabled a user has to pass both checks, so confirm the two groups are
# meant to differ.
+ : @bda-group : ALL
+ : root : ALL
-:ALL:ALL

Initialize LDAP and update OS files for first time

# Rewrites nsswitch.conf and the PAM stack for LDAP users and LDAP authentication
# over ldaps://; --update applies the change to the system files at once.
authconfig --enableldap --enableldapauth --ldapserver=ldaps://ldap1.domain.com:1636/,ldaps://ldap2.domain.com:1636/ --ldapbasedn="o=domain.com,dc=devtech101,dc=com" --update

Note: You need to add users to the LDAP bda-login-allow group to be able to log in

Add the NFS mount for users' home directories

# Test on the command line
# NFSv3 mount of the users export onto /users (the mount point must exist).
mount -o vers=3 10.10.10.11:/export/bda_users /users

# Add to /etc/fstab
# Users' home directories (NFSv3). The dump and fsck fields are omitted and
# default to 0; intr is kept for compatibility but ignored by kernels after 2.6.25.
10.10.10.11:/export/bda_users /users nfs vers=3,intr
* SSSD tips 
Flush sss cache
# Invalidate every cached entry so the next lookup goes back to LDAP.
sss_cache -E

Issues that still need to be addressed

You need to create an LDAP user, for example hive, and in Hue add it to the proper group, for example bda_dwbi, to get it to work.

In Hue, when creating a table from a file, the hive user needs full access to move the file out of the source directory; otherwise the table is still created but an error is reported.
