Identify and fix LDAP and Kerberos identity management issues

Hands-On Lab

Michael Christian

Course Development Director in Content

Length

01:30:00

Difficulty

Advanced

Introduction

In this exercise, you will troubleshoot and resolve authentication issues with both LDAP and Kerberos.

The host at 10.0.1.5 provides both LDAP and Kerberos authentication for Server1 and Server2:

LDAP base DN: dc=example,dc=com
Kerberos realm: EXAMPLE.COM

testuser01 should be able to log in to both hosts using the password welcome1 and receive a Kerberos ticket.

Solution

Start by logging in to the lab servers using the credentials provided on the hands-on lab page:

ssh cloud_user@PUBLIC_IP_ADDRESS

Become the root user:

sudo su -

Be sure to log in to both Server1 and Server2 in separate tabs or windows.

Verify LDAP and Kerberos logins on Server1

On Server1 (10.0.1.10)

  1. Attempt to SSH in as testuser01 and receive a Kerberos ticket:

    ssh testuser01@localhost

    Password: welcome1

    kinit
  2. The SSH login succeeds, so LDAP account lookup is working, but kinit fails, so Kerberos is broken. View the Kerberos config:

    cat /etc/krb5.conf
  3. Modify /etc/krb5.conf:

    vim /etc/krb5.conf

    Change every occurrence of the realm name EXAMPLE_COM to EXAMPLE.COM (the realm must match the KDC's realm, which is the DNS domain in upper case).

    Save and close the file:

    :wq
  4. Use authconfig to enable Kerberos logins (leave all other settings as they are):

    authconfig-tui
  5. SSH in as testuser01 and receive a Kerberos ticket:

    ssh testuser01@localhost
    kinit
    klist

Verify LDAP and Kerberos logins on Server2

On Server2 (10.0.1.11)

  1. Attempt to SSH in as testuser01:

    ssh testuser01@localhost
  2. Use getent to retrieve account information about testuser01:

    getent passwd testuser01
  3. Verify LDAP and Kerberos logins are enabled:

    cat /etc/sysconfig/authconfig
  4. Use authconfig-tui to modify the LDAP settings:

    authconfig-tui
    • Be sure to enable Use LDAP in the User Information section, as well as Use LDAP Authentication in the Authentication section.
    • On the LDAP Settings screen, be sure the server is set to ldap://auth.example.com
  5. Use getent to retrieve account information about testuser01:

    getent passwd testuser01
  6. SSH in as testuser01 and receive a Kerberos ticket:

    ssh testuser01@localhost
    kinit
    klist
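The two faults this lab has you find by hand (the mis-typed realm in /etc/krb5.conf on Server1 and the disabled LDAP flags in /etc/sysconfig/authconfig on Server2) can be checked statically. The script below is an added example, not part of the lab; the sample config files it checks are constructed inline, modelled on the lab's descriptions, so it runs offline without a lab server.

```shell
#!/bin/sh
# Added example, not part of the lab: static checks for the two misconfigurations
# the lab has you find by hand (the bad realm in krb5.conf on Server1 and the
# disabled LDAP flags in /etc/sysconfig/authconfig on Server2).
# Sample config files are constructed inline so the script runs offline.
set -u

# Return 0 when FILE's [libdefaults] default_realm equals EXPECTED.
# The lab's broken krb5.conf says EXAMPLE_COM instead of EXAMPLE.COM.
check_default_realm() {
    file=$1; expected=$2
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1)
    [ "$realm" = "$expected" ]
}

# Return 0 when FILE (an /etc/sysconfig/authconfig) has USELDAP, USELDAPAUTH and
# USEKRB5 all set to yes; otherwise print the first flag that is not "yes" and return 1.
check_authconfig_flags() {
    file=$1
    for flag in USELDAP USELDAPAUTH USEKRB5; do
        val=$(sed -n "s/^$flag=//p" "$file" | tail -n 1)
        if [ "$val" != "yes" ]; then
            echo "$flag"
            return 1
        fi
    done
    return 0
}

# Constructed samples (assumed contents, modelled on the lab's descriptions).
workdir=$(mktemp -d); trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/krb5.conf.broken" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE_COM
[realms]
 EXAMPLE_COM = { kdc = auth.example.com }
EOF
cat > "$workdir/krb5.conf.fixed" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = { kdc = auth.example.com }
EOF
printf 'USELDAP=no\nUSELDAPAUTH=no\nUSEKRB5=yes\n' > "$workdir/authconfig.server2"

for f in krb5.conf.broken krb5.conf.fixed; do
    if check_default_realm "$workdir/$f" EXAMPLE.COM; then echo "$f: realm OK"; else echo "$f: realm is not EXAMPLE.COM"; fi
done
missing=$(check_authconfig_flags "$workdir/authconfig.server2") || echo "authconfig.server2: $missing is not yes"
```

On a real lab host, point the two functions at /etc/krb5.conf and /etc/sysconfig/authconfig instead of the constructed samples.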

Conclusion

Congratulations, you've completed this hands-on lab!