First configure yum and install SSSD
# Configure yum in /etc/yum.repos.d/. Get the repo file from http://public-yum.oracle.com/oracle-linux-6.html
Install SSSD
yum install sssd sssd-client
# yum tip: yum clean all; yum makecache
Our SSSD config – /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo, autofs
config_file_version = 2
domains = default

[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = o=domain.com,dc=devtech101,dc=com
#krb5_realm = DEVTECH101.COM
#krb5_server = n01.domain.com:88,n02.domain.com:88
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap1.domain.com:1636/,ldaps://ldap2.domain.com:1636/
ldap_tls_reqcert = allow
#ldap_tls_reqcert = never
#ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_group_member = memberUid
entry_cache_timeout = 600
ldap_network_timeout = 3
#ldap_access_filter = (&(object)(object))
ldap_default_bind_dn = cn=proxyagent,ou=profile,dc=devtech101,dc=com
#ldap_default_authtok_type = password
ldap_default_authtok = password
enumerate = True
ldap_user_search_base = ou=people,o=domain.com,dc=devtech101,dc=com?sub?
ldap_group_search_base = ou=group,o=domain.com,dc=devtech101,dc=com
ldap_netgroup_search_base = ou=netgroup,o=domain.com,dc=devtech101,dc=com
#access_provider = ldap
#ldap_access_filter = memberOf=cn=bda-group,ou=netgroup,o=domain.com,dc=devtech101,dc=com
#ldap_access_filter = uniquemember=cn=bda-group,ou=netgroup,o=domain.com,dc=devtech101,dc=com
access_provider = simple
simple_allow_groups = bda-login-allow
autofs_provider = ldap
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = DEVTECH101.COM
krb5_server = n01.domain.com:88,n02.domain.com:88

[nss]
[pam]
[sudo]
[autofs]
[ssh]
Reference https://docs.oracle.com/cd/E37670_01/E41138/html/ol_sssd_ldap.html
Secure and start SSSD
chmod 0600 /etc/sssd/sssd.conf
service sssd start
chkconfig sssd on
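The config above works, but two of its settings are worth a second look before it goes to production: `ldap_tls_reqcert = allow` means SSSD does not reject an LDAP server whose certificate fails validation, and `ldap_default_authtok` puts the proxy bind password in the file, which is why the `chmod 0600` matters. The following audit script is an added example, not part of the original post or of SSSD itself; it parses an sssd.conf excerpt (constructed from the config above, with the same hypothetical hosts) and flags those settings using the defaults documented in sssd.conf(5) and sssd-ldap(5) (`ldap_tls_reqcert` defaults to `hard`, `ldap_id_use_start_tls` and `enumerate` to false, `access_provider` to `permit`).

```python
"""Audit the security-relevant settings of an sssd.conf [domain/...] section (added example)."""
import configparser
from typing import List

# Constructed sample: an excerpt of the sssd.conf from the post above.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, sudo, autofs
config_file_version = 2
domains = default

[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap1.domain.com:1636/,ldaps://ldap2.domain.com:1636/
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=proxyagent,ou=profile,dc=devtech101,dc=com
ldap_default_authtok = password
enumerate = True
access_provider = simple
simple_allow_groups = bda-login-allow
"""

# Constructed hardened variant: certificate verification enforced, no enumeration.
HARDENED_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap1.domain.com:1636/
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = cn=proxyagent,ou=profile,dc=devtech101,dc=com
ldap_default_authtok = password
access_provider = simple
simple_allow_groups = bda-login-allow
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style: '#' lines are comments, values must not be %-interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    return cp


def mode_is_private(st_mode: int) -> bool:
    """True when group and other have no permission bits, as 'chmod 0600' produces."""
    return (st_mode & 0o077) == 0


def audit_domain(cp: configparser.ConfigParser, domain: str = "default") -> List[str]:
    """Return a list of human-readable findings for [domain/<domain>]."""
    findings: List[str] = []
    sec = f"domain/{domain}"
    if sec not in cp:
        return [f"missing section [{sec}]"]
    d = cp[sec]

    # Transport: ldap:// without STARTTLS sends the bind password and user data in cleartext.
    uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
    start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
    for uri in uris:
        if uri.startswith("ldap://") and not start_tls:
            findings.append(f"cleartext LDAP without STARTTLS: {uri}")

    # Certificate checking: 'allow' and 'never' accept an unverifiable server certificate.
    reqcert = d.get("ldap_tls_reqcert", "hard").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate is not verified")

    # Credentials on disk: the bind password lives in this file, so its mode must be private.
    if d.get("ldap_default_authtok"):
        findings.append("ldap_default_authtok present: bind password stored in sssd.conf, keep mode 0600")

    # enumerate = True pulls the whole directory into the cache; costly on large directories.
    if d.get("enumerate", "false").lower() == "true":
        findings.append("enumerate = True: full directory enumeration enabled")

    # Access control: 'permit' (the default) lets every LDAP user log in.
    provider = d.get("access_provider", "permit").lower()
    if provider == "permit":
        findings.append("access_provider = permit: every LDAP user may log in")
    elif provider == "simple" and not (d.get("simple_allow_groups") or d.get("simple_allow_users")):
        findings.append("access_provider = simple with no simple_allow_* list")
    return findings


if __name__ == "__main__":
    for name, text in (("post config", SAMPLE_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print(name)
        for finding in audit_domain(parse_sssd_conf(text)):
            print("  -", finding)
```

Run it against the real file with `parse_sssd_conf(open("/etc/sssd/sssd.conf").read())` and `mode_is_private(os.stat("/etc/sssd/sssd.conf").st_mode)`; on the config from the post it reports the `allow` certificate policy, the stored bind password and enumeration, while the hardened variant only reminds you that the bind password is still on disk.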
Create LDAP configuration – /etc/ldap.conf
base o=domain.com,dc=devtech101,dc=com
binddn cn=proxyagent,ou=profile,dc=devtech101,dc=com
bindpw password
scope sub
timelimit 120
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_lookup_policy yes
nss_base_passwd ou=People,o=domain.com,dc=devtech101,dc=com?sub
nss_base_shadow ou=People,o=domain.com,dc=devtech101,dc=com?sub
nss_base_group ou=Group,o=domain.com,dc=devtech101,dc=com?one
nss_base_netgroup ou=Netgroup,o=domain.com,dc=devtech101,dc=com?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldaps://ldap1.domain.com:1636/ ldaps://ldap2.domain.com:1636/
#ssl start_tls
#tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT allow
ssl no
bind_policy soft
pam_password md5
tls_cacertdir /etc/openldap/cacert
Note: Also update /etc/openldap/ldap.conf (here it is replaced by a symlink to /etc/ldap.conf)
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf-org; ln -s /etc/ldap.conf /etc/openldap/ldap.conf
Modify /etc/security/access.conf
+ : ALL : LOCAL
+ : @bda-group : ALL
+ : root : ALL
- : ALL : ALL
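pam_access evaluates access.conf top to bottom and the first rule whose user and origin fields both match decides; when nothing matches, access is granted, which is why the closing `- : ALL : ALL` line is what actually locks the host down. The evaluator below is an added example (not part of the post or of pam_access) that models that first-match behaviour on the rules above, simplified in two ways that are labelled in the code: `LOCAL` is taken to match any origin without a dot, and the user's group and netgroup names are passed in as one constructed membership set, whereas real pam_access resolves `@name` as a netgroup and a bare name as a user or group.

```python
"""First-match evaluation of /etc/security/access.conf rules (added, simplified model of pam_access)."""
from typing import List, Optional, Set, Tuple

# Constructed sample: the access.conf from the post above.
SAMPLE_ACCESS_CONF = """
+ : ALL : LOCAL
+ : @bda-group : ALL
+ : root : ALL
- : ALL : ALL
"""

Rule = Tuple[bool, List[str], List[str]]  # (allow?, user items, origin items)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'perm : users : origins' lines; '#' starts a comment, blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _user_item_matches(item: str, user: str, memberships: Set[str]) -> bool:
    """Simplified: '@name' matches a netgroup/group in memberships, a bare name matches the user or a group."""
    if item == "ALL":
        return True
    if item.startswith("@"):
        return item[1:] in memberships
    return item == user or item in memberships


def _origin_item_matches(item: str, origin: str) -> bool:
    """Simplified: LOCAL matches a tty name or an unqualified host name (no dot in the origin)."""
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin
    return item == origin


def evaluate(rules: List[Rule], user: str, memberships: Set[str], origin: str) -> Optional[bool]:
    """Return the verdict of the first matching rule, or None when no rule matches
    (pam_access then grants access, so a trailing '- : ALL : ALL' is the real deny-by-default)."""
    for allow, users, origins in rules:
        if any(_user_item_matches(u, user, memberships) for u in users) and any(
            _origin_item_matches(o, origin) for o in origins
        ):
            return allow
    return None


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for who, groups, where in (
        ("alice", {"bda-group"}, "10.10.10.5"),  # in the netgroup, remote: allowed
        ("bob", {"users"}, "10.10.10.5"),        # not in the netgroup, remote: denied
        ("bob", set(), "tty1"),                  # console login: allowed by the LOCAL rule
        ("root", set(), "10.10.10.5"),           # root from anywhere: allowed
    ):
        print(who, where, "->", evaluate(rules, who, groups, where))
```

Swapping the order so that `- : ALL : ALL` comes first denies everyone, including root, because the first match wins; the test below checks that case as well as the no-match fall-through.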
Initialize LDAP and update OS files for first time
authconfig --enableldap --enableldapauth --ldapserver=ldaps://ldap1.domain.com:1636/,ldaps://ldap2.domain.com:1636/ --ldapbasedn="o=domain.com,dc=devtech101,dc=com" --update
Note: You need to add users to the LDAP bda-login-allow group to be able to log in
Add NFS for users mount
# Test on the command line
mount -o vers=3 10.10.10.11:/export/bda_users /users
# Add to /etc/fstab
# Users' home directories
10.10.10.11:/export/bda_users /users nfs vers=3,intr
* SSSD tips
Flush the sss cache:
sss_cache -E
Issues that need to be addressed
You need to create an LDAP user, for example hive, and in Hue add it to the proper group, for example bda_dwbi, to get it to work.
In Hue, when creating a table from a file, the hive user needs full access to move the file out of the source directory; otherwise it errors. The table is still created, but Hue reports an error if the move fails.