Local users, LDAP/SSSD integration, sudo configuration, and PAM modules.
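# Create a user with home directory
sudo useradd -m -s /bin/bash username
# Set password
sudo passwd username
# Add user to supplementary groups
# -a appends; without it, -G replaces the user's existing supplementary groups.
# NOTE: wheel normally carries sudo rights, and docker group membership is
# effectively root on the host (members can start privileged containers),
# so grant either one as deliberately as you would grant root.
sudo usermod -aG wheel,docker username
# Create a group
sudo groupadd developers
# List user groups
id username
# Lock/unlock a user
# NOTE: -l locks only the password. Logins that use another credential
# (for example an SSH key) may still succeed; to disable the account itself,
# also expire it (see usermod --expiredate).
sudo passwd -l username
sudo passwd -u username
# Delete a user and home directory
# -r removes the home directory and mail spool; files the user owned
# elsewhere are left behind under the old UID.
sudo userdel -r username
# Edit sudoers safely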
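sudo visudo
# Grant passwordless sudo for a group
# %wheel ALL=(ALL) NOPASSWD: ALL
# NOTE: with this rule any process running as a wheel member becomes root
# without re-authentication; prefer command-scoped rules like the one below.
# Grant specific commands only
# Stage the rule in a temp file and syntax-check it before installing:
# a malformed file under /etc/sudoers.d can leave sudo unusable, and the
# drop-in should be root-owned with mode 0440.
sudoers_tmp=$(mktemp)
cat >"$sudoers_tmp" <<'EOF'
webadmin ALL=(ALL) NOPASSWD: /bin/systemctl restart httpd, /bin/systemctl reload httpd
EOF
if sudo visudo -cf "$sudoers_tmp"; then
  sudo install -o root -g root -m 0440 "$sudoers_tmp" /etc/sudoers.d/webadmin
else
  echo "sudoers rule failed validation; not installed" >&2
fi
rm -f -- "$sudoers_tmp"
# Test sudo permissions
sudo -l -U username
# SSSD (System Security Services Daemon) provides centralized authentication
# against LDAP, Active Directory, or FreeIPA.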
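# Install SSSD
sudo dnf install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common-tools
# Join Active Directory domain
# realm prompts for the credentials of a domain account allowed to join
# machines; use a delegated join account rather than a domain admin where
# possible.
sudo realm join ad.example.com
# Verify
realm list
# Configure automatic home directory creation
sudo authselect select sssd with-mkhomedir
# Query directory users
# NOTE(review): after the join, every domain account that resolves here may be
# able to log in unless access is restricted (see `realm permit` / `realm deny`)
# - confirm the intended login policy.
getent passwd ad_user
id ad_user
# Start SSSD
sudo systemctl enable --now sssd
# List available PAM profiles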
sudo authselect list
# Current profile
sudo authselect current
# Enable Fingerprint auth
# `authselect select` sets the profile together with its complete feature
# list, so a feature that is not named again is dropped; that is why
# with-mkhomedir is repeated here.
sudo authselect select sssd with-fingerprint with-mkhomedir
# Account lockout after failed attempts
# NOTE(review): faillock.conf only takes effect when pam_faillock is in the
# PAM stack; under authselect that is the with-faillock feature, which the
# select command above does not include - confirm it is enabled.
# Config in /etc/security/faillock.conf:
# deny = 5
# unlock_time = 900
# even_deny_root = false
# NOTE(review): faillock.conf(5) describes even_deny_root as a bare keyword
# with no value; verify how the installed pam_faillock treats "= false".
# Leaving the line out is the unambiguous way to keep root exempt.
# Set limits per user or group in /etc/security/limits.conf:
# username soft nofile 65536
# username hard nofile 65536
# username soft nproc 4096
# username hard nproc 4096
# NOTE: these limits are applied by pam_limits when a PAM session is opened.
# Services started directly by systemd take their limits from the unit file
# (LimitNOFILE=, LimitNPROC=, LimitMEMLOCK=) instead - confirm which path the
# workload uses.
# Or use drop-in files
# NOTE(review): only a soft memlock value is written below. A soft limit cannot
# exceed the hard limit, so confirm the hard memlock limit for webapp, and
# whether unlimited locked memory is really needed for this account.
sudo tee /etc/security/limits.d/99-webapp.conf <<'EOF'
webapp soft nofile 65536
webapp hard nofile 65536
webapp soft memlock unlimited
EOF