This is the second part of our previous tutorial, titled how to install and configure OpenLDAP server on Debian and Ubuntu systems. In this guide let us see how to configure Linux clients to authenticate using OpenLDAP server. I have tested this Guide on Debian 8 desktop and Ubuntu 15.04 desktop, it worked perfectly without any issues. And also, this guide should on other Debian and Ubuntu distributions. If you find any problems, feel free to let me know. I will check and update this tutorial ASAP.
For the purpose of this tutorial, we will be using Debian 8 MATE desktop as LDAP client.
My client system’s details:
- Operating system: Debian 8 MATE desktop
- IP Address: 192.168.1.150/24
My LDAP Server’s details:
- Operating system: Ubuntu 15.04 server
- IP Address: 192.168.1.100/24
Configure Linux Clients To Authenticate Using OpenLDAP
Here, I am going to split this tutorial into two sections. First, we’ll see how to install LDAP client on Debian 8, and then we’ll see how to configure Debian 8 desktop to authenticate.
1. Install LDAP client
I assume that you’ve had a working LDAP server already. If not, refer the above link to setup OpenLDAP server in Debian and Ubuntu and its derivatives.
Now let us install the required packages in our LDAP client.
Switch to root user:
Run the following command from your Terminal to install LDAP client packages.
apt-get install libnss-ldap libpam-ldap nscd
During installation, you will be asked a variety of questions. Read them carefully and enter the appropriate values.
First enter the ldap server IP address as shown in the below screenshot.
Note that you should enter LDAP server URI as ldap://ip-address-of-ldapserver/. Using IP address is always recommended to avoid failures when domain name services are unavailable.
Then enter the distinguished name of the search base. This value should match with your LDAP server’s /etc/phpldaadmin/config.php file values. In my case it’s dc=unixmen, dc=local.
Select Ldap version to use as 3. It is recommended to use highest available version.
Enter LDAP administrative account details.
In our case, it was: cn=admin, dc=unixmen.com, dc=local.
Enter LDAP administrative password:
The next window will say that you have to manually edit nsswitch.conf file. Click Ok to continue.
Now the libnss-ldap package has been installed. Now, we should enter the same answers for libpam-ldap, i.e the above questions will be repeated for libpam-ldap.
We don’t need to act the client LDAP admin account as local root, hence we will select No.
Now, let us reconfigure libnss-ldap to improve debconf configuration by entering the following command:
Make sure that the LDAP server URI is correct.
Make sure that the LDAP server search base:
LDAP version to use:
LDAP database doesn’t require login, hence we select No.
Finally, Select Ok.
That’s it. Now we have installed ldap client packages.
2. Configure LDAP Client
We must update our client system to look for LDAP server by adjusting their configuration files.
To do so, First edit file /etc/ldap/ldap.conf,
Uncomment the following lines and Enter your LDAP server search BASE and URI as shown below.
[...] BASE dc=unixmen,dc=local URI ldap://192.168.1.100 [...]
Edit file /etc/nsswitch.conf,
Find the following three lines and adjust them as shown below.
[...] passwd: compat ldap group: compat ldap shadow: compat ldap [...] netgroup: ldap [...]
Now restart nscd service:
systemctl restart nscd
On Ubuntu 14.10/Debian 7 and previous versions:
service nscd restart
Now we should verify the PAM configuration. The PAM configuration is modified during libnss-ldap installation. But it is advisable to verify the PAM configuration files as look like below.
Edit file /etc/pam.d/common-auth,
Make sure this file contains the following lines.
[...] auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_ldap.so use_first_pass [...] auth requisite pam_deny.so [...] auth required pam_permit.so [...]
Edit file /etc/pam.d/common-account,
[...] account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 default=ignore] pam_ldap.so [...] account requisite pam_deny.so [...] account required pam_permit.so [...]
Edit file nano /etc/pam.d/common-password,
[...] password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass [...] password requisite pam_deny.so [...] password required pam_permit.so [...]
Edit file /etc/pam.d/common-session,
Add the following line at the bottom.
session required pam_mkhomedir.so
The above line will create a HOME directory for LDAP users who does not have home directory when login to LDAP server.
Edit file /etc/pam.d/common-session-noninteractive,
[...] session [default=1] pam_permit.so [...] session requisite pam_deny.so [...] session required pam_permit.so [...] session required pam_unix.so session optional pam_ldap.so
Restart nscd service to save changes.
systemctl restart nscd
On Debian 7/Ubuntu 14.10 and lower versions:
service nscd restart
Reboot your client system and try to login with your LDAP user from client system.
Log In To LDAP Server
Now, we have configured our client to be able to log in to our OpenLDAP server. Let us try to login using any ldap users created in the openldap server. Please note that this LDAP user doesn’t exist in the local client system. Don’t be confused.
I have already created a user named “kumar” in my OpenLDAP server. Refer the section Sample Configuration in my previous tutorial.
So, now let us login with user “kumar”.
Enter your LDAP user name and password.
Please note that the user named “kumar” is not a local user. We have created this user in our previous guide using phpLDAPAdmin tool..
Congratulations! Now, you will be able to log in to your client system with LDAP user.
Let us check who exactly is this user.
Open Terminal, and run:
Run pwd command from the Terminal to know the user’s present working directory:
You should see that the home directory you selected for your user on the LDAP server is being used on this machine. It has been created on-demand to serve the LDAP user.
You should now be able to authenticate multiple computers using a centralized LDAP server. Your LDAP users will be allowed to use any of the machines you configure in this way, as long as they have the valid login credentials.
Initially this how-to will look bit difficult, but if you follow the steps carefully you will be able to setup the complete LDAP server/client.
Reference: Setup OpenLDAP On Debian