
Configure Linux Clients To Authenticate Using OpenLDAP

In this guide, let us see how to configure Linux clients to authenticate against an OpenLDAP server.

For the purpose of this tutorial, we will be using Debian 8 MATE desktop as LDAP client.
My client system’s details:
  • Operating system: Debian 8 MATE desktop
  • IP Address: 192.168.1.150/24
My LDAP Server’s details:
  • Operating system: Ubuntu 15.04 server
  • IP Address: 192.168.1.100/24

Configure Linux Clients To Authenticate Using OpenLDAP

Here, I am going to split this tutorial into two sections. First, we’ll see how to install the LDAP client packages on Debian 8, and then we’ll see how to configure the Debian 8 desktop to authenticate against the LDAP server.

1. Install LDAP client

I assume that you already have a working LDAP server. If not, refer to the above link to set up an OpenLDAP server on Debian, Ubuntu and their derivatives.
Now let us install the required packages in our LDAP client.
Switch to root user:
sudo su
Or
su
Run the following command from your Terminal to install LDAP client packages.
apt-get install libnss-ldap libpam-ldap nscd
During installation, you will be asked a variety of questions. Read them carefully and enter the appropriate values.
First, enter the LDAP server URI.
Note that you should enter the LDAP server URI as ldap://ip-address-of-ldapserver/. Using the IP address is recommended to avoid failures when the domain name service is unavailable.
Then enter the distinguished name of the search base. This value should match the values in your LDAP server’s /etc/phpldapadmin/config.php file. In my case it’s dc=unixmen, dc=local.
Select 3 as the LDAP version to use; it is recommended to use the highest available version.
Enter the LDAP administrative account details.
In our case, it was: cn=admin, dc=unixmen.com, dc=local.
Enter the LDAP administrative password.
The next window will tell you that you have to edit the nsswitch.conf file manually. Click Ok to continue.
Now the libnss-ldap package has been installed. The same questions are then repeated for libpam-ldap, so enter the same answers.
We don’t need the local root account to act as the LDAP admin account, hence we select No.
Select No at the next prompt as well.
Now, let us reconfigure libnss-ldap to review its debconf settings by entering the following command:
dpkg-reconfigure libnss-ldap
Go through the prompts again and make sure that:
  • the LDAP server URI is correct;
  • the LDAP server search base is correct;
  • the LDAP version to use is 3;
  • the LDAP database doesn’t require login, hence we select No;
  • the next two questions are also answered No.
Finally, select Ok.
That’s it. Now we have installed the LDAP client packages.

2. Configure LDAP Client

We must now point the client system at the LDAP server by adjusting its configuration files.
To do so, first edit the file /etc/ldap/ldap.conf:
nano /etc/ldap/ldap.conf
Uncomment the following lines and enter your LDAP server search BASE and URI as shown below.
[...]
BASE    dc=unixmen,dc=local
URI     ldap://192.168.1.100
[...]
Edit file /etc/nsswitch.conf,
nano /etc/nsswitch.conf
Find the following three lines and adjust them as shown below.
[...]
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
[...]
netgroup:       ldap
[...]
Now restart nscd service:
systemctl restart nscd
On Ubuntu 14.10/Debian 7 and previous versions:
service nscd restart

PAM Configuration

Now we should verify the PAM configuration. The PAM files are modified automatically during the package installation, but it is advisable to check that they look like the examples below.
Edit file /etc/pam.d/common-auth,
nano /etc/pam.d/common-auth
Make sure this file contains the following lines.
[...]
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
[...]
auth    requisite                       pam_deny.so
[...]
auth    required                        pam_permit.so
[...]
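The success=2 and success=1 values in the two bracketed lines are jump counts: a successful pam_unix skips pam_ldap and pam_deny, and a successful pam_ldap skips pam_deny, so either a local or an LDAP account reaches pam_permit while a failure in both lands on pam_deny. The following Python simulation of that walk is an added example, not code from the original guide; the pam_unix and pam_ldap results it feeds in are constructed inputs.

```python
import re
# The common-auth stack from this guide (the lines between the [...] markers).
COMMON_AUTH = """\
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
# Linux-PAM's bracket equivalents of the two keyword controls used above.
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"}}
LINE_RE = re.compile(r"^auth\s+(\[[^\]]+\]|\w+)\s+(\S+)")

def parse_stack(text):
    """Return (actions, module) pairs; actions maps a module result to a PAM action."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((actions, module))
    return stack

def run_stack(stack, outcomes):
    """Walk the stack as libpam does; outcomes maps module -> 'success' or 'auth_err'."""
    verdict, trace, i = None, [], 0
    while i < len(stack):
        actions, module = stack[i]
        trace.append(module)
        action = actions.get(outcomes[module], actions["default"])
        if action.isdigit():            # success=N: treat as ok and skip the next N modules
            i, action = i + int(action), "ok"
        if action in ("bad", "die") and verdict != "fail":
            verdict = "fail"            # the first recorded failure is never overridden
        elif action in ("ok", "done") and verdict is None:
            verdict = "success"
        if action in ("done", "die"):   # these two end the stack immediately
            break
        i += 1
    return verdict or "fail", trace
def authenticate(unix_result, ldap_result):
    """Constructed outcomes for pam_unix/pam_ldap; pam_deny always fails, pam_permit always succeeds."""
    outcomes = {"pam_unix.so": unix_result, "pam_ldap.so": ldap_result,
                "pam_deny.so": "auth_err", "pam_permit.so": "success"}
    return run_stack(parse_stack(COMMON_AUTH), outcomes)
```

Calling authenticate("auth_err", "success") traces the LDAP-user case and returns ('success', ['pam_unix.so', 'pam_ldap.so', 'pam_permit.so']); with "auth_err" for both modules the walk ends at pam_deny.so with 'fail'.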
Edit file /etc/pam.d/common-account,
nano /etc/pam.d/common-account
[...]
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
[...]
account requisite                       pam_deny.so
[...]
account required                        pam_permit.so
[...]
Edit file /etc/pam.d/common-password,
nano /etc/pam.d/common-password
[...]
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
[...]
password        requisite                       pam_deny.so
[...]
password        required                        pam_permit.so
[...]
Edit file /etc/pam.d/common-session,
nano /etc/pam.d/common-session
Add the following line at the bottom.
[...]
session  required                                         pam_mkhomedir.so
The above line creates a home directory on first login for LDAP users who do not yet have one on this client.
Edit file /etc/pam.d/common-session-noninteractive,
nano /etc/pam.d/common-session-noninteractive
[...]
session [default=1]                     pam_permit.so
[...]
session requisite                       pam_deny.so
[...]
session required                        pam_permit.so
[...]
session required        pam_unix.so
session optional                        pam_ldap.so
Restart the nscd service to apply the changes.
systemctl restart nscd
On Debian 7/Ubuntu 14.10 and lower versions:
service nscd restart
Reboot your client system and try to login with your LDAP user from client system.

Log In To LDAP Server

Now we have configured our client to authenticate against our OpenLDAP server. Let us try to log in with any LDAP user created on the OpenLDAP server. Please note that this LDAP user doesn’t exist on the local client system; don’t be confused by that.
I have already created a user named “kumar” on my OpenLDAP server. Refer to the section Sample Configuration in my previous tutorial.
So, now let us log in as user “kumar”.
Enter your LDAP user name and password.
Please note that the user named “kumar” is not a local user. We created this user in our previous guide using the phpLDAPAdmin tool.
Congratulations! You can now log in to your client system with an LDAP user.
Let us check who exactly this user is.
Open Terminal, and run:
whoami
Sample output:
kumar
Run pwd command from the Terminal to know the user’s present working directory:
pwd
Sample output:
/home/users/kumar
You should see that the home directory you selected for your user on the LDAP server is being used on this machine. It has been created on-demand to serve the LDAP user.
You should now be able to authenticate multiple computers using a centralized LDAP server. Your LDAP users will be allowed to use any of the machines you configure in this way, as long as they have the valid login credentials.
Initially this how-to may look a bit difficult, but if you follow the steps carefully you will be able to set up the complete LDAP server/client.
Good Luck!
