Linux LDAP Client

This isn’t the gospel way, but this will get things up and running.

Install Packages

Installing these packages will prompt you with a few questions. If you aren’t sure what to answer, just accept the defaults; we’ll replace the configs in the next steps anyway.

Install the SSL certificate

Install the SSL certificate for the LDAP server to /etc/ssl/certs/servername.pem

Configure /etc/nslcd.conf

Open up /etc/nslcd.conf in an editor and configure the following (this is a very minimal example):

The default nslcd.conf file on your system is reasonably well commented if you need other options.

If your LDAP server is Apple Open Directory:
Don’t bother with rootbinddn and the other settings needed to make password changes work. Open Directory no longer stores passwords in LDAP (Apple uses PasswordService), so password changes through LDAP won’t work anyway. Maybe in the future (shakes fist @ Apple).

A word about nscd
nscd will try to cache service requests. Unfortunately, it’s kind of infamously quirky for a lot of folks. I’ve had a number of experiences where lookups fail when it’s running. That said, I leave it disabled. If you run into problems with failed lookups or other such bizarre things, I suggest disabling it.

In any event, if it’s running and you’ve just set up your nslcd.conf, you’ll need to restart it:

Edit /etc/nsswitch.conf

This was probably already set up for you by libnss-ldapd. Just make sure it’s looking at ldap for the relevant entries: edit /etc/nsswitch.conf and make it look like the following:

Verify

Execute the following:

You should get a whole slew of users from the LDAP directory.

Additionally, execute the following:

You should see the appropriate LDAP info for your user – your UID and groups.

Configure PAM

Open up /etc/pam.d/common-auth and enable the ignore_authinfo_unavail option for pam_ldap.so:

Do the same for common-password:

This tells PAM to skip the pam_ldap module when the LDAP server is unreachable. Without it, you’ll likely be “locked out” of the system whenever your LDAP server is unavailable (even from a local console login). At minimum, you’ll likely have a very delayed login and session.

Other stuff

The above will get you up and running. There’s a lot more you can configure to have much more granular and special settings on a server, but those are outside the scope of this document.

Do note that, by default, PAM will not create home directories for LDAP users. So when you log in as an LDAP user who doesn’t have a home directory on the local machine, you’ll get a (harmless) error. This can be configured in the appropriate PAM configs.

Also note that it’s a good idea to lock SSHD down to a specific list of groups. Check for the AllowGroups directive in /etc/ssh/sshd_config.

For example:

In this example, I’m letting members of the local groups adm and admin log in via SSH, as well as members of my unixadmins LDAP group.

Keep in mind that if you’re setting this up on a web server that end users access with SFTP, you’ll need to allow them as well. For example, you might add those users to an LDAP group called sftpusers or something.

For some more info on SSH hardening, see this document.
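The checks this document walks through (ldap as a source in nsswitch.conf, ignore_authinfo_unavail on every active pam_ldap.so line in common-auth and common-password, and an explicit AllowGroups list in sshd_config) as an added audit script. It is hypothetical and not from the original post; it runs against copies of the config files rather than a live LDAP server, and the sample files it writes when run without arguments are constructed.

```shell
#!/bin/sh
# Hypothetical audit script (not from the original post). Re-checks the settings
# this page walks through against config files in a directory, so it needs no
# reachable LDAP server. With no arguments it audits a constructed sample set.
# Drop comment lines so a commented-out "pam_ldap.so" line does not count.
uncommented() { grep -v '^[[:space:]]*#' "$1"; }
# passwd, group and shadow must each list ldap as a source.
check_nsswitch() {  # $1 = nsswitch.conf
    for db in passwd group shadow; do
        uncommented "$1" | grep -Eq "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" || return 1
    done
}

# Every active pam_ldap.so line must carry ignore_authinfo_unavail; otherwise
# even a local console login hangs or fails when the LDAP server is down.
check_pam_ldap() {  # $1 = common-auth or common-password
    total=$(uncommented "$1" | grep -c 'pam_ldap\.so' || true)
    ok=$(uncommented "$1" | grep 'pam_ldap\.so' | grep -c 'ignore_authinfo_unavail' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$ok" ]
}

# sshd should restrict logins to an explicit AllowGroups list.
check_allowgroups() {  # $1 = sshd_config
    uncommented "$1" | grep -Eq '^[[:space:]]*AllowGroups[[:space:]]+[^[:space:]]'
}

# Constructed sample files: everything correct except common-password, where
# the only line carrying ignore_authinfo_unavail is commented out.
write_samples() {  # $1 = directory
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$1/nsswitch.conf"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok_secure\nauth [success=done default=ignore] pam_ldap.so use_first_pass ignore_authinfo_unavail\nauth requisite pam_deny.so\n' > "$1/common-auth"
    printf 'password [success=1 default=ignore] pam_unix.so obscure sha512\n# password sufficient pam_ldap.so ignore_authinfo_unavail\npassword [success=done default=ignore] pam_ldap.so use_authtok try_first_pass\n' > "$1/common-password"
    printf 'PermitRootLogin no\nAllowGroups adm admin unixadmins\n' > "$1/sshd_config"
}

report() {  # $1 = label, $2 = check function, $3 = file
    if "$2" "$3"; then echo "PASS  $1"; else echo "FAIL  $1 ($3)"; fi
}

audit_dir() {  # $1 = directory holding the four files; prints one line per check
    report "nsswitch.conf consults ldap"            check_nsswitch    "$1/nsswitch.conf"
    report "common-auth ignore_authinfo_unavail"     check_pam_ldap    "$1/common-auth"
    report "common-password ignore_authinfo_unavail" check_pam_ldap    "$1/common-password"
    report "sshd_config AllowGroups set"             check_allowgroups "$1/sshd_config"
}

if [ "$#" -eq 0 ]; then d=$(mktemp -d); write_samples "$d"; audit_dir "$d"; rm -rf "$d"; else audit_dir "$1"; fi
```

To audit a real host, copy /etc/nsswitch.conf, /etc/pam.d/common-auth, /etc/pam.d/common-password and /etc/ssh/sshd_config into one directory and pass it as the only argument.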

ldapd vs ldap

In this document, I installed libnss-ldapd and libpam-ldapd (note the trailing ‘d’). On Debian derivatives, there are also the “classic” libpam-ldap and libnss-ldap.

From Debian’s wiki (emphasis is mine):

There are currently two packages available to configure NSS lookups through LDAP: the libnss-ldap package and the libnss-ldapd package. Which one to choose depends on the needs. In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex. Also libnss-ldap has some known issues with serving host information and lookups during boot which should be addressed in libnss-ldapd. In addition, libnss-ldap breaks setuid programs (su, sudo) when using LDAP+SSL (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579647).

I haven’t run into any issues using libnss-ldapd over libnss-ldap. In fact, it has the obvious immediate benefit of working with sudo when using LDAP+SSL (maybe this is fixed by now).
