Enable Linux Logins Using LDAP Credentials
These instructions apply to RedHat/CentOS, Debian/Ubuntu and SuSE.
Start by adding the following to /opt/symas/etc/openldap/ldap.conf located on the LDAP server
sudo vi /opt/symas/etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldapi:///
TLS_CACERT /opt/symas/ssl/CACert.pem
Note: The TLS_CACERT is unnecessary if not using SSL Certificate/Key pairs for encrypted connectivity.
The settings in the ldap.conf file are global for all connections to the LDAP server.
Configure nsswitch.conf
Next, update the /etc/nsswitch.conf file with the following:
sudo vi /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files
hosts: files dns hostname
# mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If the user is not in the LDAP database, /etc/passwd will be used instead.
Install nslcd and nscd
Install Commands
Run the follow commands as sudo.
RedHat Linux and CentOS
yum nss-pam-ldapd nscd -y
Debian and Ubuntu
apt-get install nslcd nscd --y
SUSE
zypper nss-pam-ldapd nscd
Configure nscd and nslcd
NSCD
The defaults in /etc/nscd.conf are acceptable. No changes are required
NSLCD
Configure /etc/nslcd.conf as follows:
sudo vi /etc/nslcd.conf
Add/Modify:
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable. If this is the local box
# this can be the ldapi:///
uri ldap://ldapserver.example.com
# The search base that will be used for all queries.
base dc=example,dc=com
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups. Do not binddn
uid=system-authority,ou=applications,dc=example,dc=com bindpw <This
password must be plain text. Protect this file.>
# The DN used for password modifications by root. (Optional)
#rootpwmoddn dc=example,dc=com
#rootpwmodpw <This password must be plain text. Protect this file.>
# SSL options (optional)
#ssl off
#tls_reqcert try
tls_cacertfile /etc/ssl/certs/<ldap server CA>.crt
# The search scope.
scope sub
nss_initgroups_ignoreusers ALLLOCAL
CA Certificate
Copy the CA.crt file from the LDAP server to /etc/ssl/certs/ on the local client.
Enable NSLCD Service
update-rc.d nslcd enable
Restart NSCD & NSLCD Services
/etc/init.d/nscd restart
Test Connectivity
Use the getent command to test local connectivity using ldap credentials:
getent passwd
You should get the result twice. If so the nsswitch works fine. See my responses below as an example:
jdoe:x:1000:1000:Jane Doe,,,:/home/jdoe:/bin/bash
jdoe:x:2029:2029:Jane Doe:/home/jdoe:/bin/bash