Symas OpenLDAP Knowledge Base

Enable Linux Logins Using LDAP Credentials

These instructions apply to RedHat/CentOS, Debian/Ubuntu and SuSE.

Start by adding the following to /opt/symas/etc/openldap/ldap.conf on the LDAP server:

    sudo vi /opt/symas/etc/openldap/ldap.conf
    BASE dc=example,dc=com
    URI ldapi:///
    TLS_CACERT /opt/symas/ssl/CACert.pem

Note: The TLS_CACERT line is only needed if you use a certificate/key pair for TLS-encrypted connections; omit it otherwise.

The settings in the ldap.conf file are global for all connections to the LDAP server.

Configure nsswitch.conf

Next, update the /etc/nsswitch.conf file with the following:

    sudo vi /etc/nsswitch.conf
    passwd:          compat ldap 
    group:           compat ldap 
    shadow:          compat ldap 
    gshadow:         files
    
    hosts:           files dns hostname
    # mdns4_minimal [NOTFOUND=return] dns myhostname 
    networks:        files
    
    protocols:       db files
    services:        db files
    ethers:          db files
    rpc:             db files
    
    netgroup:        nis

Because both compat (local files) and ldap are listed for passwd, group and shadow, a user that is not in the LDAP database can still be resolved from /etc/passwd.

Install nslcd and nscd

Install Commands

Run the following commands with sudo.

RedHat Linux and CentOS

        yum install nss-pam-ldapd nscd -y

Debian and Ubuntu

        apt-get install nslcd nscd -y

SUSE

        zypper install nss-pam-ldapd nscd

Configure nscd and nslcd

NSCD

The defaults in /etc/nscd.conf are acceptable; no changes are required.

NSLCD

Configure /etc/nslcd.conf as follows:

        sudo vi /etc/nslcd.conf

Add/Modify:

        # The user and group nslcd should run as.
        uid nslcd
        gid nslcd
        
        # The location at which the LDAP server(s) should be reachable. If the server is
        # the local box, this can be ldapi:///
        uri ldap://ldapserver.example.com
        
        # The search base that will be used for all queries.
        base dc=example,dc=com
        
        # The LDAP protocol version to use.
        ldap_version 3
        
        # The DN to bind with for normal lookups.
        binddn uid=system-authority,ou=applications,dc=example,dc=com
        bindpw <This password must be plain text. Protect this file.>
        
        # The DN used for password modifications by root. (Optional)
        #rootpwmoddn dc=example,dc=com
        #rootpwmodpw <This password must be plain text. Protect this file.>
        
        # SSL options (optional)
        #ssl off
        #tls_reqcert try
        tls_cacertfile /etc/ssl/certs/<ldap server CA>.crt
        
        # The search scope.
        scope sub
        
        nss_initgroups_ignoreusers ALLLOCAL

CA Certificate

Copy the CA certificate (CA.crt) from the LDAP server to /etc/ssl/certs/ on the client, and point tls_cacertfile in /etc/nslcd.conf at it.

Enable NSLCD Service

        update-rc.d nslcd enable

Restart NSCD & NSLCD Services

        /etc/init.d/nscd restart
        /etc/init.d/nslcd restart

Test Connectivity

Use the getent command to test that the client resolves accounts through LDAP:

        getent passwd

If an account exists both in /etc/passwd and in LDAP, it is listed twice: the first line comes from the local files (compat), the second from LDAP. If so, nsswitch is working. Note that the two entries carry different UIDs; the local entry wins because compat is listed before ldap in nsswitch.conf. Example output:

        jdoe:x:1000:1000:Jane Doe,,,:/home/jdoe:/bin/bash
        jdoe:x:2029:2029:Jane Doe:/home/jdoe:/bin/bash
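As an added check, not part of the Symas article, the following POSIX shell script audits getent output for login names that come back with two different UIDs (as jdoe does above) and verifies that /etc/nslcd.conf, which holds bindpw in plain text, is not readable by other users. The sample passwd lines are constructed and the function names are my own.

```shell
#!/bin/sh
# Added audit helpers for the nsswitch/nslcd setup described above.

# Constructed sample of `getent passwd` output: jdoe is returned once from
# /etc/passwd (UID 1000) and once from LDAP (UID 2029).
SAMPLE_PASSWD='jdoe:x:1000:1000:Jane Doe,,,:/home/jdoe:/bin/bash
jdoe:x:2029:2029:Jane Doe:/home/jdoe:/bin/bash
asmith:x:2030:2030:Alan Smith:/home/asmith:/bin/bash
root:x:0:0:root:/root:/bin/bash'

# Read passwd-format lines on stdin and print "name first_uid other_uid" for
# every login name seen with more than one UID. With "passwd: compat ldap"
# the first (local) entry wins, so the LDAP UID is silently unused for
# logins on this host while files on other hosts may be owned by it.
find_uid_conflicts() {
    awk -F: '
        NF >= 7 {
            if ($1 in uid && uid[$1] != $3) {
                print $1, uid[$1], $3
            } else if (!($1 in uid)) {
                uid[$1] = $3
            }
        }'
}

# Return 0 if the file mode is 0600 or 0400 (owner-only), else 1.
# Uses GNU stat -c, falling back to BSD stat -f.
check_secret_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case "$mode" in
        600|400) return 0 ;;
    esac
    return 1
}

# Stand-alone usage: `sh audit.sh --audit` inspects the live system.
audit() {
    getent passwd | find_uid_conflicts
    check_secret_file /etc/nslcd.conf ||
        echo "WARNING: /etc/nslcd.conf should be mode 0600 (it contains bindpw)"
}

if [ "${1:-}" = --audit ]; then audit; fi
```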