=== Client: Configure PAM authentication to use LDAP ===

Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our Linux workstation to authenticate using our LDAP directory.

Log on to the client system (''ssh user@cls-kvm2'') and install the required dependencies:

  sudo apt-get install ldap-auth-client nscd autofs

Include the following settings:

  LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu
  Distinguished name of the search base: dc=itsm,dc=unt,dc=edu
  LDAP version to use: 3
  Make local root Database admin: Yes
  Does the LDAP require login: No
  LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu
  LDAP root account password

Configure ldap-auth-config using the answers below:

  sudo dpkg-reconfigure ldap-auth-config

  Should debconf manage LDAP configuration: Yes
  LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu
  DN of search base: dc=itsm,dc=unt,dc=edu
  Make local root DB admin: Yes
  Does the LDAP DB require login: No
  LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu
  LDAP root account password: 1234567
  Ok
  MD5

Configure the NSS authentication client for LDAP:

  sudo auth-client-config -t nss -p lac_ldap

Update the PAM configuration:

  sudo pam-auth-update

Ensure the following are checked and choose Ok:

  PAM profiles to enable:
  * Unix authentication
  * LDAP Authentication
  * Register user sessions in the systemd control group hierarchy

Restart the NSCD service:

  sudo service nscd restart

Edit ''/etc/pam.d/common-password'' to remove ''use_authtok'' from the ''password'' entry:

  #password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
  password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

Confirm the client sees the LDAP accounts as available for authentication; look for our LDAP users in the output of ''getent passwd'':

  getent passwd
  ...
  tom:x:5010:9010:tom:/nfs/cls-kvm1/tom:/bin/bash
  olive:x:5011:9011:olive:/nfs/cls-kvm1/olive:/bin/bash
  kevin:x:5012:9012:kevin:/nfs/cls-kvm1/kevin:/bin/bash

Now that PAM is configured to retrieve user information from the LDAP directory, we can move on to the next lesson.
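
The following audit script is an added example, not part of the original lesson: it checks the files the steps above modify and reports whether the ''ldap://'' URI is protected by TLS. It assumes that ldap-auth-config wrote its settings to ''/etc/ldap.conf'' and that the ''lac_ldap'' profile put ''ldap'' on the passwd, group and shadow lines of ''/etc/nsswitch.conf''; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the client files touched by the steps above.
# Paths are arguments so the checks can also run against copies.

# nss_has_ldap FILE DB: succeeds if the DB line in nsswitch.conf lists "ldap".
nss_has_ldap() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]ldap([[:space:]]|\$)" "$1"
}

# pam_password_ok FILE: succeeds if an uncommented pam_ldap.so password line
# exists and no such line still carries use_authtok.
pam_password_ok() {
    active=$(grep -E '^[[:space:]]*password[[:space:]].*pam_ldap\.so' "$1") || return 1
    ! printf '%s\n' "$active" | grep -qw 'use_authtok'
}

# ldap_transport FILE: prints ldaps, starttls or cleartext for an ldap.conf.
ldap_transport() {
    if grep -Eiq '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+on)' "$1"; then echo ldaps
    elif grep -Eiq '^[[:space:]]*ssl[[:space:]]+start_tls' "$1"; then echo starttls
    else echo cleartext
    fi
}

# audit_ldap_client NSSWITCH PAM_COMMON_PASSWORD LDAP_CONF
# Prints one line per finding and returns the number of findings.
audit_ldap_client() {
    findings=0
    for db in passwd group shadow; do
        nss_has_ldap "$1" "$db" || { echo "FAIL nss: $db does not use ldap"; findings=$((findings + 1)); }
    done
    pam_password_ok "$2" || { echo "FAIL pam: pam_ldap.so password line missing or has use_authtok"; findings=$((findings + 1)); }
    [ "$(ldap_transport "$3")" != cleartext ] || { echo "WARN ldap: binds travel unencrypted (ldap:// without StartTLS)"; findings=$((findings + 1)); }
    return "$findings"
}

if [ "$#" -eq 3 ]; then
    audit_ldap_client "$@"   # e.g. /etc/nsswitch.conf /etc/pam.d/common-password /etc/ldap.conf
else
    d=$(mktemp -d)           # constructed sample files mirroring the settings above
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$d/nss"
    printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass\n' > "$d/pam"
    printf 'uri ldap://cls-kvm1.itsm.unt.edu\nbase dc=itsm,dc=unt,dc=edu\n' > "$d/ldap"
    audit_ldap_client "$d/nss" "$d/pam" "$d/ldap" || echo "findings: $?"
    rm -rf "$d"
fi
```

Run without arguments it audits the constructed samples and reports the cleartext transport; run with the three real paths it exits with the number of findings.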