Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our linux workstation to authenticate using our LDAP directory.
Logon to the client system (ssh user@cls-kvm2) and install required dependencies:
sudo apt-get install ldap-auth-client nscd autofs
Include the following settings:
LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu Distinguised name of the search base: dc=itsm,dc=unt,dc=edu LDAP version to use: 3 Make local root Database admin: Yes Does the LDAP require login: No LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu LDAP root account password
Configure ldap-auth-config using the answers below:
sudo dpkg-reconfigure ldap-auth-config
Should debconf manage LDAP configuration: Yes LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu DN of search base: dc=itsm,dc=unt,dc=edu Make local root DB admin: Yes Does the LDAP DB require login: No LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=ed LDAP root account password: 1234567 Ok MD5
Configure NSS authentication client for LDAP:
sudo auth-client-config -t nss -p lac_ldap
Update PAM configuration:
sudo pam-auth-update
Ensure the following are checked and choose Ok:
PAM profiles to enable: * Unix authentication * LDAP Authentication * Register user sessions in the systemd control group hierarchy
Restart the NSCD service:
sudo service nscd restart
Edit /etc/pam.d/common-password to remove the use_authok from the password entry:
#password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
Confirm the client sees the LDAP accounts as available for authentication; look for our LDAP users in the output of getent passwd:
getent passwd ... tom:x:5010:9010:tom:/nfs/cls-kvm1/tom:/bin/bash olive:x:5011:9011:olive:/nfs/cls-kvm1/olive:/bin/bash kevin:x:5012:9012:kevin:/nfs/cls-kvm1/kevin:/bin/bash
Now that PAM is configured to retrieve user information from the LDAP directory, we can move on to the next lesson.