OpenSpeak.net

User Tools

Site Tools

Trace: la_slapd_l3
classes:la_slapd_l3

Client: Configure PAM authentication to use LDAP

Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our linux workstation to authenticate using our LDAP directory.

Logon to the client system (ssh user@cls-kvm2) and install required dependencies: 

sudo apt-get install ldap-auth-client nscd autofs

Include the following settings: 

LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu
Distinguised name of the search base: dc=itsm,dc=unt,dc=edu
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP require login: No
LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu
LDAP root account password

Configure ldap-auth-config using the answers below: 

sudo dpkg-reconfigure ldap-auth-config
Should debconf manage LDAP configuration: Yes
LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu
DN of search base: dc=itsm,dc=unt,dc=edu
Make local root DB admin: Yes
Does the LDAP DB require login: No
LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=ed
LDAP root account password: 1234567
Ok
MD5

Configure NSS authentication client for LDAP: 

sudo auth-client-config -t nss -p lac_ldap

Update PAM configuration: 

sudo pam-auth-update

Ensure the following are checked and choose Ok: 

PAM profiles to enable:
 * Unix authentication
 * LDAP Authentication
 * Register user sessions in the systemd control group hierarchy

Restart the NSCD service: 

sudo service nscd restart

Edit /etc/pam.d/common-password to remove the use_authok from the password entry: 

#password       [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass

Confirm the client sees the LDAP accounts as available for authentication; look for our LDAP users in the output of getent passwd: 

getent passwd
...
tom:x:5010:9010:tom:/nfs/cls-kvm1/tom:/bin/bash
olive:x:5011:9011:olive:/nfs/cls-kvm1/olive:/bin/bash
kevin:x:5012:9012:kevin:/nfs/cls-kvm1/kevin:/bin/bash

Now that PAM is configured to retrieve user information from the LDAP directory, we can move on to the next lesson.

classes/la_slapd_l3.txt · Last modified: 2016/12/15 20:22 by curry_searle