Client: Configure PAM authentication to use LDAP
Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our Linux workstation to authenticate against our LDAP directory.
Log on to the client system (ssh user@cls-kvm2) and install the required dependencies:
sudo apt-get -y install ldap-auth-client nscd autofs
Configure ldap-auth-config:
sudo dpkg-reconfigure ldap-auth-config
Include the following settings:
* LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu
* Distinguished name of the search base: dc=itsm,dc=unt,dc=edu
* LDAP version to use: 3
* Make local root Database admin: Yes
* Does the LDAP require login: No
* LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu
* LDAP root account password: enter the password for that account
Configure NSS authentication client for LDAP:
sudo auth-client-config -t nss -p lac_ldap
Update PAM configuration:
sudo pam-auth-update
Ensure the following PAM profiles are checked and choose Ok:
* Unix authentication
* LDAP Authentication
* Register user sessions in the systemd control group hierarchy
Restart the NSCD service:
sudo service nscd restart
Edit /etc/pam.d/common-password to remove the use_authtok option from the pam_ldap.so password entry (the original line is kept commented out above the corrected one):
#password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
Confirm the client sees the LDAP accounts as available for authentication; look for our LDAP users in the output of getent passwd:
getent passwd
...
tom:x:5010:9010:tom:/nfs/cls-kvm1/tom:/bin/bash
olive:x:5011:9011:olive:/nfs/cls-kvm1/olive:/bin/bash
kevin:x:5012:9012:kevin:/nfs/cls-kvm1/kevin:/bin/bash
Now that we have the client configured to read authentication data from LDAP, we can create the exported home directories and configure their ownership:
cd /nfs/cls-kvm1/
sudo mkdir /nfs/cls-kvm1/kevin
sudo chown -R kevin:kevin kevin
sudo mkdir /nfs/cls-kvm1/olive
sudo chown -R olive:olive olive
sudo mkdir /nfs/cls-kvm1/tom
sudo chown -R tom:tom tom
Test authentication using su - kevin or su - olive:
su - kevin
Password:
No directory, logging in with HOME=/
groups: cannot find name for group ID 9012
kevin@cls-kvm2:/$
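As an added example (not part of the original page), the common-password edit above scripted with sed instead of a hand edit, plus checks for the getent and su steps; the two password lines are constructed sample input and the helper names are my own:

```shell
#!/bin/sh
# Added example, not from the original wiki page. Assumes the Ubuntu
# common-password layout shown on the page; the sample lines below are
# constructed so the script runs without an LDAP server.

# Drop the use_authtok option from the active pam_ldap.so password line only.
# The pam_unix.so line keeps its use_authtok and commented lines are untouched.
# $1: path to common-password (work on a copy first).
strip_ldap_use_authtok() {
    tmp="$1.tmp.$$"
    sed '/^password.*pam_ldap\.so/ s/[[:space:]]use_authtok//' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Succeed when no active pam_ldap.so password line still carries use_authtok.
ldap_password_line_ok() {
    ! grep -q '^password.*pam_ldap\.so.*use_authtok' "$1"
}

# Print the LDAP users NSS cannot resolve (the ones "getent passwd" should
# list); return 1 if any are missing, so it can gate the home-directory steps.
missing_users() {
    rc=0
    for u in "$@"; do
        getent passwd "$u" >/dev/null 2>&1 || { echo "$u"; rc=1; }
    done
    return $rc
}

# Resolve a user's primary GID to a group name. An empty result is what the
# "groups: cannot find name for group ID ..." message in the su test means.
primary_group_of() {
    gid=$(getent passwd "$1" | cut -d: -f4)
    [ -n "$gid" ] || return 1
    getent group "$gid" | cut -d: -f1
}

# Demo on a constructed copy of two password lines (the page's pam_ldap line
# and a pam_unix line that must keep its own use_authtok).
demo=$(mktemp)
printf '%s\n' \
  'password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass' \
  'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512' \
  > "$demo"
strip_ldap_use_authtok "$demo"
cat "$demo"
rm -f "$demo"
```

Run missing_users tom olive kevin and primary_group_of kevin on the client after nscd restarts; both exercise nsswitch.conf the same way the su test does.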
In the next step we will resolve the "No directory, logging in with HOME=/" error message by configuring autofs-mounted home directories.