

Client: Configure PAM authentication to use LDAP

Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our Linux workstation to authenticate against our LDAP directory.

Log on to the client system (ssh user@cls-kvm2) and install the required dependencies:

sudo apt-get install ldap-auth-client nscd autofs

When the package installer prompts for LDAP settings, use the following:

LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu
Distinguished name of the search base: dc=itsm,dc=unt,dc=edu
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login: No
LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu
LDAP root account password

Configure ldap-auth-config using the answers below:

sudo dpkg-reconfigure ldap-auth-config
Should debconf manage LDAP configuration: Yes
LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu
DN of search base: dc=itsm,dc=unt,dc=edu
Make local root DB admin: Yes
Does the LDAP DB require login: No
LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu
LDAP root account password: 1234567
Ok
Local crypt to use when changing passwords: MD5

Configure NSS authentication client for LDAP:

sudo auth-client-config -t nss -p lac_ldap

Update PAM configuration:

sudo pam-auth-update

Ensure the following are checked and choose Ok:

PAM profiles to enable:
 * Unix authentication
 * LDAP Authentication
 * Register user sessions in the systemd control group hierarchy

Restart the NSCD service:

sudo service nscd restart

Edit /etc/pam.d/common-password to remove use_authtok from the pam_ldap password entry (with use_authtok, pam_ldap insists on reusing the new password collected by the preceding pam_unix module, which has no local entry to change for users that exist only in LDAP, so password changes for them fail):

#password       [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass

Confirm the client sees the LDAP accounts as available for authentication; look for our LDAP users in the output of getent passwd:

getent passwd
...
tom:x:5010:9010:tom:/nfs/cls-kvm1/tom:/bin/bash
olive:x:5011:9011:olive:/nfs/cls-kvm1/olive:/bin/bash
kevin:x:5012:9012:kevin:/nfs/cls-kvm1/kevin:/bin/bash

Now that we have the client configured to read authentication data from LDAP, we can create and configure ownership of the exported home directories:

cd /nfs/cls-kvm1/
sudo mkdir /nfs/cls-kvm1/kevin
sudo chown -R kevin:kevin kevin
sudo mkdir /nfs/cls-kvm1/olive
sudo chown -R olive:olive olive
sudo mkdir /nfs/cls-kvm1/tom
sudo chown -R tom:tom tom

Test authentication using su - kevin or su - olive:

su - kevin
Password: 
kevin@cls-kvm2:~$ 

You can confirm your home directory location using the pwd command:

kevin@cls-kvm2:~$ pwd
/nfs/cls-kvm1/kevin
kevin@cls-kvm2:~$ 
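As an added example (not part of the original page), the script below bundles the checks a practitioner would want after walking through the steps above: that nsswitch.conf lists ldap for passwd, group and shadow, that the active pam_ldap line in common-password no longer carries use_authtok, that the search base in the /etc/ldap.conf written by ldap-auth-config matches the one the server was populated with, and whether the client talks to the server over TLS or in the clear. Each function takes the file to inspect as an argument, so the same checks run against the real files on cls-kvm2 or against the constructed sample files that make_samples writes; the sample contents, the function names and the file layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the client-side
# LDAP authentication setup. Pass real paths (/etc/nsswitch.conf,
# /etc/pam.d/common-password, /etc/ldap.conf) or the constructed samples below.

# Search base the client is expected to use (from the lab's answers).
EXPECTED_BASE='dc=itsm,dc=unt,dc=edu'

# passwd, group and shadow must list the ldap source in nsswitch.conf,
# otherwise getent passwd never shows directory users.
check_nsswitch() {
    f="$1"
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$f" || {
            echo "nsswitch: '$db' does not include ldap" >&2
            return 1
        }
    done
    return 0
}

# The active (uncommented) pam_ldap password line must not carry use_authtok;
# the commented-out original line is ignored.
check_common_password() {
    f="$1"
    active=$(grep -Ev '^[[:space:]]*#' "$f" | grep -E '^password.*pam_ldap\.so' || true)
    [ -n "$active" ] || { echo "common-password: no active pam_ldap line" >&2; return 1; }
    case "$active" in
        *use_authtok*) echo "common-password: pam_ldap still uses use_authtok" >&2; return 1 ;;
    esac
    return 0
}

# Print "tls" if ldap.conf uses ldaps:// or ssl start_tls, else "plain".
# The lab's plain ldap:// URI sends the bind password unencrypted, so this is
# the setting to revisit outside the lab.
ldap_transport() {
    f="$1"
    if grep -Eq '^uri[[:space:]]+ldaps://' "$f" || grep -Eq '^ssl[[:space:]]+start_tls' "$f"; then
        echo tls
    else
        echo plain
    fi
}

# The search base in ldap.conf must match what the server was populated with.
check_base() {
    f="$1"
    base=$(sed -n 's/^base[[:space:]][[:space:]]*//p' "$f" | head -n 1)
    [ "$base" = "$EXPECTED_BASE" ]
}

# Constructed sample files mirroring the lab: a correct set, plus a
# common-password where use_authtok was left in. Prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd:   compat ldap\ngroup:    compat ldap\nshadow:   compat ldap\nhosts:    files dns\n' > "$d/nsswitch.conf"
    printf 'base dc=itsm,dc=unt,dc=edu\nuri ldap://cls-kvm1.itsm.unt.edu\nldap_version 3\n' > "$d/ldap.conf"
    cat > "$d/common-password.good" <<'EOF'
#password       [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
password        requisite                       pam_deny.so
EOF
    cat > "$d/common-password.bad" <<'EOF'
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
EOF
    echo "$d"
}

# Run the checks against the constructed samples; swap in the /etc paths on a
# real client.
S=$(make_samples)
check_nsswitch "$S/nsswitch.conf" && echo "nsswitch: ok"
check_common_password "$S/common-password.good" && echo "common-password: ok"
check_base "$S/ldap.conf" && echo "base: ok"
echo "transport: $(ldap_transport "$S/ldap.conf")"
```

Run it as root on the client with the /etc paths substituted for the sample directory; a non-zero return from any check names the file and the setting that still needs attention on stderr.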
classes/la_slapd_l3.1481861816.txt.gz · Last modified: 2016/12/15 20:16 by curry_searle