How to authenticate a Linux client with LDAP server

With OpenLDAP, you can manage users on a centralized directory server and then configure each desktop to authenticate to that server.

If you work primarily in a Microsoft environment, you probably use Active Directory to authenticate your desktop and server machines against a centralized directory. This setup makes it incredibly easy to manage users and lets anyone log into any desktop (or server) without needing a local account on the machine.

But what about a Linux environment? If you have a number of desktops and servers on a network, what can you do to create such a system? You can turn to OpenLDAP. With OpenLDAP, you can manage users on a centralized directory server and then configure each desktop to authenticate to that server. Let me show you how.

What you need

The first thing you'll need is a server running OpenLDAP (see: How to install OpenLDAP on Ubuntu 18.04). I'll assume you have that up and properly configured. I highly recommend using LDAP Account Manager to add your users (see: How to install LDAP Account Manager on Ubuntu 18.04). Next, I will assume you also have Linux desktop clients that you want to authenticate against your LDAP server.

I'll demonstrate with Ubuntu Desktop 18.04.

Installing the client

With your server configured and running, you only need to work on the client machines. Log into one of your clients (you have to take care of these steps on all clients) and install the necessary software with the following command:

sudo apt-get install libnss-ldap libpam-ldap ldap-utils nscd -y

During the installation, you will be asked to define the LDAP server URI (Figure A). The URI should be in the form ldap://SERVER_IP, where SERVER_IP is the IP address of your OpenLDAP server.

Figure A: Configuring the server URI.
Next, you must specify the distinguished name (DN) of your LDAP search base (Figure B). This will be in the form dc=example,dc=com.

Figure B: Configuring the distinguished name for your OpenLDAP server.
If you're not sure what the DN of your OpenLDAP server is, log into LDAP Account Manager, click Tree View, and you'll see it listed in the left pane (Figure C).

Figure C: The DN of an OpenLDAP server.
The next screens in the installation ask:

  • Specify LDAP version (select 3)
  • Make local root Database admin (select Yes)
  • Does the LDAP database require login (select No)
  • Specify LDAP admin account suffix (this will be in the form cn=admin,dc=example,dc=com)
  • Specify password for LDAP admin account (this will be the password for the LDAP admin user)

That's it for the installation.

Configuring the client

Now we must configure our client to be able to authenticate against the OpenLDAP server. On the client, open a terminal window and issue the command:

sudo nano /etc/nsswitch.conf

In that file, add ldap at the end of the following entries:

passwd: compat systemd
group: compat systemd
shadow: files

These should now look like:

passwd: compat systemd ldap
group: compat systemd ldap
shadow: files ldap

At the end of that first section, add the following line:

gshadow: files

Save and close that file.

Next, issue the command:

sudo nano /etc/pam.d/common-password

Remove use_authtok from the following line:

password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

Save and close that file.

Issue the command:

sudo nano /etc/pam.d/common-session

At the end of that file, add the following:

session optional pam_mkhomedir.so skel=/etc/skel umask=077

Save and close that file. The above line will create the default home directory for any LDAP user that doesn't have a local account on the client.

Reboot the client machine and then, when the log-in screen is presented, attempt to log in with a user on your OpenLDAP server. It should authenticate and all is well. Make sure to configure all of your clients in the same fashion, so they can make use of the OpenLDAP directory services.
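The three edits above (nsswitch.conf, common-password and common-session) are easy to get subtly wrong by hand, and they need repeating on every client. The script below is an added example, not code from the original article: it applies exactly those edits to the files you name, backs each file up first, and then verifies the result; with no arguments it runs against constructed copies of the stock Ubuntu 18.04 lines quoted above, so it can be tried without touching /etc. The function names and the sample file contents are mine; the gshadow line is written as gshadow: files, which is the syntax nsswitch.conf requires.

```shell
#!/bin/sh
# Added example, not part of the original article: applies the three client-side
# edits described above (nsswitch.conf, common-password, common-session) to the
# files you name, backs every file up, and then checks the result. With no
# arguments it runs against constructed copies of the stock Ubuntu 18.04 lines
# quoted in the article, so it can be tried safely.

# Append "ldap" to the passwd, group and shadow databases if it is missing, and
# add the gshadow line. Each nsswitch.conf database line is independent, so the
# gshadow line may go at the end of the file.
nsswitch_add_ldap() {
    awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") has = 1
            if (!has) $(NF + 1) = "ldap"      # rebuilds the line with single spaces
        }
        $1 == "gshadow:" { seen = 1 }
        { print }
        END { if (!seen) print "gshadow:        files" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Drop use_authtok from the pam_ldap.so password line; other lines are untouched.
pam_password_drop_authtok() {
    awk '
        /^password/ && /pam_ldap\.so/ {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "use_authtok") out = out (out == "" ? "" : " ") $i
            $0 = out
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Append the pam_mkhomedir line once; running twice must not duplicate it.
pam_session_add_mkhomedir() {
    grep -q 'pam_mkhomedir\.so' "$1" ||
        printf 'session optional pam_mkhomedir.so skel=/etc/skel umask=077\n' >> "$1"
}

# Return 0 only if all three files are in the state the article describes.
verify_client_config() {
    for db in passwd group shadow; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|\$)" "$1" || return 1
    done
    grep -q '^gshadow:' "$1" || return 1
    if grep -E '^password.*pam_ldap\.so' "$2" | grep -q 'use_authtok'; then
        return 1
    fi
    grep -q 'pam_mkhomedir\.so' "$3"
}

# After the reboot, this is the quickest check that NSS can resolve a user:
# getent walks the passwd sources listed in nsswitch.conf, local files first.
lookup_user() {
    getent passwd "$1" > /dev/null
}

# Back up each file, apply the edits, verify.
apply_client_config() {
    for f in "$1" "$2" "$3"; do cp -p "$f" "$f.bak"; done
    nsswitch_add_ldap "$1"
    pam_password_drop_authtok "$2"
    pam_session_add_mkhomedir "$3"
    verify_client_config "$1" "$2" "$3"
}

# Constructed sample files (not captured from a real system) for a dry run.
demo_on_constructed_files() {
    dir=$(mktemp -d)
    printf 'passwd:         compat systemd\ngroup:          compat systemd\nshadow:         files\nhosts:          files dns\n' > "$dir/nsswitch.conf"
    printf 'password\t[success=1 user_unknown=ignore default=die]\tpam_ldap.so use_authtok try_first_pass\npassword\trequisite\tpam_deny.so\n' > "$dir/common-password"
    printf 'session\trequired\tpam_unix.so\n' > "$dir/common-session"
    if apply_client_config "$dir/nsswitch.conf" "$dir/common-password" "$dir/common-session"; then
        rc=0
    else
        rc=1
    fi
    cat "$dir/nsswitch.conf" "$dir/common-password" "$dir/common-session"
    rm -rf "$dir"
    return $rc
}

# Usage: sh ldap-client-config.sh             (dry run on constructed copies)
#        sudo sh ldap-client-config.sh /etc/nsswitch.conf /etc/pam.d/common-password /etc/pam.d/common-session
if [ $# -eq 3 ]; then
    apply_client_config "$1" "$2" "$3"
else
    demo_on_constructed_files
fi
```

Run the dry run first and read the printed files; once they look right, run it with the three real paths on each client, then use getent passwd SOME_LDAP_USER (what lookup_user wraps) to confirm the directory is consulted before you reboot and try the graphical login. The script only touches NSS and PAM; whether the bind to the ldap://SERVER_IP URI chosen during installation is protected by TLS depends on the client and server configuration, which this script does not change.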

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.