
Aug 23

LDAP Installation and Configuration for User Authentication

Installation of LDAP Server

LDAP (Lightweight Directory Access Protocol) provides centralised authentication and information storage for users, groups, domains and more. Using LDAP on a local network, you can let your users log in and authenticate from anywhere on that network. This tutorial is split into two parts. In the first part I explain how to install and configure the LDAP server and add a few users and a group; in the second part we set up a Linux client to authenticate through LDAP when the user does not exist on the local filesystem. In this tutorial I assume that our LDAP server is located at 192.168.1.4, that all machines on the network can resolve the host name ldap to 192.168.1.4, and that the LDAP server manages the domain debuntu.local. The server runs Debian 6.03.


LDAP Installation

#apt-get install slapd ldap-utils migrationtools
#apt-get install ssh nmap

Check whether LDAP is running:

#nmap -p 389 localhost
#slapcat

Restart the LDAP server and run a test search against the base DN:

#/etc/init.d/slapd restart
#ldapsearch -x -h localhost -b 'dc=wakhok,dc=ac,dc=jp'

Inserting user information into the LDAP database

First of all, create two entries named People and Group. Create a file people.ldif:

vi people.ldif
dn: ou=people,dc=wakhok,dc=ac,dc=jp
objectClass: top
objectClass: organizationalUnit
ou: People

Similarly, create a file group.ldif:

vi group.ldif
dn: ou=Group,dc=wakhok,dc=ac,dc=jp
objectClass: top
objectClass: organizationalUnit
ou: Group

Add both to the LDAP database:

ldapadd -x -h localhost -D 'cn=admin,dc=wakhok,dc=ac,dc=jp' -W -f people.ldif
ldapadd -x -h localhost -D 'cn=admin,dc=wakhok,dc=ac,dc=jp' -W -f group.ldif

Now we must enter the Linux user information into the LDAP database. Let's make a file data.ldif so that we can add the user from this file:

dn: uid=gopal,ou=people,dc=wakhok,dc=ac,dc=jp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: extensibleObject
#objectClass: inetOrgPerson
uid: gopal
cn: gopal
sn: gopal
uidNumber: 1009
gidNumber: 1000
loginShell: /bin/bash
homeDirectory: /home/gopal
userPassword: {CRYPT}ZH5o9CHpZ.gZ.
gecos: gopal
givenName: gopal
telephoneNumber: 090-8429-402
emailAddress: gopal@wakhok.ac.jp

Add it to the database using the following command:

#ldapadd -x -h localhost -D 'cn=admin,dc=wakhok,dc=ac,dc=jp' -W -f data.ldif

Use the following command to generate the 'userPassword' value and copy-paste it into the file:

# /usr/sbin/slappasswd -h '{CRYPT}'
New password:
Re-enter new password:
{CRYPT}nTFiW2Pu7XqUI

LDAP client configuration


Install nss-ldap

apt-get install libnss-ldap

You will have to enter the URI of the LDAP server, the base DN of the LDAP server and the LDAP version (v3) in the series of screens that appear. A message saying that nsswitch.conf cannot be configured automatically will be displayed. To check the resulting configuration, look at the file /etc/libnss-ldap.conf.

In line 24:

base dc=wakhok,dc=ac,dc=jp

In line 27:

uri ldap://IP_ADDRESS_OF_LDAP_SERVER/

In line 53:

rootbinddn cn=admin,dc=wakhok,dc=ac,dc=jp

Now edit the file /etc/nsswitch.conf so that it reads as follows:

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd: compat ldap
#group: compat ldap
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns ldap
networks: files ldap

protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap


Install pam-ldap

apt-get install libpam-ldap

You will be asked two questions; answer 'NO' to both.
Edit the file /etc/pam.d/common-auth:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

Edit the file /etc/pam.d/common-account

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so

Edit the file /etc/pam.d/common-password

password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

Edit the file /etc/pam.d/common-session

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_ck_connector.so nox11
session required pam_mkhomedir.so

Edit the file /etc/pam.d/common-session-non-interactive

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so

Now restart the nscd daemon on the client:

/etc/init.d/nscd restart
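As an added check that is not part of the original tutorial, the following script verifies the client wiring just configured: it confirms that nsswitch.conf and the PAM files actually reference the LDAP modules and that a user resolves through NSS without having a local /etc/passwd entry. The script name ldap-client-check.sh is hypothetical; paths are the Debian defaults used on this page.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the client-side
# NSS/PAM wiring described above. Paths are the Debian defaults used on this page.

# Return 0 when every database named in $2.. lists "ldap" as a source in the
# nsswitch.conf given as $1. Commented lines such as "#passwd: compat ldap" are ignored.
nss_uses_ldap() {
    file=$1; shift
    for db in "$@"; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$file" || {
            echo "nsswitch: '$db' does not consult ldap in $file" >&2
            return 1
        }
    done
}

# Return 0 when PAM file $1 has an uncommented line of type $2 (auth, account, ...)
# that loads module $3.
pam_has_module() {
    file=$1 type=$2 module=$3
    grep -Eq "^[[:space:]]*${type}[[:space:]].*${module}([[:space:]]|$)" "$file" || {
        echo "pam: no '$type' line loading $module in $file" >&2
        return 1
    }
}

# Return 0 when user $1 is visible through NSS (so via libnss-ldap) while having no
# entry in the local /etc/passwd, which is exactly the setup this tutorial builds.
ldap_only_user() {
    if grep -q "^$1:" /etc/passwd; then
        echo "$1 is a local account, not an LDAP-only one" >&2
        return 1
    fi
    getent passwd "$1" >/dev/null
}

# Live run on a configured client: sh ldap-client-check.sh --live gopal
if [ "${1:-}" = "--live" ]; then
    nss_uses_ldap /etc/nsswitch.conf passwd shadow group &&
    pam_has_module /etc/pam.d/common-auth auth pam_ldap.so &&
    pam_has_module /etc/pam.d/common-account account pam_ldap.so &&
    pam_has_module /etc/pam.d/common-session session pam_mkhomedir.so &&
    ldap_only_user "${2:?user name required}" &&
    echo "ok: ${2} resolves through LDAP"
fi
```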

Cheers!!

Written by: Dibesh Shrestha
