How-To set up an LDAP server and its clients — page 2


2. Configuring the clients

Each client needs a set of packages. So, now that you are logged on to one of your clients, install:

# apt-get install libnss-ldap libpam-ldap nscd
LDAP Account for root: cn=admin,dc=debuntu,dc=local
Password: XXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=debuntu,dc=local
Root login password: XXXX

libnss-ldap lets us use LDAP as a naming service, libpam-ldap lets PAM authenticate users through LDAP, and finally nscd is a password, group and host lookup daemon that caches results, so the LDAP server is not queried every time an authentication has to be done.

Now, let’s edit the files and make sure you get the following settings. Starting with /etc/libnss-ldap.conf:

host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local

and the secret in /etc/libnss-ldap.secret

XXXXX

Then /etc/pam_ldap.conf:

host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local

and /etc/pam_ldap.secret:

XXXXX

The PAM configuration files need to be modified a bit, like so:

/etc/pam.d/common-account:

account sufficient pam_ldap.so
account required pam_unix.so
# if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent

/etc/pam.d/common-auth:

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password:

password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session:

session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so

Finally, let’s edit nsswitch so the system is able to switch from local system authentication to LDAP authentication.

/etc/nsswitch.conf:

passwd: files ldap
group: files ldap
shadow: files ldap

With these settings, a login is tried against the local system users first. If no match is found, it will then try to authenticate against the LDAP server.
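As an added check that is not part of the original tutorial, the following script verifies the client-side files described above: the two secret files (which hold the bind password used by root, so they must be mode 0600 and not still contain the XXXXX placeholder), the host/base/rootbinddn keys in the two bind configurations, and the files-before-ldap order in nsswitch.conf. Every function takes the file path as an argument so it can be run against copies; check_client is an assumed wrapper that uses the tutorial's default paths.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: sanity checks for an LDAP client
# configured as described above (libnss-ldap / libpam-ldap / nsswitch).

# check_secret FILE: bind secret must exist, be mode 0600 and not be a placeholder.
check_secret() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    perms=$(stat -c '%a' "$f")
    [ "$perms" = "600" ] || { echo "$f mode is $perms, expected 600"; return 1; }
    case "$(cat "$f")" in
        ''|XXXXX) echo "$f still holds a placeholder secret"; return 1 ;;
    esac
    return 0
}

# check_bind_conf FILE: host, base and rootbinddn must all be set.
check_bind_conf() {
    f=$1
    for key in host base rootbinddn; do
        grep -q "^$key " "$f" || { echo "$f lacks '$key'"; return 1; }
    done
    return 0
}

# check_nsswitch FILE: passwd, group and shadow must list files before ldap.
check_nsswitch() {
    f=$1
    for db in passwd group shadow; do
        line=$(grep "^$db:" "$f" | head -n 1)
        case "$line" in
            "$db:"*files*ldap*) ;;
            *) echo "$db: expected 'files ldap', got '$line'"; return 1 ;;
        esac
    done
    return 0
}

# check_client: run all checks against the default paths used in the tutorial.
check_client() {
    check_secret /etc/libnss-ldap.secret && check_secret /etc/pam_ldap.secret &&
    check_bind_conf /etc/libnss-ldap.conf && check_bind_conf /etc/pam_ldap.conf &&
    check_nsswitch /etc/nsswitch.conf && echo "client configuration looks sane"
}
```

Source the script and run check_client as root on a configured client; each failing check prints the offending file and returns non-zero.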

Now, you should be able to connect to any client using any LDAP user’s details.

This tutorial is far from being complete, but you should be able to get started :).