Debian LDAP Client Setup

 

  1. Make sure FQDN of the ldap server is either in /etc/hosts or DNS resolvable.
  2. Copy CA certificate from the ldap server to the client computer:
    • mkdir /etc/ldap/certs; scp root@ldap-server:/etc/ldap/certs/cacert.pem /etc/ldap/certs/
  3. Install required software packages
    • aptitude install libnss-db libnss-ldap libpam-ldap nscd nss-updatedb
      • Configuring libnss-ldap
        • LDAP server Uniform Resource Identifier: ldap://ldap-server.example.org.au
        • Distinguished name of the search base: dc=example,dc=org,dc=au
        • LDAP version to use: 3
        • Does the LDAP database require login? No
        • Special LDAP privileges for root? Yes
        • Make the configuration file readable/writeable by its owner only? No
        • LDAP account for root: cn=admin,dc=example,dc=org,dc=au
        • LDAP root account password: XXXXXXXX
      • Configuring libpam-ldap
        • Make local root Database admin? Yes
        • Does the LDAP database require login? No
        • LDAP account for root: cn=admin,dc=example,dc=org,dc=au
        • LDAP root account password: XXXXXXXX
        • Local crypt to use when changing passwords: md5
  4. Enable TLS
    • vim /etc/libnss-ldap.conf
      • ssl start_tls
      • tls_cacertfile /etc/ldap/certs/cacert.pem
  5. Configure /etc/nsswitch.conf
    • vim /etc/nsswitch.conf
      • passwd: files ldap [NOTFOUND=return] db
      • group: files ldap [NOTFOUND=return] db
      • shadow: files ldap [NOTFOUND=return] db
      • OR
      • passwd: ldap compat
      • group: ldap compat
      • shadow: ldap compat
  6. Test:
    • getent passwd
      • should return list of password entries from LDAP server
    • nss_updatedb ldap
      • should succeed.
  7. Enable cron job to update local nss database
    • touch /etc/cron.hourly/nss_updatedb-ldap.sh
    • echo "#!/bin/bash" > /etc/cron.hourly/nss_updatedb-ldap.sh
    • echo "/usr/sbin/nss_updatedb ldap" >> /etc/cron.hourly/nss_updatedb-ldap.sh
    • chmod +x /etc/cron.hourly/nss_updatedb-ldap.sh
  8. Configure pam.d
    • vi /etc/pam.d/common-auth
      • auth sufficient pam_ldap.so
      • auth required pam_unix.so nullok_secure use_first_pass
    • vi /etc/pam.d/common-account
      • account sufficient pam_ldap.so
      • account required pam_unix.so
    • vi /etc/pam.d/common-password
      • password sufficient pam_ldap.so
      • password required pam_unix.so nullok obscure min=4 max=8 md5
    • vi /etc/pam.d/common-session
      • session required pam_unix.so
      • session required pam_mkhomedir.so skel=/etc/skel/
      • session optional pam_ldap.so
      • session optional pam_foreground.so
  9. Troubleshooting:
    • Config files to look at:
      • /etc/pam_ldap.conf
      • /etc/pam_ldap.secret (Note: if you have changed the rootpw, you will have to update this file)
      • /etc/libnss-ldap.conf
      • /etc/libnss-ldap.secret (Note: if you have changed the rootpw, you will have to update this file)
