This is a multi-part article in which I cover different areas of configuring an OpenLDAP server on a CentOS 7 Linux node. Use the links below to reach the other parts of this tutorial:

Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Step-by-Step Tutorial: Install and Configure OpenLDAP
Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates
Step-by-Step Tutorial: Configure LDAP client to authenticate with LDAP server


Step-by-Step Tutorial: Configure LDAP client to authenticate with LDAP server


Configure LDAP client to authenticate with LDAP server using TUI

Configuring a client system to use an LDAP directory for user authentication is as easy as pie on a Fedora or RHEL system. Fedora has command-line utilities as well as GUI tools (for example, system-config-authentication, authconfig-gtk) that make it easy.

  • One of the command-line tools is provided by the authconfig package. Make sure it is installed along with the other prerequisites by running the following:
[root@ldap-client ~]# yum install openldap-clients pam_ldap nss-pam-ldapd authconfig
  • Next, copy /etc/openldap/cacerts/ca.key.pem from ldap-server to ldap-client, keeping the same location (/etc/openldap/cacerts/ca.key.pem). This file is referenced by the authconfig tool.
  • To launch the tool from the command line, type the following:
[root@ldap-client ~]# authconfig-tui
  • A screen similar to the one shown next will appear:

    [Screenshot: the Authentication Configuration screen of authconfig-tui]

  • In the Authentication Configuration screen, navigate to (using TAB on your keyboard) and then select (using SPACEBAR on your keyboard) the following:
    Use LDAP → Under the User Information section
    Use LDAP Authentication → Under the Authentication section
  • Navigate to the Next button and press ENTER to select it.

    [Screenshot: the LDAP Settings screen of authconfig-tui]

  • Use the following information to complete the fields in the ensuing LDAP Settings screen:
    Server: ldap://10.0.2.20/
    Base DN: dc=example,dc=com


NOTE:
Here 10.0.2.20 is the IP address of my ldap-server; replace it with your own server's details.
  • When we click OK, this will automatically change a series of files that otherwise would have to be changed by hand. For example, it will add the following lines to the /etc/openldap/ldap.conf file:
URI ldap://10.0.2.20/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
NOTE:
Here comment out TLS_CACERTDIR and add TLS_REQCERT never
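The NOTE above turns off server-certificate verification, so the client will accept whatever certificate is presented on that connection; what remains of TLS is confidentiality against a passive observer, not assurance that the host answering on 10.0.2.20 is the real ldap-server. The following Python check is added here as an illustration and is not part of the original tutorial: it parses an ldap.conf-style file and flags the two weak conditions (TLS_REQCERT set to never or allow, and no TLS_CACERT/TLS_CACERTDIR trust anchor), comparing the file as the NOTE leaves it with a hardened version that keeps the CA directory and demands verification. Both configuration texts are constructed samples. Because directive names are uppercased before comparison, the same parser can also be pointed at /etc/nslcd.conf, which carries the equivalent tls_reqcert and tls_cacertdir settings for nslcd.

```python
# Constructed sample: the lines the tutorial says authconfig writes to
# /etc/openldap/ldap.conf, with the NOTE applied (TLS_CACERTDIR commented
# out, TLS_REQCERT never). This is the weak configuration.
WEAK_LDAP_CONF = """\
URI ldap://10.0.2.20/
BASE dc=example,dc=com
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
"""

# Constructed: the same file with the CA directory kept and verification demanded.
HARDENED_LDAP_CONF = """\
URI ldap://10.0.2.20/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for the active lines of an ldap.conf-style file.

    Comment and blank lines are skipped. Directive names are uppercased, so the
    same parser also reads /etc/nslcd.conf, which uses lowercase keys."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means the server will be verified."""
    conf = parse_ldap_conf(text)
    findings = []
    # ldap.conf(5): TLS_REQCERT defaults to 'demand'. 'never' and 'allow'
    # accept any certificate, so an on-path host can answer as the server.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    # Without a trust anchor, even TLS_REQCERT demand has nothing to verify against.
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no CA to validate the server against")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_ldap_conf(text) or ["ok"])
```

For TLS_REQCERT demand to succeed, the cacerts directory must hold the CA certificate (the ca.cert.pem file from the TLS part of this series) and be rehashed, for example with cacertdir_rehash from the authconfig package, so that the OpenLDAP client can locate it by subject hash.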


Configure LDAP client to authenticate with LDAP server using CLI

You can also configure the LDAP client with a single authconfig command, as shown below:

[root@ldap-client ~]# authconfig --enableldap --enableldapauth --ldapserver=10.0.2.20 --ldapbasedn="dc=example,dc=com" --enableldaptls --update
NOTE:
If you have already configured your client using authconfig-tui, you can skip the configuration using authconfig.


Create LDAP user

In order to authenticate as an LDAP user, when we create the user, we have to include a series of fields, such as shell, uid, gid, etc. As an example, let’s add the user testuser1. We begin by creating the testuser1.ldif file, with the following content:

[root@ldap-client ~]# cat testuser1.ldif
dn: uid=testuser1,ou=users,dc=example,dc=com
uid: testuser1
cn: testuser1
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: {SSHA}5rMM/3f8Ki13IyarGTtwzieoTu7KMgwc
shadowLastChange: 17016
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/testuser1
sn: testuser1
mail: testuser1@example.com
NOTE:
Here I have already created an encrypted password for testuser1 using slappasswd on the ldap-server node. My password for testuser1 is test.
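The userPassword value above is in the format slappasswd produces by default: the {SSHA} scheme, which is the base64 encoding of SHA-1(password || salt) followed by the salt itself. The Python below is an added example, not code from the tutorial, that builds and verifies such values and decodes the "attr:: base64" form in which ldapsearch prints the attribute back. The fixed salt used in the main block is a constructed value so the output is reproducible; slappasswd draws a random one.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Produce an RFC 2307 {SSHA} value the way slappasswd does by default:
    base64( SHA1(password || salt) || salt ). slappasswd draws a random salt;
    a caller may pass one in for reproducible output."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against an {SSHA} value. The salt is whatever follows
    the 20-byte SHA-1 digest, so any salt length slapd accepts is handled.
    The digest comparison is constant-time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_decode_line(line):
    """Split one LDIF attribute line into (name, value). A double colon
    ('attr:: ...') marks a base64-encoded value, which is how ldapsearch
    prints userPassword."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.strip()


if __name__ == "__main__":
    # Constructed fixed salt so the printed hash is the same on every run.
    value = ssha_hash("test", salt=b"\x01\x02\x03\x04")
    print("userPassword:", value)
    print("verify 'test':", ssha_verify("test", value))
    print("verify 'Test':", ssha_verify("Test", value))
    # The double-colon form in which ldapsearch echoes the attribute back.
    encoded = "userPassword:: " + base64.b64encode(value.encode("ascii")).decode("ascii")
    print(ldif_decode_line(encoded))
```

ssha_verify can be pointed at the hash in testuser1.ldif to confirm it matches the password stated in the NOTE. Because {SSHA} is a single SHA-1 pass over a short salt, it gives little resistance to offline guessing if directory contents leak; keep userPassword unreadable to anonymous and ordinary binds through the server's ACLs, and consider slapd's password-hash setting to select a slower scheme.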


Create LDAP group

We also need a group for testuser1, so I will add one to our existing OU, users:

[root@ldap-client ~]# cat groups.ldif
dn: cn=testuser1,ou=users,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: testuser1
userPassword: {crypt}x
gidNumber: 1001
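Both LDIF files above must satisfy the schema MUST lists (posixAccount needs cn, uid, uidNumber, gidNumber and homeDirectory; posixGroup needs cn and gidNumber; person needs sn and cn; shadowAccount needs uid), the user's gidNumber should resolve to a group, and the numeric ids should not collide with accounts that already exist locally on the client, because getent merges both sources and two names sharing one uid get identical rights on disk. The Python below, added as an example and not code from the tutorial, parses a constructed copy of the two entries (the shadow* attributes are left out for brevity) and runs those checks against a constructed excerpt of the client's /etc/passwd and /etc/group. The parse_ldif, validate and REQUIRED names are the example's own.

```python
import base64

# Constructed copy of testuser1.ldif and groups.ldif from the tutorial
# (shadow* attributes left out to keep the sample short).
SAMPLE_LDIF = """\
dn: uid=testuser1,ou=users,dc=example,dc=com
uid: testuser1
cn: testuser1
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: {SSHA}5rMM/3f8Ki13IyarGTtwzieoTu7KMgwc
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/testuser1
sn: testuser1
mail: testuser1@example.com

dn: cn=testuser1,ou=users,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: testuser1
gidNumber: 1001
"""

# Constructed excerpts of the client's local /etc/passwd and /etc/group.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nceph:x:1000:1000::/home/ceph:/bin/bash\n"
LOCAL_GROUP = "root:x:0:\nceph:x:1000:\n"

# MUST attributes (lowercased) from the RFC 2307 and core schema definitions.
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
    "shadowaccount": {"uid"},
    "person": {"sn", "cn"},
}


def parse_ldif(text):
    """Parse simple LDIF into a list of {attr: [values]} dicts with attribute
    names lowercased. Entries are separated by blank lines; 'attr:: x' is base64."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if raw.startswith("#"):
            continue
        name, _, rest = raw.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def object_classes(entry):
    return {v.lower() for v in entry.get("objectclass", [])}


def first(entry, attr):
    return entry.get(attr, [None])[0]


def validate(entries, local_passwd, local_group):
    """Return a list of problems to fix before running ldapadd; [] means clean."""
    problems = []
    local_uids = {line.split(":")[2] for line in local_passwd.splitlines() if line}
    local_gids = {line.split(":")[2] for line in local_group.splitlines() if line}
    group_gids = {first(e, "gidnumber") for e in entries if "posixgroup" in object_classes(e)}
    for e in entries:
        dn = first(e, "dn")
        classes = object_classes(e)
        for oc in sorted(classes):
            missing = REQUIRED.get(oc, set()) - set(e)
            if missing:
                problems.append(f"{dn}: {oc} requires {sorted(missing)}")
        if "posixaccount" in classes:
            if first(e, "gidnumber") not in group_gids:
                problems.append(f"{dn}: gidNumber {first(e, 'gidnumber')} has no posixGroup")
            if first(e, "uidnumber") in local_uids:
                problems.append(f"{dn}: uidNumber {first(e, 'uidnumber')} collides with a local account")
        if "posixgroup" in classes and first(e, "gidnumber") in local_gids:
            problems.append(f"{dn}: gidNumber {first(e, 'gidnumber')} collides with a local group")
    return problems


if __name__ == "__main__":
    for line in validate(parse_ldif(SAMPLE_LDIF), LOCAL_PASSWD, LOCAL_GROUP) or ["entries look consistent"]:
        print(line)
```

On a real client, feed the function the output of `getent passwd` and `getent group` taken before the LDAP entries are added, so that ids already served by another source are caught as well.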


Add user and group to LDAP database

Add the user and group to the LDAP directory using the commands below:

[root@ldap-client ~]# ldapadd -f testuser1.ldif -x -D cn=admin,dc=example,dc=com -w redhat
adding new entry "uid=testuser1,ou=users,dc=example,dc=com"

[root@ldap-client ~]# ldapadd -x -D cn=admin,dc=example,dc=com -f groups.ldif -w redhat
adding new entry "cn=testuser1,ou=users,dc=example,dc=com"


Validate the new user and group

Run the ldapsearch command again and verify users and groups are listed under the base DN to complete the configuration.

[root@ldap-client ~]# ldapsearch -x -D cn=admin,dc=example,dc=com -b dc=example,dc=com -w redhat
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example

# users, example.com
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

# scientists, users, example.com
dn: cn=scientists,ou=users,dc=example,dc=com
cn: scientists
objectClass: groupOfNames
member: cn=Archimedes of Syracuse,ou=users,dc=example,dc=com

# testuser1, users, example.com
dn: uid=testuser1,ou=users,dc=example,dc=com
uid: testuser1
cn: testuser1
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e1NTSEF9NXJNTS8zZjhLaTEzSXlhckdUdHd6aWVvVHU3S01nd2M=
shadowLastChange: 17016
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/testuser1
sn: testuser1
mail: testuser1@example.com

# testuser1, users, example.com
dn: cn=testuser1,ou=users,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: testuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5


Install SSSD

To ease the process of authentication, we should also install sssd.

[root@ldap-client ~]# yum -y install sssd


Activate the changes

Next, restart the daemons below so the changes take effect on the system:

[root@ldap-client ~]# systemctl restart nslcd
[root@ldap-client ~]# systemctl restart nscd

Validate that the new user we created in LDAP is now visible to the system:

[root@ldap-client ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
libstoragemgmt:x:998:996:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
ceph:x:1000:1000::/home/ceph:/bin/bash
nagios:x:996:994::/var/spool/nagios:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nrpe:x:995:992:NRPE user for the NRPE service:/var/run/nrpe:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
sssd:x:994:991:User for sssd:/:/sbin/nologin
testuser1:x:1001:1001:testuser1:/home/testuser1:/bin/bash


Create home directory for LDAP user

Manually create the home directory for the LDAP user:

[root@ldap-client ~]# mkdir /home/testuser1

Copy the skel content to the user’s home directory

[root@ldap-client ~]# cp -a /etc/skel/.bash* /home/testuser1/


Connect via LDAP User

Now we’ll be able to authenticate with an LDAP user

login as: testuser1
testuser1@10.0.2.13's password:
[testuser1@ldap-client ~]$




Lastly, I hope the steps in this article to configure an LDAP client to authenticate with an LDAP server on Linux were helpful. Let me know your suggestions and feedback in the comment section.

2 Comments

  1. – Step-by-Step Tutorial: Configure OpenLDAP with TLS certificates CentOS 7 Linux
    [root@ldap-server CA]# cp -v certs/ca.cert.pem /etc/openldap/cacerts/
    ‘certs/ca.cert.pem’ -> ‘/etc/openldap/cacerts/ca.cert.pem’

    – Step-by-Step Tutorial: Configure LDAP client to authenticate with LDAP server
    Next copy /etc/openldap/cacerts/ca.key.pem from the ldap-server to ldap-client in the same location under /etc/openldap/cacerts/ca.key.pem.

    Question:
    ‘/etc/openldap/cacerts/ca.cert.pem’ /etc/openldap/cacerts/ca.key.pem
