{"id":11742,"date":"2019-03-16T04:18:35","date_gmt":"2019-03-16T04:18:35","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=11742"},"modified":"2019-03-16T04:18:35","modified_gmt":"2019-03-16T04:18:35","slug":"how-to-configure-ldap-client-to-connect-external-authentication","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/16\/how-to-configure-ldap-client-to-connect-external-authentication\/","title":{"rendered":"How to Configure LDAP Client to Connect External Authentication"},"content":{"rendered":"

LDAP<\/strong>\u00a0(short for\u00a0Lightweight Directory Access Protocol<\/strong>) is an industry standard, widely used set of protocols for accessing directory services.<\/p>\n

A directory service in simple terms is a centralized, network-based database optimized for read access. It stores and provides access to information that must either be shared between applications or is highly distributed.<\/p>\n

Directory services play an important role in developing intranet and Internet applications by helping you share information about users, systems, networks, applications, and services throughout the network.<\/p>\n

A typical use case for\u00a0LDAP<\/strong>\u00a0is to offer a centralized storage of usernames and passwords. This allows various applications (or services) to connect to the LDAP server to validate users.<\/p>\n

After setting up a working\u00a0LDAP<\/strong>\u00a0server, you will need to install libraries on the client for connecting to it. In this article, we will show how to configure an LDAP client to connect to an external authentication source.<\/p>\n

I hope you already having a working LDAP server environment, if not\u00a0setup Up LDAP Server for LDAP-based Authentication<\/a>.<\/p>\n

How to Install and Configure LDAP Client in Ubuntu and CentOS<\/h3>\n

On the client systems, you will needs to install a few necessary packages to make authentication mechanism function correctly with an LDAP server.<\/p>\n

Configure LDAP Client in Ubuntu 16.04 and 18.04<\/h4>\n

First start by installing the necessary packages by running the following command.<\/p>\n

$ sudo apt update && sudo apt install libnss-ldap libpam-ldap ldap-utils nscd\r\n<\/pre>\n
During the installation, you will be prompted for details of your\u00a0LDAP<\/strong>\u00a0server (provide the values according to your environment). Note that the\u00a0ldap-auth-config<\/strong>\u00a0package which is auto-installed does the most of the configurations based on the inputs you enter.<\/p>\n
\n
\"Enter<\/a><\/p>\n
Enter LDAP Server URI<\/p>\n<\/div>\n
Next, enter the name of the LDAP search base, you can use the components of their domain names for this purpose as shown in the screenshot.<\/p>\n
\n
\"Enter<\/a><\/p>\n
Enter LDAP Search Base<\/p>\n<\/div>\n
Also choose the LDAP version to use and click\u00a0Ok<\/strong>.<\/p>\n
\n
\"Select<\/a><\/p>\n
Select LDAP Version<\/p>\n<\/div>\n
Now configure the option to allow you to make password utilities that use\u00a0pam<\/strong>\u00a0to behave like you would be changing local passwords and click\u00a0Yes<\/strong>\u00a0to continue..<\/p>\n
\n
\"Make<\/a><\/p>\n
Make Local Root Database Admin<\/p>\n<\/div>\n
Next, disable login requirement to the LDAP database using the next option.<\/p>\n
\n
\"Disable<\/a><\/p>\n
Disable Login to LDAP Database<\/p>\n<\/div>\n
Also define LDAP account for root and click Ok.<\/p>\n
\n
\"Define<\/a><\/p>\n
Define LDAP Account for Root<\/p>\n<\/div>\n
Next, enter the password to use when\u00a0ldap-auth-config<\/strong>\u00a0tries to login to the LDAP directory using the LDAP account for root.<\/p>\n
\n
\"Enter<\/a><\/p>\n
Enter LDAP Root Password<\/p>\n<\/div>\n
The results of the dialog will be stored in the file\u00a0\/etc\/ldap.conf<\/strong>. If you want to make any alterations, open and edit this file using your favorite command line editor.<\/p>\n
Next, configure the LDAP profile for NSS by running.<\/p>\n
$ sudo auth-client-config -t nss -p lac_ldap\r\n<\/pre>\n
Then configure the system to use LDAP for authentication by updating\u00a0PAM configurations<\/a>. From the menu, choose LDAP and any other authentication mechanisms you need. You should now be able to log in using LDAP-based credentials.<\/p>\n
$ sudo pam-auth-update\r\n<\/pre>\n
\n
\"Configure<\/a><\/p>\n
Configure PAM Authentication Mechanism<\/p>\n<\/div>\n
In case you want the home directory of the user to be created automatically, then you need to perform one more configuration in the common-session PAM file.<\/p>\n
$ sudo vim \/etc\/pam.d\/common-session\r\n<\/pre>\n
Add this line in it.<\/p>\n
session required pam_mkhomedir.so skel=\/etc\/skel umask=077\r\n<\/pre>\n
Save the changes and close the file. Then restart the\u00a0NCSD<\/strong>\u00a0(Name Service Cache Daemon<\/strong>) service with the following command.<\/p>\n
$ sudo systemctl restart nscd\r\n$ sudo systemctl enable nscd\r\n<\/pre>\n
Note<\/strong>: If you are using replication, LDAP clients will need to refer to multiple servers specified in\u00a0\/etc\/ldap.conf<\/strong>. You can specify all the servers in this form:<\/p>\n
uri ldap:\/\/ldap1.example.com  ldap:\/\/ldap2.example.com\r\n<\/pre>\n
This implies that the request will time out and if the\u00a0Provider<\/strong>\u00a0(ldap1.example.com<\/strong>) becomes unresponsive, the\u00a0Consumer<\/strong>\u00a0(ldap2.example.com<\/strong>) will attempt to be reached to process it.<\/p>\n
To check the LDAP entries for a particular user from the server, run the\u00a0getent command<\/strong>, for example.<\/p>\n
$ getent passwd tecmint\r\n<\/pre>\n
If the above command displays details of the specified user from the\u00a0\/etc\/passwd<\/strong>\u00a0file, your client machine is now configured to authenticate with the LDAP server, you should be able to log in using LDAP-based credentials.<\/p>\n
Configure LDAP Client in CentOS 7<\/h3>\n
To install the necessary packages, run the following command. Note that in this section, if you are operating the system as a non-root administrative user, use the\u00a0sudo command<\/strong>\u00a0to run all commands.<\/p>\n
# yum update && yum install openldap openldap-clients nss-pam-ldapd\r\n<\/pre>\n
Next, enable the client system to authenticate using LDAP. You can use the\u00a0authconfig<\/strong>\u00a0utility, which is an interface for configuring system authentication resources.<\/p>\n
Run the following command and replace\u00a0example.com<\/strong>\u00a0with your domain and\u00a0dc=example,dc=com<\/strong>\u00a0with your LDAP domain controller.<\/p>\n
# authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=\"dc=example,dc=com\" --enablemkhomedir --update\r\n<\/pre>\n
In the above command, the\u00a0--enablemkhomedir<\/code>\u00a0option creates a local user home directory at the first connection if none exists.<\/p>\n
Next, test if the LDAP entries for a particular user from the server, for example user\u00a0tecmint<\/strong>.<\/p>\n
$ getent passwd tecmint\r\n<\/pre>\n
The above command should display details of the specified user from the\u00a0\/etc\/passwd<\/strong>\u00a0file, which implies that the client machine is now configured to authenticate with the LDAP server.<\/p>\n
Important<\/strong>: If\u00a0SELinux is enabled on your system<\/a>, you need to add a rule to allow creating home directories automatically by\u00a0mkhomedir<\/strong>.<\/p>\n
\n
For more information, consult the appropriate documentation from\u00a0OpenLDAP Software document catalog<\/a>.<\/p>\n
Summary<\/h5>\n
LDAP<\/strong>, is a widely used protocol for querying and modifying a directory service. In this guide, we have shown how to configure an LDAP client to connect to an external authentication source, in Ubuntu and CentOS client machines. You can leave any questions or comments you may have using the feedback form below.<\/p>\n
Source<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
LDAP\u00a0(short for\u00a0Lightweight Directory Access Protocol) is an industry standard, widely used set of protocols for accessing directory services. A directory service in simple terms is a centralized, network-based database optimized for read access. It stores and provides access to information that must either be shared between applications or is highly distributed. Directory services play an … <\/p>\n
Continue reading “How to Configure LDAP Client to Connect External Authentication”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11742","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=11742"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11742\/revisions"}],"predecessor-version":[{"id":11743,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11742\/revisions\/11743"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=11742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=11742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=11742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}