Adding Linux client to LDAP

Brandon Hart -

Using CentOS 6.2 and openldap 2.4-23

1) Install packages

#> yum -y install openldap-clients nss-pam-ldapd

2) Configure the ldap.conf configure file

#> vi /etc/openldap/ldap.conf

# add at the last line
# LDAP server's URI
URI ldap:///
# specify Suffix
BASE dc=mycompany,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

3) Configure the nslcd.conf configure file

#> vi /etc/nslcd.conf

# line 131: specify URI, Suffix
uri ldap:///
base dc=mycompany,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

4) Configure the pam_ldap.conf configure file

#> vi /etc/pam_ldap.conf

# line 17: make it comment
#host 127.0.0.1
# line 20: specify Suffix
base dc=mycompany,dc=com
# add at the last line
uri ldap:///
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

5) Configure the system-auth configure file

#> vi /etc/pam.d/system-auth

# add like follows

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# add if you need ( create home directory automatically if it's none )

session optional pam_mkhomedir.so skel=/etc/skel umask=077

6) Configure the msswitch.conf configure file

#> vi /etc/nsswitch.conf

passwd:files ldap# line 33: add
shadow:files ldap# add

group:files ldap
# addnetgroup:ldap
# line 57: change
automount: files ldap
# line 61: change

7) Configure the authconfig configure file

#> vi /etc/sysconfig/authconfig

# line 18: change
USELDAP=yes

8) Add and restart services

#> chkconfig nslcd on
#> shutdown -r now

Have more questions? Submit a request

0 Comments

Article is closed for comments.