Enable Linux Logins Using LDAP Credentials
Learn how to configure your Linux system to allow users to log in using their LDAP credentials, making it easier to manage user accounts and access controls throughout your organization.
Date: 01-17-2022
These instructions apply to: RedHat/CentOS, Debian/Ubuntu and SuSE.
This guide walks you through enabling Linux logins using LDAP credentials. It covers configuring the LDAP client settings, updating NSS (Name Service Switch) and installing the nslcd and nscd services, which together make LDAP users and groups visible to the system. Password authentication itself goes through PAM: the pam_ldap module comes from the same nss-pam-ldapd project (package libpam-ldapd on Debian/Ubuntu), and enabling it is distribution-specific (pam-auth-update on Debian/Ubuntu, authselect or authconfig on RedHat/CentOS, pam-config on SUSE).
Step 1: Configure ldap.conf
Open /opt/symas/etc/openldap/ldap.conf on your LDAP server. This file configures the OpenLDAP command-line tools (ldapsearch, ldapmodify and so on) on that host:
sudo vi /opt/symas/etc/openldap/ldap.conf
Add the following configuration:
BASE dc=example,dc=com
URI ldapi:///
TLS_CACERT /opt/symas/ssl/CACert.pem
The TLS_CACERT setting is needed only when the tools connect over TLS (an ldaps:// URI or STARTTLS), so that the server certificate can be verified against your CA; the ldapi:/// URI above is a local Unix-domain socket and does not use TLS.
The ldap.conf file is the system-wide client configuration and applies to every LDAP connection the tools make on this host; a per-user ~/.ldaprc overrides it.
Step 2: Update nsswitch.conf
Edit the /etc/nsswitch.conf file to configure NSS to use LDAP:
sudo vi /etc/nsswitch.conf
Add ldap as follows:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files
hosts: files dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Because compat (the local files, with support for +/- NIS-style entries) is listed before ldap, every lookup consults /etc/passwd, /etc/group and /etc/shadow first and falls through to LDAP only when the name or ID is not found locally. Local accounts therefore take precedence over LDAP accounts of the same name. If you do not use compat entries, files ldap behaves the same way.
Step 3: Install nslcd and nscd
Install the nslcd and nscd services as follows:
RedHat Linux and CentOS:
sudo yum install nss-pam-ldapd nscd -y
Debian and Ubuntu (libnss-ldapd is the NSS module that nslcd serves; apt normally pulls it in as a recommended package, but listing it explicitly avoids a silent miss when recommends are disabled):
sudo apt-get install nslcd libnss-ldapd nscd -y
SUSE:
sudo zypper install nss-pam-ldapd nscd
Step 4: Configure nslcd.conf
The nslcd configuration file, /etc/nslcd.conf, defines connection settings for LDAP.
Open /etc/nslcd.conf:
sudo vi /etc/nslcd.conf
Update it with the following settings:
# Run as user and group nslcd (the daemon starts as root, reads this file,
# then drops privileges)
uid nslcd
gid nslcd
# Specify the LDAP server URI. ldaps:// encrypts from the first byte;
# ldap:// is cleartext unless STARTTLS is enabled below.
uri ldap://ldapserver.example.com
# Set the search base
base dc=example,dc=com
# Use LDAP protocol version 3
ldap_version 3
# Bind DN and password for lookups. The password is stored in cleartext,
# so this file must be readable only by root (chmod 600 /etc/nslcd.conf;
# 0640 root:nslcd is also acceptable). Grant the bind account read-only
# access to the user and group entries, nothing more.
binddn uid=system-authority,ou=applications,dc=example,dc=com
bindpw <plaintext_password>
# TLS options. tls_cacertfile alone does not turn on encryption: upgrade the
# ldap:// connection with STARTTLS and require a certificate that verifies
# against the CA installed in Step 5. Remove the ssl and tls_reqcert lines
# only if the server offers no TLS at all.
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/<ldap server CA>.crt
# Set search scope
scope sub
# Do not query LDAP for the group memberships of local accounts
nss_initgroups_ignoreusers ALLLOCAL
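The settings above are the ones that decide whether the bind credential is exposed, so here is an added shell check (not code from the page or from Symas) that audits an nslcd.conf for a file readable by other users, a missing uid line, a cleartext ldap:// URI without STARTTLS, a missing tls_reqcert demand, an unreadable CA file and a bindpw that is empty or still a template placeholder. It assumes GNU stat (Linux) and writes two constructed sample configs, one weak and one hardened, into a directory you pass it instead of touching /etc/nslcd.conf; the hostnames and bind DN are the page's placeholders, the hardened password is made up.

```shell
#!/bin/sh
# Added example (not from the page): audit an nslcd.conf for settings that
# expose the bind password or skip server verification. Assumes GNU stat.
# Prints one finding per line; returns 0 when clean, 1 when anything was found.

# First value of KEY in FILE (keys are case-insensitive). Comment lines are
# skipped so a '#' inside a password is not mistaken for a comment.
conf_value() {
    awk -v k="$2" '/^[[:space:]]*#/ {next} tolower($1)==k {print $2; exit}' "$1"
}

audit_nslcd_conf() {
    conf=$1
    n=0

    # nslcd reads this file as root, so ordinary users must not be able to:
    # 0600 root (0640 root:nslcd is also common on packaged installs).
    mode=$(stat -c %a "$conf")
    case $mode in
        600|400|640) ;;
        *) echo "mode $mode: bindpw readable by other users (chmod 600 $conf)"; n=$((n+1)) ;;
    esac

    # Without 'uid' the daemon keeps root privileges for its whole lifetime.
    if [ -z "$(conf_value "$conf" uid)" ]; then
        echo "no 'uid' line: nslcd would run as root"; n=$((n+1))
    fi

    # Transport: ldaps:// encrypts from the first byte, ldap:// only with
    # 'ssl start_tls', ldapi:// is a local Unix socket and needs no TLS.
    uri=$(conf_value "$conf" uri)
    tls=no
    if [ "$(conf_value "$conf" ssl)" = start_tls ]; then tls=yes; fi
    case $uri in
        ldaps://*) tls=yes ;;
        ldapi://*) tls=local ;;
    esac
    if [ "$tls" = no ]; then
        echo "uri $uri without 'ssl start_tls': bind credentials cross the network in cleartext"
        n=$((n+1))
    fi
    if [ "$tls" = yes ]; then
        reqcert=$(conf_value "$conf" tls_reqcert | tr 'A-Z' 'a-z')
        case $reqcert in
            demand|hard) ;;
            *) echo "tls_reqcert is '${reqcert:-unset}': set 'tls_reqcert demand' so a forged server certificate is rejected"; n=$((n+1)) ;;
        esac
    fi

    # The CA file must exist and be readable or every TLS connection fails.
    cacert=$(conf_value "$conf" tls_cacertfile)
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "tls_cacertfile $cacert does not exist or is unreadable"; n=$((n+1))
    fi

    # A binddn with no password, or with a template placeholder, cannot bind.
    binddn=$(conf_value "$conf" binddn)
    bindpw=$(conf_value "$conf" bindpw)
    if [ -n "$binddn" ] && [ -z "$bindpw" ]; then
        echo "binddn set but bindpw empty"; n=$((n+1))
    fi
    case $bindpw in
        '<'*'>') echo "bindpw still holds the template placeholder $bindpw"; n=$((n+1)) ;;
    esac

    [ "$n" -eq 0 ]
}

# Constructed samples (not real configs): the page's template as a weak
# config, and a hardened variant. DIR must exist; a stand-in CA file is created.
write_sample_configs() {
    dir=$1
    : > "$dir/ca.crt"
    cat > "$dir/weak.conf" <<EOF
uid nslcd
gid nslcd
uri ldap://ldapserver.example.com
base dc=example,dc=com
ldap_version 3
binddn uid=system-authority,ou=applications,dc=example,dc=com
bindpw <plaintext_password>
tls_cacertfile /etc/ssl/certs/missing-ca.crt
scope sub
EOF
    chmod 644 "$dir/weak.conf"
    cat > "$dir/hardened.conf" <<EOF
uid nslcd
gid nslcd
uri ldaps://ldapserver.example.com
base dc=example,dc=com
ldap_version 3
binddn uid=system-authority,ou=applications,dc=example,dc=com
bindpw correct-horse-battery-staple
tls_reqcert demand
tls_cacertfile $dir/ca.crt
scope sub
nss_initgroups_ignoreusers ALLLOCAL
EOF
    chmod 600 "$dir/hardened.conf"
}
```

On a real client run `audit_nslcd_conf /etc/nslcd.conf` as root after Step 4 and again after Step 5, since the CA-file finding only clears once the certificate is in place. The value parser takes the second whitespace-separated field, so a bind password containing spaces is read incompletely; that matches how a quick audit should treat such a password, as something to look at by hand.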
Step 5: Install the CA Certificate
Copy the certificate of the CA that issued your LDAP server's certificate (the CA certificate only, never the server's private key) to the client's SSL certificate directory:
sudo cp /path/to/CA.crt /etc/ssl/certs/
The resulting path must match the tls_cacertfile value in nslcd.conf exactly, and the file must be readable by the nslcd user; 0644 is normal for a CA certificate, which contains nothing secret.
Step 6: Enable nslcd Service
Enable nslcd (and nscd) to start on boot. On systemd-based releases of all three distribution families:
sudo systemctl enable nslcd nscd
On older Debian-based releases that still use SysV init:
sudo update-rc.d nslcd enable
Step 7: Restart Services
After configuration, restart both nscd and nslcd:
sudo systemctl restart nscd
sudo systemctl restart nslcd
Step 8: Test Connectivity
Use the getent command to test LDAP connectivity and verify user information. Anchoring the pattern to the start of the line avoids matching the name inside another entry's GECOS field:
getent passwd | grep '^<ldap uid>:'
If the configuration is correct, the command displays the LDAP user entry. A targeted lookup, getent passwd <ldap uid>, returns only the first match in nsswitch order, whereas the enumerating form above lists every source that knows the name, which is what makes a collision like the one below visible.
Example Output:
jtrupp:x:1000:1000:Jason Trupp,,,:/home/jtrupp:/bin/bash
jtrupp:x:2029:2029:Jason Trupp:/home/jtrupp:/bin/bash
These two lines are not a duplicate. The first (UID 1000, with the trailing ",,," GECOS fields typical of adduser) comes from the local /etc/passwd; the second (UID 2029) comes from LDAP. Because compat precedes ldap in nsswitch.conf, the name jtrupp resolves to local UID 1000, while files owned by UID 2029 are attributed to the LDAP user: one name, two identities. Keep each username in exactly one source, and remove or rename the local account before the LDAP identity goes live.