LFCS – Client OpenLDAP Authentication

Jarret B

We previously set up OpenLDAP servers for both CentOS7 and Ubuntu 18.04. Even though the setup of OpenLDAP is not on the LFCS exam, setting up a client is on the exam.

Make sure you have two systems you can use for setting up and testing authentication. The systems can be virtual, like VirtualBox.

First, let’s look at some basic setup for both Operating Systems. Then we’ll look at CentOS and after that Ubuntu; follow the section for the OS you are taking the test on or are more concerned with learning.

Basic Setup

Before we start installing the OpenLDAP Client, we need to be sure that the system we are working on can see ‘Server1’. As I set my server up, I used the Fully Qualified Domain Name (FQDN) of ‘server1.linux.org’. My second system will be ‘server2.linux.org’. Server1 has an IP Address of 192.168.56.103 and Server2 is 192.168.56.104.

On Server2, I will add the following lines to ‘/etc/hosts’.

192.168.56.104 server2.linux.org server2
192.168.56.103 server1.linux.org server1


NOTE: For my section on Ubuntu authentication, my server information is:

192.168.56.123 server2-u.linux.org server2
192.168.56.124 server1-u.linux.org server1


When you type the command ‘hostname -f’ you should get the FQDN you set in the ‘hosts’ file. If the FQDN is not the response, you need to reboot your system.

You should now be able to ‘ping server1’ or ‘ping server1.linux.org’ and get a response. Of course, you will need to change your system names and IP Addresses to match your systems.

CENTOS7 Client Setup

On a CentOS system from a Terminal, you need to perform the following installation steps:

yum install openldap-clients.x86_64 nss-pam-ldapd oddjob oddjob-mkhomedir.i686

The ‘openldap-clients.x86_64’ package is the client we need in order to authenticate against LDAP. The last three packages we are installing are for PAM, which you can read about here. We need PAM to create our Home directories for network users that log onto a system.

To enable PAM, we use two commands to start the service and then cause it to be started when the system is booted:

systemctl start oddjobd
systemctl enable oddjobd


You should be asked to enter your password for performing the actions with elevated privileges.

Next, change to the Root account with ‘sudo su’. Issue the command ‘authconfig-tui’ from a terminal. You should see a basic GUI that is similar to ASCII used in DOS. Use the arrow keys to move down to the option for ‘Use LDAP’ and press the Space Bar to select it. Press TAB a few times to move to the right column. In the right-column, you need to only have selected ‘Use Shadow Password’, ‘Use LDAP Authentication’, and ‘Local authorization is sufficient’. Only select the three options and deselect any others that may be marked. Use TAB until you get to ‘Next’ and press the Space Bar.

On the next screen, arrow down once and change the second line. Change ‘ldap://127.0.0.1/’ to your FQDN of your LDAP server. In my case, the line would then become ‘ldap://server1.linux.org/’. The third line should have the ‘dc=example,dc=com’ changed to your domain name suffix. My entry would be ‘dc=linux,dc=org’. Tab to ‘OK’ and press the Space Bar.

At a prompt, enter the following line to enable the auto creation of Home folders for new users logging in from LDAP:

authconfig --enablemkhomedir --update

Now, the current system is accessing the local accounts as well as the LDAP user and group accounts on server1. To test this, we can issue the command ‘getent passwd’. A list of users should be listed from the local ‘passwd’ file as well as the LDAP ‘passwd’ file. You should see at the end of the list the accounts you set up when LDAP was set up on server1.

You can log in as one of your test users created for LDAP with the command ‘su - <user>’. After you enter the password, the home folder should be created, which shows that you were authenticated by LDAP.

Ubuntu 18.04 Client Setup

From a Terminal, you need to enter the following command on Server2 (server2-u):

sudo apt install libnss-ldapd libpam-ldap ldap-utils nscd

During the install of the new files, you will be prompted to enter valid information about the LDAP Server (server1-u).

ldap://server1-u.linux.org:389
dc=linux,dc=org
LDAP Version: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=linux,dc=org
LDAP root account password: (use password when setting up LDAP – make sure you spell it right, there is no confirmation query)


If you make a mistake, run the configuration again with the command ‘sudo dpkg-reconfigure ldap-auth-config’.

Now, we need to get the system to use the NSS authentication to the LDAP Server (server1-u). Use the command:

sudo auth-client-config -t nss -p lac_ldap

We need to enable PAM to set up the home directories for users that log in using LDAP. This will create a local home folder and not a centralized folder.

sudo pam-auth-update

Arrow down and select ‘Create home directory on login’ with the space bar. Use TAB to move to ‘OK’ and press the spacebar.

One more configuration setting needs to be set to auto create home folders. Edit the file ‘/etc/pam.d/common-session’. Add the following line:

session required pam_mkhomedir.so skel=/etc/skel umask=077

Save the file and close your editor. Run the next two commands to enable the changes:

sudo systemctl restart nscd
sudo systemctl enable nscd


Edit the file ‘/etc/ldap/ldap.conf’ and remove the hash (#) before the lines ‘BASE’ and ‘URI’. Change the information on the lines to match your LDAP server and FQDN.

Edit the file ‘/etc/nsswitch.conf’ and change the following:

passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat


A portion of a line in ‘/etc/pam.d/common-password’ needs to be removed. Around line 26, remove the section ‘use_authtok’.

A line also needs to be added to ‘/etc/pam.d/common-session’ so that it contains ‘session required pam_mkhomedir.so skel=/etc/skel umask=077’.

You may want to reboot your system and use the command ‘getent passwd’. You should see a listing of the local users as well as the LDAP users you added to the database when you installed LDAP on Server1. You might be able to log in as an LDAP user with the command ‘su - test’, or whatever user you added to the LDAP Database. On some systems I get an authentication error.
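Before rebooting, the three files edited above can be checked for the mistakes that most often leave ‘getent passwd’ without LDAP users or a login without a home folder. The script below is an added example, not part of the original article; the function name ‘lint_ldap_client’, its ROOT prefix argument and the sample tree are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not from the original article.
# lint_ldap_client ROOT prints one finding per line for the files under
# ROOT/etc; ROOT is a hypothetical prefix so a copy of /etc can be checked.
lint_ldap_client() {
    root=${1%/}
    nss="$root/etc/nsswitch.conf"
    sess="$root/etc/pam.d/common-session"
    conf="$root/etc/ldap/ldap.conf"

    # passwd and group must both list the ldap source. A misspelt name such
    # as "paswd:" does not configure the passwd database at all.
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$nss" 2>/dev/null ||
            echo "error: nsswitch.conf: $db has no ldap source"
    done

    # The module is pam_mkhomedir.so; any other spelling fails to load.
    grep -Eq '^session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' \
        "$sess" 2>/dev/null ||
        echo "error: common-session: pam_mkhomedir.so is not enabled"

    # URI must be uncommented. ldapi:// is a local Unix socket and cannot reach
    # a remote server; plain ldap:// sends bind passwords unencrypted.
    uri=$(awk 'toupper($1) == "URI" { print $2; exit }' "$conf" 2>/dev/null) || uri=
    case $uri in
        '')        echo "error: ldap.conf: URI is missing or commented out" ;;
        ldapi://*) echo "error: ldap.conf: $uri is a local socket, use ldap://" ;;
        ldap://*)  echo "warn: ldap.conf: $uri is cleartext unless StartTLS is used" ;;
        ldaps://*) ;;
        *)         echo "error: ldap.conf: unrecognised URI $uri" ;;
    esac
}

# Constructed sample tree with three mistakes that are easy to make.
demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d" "$d/etc/ldap" || return 1
    printf 'paswd: compat systemd ldap\ngroup: compat systemd ldap\n' \
        >"$d/etc/nsswitch.conf"
    printf 'session required pam_makehomedir.so skel=/etc/skel umask=077\n' \
        >"$d/etc/pam.d/common-session"
    printf 'BASE dc=linux,dc=org\nURI ldapi://server1-u.linux.org:389\n' \
        >"$d/etc/ldap/ldap.conf"
    echo "$d"
}
lint_ldap_client "$(demo_tree)"
```

To check the live system instead of the sample tree, call ‘lint_ldap_client /’.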

To really see the LDAP structure, you can install a Java program, which also installs Java, with the command ‘sudo apt install jxplorer’. Once done, start the program from a command-line with the command ‘jxplorer’. Once it starts, click on the first icon in the top left of the icon bar; it looks like two plugs connected. You should now see a window to set up a connection to your LDAP server. For ‘Host’ type in your server name, mine is ‘Server1’. Make sure the port is set to 389. Leave the protocol at ‘LDAP v3’. For ‘Security Level’ select ‘User + Password’. For ‘User DN’ type in ‘cn=admin,dc=linux,dc=org’. Change your organization name to match what you have been using. For ‘Password’ type in the admin password you set for LDAP. At the bottom left, click on ‘Save’ and give it a name when prompted. The next time you open jxplorer, you need only select the name you gave the saved information in the box next to ‘Save’. This will load all the settings you selected and typed except for ‘Password’. Through jxplorer, you can add or edit users and groups. Remember to select ‘Submit’ at the bottom of the screen (you may need to scroll down) for changes to be saved. When done, select the second icon, the two plugs apart from each other, to disconnect from the database.

Again, keep in mind that you can see the LDAP database, but you cannot log into the ‘Active Directory’ network under Ubuntu. It seems there are bugs in OpenLDAP, but this is the way to do it all for the exam. Maybe at some point, the bugs will be fixed and it will work. If anyone can find a workaround, please leave the method in the comments below.

Conclusion

LDAP can be very useful for a large network that needs centralized administration.

The process is not a hard one, and I hope you can perform these tasks easily and they work for you.
 
