Home HowTos Directory Server Configure OpenLDAP Client on Debian 9 Stretch

Configure OpenLDAP Client on Debian 9 Stretch

2
8802

This articles describes how to configure OpenLDAP client on Debian 9 Stretch. You can check our previous article on how to install and configure OpenLDAP Server on Debian 9 Stretch.

Install and Configure OpenLDAP Client on Debian 9 Stretch

Install the required packages.

apt -y install libnss-ldap libpam-ldap ldap-utils

Configure OpenLDAP client on Debian 9 Stretch

During the installation process, you will receive different configuration prompts.

Define LDAP server’s URI.

Configure OpenLDAP Client on Debian 9 Stretch

Set the distinguished name of the LDAP search base.

Configure OpenLDAP Client on Debian 9 Stretch

Specify LDAP protocol version.

Configure OpenLDAP Client on Debian 9 Stretch

Set the LDAP administrator suffix.

Configure OpenLDAP Client on Debian 9 Stretch

Enter the LDAP admin account password for libnss-ldap LDAP authentication.

Configure OpenLDAP Client on Debian 9 Stretch

On nsswitch configuration, select Ok and press Enter to proceed. We will configure nsswitch later.

Configure OpenLDAP Client on Debian 9 Stretch

Allow LDAP admin account to assume local root behavior. This allows using the usual passwd command for changing passwords stored in the LDAP database.

Configure OpenLDAP Client on Debian 9 Stretch

Disable LDAP database login requirement.

Configure OpenLDAP Client on Debian 9 Stretch

Enter LDAP administrator account suffix.

Configure OpenLDAP Client on Debian 9 Stretch

Set the LDAP administrator account password. Press Enter to complete installation and configuration.

Configure OpenLDAP Client on Debian 9 Stretch

Modify nsswitch.conf to use ldap datasource such that it looks like;.

vim /etc/nsswitch.conf
...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Edit the /etc/pam.d/common-password and remove the use_authtok on the highlighted line below. use_authtok  causes the PAM module to use the earlier provided password when changing the password..

vim /etc/pam.d/common-password
...
# here are the per-package modules (the "Primary" block)
password	[success=2 default=ignore]	pam_unix.so obscure sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
...

To enable automatic user home directory creation at first login, add the line session optional pam_mkhomedir.so skel=/etc/skel umask=077 to the /etc/pam.d/common-session between the pam_ldap.so and pam_systemd.so.

vim /etc/pam.d/common-session
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional			pam_ldap.so 
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
session	optional	pam_systemd.so 
# end of pam-auth-update config

Reboot the LDAP client for the changes to take effect. After reboot, try logging in as an LDAP user. See screenshot below.

Configure OpenLDAP Client on Debian 9 Stretch

You have successfully authenticated to Debian 9 Strecth as an LDAP user.

That is all it takes configure OpenLDAP client on Debian 9 Stretch. In our next article, we will discuss how to configure LDAP client to use SSSD for LDAP authentication on Debian 9 stretch.

2 COMMENTS

  1. Hi there,

    thank you for your post.
    Do you know how to allow user to run `sudo` command without configure sssd?
    thank you!

LEAVE A REPLY

Please enter your comment!
Please enter your name here