Set Up LDAP Client
Server Training - Server Management

These client programs will need to be installed on each workstation that will access the LDAP server.

 Lesson 7 / Lesson 9


yum install openldap-clients

PAM or Pluggable Authentication Modules are used to centralize authentication of programs on the system.  The pam_ldap module  is used to connect LDAP with console logins, POP, IMAP and Samba.  This module will allow users to have access to everything on the network which they have rights to including a proxy server connection.  Pam advantages include a common authentication process, flexible options for authentication and a library that allows additional development.

If you want to have standard PAM-enabled application sto use LDAP authentication you will need to enable LDAP support using the authconfig-tui.

Execute the authconfig-tui from the command line:


Select the Use of LDAP and then “Next”.

ldap client

Set up the Server IP Address and the the Base DN.

The great thing about authconfig-tui is that it will modify the /etc/pam.d/system-auth and from this configuration file add a line to each of the other file so that you do not need to make modifications manually.

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        required
account     required broken_shadow
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required
password    requisite try_first_pass retry=3
password    sufficient md5 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required
session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
session     optional

Notice how in this example one line is included so it works with the system-auth which is set up for LDAP.
auth       include      system-auth
account    required
account    include      system-auth
password   include      system-auth
session    optional force revoke
session    include      system-auth
session    required

You will not need to edit the nsswitch.conf file and add ldap to the programs listened to for passwords as this will be done by authconfig-tui.  Here is the default:
passwd:     files
shadow:     files
group:      files
Look for these lines in the /etc/nsswitch.conf file and note the ldap that is added..  Here the files allows for a check of the password in /etc/passwd first and then to check in LDAP.
passwd:     files  ldap
shadow:     files  ldap
group:      files  ldap

There are several important configuration files you will need to know the location of.

/etc/openldap/ldap.conf - all client applications are configured here

# LDAP Defaults
 # See ldap.conf(5) for details
# This file should be world readable but not world writable.
 BASE    dc=linux,dc=local
URI     ldap://
 #SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

If this is working correctly when you use this command:
getent passwd

You should see similar /etc/passwd like output:
snort:x:112:124:Snort IDS:/var/log/snort:/bin/false
It should list the accounts in /etc/passwd first and then any posixAccount objects.

Testing with ldapsearch
You should be able to run a ldapsearch command and get a return from the LDAP server of the information that you request.
# ldapsearch -x -b "dc=linux,dc=local" 'uid=bob'
# extended LDIF
# LDAPv3
# base <dc=linux,dc=local> with scope subtree
# filter: uid=bob
# requesting: ALL
# bob, linux.local
dn: uid=bob,dc=linux,dc=local
cn: Bob Green
uid: bob
uidNumber: 504
loginShell: /bin/sh
homeDirectory: /home/bob
gidNumber: 100
userPassword:: e2NyeXB0fU5EMlZYZWNlV1lEaWM=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
shadowLastChange: 14423
gecos: Bob Green
sn: Bob Green
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Troubleshooting a Non-booting Client

With Centos when you have the LDAP client set up you may see the client stop at:

Starting system message bus :dbus

If this occurs edit the /etc/ldap.conf file and modify the bind_policy to soft.

bind_policy soft

It will start slow but it will boot.


Copyright by CyberMontana Inc.
Cannot be reproduced without written permission.  Box 1262 Trout Creek, MT 59874