These client programs will need to be installed on each workstation that will access the LDAP server:

```
yum install openldap-clients
```
PAM

PAM, or Pluggable Authentication Modules, is used to centralize authentication of programs on the system. The pam_ldap module is used to connect LDAP with console logins, POP, IMAP and Samba. This module allows users to have access to everything on the network which they have rights to, including a proxy server connection. PAM advantages include a common authentication process, flexible options for authentication and a library that allows additional development.

If you want standard PAM-enabled applications to use LDAP authentication, you will need to enable LDAP support using authconfig-tui.
Execute authconfig-tui from the command line:

```
authconfig-tui
```

Select "Use LDAP" and then "Next".

Set up the server IP address and the Base DN.

The great thing about authconfig-tui is that it modifies /etc/pam.d/system-auth, and each of the other files in /etc/pam.d pulls that configuration in with a single include line, so you do not need to make the modifications manually.
/etc/pam.d/system-auth

```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
```

Notice how in this example each section includes system-auth, which is where LDAP is set up, so sshd picks up LDAP authentication from that one file.

/etc/pam.d/sshd

```
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
```
You will not need to edit the nsswitch.conf file to add ldap to the name services consulted for passwords, as authconfig-tui does this for you. Here is the default:

```
passwd:     files
shadow:     files
group:      files
```

Look for these lines in /etc/nsswitch.conf and note the ldap that has been added. Listing files first means the password is checked in /etc/passwd first and then in LDAP:

```
passwd:     files ldap
shadow:     files ldap
group:      files ldap
```
There are several important configuration files you will need to know the location of.
/etc/openldap/ldap.conf - all client applications are configured here
```
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=linux,dc=local
URI     ldap://192.168.5.102

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
```
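To confirm that authconfig-tui has left the three files above (system-auth, nsswitch.conf and ldap.conf) in the expected state, here is an added shell script that is not part of the lesson. It audits copies of the files passed to it: every PAM management group must carry a pam_ldap.so line, each nsswitch database must list files before ldap, and ldap.conf must set BASE and URI. The function names and the sample files it builds are assumptions for the example; it also flags the lesson's plain ldap:// URI, because a simple bind over it sends the user's password to the server unencrypted.

```shell
#!/bin/sh
# Added example, not part of the lesson: audit the three files that
# authconfig-tui touches on an LDAP client. Paths are parameters so the
# checks can be pointed at the real files
# (/etc/pam.d/system-auth, /etc/nsswitch.conf, /etc/openldap/ldap.conf)
# or at the constructed samples built below.

# 0 if every management group (auth, account, password, session) in the
# PAM file has a pam_ldap.so line; otherwise print the groups missing it.
pam_has_ldap() {
    missing=""
    for group in auth account password session; do
        grep -v '^[[:space:]]*#' "$1" |
            grep -q "^[[:space:]]*$group[[:space:]].*pam_ldap\.so" ||
            missing="$missing $group"
    done
    [ -z "$missing" ] || { echo "pam: pam_ldap.so missing from:$missing"; return 1; }
}

# 0 if passwd, shadow and group in nsswitch.conf all consult ldap, with
# "files" listed first so local accounts are resolved before the directory.
nss_has_ldap() {
    rc=0
    for db in passwd shadow group; do
        line=$(grep -v '^[[:space:]]*#' "$1" | grep "^$db:" | head -n 1)
        case "$line" in
            "$db:"*files*ldap*) ;;
            "$db:"*ldap*) echo "nss: $db consults ldap before files"; rc=1 ;;
            *)            echo "nss: $db does not consult ldap"; rc=1 ;;
        esac
    done
    return $rc
}

# Print BASE and URI from ldap.conf. Returns 0 for ldaps://, 2 for a plain
# ldap:// URI (a simple bind over it carries the password in clear unless
# STARTTLS is configured), 1 if either setting is absent.
ldap_conf_check() {
    base=$(grep -v '^[[:space:]]*#' "$1" | awk '$1=="BASE"{print $2}' | head -n 1)
    uri=$(grep -v '^[[:space:]]*#' "$1" | awk '$1=="URI"{print $2}' | head -n 1)
    [ -n "$base" ] || { echo "ldap.conf: BASE not set"; return 1; }
    [ -n "$uri" ]  || { echo "ldap.conf: URI not set"; return 1; }
    echo "ldap.conf: BASE=$base URI=$uri"
    case "$uri" in
        ldaps://*) return 0 ;;
        ldap://*)  echo "ldap.conf: cleartext URI; use ldaps:// or configure STARTTLS"; return 2 ;;
        *)         echo "ldap.conf: unrecognised URI scheme"; return 1 ;;
    esac
}

# Constructed samples, copied from the lesson's listings (the URI is the
# lesson's cleartext ldap:// so the last check reports it).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
session     required      pam_unix.so
session     optional      pam_ldap.so
EOF
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
EOF
cat > "$SAMPLE_DIR/ldap.conf" <<'EOF'
# LDAP Defaults
BASE    dc=linux,dc=local
URI     ldap://192.168.5.102
EOF

pam_has_ldap "$SAMPLE_DIR/system-auth"   && echo "pam: ok"
nss_has_ldap "$SAMPLE_DIR/nsswitch.conf" && echo "nss: ok"
ldap_conf_check "$SAMPLE_DIR/ldap.conf"  || echo "ldap.conf: check returned $?"
```

Run against a real client as root, pass the three paths in /etc instead of the samples; a non-zero return from any function is the line to look at before trying a login.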
If this is working correctly, when you run this command:

```
getent passwd
```

you should see output similar to /etc/passwd:

```
---cut---
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
snort:x:112:124:Snort IDS:/var/log/snort:/bin/false
postfix:x:113:125::/var/spool/postfix:/bin/false
```

It should list the accounts in /etc/passwd first and then any posixAccount objects from LDAP.
Testing with ldapsearch

You should be able to run an ldapsearch command and get back from the LDAP server the information that you request:

```
# ldapsearch -x -b "dc=linux,dc=local" 'uid=bob'
# extended LDIF
#
# LDAPv3
# base <dc=linux,dc=local> with scope subtree
# filter: uid=bob
# requesting: ALL
#

# bob, linux.local
dn: uid=bob,dc=linux,dc=local
cn: Bob Green
uid: bob
uidNumber: 504
loginShell: /bin/sh
homeDirectory: /home/bob
gidNumber: 100
userPassword:: e2NyeXB0fU5EMlZYZWNlV1lEaWM=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
shadowLastChange: 14423
gecos: Bob Green
sn: Bob Green

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
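As an added example that is not from the lesson, the script below goes one step past the getent and ldapsearch checks: it compares saved getent passwd output with the local passwd file, lists the accounts that came from the directory, and flags directory accounts with uid 0, with a uid below the 500 threshold that the system-auth stack uses (pam_succeed_if uid >= 500 sits before pam_ldap, so such accounts never reach LDAP authentication), or with a uid already owned by a local account. The function names and the accounts carol and dave are constructed for the example; bob's entry is taken from the ldapsearch output above. One thing to notice in that output: the search used -x with no -D, which is an anonymous bind, and the server still returned bob's userPassword hash, so the directory's access rules for userPassword are worth reviewing as well.

```shell
#!/bin/sh
# Added example, not part of the lesson: compare saved `getent passwd`
# output with the local passwd file to list the accounts that came from the
# directory, and flag directory accounts whose uid overlaps the local range.
# Usage against a live client:
#   getent passwd > /tmp/getent.out
#   check_directory_accounts /tmp/getent.out /etc/passwd 500

# Print the getent entries whose username is not in the local passwd file.
directory_entries() {
    while IFS= read -r line; do
        name=${line%%:*}
        grep -q "^$name:" "$2" || printf '%s\n' "$line"
    done < "$1"
}

# One line per problem: a directory account with uid 0, a uid below MINUID
# (the lesson's system-auth only lets pam_ldap handle uid >= 500), or a uid
# already taken by a local account. Prints nothing when all is well.
check_directory_accounts() {
    minuid=${3:-500}
    directory_entries "$1" "$2" | while IFS=: read -r name pw uid gid rest; do
        if [ "$uid" -eq 0 ]; then
            echo "$name: directory account with uid 0"
        elif [ "$uid" -lt "$minuid" ]; then
            echo "$name: uid $uid is below $minuid, so pam_ldap is never reached for it"
        fi
        owner=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$2")
        [ -z "$owner" ] || echo "$name: uid $uid collides with local account $owner"
    done
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# Constructed local passwd file: root plus the lesson's three local accounts.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
snort:x:112:124:Snort IDS:/var/log/snort:/bin/false
postfix:x:113:125::/var/spool/postfix:/bin/false
EOF
# Constructed getent output: local entries first, then directory entries
# (bob from the lesson's ldapsearch; carol and dave invented to show the
# uid 0 and low-uid cases).
cat > "$SAMPLE_DIR/getent" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
snort:x:112:124:Snort IDS:/var/log/snort:/bin/false
postfix:x:113:125::/var/spool/postfix:/bin/false
bob:x:504:100:Bob Green:/home/bob:/bin/sh
carol:x:0:100:Carol:/home/carol:/bin/sh
dave:x:112:100:Dave:/home/dave:/bin/sh
EOF

echo "directory accounts:"
directory_entries "$SAMPLE_DIR/getent" "$SAMPLE_DIR/passwd"
echo "problems:"
check_directory_accounts "$SAMPLE_DIR/getent" "$SAMPLE_DIR/passwd" 500
```

On the sample data bob passes, carol is reported twice (uid 0, and a collision with root) and dave twice (below 500, and a collision with snort); an empty problems list is the result you want on a real client.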
Troubleshooting a Non-booting Client

With CentOS, when you have the LDAP client set up you may see the client stop at:

```
Starting system message bus :dbus
```

If this occurs, edit the /etc/ldap.conf file and change bind_policy to soft:

```
bind_policy soft
```

It will start slowly, but it will boot.

Copyright by CyberMontana Inc. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874