How to configure the LDAP Client

RHEL 5

Install the required packages

yum install openldap nss_ldap nscd

Configure nslcd

authconfig --enableldap --enableldapauth --ldapserver="ldap://192.168.100.22" --ldapbasedn="dc=corneschi,dc=ro" --enablemkhomedir --update

or

authconfig-tui

RHEL 6

Client side configuration can be done either using:

  • nslcd - /etc/nslcd.conf & /etc/pam_ldap.conf files (authconfig updates both automatically)
  • sssd - /etc/sssd/sssd.conf (does not support authentication over an unencrypted channel)

Configuring LDAP client using nslcd

Install the required packages

yum install nss-pam-ldapd pam_ldap

Configure nslcd

authconfig --enableldap --enableldapauth --ldapserver="ldap://192.168.100.22" --ldapbasedn="dc=corneschi,dc=ro" --enableforcelegacy --enablemkhomedir --update

  • --update - Only the files affected by the configuration changes are overwritten
  • --updateall - All configuration files are written

PAM configuration

vi /etc/pam.d/system-auth

auth        sufficient    pam_ldap.so use_first_pass
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/init.d/nslcd restart

Configuring a netgroup backend

  • Method 1

vi /etc/nsswitch.conf

passwd:         compat
passwd_compat:  ldap
shadow:         files ldap
group:          files ldap
netgroup:       ldap

vipw

+@family

getent netgroup family

  • Method 2

Edit /etc/nsswitch.conf

vi /etc/nsswitch.conf

netgroup: files ldap

Edit /etc/security/access.conf

vi /etc/security/access.conf

+:root:LOCAL
+:@family:ALL
-:ALL:ALL

Enable pam_access.so module

authconfig --enablepamaccess --update
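The access.conf rules above are evaluated by pam_access top to bottom, first match wins. The following is an added example, not part of the original how-to: it mirrors that matching logic so the Method 2 rule set can be checked offline. Netgroup membership comes from a constructed table standing in for `getent netgroup family`, and no LDAP server is contacted.

```python
# Added example, not from the original how-to: evaluates access.conf rules the
# way pam_access does (first matching rule wins). Netgroup membership is a
# constructed table standing in for `getent netgroup family`; no LDAP lookups.

NETGROUPS = {"family": {"daniel", "maria"}}   # constructed sample data

ACCESS_CONF = """\
# permission : users : origins  (the Method 2 rules from above)
+:root:LOCAL
+:@family:ALL
-:ALL:ALL
"""

def parse_access_conf(text):
    """Return (permission, user_tokens, origin_tokens) rules; comments and blank
    lines are skipped. Handles user names, @netgroup and ALL; not (group) or EXCEPT."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm, users.split(), origins.split()))
    return rules

def user_matches(token, user, netgroups):
    if token == "ALL":
        return True
    if token.startswith("@"):            # @netgroup, as in +:@family:ALL
        return user in netgroups.get(token[1:], set())
    return token == user

def origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":                 # simplified: tty or short host name, no dot
        return "." not in origin
    return token == origin

def check_access(user, origin, text=ACCESS_CONF, netgroups=NETGROUPS):
    """True if the login is permitted. With no matching rule pam_access permits
    the login, which is why Method 2 ends with the catch-all -:ALL:ALL."""
    for perm, users, origins in parse_access_conf(text):
        if any(user_matches(u, user, netgroups) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return perm == "+"
    return True
```

Dropping the final `-:ALL:ALL` line leaves every unmatched login permitted, which the last assertion-style check in `check_access` makes visible.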

Useful commands

  • Disable pam_access.so module: authconfig --disablepamaccess --update
  • Print configuration settings: authconfig --test
  • Save all files which authconfig modifies: authconfig --savebackup=/tmp/ldap_backup
  • Restore the last configuration: authconfig --restorelastbackup
  • List all LDAP users: ldapsearch -H ldap://192.168.100.22 -x -LLL 'uid=*'
  • Delete an LDAP user: ldapdelete -x -W -v -D "cn=Manager,dc=corneschi,dc=ro" "uid=daniel,ou=People,dc=corneschi,dc=ro"
  • Delete an LDAP group: ldapdelete -x -W -v -D "cn=Manager,dc=corneschi,dc=ro" "cn=daniel,ou=Groups,dc=corneschi,dc=ro"
  • Delete an LDAP netgroup: ldapdelete -x -W -v -D "cn=Manager,dc=corneschi,dc=ro" "cn=family,ou=Netgroup,dc=corneschi,dc=ro"
  • Change password for a user: ldappasswd -H ldap://localhost -x -W -S -D "cn=Manager,dc=corneschi,dc=ro" "uid=daniel,ou=People,dc=corneschi,dc=ro"
  • Generate a password for "userPassword": slappasswd
  • Read the manuals: man nslcd and man nslcd.conf
  • Show LDAP users on a system: getent passwd
  • Show LDAP groups on a system: getent group
  • Show users from a netgroup on a system: getent netgroup family