Using a central authentication service in your organization isn’t just a good idea – it’s a great one. There’s no reason to have different copies of user information on every server.
Using OpenLDAP and PAM can enable clients to authenticate users without having a copy of user information locally.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Install Required Packages
You’re going to need quite a few packages installed to make this server work.
You can install them with the following command:
yum -y install openldap compat-openldap openldap-clients openldap-servers nss-pam-ldapd- Configure LDAP
With the daemon running, now we can set an LDAP password with:
slappasswd -h {SSHA} -s passwordThat will run and print a hash out to the screen. Let’s copy that, and then edit
initial.ldif. Get into the right directory, then into the file:cd LDAP/LDAP vim initial.ldifOn the
olcRootPWline, replace {SHAA} with our hash. The line should look something like this:olcRootPW {SSHA}<OUR_HASH>Save that file, and then run this so that it takes effect:
ldapmodify -Y external -H ldapi:/// -f initial.ldifWe’ve also got to pull in a few other different configuration files, but we can do it in a one-liner here with a
forloop:for i in cosine nis inetorgperson; do ldapadd -Y external -H ldapi:/// -f /etc/openldap/schema/$i.ldif; doneNow we can add the OUs:
ldapadd -x -W -D "cn=ldapadm, dc=la,dc=local" -f ous.ldifWe’ll be prompted for a password, which is going to be the one we set earlier with
slappasswd -h {SSHA} -s password.Now, to add users, run this:
ldapadd -x -W -D "cn=ldapadm, dc=la,dc=local" -f users.ldifWe’ll need our password again, and then we should see users get added.
- Make Sure PAM Authentication Is Correct
We need to set up PAM to authenticate users correctly. On the server, we can run the following command to do the configuration for you.
authconfig --enableldap --enableldapauth --ldapserver=localhost --ldapbasedn="dc=la,dc=local" --enablemkhomedir --updateThen we’ve got to restart the daemon, so that our changes take effect:
systemctl restart nslcdNow let’s test. Run
id tcox, and we should see details on thetcoxuser.tcox, by the way, was one of the users we set up. You might have seen the username in output from one of theldapaddcommands. Runid pineheadto see if that user was added too.Now, we can become
tcoxby runningsu - tcox. We should end up being that user, and sitting in the home directory (we’ll also notice that the directory is created upon thesucommand getting run too),/home/tcox.- Configure the Client
Ok, the server is all set. Now in the client, we need to install some software:
yum install openldap-clients nss-pam-ldapd -yWe’ll run the same kind of
authconfigline we did on the server now, changinglocalhosthere to the server’s actual IP address:authconfig --enableldap --enableldapauth --ldapserver=10.0.1.100 --ldapbasedn="dc=la,dc=local" --enablemkhomedir --updateNow restart the daemon, so that our changes take effect:
systemctl restart nslcdNow if we run
idfortcoxandpineheadlike we did on the server, we should see the same kind of output.- Set a Password and Test
Let’s set a new
pineheadpassword, and test it out. It doesn’t matter if we’re doing this on the client or the server, since both ways will be actually authenticating to the same LDAP server:Now, to add users, run this:
ldappasswd -s password -W -D "cn=ldapadm, dc=la,dc=local" -x "uid=pinehead,ou=People,dc=la,dc=localEnter a new password at the prompt, then try logging in as
pinehead:ssh pinehead@localhostAfter an authenticity prompt, we should see a Creating ‘/home/pinehead’ message and we’re in as
pinehead, sitting in this account’s home directory.
