Linux LDAP client configuration

The simplest way to configure an LDAP client in Linux is to use a tool delivered with the system: SuSE has yast (yast2), the RedHat family has authconfig (authconfig-tui). These should install the required packages, such as nss-pam-ldapd, nscd, pam_ldap, ldapclient etc. Unfortunately I don’t remember the list of packages for each particular distribution, because I configured it on SuSE, RHEL and CentOS.
It is hard to describe the LDAP configuration for each particular Linux distribution here, so my advice is to use the “vendor” documentation, as I did. From my side, I would like to add the list of configuration files (with examples) which one should review or fix in case the wizards fail, because nowadays it is getting harder to find documentation for real admins operating directly on files from the console (CLI).

RedHat/CentOS: /etc/nslcd.conf (example configuration)

uri ldap://ldapsrvp01/ ldap://ldapsrvp02/
ldap_version 3
base dc=mycompany,dc=com
scope sub
base   group  ou=Groups,o=mycompany,dc=mycompany,dc=com
base   passwd ou=people,o=mycompany,dc=mycompany,dc=com
base   passwd ou=people,o=customer,dc=mycompany,dc=com
base   shadow ou=people,o=mycompany,dc=mycompany,dc=com
base   shadow ou=people,o=customer,dc=mycompany,dc=com
scope  group  onelevel
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/certs/cacert.pem
filter  passwd (objectClass=posixAccount)
filter  shadow (objectClass=shadowAccount)

I have also not found information on how to configure more advanced queries which can search more than one branch of the LDAP tree, e.g.:

(&(objectClass=posixAccount)(|(ou=people,o=mycompany,dc=mycompany,dc=com)(ou=people,o=customer,dc=mycompany,dc=com)))

that’s why I needed to test it by myself, and in conclusion I found that attributes (like “base passwd”) can be defined more than once (see above).

SuSE: /etc/ldap.conf – LDAP client configuration, similar to /etc/nslcd.conf on RedHat/CentOS, but here the queries follow the LDAP convention more closely, e.g.:

base    dc=mycompany,dc=com
scope   sub

nss_schema      rfc2307bis
nss_map_attribute       uniqueMember member

uri     ldap://ldapsrvp01 ldap://ldapsrvp02
ldap_version    3
pam_filter      objectClass=posixAccount
nss_base_passwd ou=people,o=mycompany,dc=mycompany,dc=com?sub?|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=customer-test,ou=groups,o=mycompany,dc=mycompany,dc=com)
nss_base_shadow ou=people,o=mycompany,dc=mycompany,dc=com?sub?|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=customer-test,ou=groups,o=mycompany,dc=mycompany,dc=com)
nss_base_group  ou=Groups,o=mycompany,dc=mycompany,dc=com
nss_base_automount      ou=services,dc=mycompany,dc=com

tls_cacertfile  /etc/ssl/ldap-ca.pem
ssl     start_tls
tls_cacertdir   /etc/ssl
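To see what these two syntaxes actually ask the directory for, here is a small Python helper (an added example, not code from the original post or from the nslcd/nss_ldap projects) that turns the repeatable nslcd.conf `base <map>` lines above and the `nss_base_<map> base?scope?filter` lines into explicit search descriptors. How the per-base filter is combined with the objectClass filter (wrapping the bare `|(...)(...)` fragment in parentheses and AND-ing it) is an assumption about how to reproduce the lookup with ldapsearch, not a statement about the libraries' internals; the sample configs are constructed from the snippets on this page.

```python
from collections import namedtuple
Search = namedtuple("Search", "nss_map base scope filter")  # filter: per-base fragment or ""

def paren(f):
    """Parenthesise a filter fragment so it can be nested inside (&...)."""
    f = f.strip()
    return f if not f or f.startswith("(") else f"({f})"

def effective_filter(s, class_filter):
    """AND the map's objectClass filter with the per-base one: what you would hand to
    `ldapsearch -b <base> -s <scope> '<filter>'` to reproduce the NSS lookup (assumption)."""
    parts = [paren(p) for p in (class_filter, s.filter) if p.strip()]
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

def parse_nss_ldap(text):
    """SuSE /etc/ldap.conf style: 'nss_base_<map> base?scope?filter'."""
    kv = dict(ln.split(None, 1) for ln in text.splitlines() if len(ln.split(None, 1)) == 2)
    out = []
    for key, val in kv.items():
        if key.startswith("nss_base_"):
            base, _, rest = val.partition("?")
            scope, _, flt = rest.partition("?")
            out.append(Search(key[9:], base, scope or kv.get("scope", "sub"), flt))
    return out

def parse_nslcd(text):
    """nslcd.conf style: 'base <map> <dn>' may repeat (several branches per map)."""
    glob, maps = {"base": "", "scope": "sub"}, {}
    for line in text.splitlines():
        p = line.split(None, 2)
        if not p or p[0] not in ("base", "scope", "filter"):
            continue
        if len(p) == 2:                 # global 'base dc=...' / 'scope sub'
            glob[p[0]] = p[1]
            continue
        m = maps.setdefault(p[1], {"base": [], "scope": "", "filter": ""})
        if p[0] == "base":
            m["base"].append(p[2])      # per-map base, may occur several times
        else:
            m[p[0]] = p[2]              # per-map 'scope' or 'filter'
    return [Search(mp, b, m["scope"] or glob["scope"], m["filter"])
            for mp, m in maps.items() for b in (m["base"] or [glob["base"]])]

# Constructed samples: the passwd lines from the two configurations shown above.
NSLCD = ("scope sub\nbase dc=mycompany,dc=com\nscope  group  onelevel\n"
         "base   passwd ou=people,o=mycompany,dc=mycompany,dc=com\n"
         "base   passwd ou=people,o=customer,dc=mycompany,dc=com\n"
         "filter  passwd (objectClass=posixAccount)\n")
LDAP_CONF = ("scope   sub\nnss_base_passwd ou=people,o=mycompany,dc=mycompany,dc=com"
             "?sub?|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)\n")
```

Running `parse_nslcd(NSLCD)` yields two passwd searches (one per branch) plus a group search that falls back to the global base with scope onelevel; `effective_filter` on the SuSE line gives the `(&(objectClass=posixAccount)(|(memberof=...)))` filter you can paste into ldapsearch to test the lookup by hand.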

/etc/nscd.conf (here you should disable the cache for passwd and group)

        enable-cache            passwd          no
...
        enable-cache            group           no

There is also ‘debug-level’, which can be useful during troubleshooting:

        debug-level             0

/etc/openldap/ldap.conf (on some distributions /etc/ldap/ldap.conf) – LDAP client configuration – general

BASE dc=mycompany,dc=com
URI ldap://ldapsrvp01 ldap://ldapsrvp02
#TLS_CACERT /etc/openldap/certs/cacert.pem
TLS_CACERT /etc/ssl/ldap-ca.pem
TLS_REQCERT demand

/etc/nsswitch.conf – repository configuration for users, groups and services

passwd: compat
group:  files ldap

hosts:  files dns
networks:       files dns

services:       files ldap
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files ldap
publickey:      files

bootparams:     files
automount:      files ldap
aliases:        files ldap
passwd_compat:  ldap

/etc/ssl/ldap-ca.pem or /etc/openldap/certs/cacert.pem, or another path to the CA certificate file by which the LDAP server certificate is signed. In most cases you will not manage to configure the encrypted connection between the LDAP client and server. In most cases this is also the first point where you should start troubleshooting: check if your configuration works fine when you disable TLS/SSL – if yes, verify your certificates – if no, you can proceed to the next steps.
