Linux LDAP client configuration
The simplest way to configure an LDAP client on Linux is to use a tool delivered with the system: SuSE has yast (yast2), the RedHat family has authconfig (authconfig-tui). These should install the required packages, such as nss-pam-ldapd, nscd, pam_ldap, ldapclient, etc. Unfortunately I don't remember the list of packages for particular distributions, because I configured it on SuSE, RHEL and CentOS.
It is hard to describe the LDAP configuration for every Linux distribution here, so my advice is to use the "vendor" documentation, as I did. What I would like to add is the list of configuration files (with examples) that one should review or fix if the wizards fail, because nowadays it is getting harder to find documentation for real admins who operate directly on files from the console (CLI).
RedHat/CentOS: /etc/nslcd.conf (example configuration)
uri ldap://ldapsrvp01/ ldap://ldapsrvp02/
ldap_version 3
base dc=mycompany,dc=com
scope sub
base group ou=Groups,o=mycompany,dc=mycompany,dc=com
base passwd ou=people,o=mycompany,dc=mycompany,dc=com
base passwd ou=people,o=customer,dc=mycompany,dc=com
base shadow ou=people,o=mycompany,dc=mycompany,dc=com
base shadow ou=people,o=customer,dc=mycompany,dc=com
scope group onelevel
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/certs/cacert.pem
filter passwd (objectClass=posixAccount)
filter shadow (objectClass=shadowAccount)
I also have not found information on how to configure more advanced queries that search more than one branch of the LDAP tree, e.g.:
(&(objectClass=posixAccount)(|(ou=people,o=mycompany,dc=mycompany,dc=com)(ou=people,o=customer,dc=mycompany,dc=com)))
That is why I had to test it myself, and I found that attributes (like "base passwd") can be defined more than once (see above).
SuSE: /etc/ldap.conf – LDAP client configuration, similar to /etc/nslcd.conf on RedHat/CentOS, but here the queries follow the LDAP convention more closely, e.g.:
base dc=mycompany,dc=com
scope sub
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
uri ldap://ldapsrvp01 ldap://ldapsrvp02
ldap_version 3
pam_filter objectClass=posixAccount
nss_base_passwd ou=people,o=mycompany,dc=mycompany,dc=com?sub?|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=customer-test,ou=groups,o=mycompany,dc=mycompany,dc=com)
nss_base_shadow ou=people,o=mycompany,dc=mycompany,dc=com?sub?|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=customer-test,ou=groups,o=mycompany,dc=mycompany,dc=com)
nss_base_group ou=Groups,o=mycompany,dc=mycompany,dc=com
nss_base_automount ou=services,dc=mycompany,dc=com
tls_cacertfile /etc/ssl/ldap-ca.pem
ssl start_tls
tls_cacertdir /etc/ssl
/etc/nscd.conf (here you should disable the cache for passwd and group)
enable-cache passwd no
...
enable-cache group no
There is also 'debug-level', which can be useful during troubleshooting:
debug-level 0
/etc/openldap/ldap.conf (on some systems /etc/ldap/ldap.conf) – general LDAP client configuration
BASE dc=mycompany,dc=com
URI ldap://ldapsrvp01 ldap://ldapsrvp02
#TLS_CACERT /etc/openldap/certs/cacert.pem
TLS_CACERT /etc/ssl/ldap-ca.pem
TLS_REQCERT demand
/etc/nsswitch.conf – repository configuration for users, groups and services
passwd: compat
group: files ldap
hosts: files dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files ldap
aliases: files ldap
passwd_compat: ldap
/etc/ssl/ldap-ca.pem, /etc/openldap/certs/cacert.pem or another path to the CA certificate file by which the LDAP server certificate is signed. In most cases you will not be able to get the encrypted connection between the LDAP client and server working right away, and this is also usually the first point where you should start troubleshooting: check whether your configuration works when you disable TLS/SSL. If yes, verify your certificates; if no, proceed to the next steps.
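As an added example (not from the post), here is a small Python checker that parses an nslcd.conf fragment the way the post describes, collecting repeated per-map options such as the two "base passwd" lines into a list, and audits the transport settings discussed above (ssl start_tls or ldaps:// URIs, tls_reqcert demand, and a CA file or directory). The embedded sample is constructed from the post's own nslcd.conf example; the map list and the audit rules are my assumptions, not nslcd's own validation.

```python
from collections import defaultdict

# Constructed sample modelled on the post's nslcd.conf example (hostnames and DNs are the post's placeholders).
SAMPLE_NSLCD_CONF = """\
uri ldap://ldapsrvp01/ ldap://ldapsrvp02/
base dc=mycompany,dc=com
scope sub
base passwd ou=people,o=mycompany,dc=mycompany,dc=com
base passwd ou=people,o=customer,dc=mycompany,dc=com
base group ou=Groups,o=mycompany,dc=mycompany,dc=com
scope group onelevel
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/certs/cacert.pem
filter passwd (objectClass=posixAccount)
"""

# Assumed list of NSS maps that may prefix the per-map forms of base/scope/filter in nslcd.conf.
MAPS = {"passwd", "shadow", "group", "hosts", "netgroup", "services", "automount"}
MAP_KEYS = {"base", "scope", "filter"}

def parse_nslcd(text):
    """Return (settings, per_map): settings keeps the last value of each global option;
    per_map[map][option] is a list, because 'base passwd ...' may legally repeat."""
    settings, per_map = {}, defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, rest = line.partition(" ")
        words = rest.split(None, 1)
        if key in MAP_KEYS and len(words) == 2 and words[0] in MAPS:
            per_map[words[0]][key].append(words[1].strip())
        else:
            settings[key] = rest.strip()
    return settings, {m: dict(v) for m, v in per_map.items()}

def audit_tls(settings):
    """Findings for transport settings a defender should not accept (assumed rules)."""
    findings = []
    uris = settings.get("uri", "").split()
    if settings.get("ssl") not in ("on", "start_tls") and not (uris and all(u.startswith("ldaps://") for u in uris)):
        findings.append("cleartext LDAP: no 'ssl start_tls'/'ssl on' and no ldaps:// URI")
    if settings.get("tls_reqcert") != "demand":
        findings.append("tls_reqcert not explicitly 'demand': server certificate may go unverified")
    if "tls_cacertfile" not in settings and "tls_cacertdir" not in settings:
        findings.append("no tls_cacertfile/tls_cacertdir: no trust anchor for the server certificate")
    return findings
```

Running parse_nslcd on the sample yields both "base passwd" DNs for the passwd map and no audit findings; feeding it a fragment with tls_reqcert never and plain ldap:// URIs shows exactly the misconfigurations the troubleshooting step above is meant to surface.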