{"id":672,"date":"2016-10-06T14:37:39","date_gmt":"2016-10-06T12:37:39","guid":{"rendered":"http:\/\/drfugazi.eu.org\/?p=672"},"modified":"2016-10-14T14:12:50","modified_gmt":"2016-10-14T12:12:50","slug":"linux-ldap-client-configuration","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/linux-ldap-client-configuration\/","title":{"rendered":"Linux LDAP client configuration"},"content":{"rendered":"<p>The simplest way to configure an LDAP client in Linux is to use the tool delivered with the system: SuSE has yast (yast2), the RedHat family has authconfig (authconfig-tui). This should install the required packages, such as nss-pam-ldapd, nscd, pam_ldap, ldapclient etc. Unfortunately I don&#8217;t remember the list of packages for each particular distribution, because I configured it on SuSE, RHEL and CentOS.<br \/>\nIt is hard to describe the LDAP configuration here for every Linux distribution, so my advice is to use the &#8220;vendor&#8221; documentation, as I did. From my side, I would like to add the list of configuration files (with examples) which one should review or fix in case the wizard fails, because nowadays it is getting harder to find documentation for real admins operating directly on files from the console (CLI).<\/p>\n<p>RedHat\/CentOS: \/etc\/nslcd.conf (example configuration)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nuri ldap:\/\/ldapsrvp01\/ ldap:\/\/ldapsrvp02\/\r\nldap_version 3\r\nbase dc=mycompany,dc=com\r\nscope sub\r\nbase   group  ou=Groups,o=mycompany,dc=mycompany,dc=com\r\nbase   passwd ou=people,o=mycompany,dc=mycompany,dc=com\r\nbase   passwd ou=people,o=customer,dc=mycompany,dc=com\r\nbase   shadow ou=people,o=mycompany,dc=mycompany,dc=com\r\nbase   shadow ou=people,o=customer,dc=mycompany,dc=com\r\nscope  group  onelevel\r\nssl start_tls\r\ntls_reqcert demand\r\ntls_cacertfile \/etc\/openldap\/certs\/cacert.pem\r\nfilter  passwd (objectClass=posixAccount)\r\nfilter  shadow (objectClass=shadowAccount)\r\n<\/pre>\n<p>I have also not found information on how to configure more advanced queries that can search more than one branch of the LDAP tree, e.g.:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n(&amp;(objectClass=posixAccount)(|(ou=people,o=mycompany,dc=mycompany,dc=com)(ou=people,o=customer,dc=mycompany,dc=com)))\r\n<\/pre>\n<p>that&#8217;s why I had to test it myself, and in conclusion I found that attributes (like &#8220;base passwd&#8221;) can be defined more than once (see above).<\/p>\n<p>SuSE: \/etc\/ldap.conf &#8211; LDAP client configuration, similar to \/etc\/nslcd.conf in RedHat\/CentOS, but here the queries are written more in the LDAP convention, e.g.:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nbase    dc=mycompany,dc=com\r\nscope   sub\r\n\r\nnss_schema      rfc2307bis\r\nnss_map_attribute       uniqueMember member\r\n\r\nuri     ldap:\/\/ldapsrvp01 ldap:\/\/ldapsrvp02\r\nldap_version    3\r\npam_filter      objectClass=posixAccount\r\nnss_base_passwd ou=people,o=mycompany,dc=mycompany,dc=com?sub?|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=customer-test,ou=groups,o=mycompany,dc=mycompany,dc=com)\r\nnss_base_shadow ou=people,o=mycompany,dc=mycompany,dc=com?sub?|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=customer-test,ou=groups,o=mycompany,dc=mycompany,dc=com)\r\nnss_base_group  ou=Groups,o=mycompany,dc=mycompany,dc=com\r\nnss_base_automount      ou=services,dc=mycompany,dc=com\r\n\r\ntls_cacertfile  \/etc\/ssl\/ldap-ca.pem\r\nssl     start_tls\r\ntls_cacertdir   \/etc\/ssl\r\n<\/pre>\n<p>\/etc\/nscd.conf (here you should disable the cache for passwd and group)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n        enable-cache            passwd          no\r\n...\r\n        enable-cache            group           no\r\n<\/pre>\n<p>There is also &#8216;debug-level&#8217;, which can be useful during troubleshooting:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n        debug-level             0\r\n<\/pre>\n<p>\/etc\/openldap\/ldap.conf (on some distributions \/etc\/ldap\/ldap.conf) &#8211; general LDAP client configuration<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nBASE dc=mycompany,dc=com\r\nURI ldap:\/\/ldapsrvp01 ldap:\/\/ldapsrvp02\r\n#TLS_CACERT \/etc\/openldap\/certs\/cacert.pem\r\nTLS_CACERT \/etc\/ssl\/ldap-ca.pem\r\nTLS_REQCERT demand\r\n<\/pre>\n<p>\/etc\/nsswitch.conf &#8211; repository configuration for users, groups and services<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\npasswd: compat\r\ngroup:  files ldap\r\n\r\nhosts:  files dns\r\nnetworks:       files dns\r\n\r\nservices:       files ldap\r\nprotocols:      files\r\nrpc:    files\r\nethers: files\r\nnetmasks:       files\r\nnetgroup:       files ldap\r\npublickey:      files\r\n\r\nbootparams:     files\r\nautomount:      files ldap\r\naliases:        files ldap\r\npasswd_compat:  ldap\r\n<\/pre>\n<p>\/etc\/ssl\/ldap-ca.pem, \/etc\/openldap\/certs\/cacert.pem or another path to the CA certificate file with which the LDAP server certificate is signed. In most cases it is the encrypted connection between the LDAP client and the server that you will not be able to get working. In most cases this is also the first point where you should start troubleshooting: check whether your configuration works when you disable TLS\/SSL &#8211; if yes, verify your certificates &#8211; if no, you can proceed to the next steps.<\/p>","protected":false},"excerpt":{"rendered":"<p>The simplest way to configure an LDAP client in Linux is to use the tool delivered with the system: SuSE has yast (yast2), the RedHat family has authconfig (authconfig-tui). 
This should install required packages like:&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":675,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[115,98],"tags":[6,99]}