Connecting Debian based systems to OpenLDAP
Why is LDAP Important?
Most compliance frameworks now require that users authenticate to IT resources against a centralized authentication store. This ensures proper auditing and logging of successful and unsuccessful login attempts, and lets you enforce a single password policy across systems. There are many ways to accomplish this, one of which is the Lightweight Directory Access Protocol (LDAP). LDAP has its roots in work done at the University of Michigan in 1993. Today there are many LDAP server implementations, one of which is OpenLDAP, a free, open source platform that provides the features auditors look for during compliance audits. This post walks through connecting a Debian-based system (Debian, Ubuntu, or Raspberry Pi OS) to an OpenLDAP centralized authentication server.
Installing the OpenLDAP client is a fairly simple process. First, install the following packages (libnss-ldap and libpam-ldap are the classic nss_ldap/pam_ldap modules, both configured through /etc/ldap.conf):
sudo apt update
sudo apt-get -y install libnss-ldap libpam-ldap ldap-utils nscd
During installation, debconf will walk you through the following prompts to configure the client for your OpenLDAP server. The answers are written to /etc/ldap.conf.
Configuring OpenLDAP to Debian Based Systems
Enter the URI of the LDAP server – ‘ldap://ldap.example.net’ (a plain ldap:// connection on port 389 sends bind passwords in cleartext; use ldaps:// or enable STARTTLS in /etc/ldap.conf afterwards)
Enter your LDAP search base – ‘dc=example,dc=net’
Select version 3 and click ‘Ok’
Select ‘Yes’ to make the local root user the database admin (this lets root on this host change LDAP passwords via the rootbinddn account)
Select ‘No’ when asked whether the LDAP database requires login, since there is currently no dedicated account for making an LDAP bind (lookups use an anonymous bind)
Enter the DN of the LDAP admin account (for example, cn=admin,dc=example,dc=net); this becomes the rootbinddn setting
Enter the LDAP admin password (it is stored in /etc/ldap.secret, mode 0600, readable only by root)
Edit the common-session file in /etc/pam.d so that a home directory is created automatically the first time a new LDAP user logs in. Add the following line after the block managed by pam-auth-update (after the ‘# end of pam-auth-update config’ marker) so it is not removed the next time pam-auth-update runs; umask=077 keeps the new home directory private to its owner:
sudo vim /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel umask=077
Edit the nsswitch.conf file – sudo vim /etc/nsswitch.conf – and append ldap to the passwd, group, and shadow lines so that lookups fall through to the directory after the local files have been checked.
Troubleshooting OpenLDAP Configurations
If by chance you run into issues after the installation, tail /var/log/auth.log. You may see the following error message:
nss_ldap: failed to bind to LDAP server ldapi://ldap.example.net:389/: Can’t contact LDAP server
If you see that error message, review /etc/ldap.conf and ensure the uri, base (search base), ldap_version, and rootbinddn settings are correct. Note the scheme in the message: ldapi:// refers to a local Unix socket, not a TCP connection to a remote host, so if your uri line reads ldapi:// rather than ldap:// or ldaps:// that is the first thing to fix. Once verified, restart the name service cache so nscd stops serving the cached failure:
sudo systemctl restart nscd.service
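The following script is an added example, not code from the original post. It checks the four /etc/ldap.conf settings the troubleshooting step tells you to verify (uri, base, ldap_version, rootbinddn), warns when a plain ldap:// URI is used without STARTTLS, and confirms that /etc/nsswitch.conf actually lists ldap for the passwd, group, and shadow databases, which is the nsswitch change the configuration steps require. The sample files it creates are constructed for the example; the good sample reflects what the debconf prompts write plus the STARTTLS directives (ssl start_tls, tls_cacertfile, tls_checkpeer) that the prompts do not set, and the CA bundle path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the client-side LDAP
# configuration. Run against the live files with:
#   check_ldap_conf /etc/ldap.conf; check_nsswitch /etc/nsswitch.conf

# Return 0 if FILE has a usable uri, a base, ldap_version 3 and a rootbinddn;
# print each problem found and return 1 otherwise.
check_ldap_conf() {
    f="$1"
    rc=0
    uri=$(awk '$1 == "uri" { print $2; exit }' "$f")
    base=$(awk '$1 == "base" { print $2; exit }' "$f")
    ver=$(awk '$1 == "ldap_version" { print $2; exit }' "$f")
    binddn=$(awk '$1 == "rootbinddn" { print $2; exit }' "$f")

    case "$uri" in
        ldaps://*) ;;                      # TLS from the first byte: fine
        ldap://*)
            # plain ldap:// sends the rootbinddn password in cleartext unless STARTTLS is on
            if ! grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$f"; then
                echo "$f: uri '$uri' is cleartext and 'ssl start_tls' is not set"
                rc=1
            fi ;;
        ldapi://*)
            # ldapi:// is a local Unix socket, not a TCP connection to a remote host
            echo "$f: uri '$uri' cannot reach a remote server; use ldap:// or ldaps://"
            rc=1 ;;
        *)
            echo "$f: uri is missing or unrecognised ('$uri')"
            rc=1 ;;
    esac
    [ -n "$base" ]   || { echo "$f: base (search base) is missing"; rc=1; }
    [ "$ver" = "3" ] || { echo "$f: ldap_version should be 3 (got '${ver:-unset}')"; rc=1; }
    [ -n "$binddn" ] || { echo "$f: rootbinddn is missing"; rc=1; }
    return $rc
}

# Return 0 if the passwd, group and shadow lines of FILE all list the ldap source.
check_nsswitch() {
    f="$1"
    rc=0
    for db in passwd group shadow; do
        if ! awk -v db="$db" '
            index($0, db ":") == 1 {
                n = split(substr($0, length(db) + 2), src, " ")
                for (i = 1; i <= n; i++) if (src[i] == "ldap") found = 1
            }
            END { exit !found }' "$f"; then
            echo "$f: the '$db:' line does not list ldap"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files so the checks can be exercised without touching /etc.
write_samples() {
    dir="$1"
    # what the debconf prompts write, plus the STARTTLS lines the prompts do not set
    # (the CA bundle path is an assumption for this example)
    cat > "$dir/ldap.good.conf" <<'EOF'
base dc=example,dc=net
uri ldap://ldap.example.net/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=net
ssl start_tls
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
tls_checkpeer yes
EOF
    # the kind of file behind a "Can't contact LDAP server" message: wrong scheme,
    # old protocol version, no rootbinddn
    cat > "$dir/ldap.bad.conf" <<'EOF'
base dc=example,dc=net
uri ldapi://ldap.example.net:389/
ldap_version 2
EOF
    cat > "$dir/nsswitch.good" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
    cat > "$dir/nsswitch.bad" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for c in "$tmp/ldap.good.conf" "$tmp/ldap.bad.conf"; do
    check_ldap_conf "$c" && echo "$c: ok"
done
for n in "$tmp/nsswitch.good" "$tmp/nsswitch.bad"; do
    check_nsswitch "$n" && echo "$n: ok"
done
rm -rf "$tmp"
```

Once the local files pass, confirm the live path end to end: getent passwd followed by an LDAP user's name should return the entry from the directory, and ldapsearch -x -ZZ -H ldap://ldap.example.net -b dc=example,dc=net should succeed with STARTTLS (the -ZZ flag makes ldapsearch fail rather than fall back to cleartext if the server cannot negotiate TLS). Remember to restart nscd after every change to /etc/ldap.conf, since it caches failed lookups as well as successful ones.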