Connecting Debian based systems to OpenLDAP

Why is LDAP Important?

Most compliance frameworks now require that users authenticate to IT resources against a centralized authentication store. This ensures proper auditing and logging of successful and failed login attempts, and lets you enforce a single password policy across systems. There are many ways to accomplish this, one of which is the Lightweight Directory Access Protocol (LDAP). LDAP was developed at the University of Michigan in 1993. Today there are many LDAP server implementations, one of which is OpenLDAP, a free, open-source platform that provides the features auditors look for when performing compliance audits. This post walks through connecting a Debian-based system (Debian, Ubuntu, or Raspberry Pi OS) to an OpenLDAP server for centralized authentication.

OpenLDAP Installation

Installing the OpenLDAP client side is a fairly simple process. First install the following packages:

sudo apt-get update
sudo apt-get -y install libnss-ldap libpam-ldap ldap-utils nscd

libnss-ldap lets the system resolve users and groups from LDAP, libpam-ldap authenticates passwords against it, ldap-utils provides ldapsearch and related tools for testing, and nscd caches lookups so the directory is not queried on every name resolution.
Once the packages are installed, debconf walks you through the following prompts to configure the client to connect to the OpenLDAP server. The answers are written to /etc/ldap.conf; you can revisit them later with sudo dpkg-reconfigure libnss-ldap and sudo dpkg-reconfigure libpam-ldap.

Configuring Debian Based Systems for OpenLDAP

LDAP server URI – ‘ldap://ldap.example.net’. A plain ldap:// URI sends every bind password in cleartext; in production use ‘ldaps://ldap.example.net’ or keep ldap:// and add ‘ssl start_tls’ together with a ‘tls_cacertfile’ line to /etc/ldap.conf so the connection is upgraded with STARTTLS and the server certificate is verified.

LDAP search base – ‘dc=example,dc=net’. This must match the suffix of the directory the server hosts.

LDAP version – select 3 and choose ‘Ok’ (version 2 is obsolete).

Make local root database admin – select ‘Yes’. This lets the local root account use the LDAP admin credentials, for example when running passwd for an LDAP user.

Does the LDAP database require login? – select ‘No’. There is currently no dedicated bind account, so lookups will be made anonymously.

LDAP account for root – enter the DN of the LDAP admin account (for example ‘cn=admin,dc=example,dc=net’; use whatever your directory actually defines). This becomes the rootbinddn setting in /etc/ldap.conf.

LDAP root account password – enter the admin password. It is stored in /etc/ldap.secret, which must remain owned by root with mode 600, since anyone who can read it holds full write access to the directory.

Edit the common-session file in the /etc/pam.d directory so that a home directory is created automatically the first time an LDAP user logs in:

sudo vim /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel umask=077

The umask of 077 makes each new home directory readable only by its owner. Put the line below the ‘# end of pam-auth-update config’ marker rather than inside the managed block, otherwise the next run of pam-auth-update will remove it.

Edit the nsswitch.conf file (sudo vim /etc/nsswitch.conf) and append ldap to the passwd, group and shadow lines, for example ‘passwd: compat ldap’, so that account lookups fall through to the directory after the local files. The shadow line is what allows the client to read password hashes via the rootbinddn account.
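The steps above touch four files, and a single missed line (no ldap on the shadow entry, a world-readable /etc/ldap.secret, no STARTTLS) silently weakens the result. The following script is an added example, not part of the original post: it audits an nss_ldap/pam_ldap client configuration for the settings discussed above and returns the number of findings. File paths, the hostname ldap.example.net and the admin DN cn=admin,dc=example,dc=net are assumptions; the sample files it checks at the bottom are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an nss_ldap/pam_ldap
# client configuration before relying on it for logins. It reads the files the
# walkthrough edits, reports missing or insecure settings, and returns the
# number of findings. Paths default to the real system files; the self-test at
# the bottom runs against constructed copies so it works offline.

# First value of a keyword in an /etc/ldap.conf-style file.
conf_val() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

check_ldap_client() {
    ldapconf=${1:-/etc/ldap.conf}
    nsswitch=${2:-/etc/nsswitch.conf}
    session=${3:-/etc/pam.d/common-session}
    secret=${4:-/etc/ldap.secret}
    findings=0

    # The four settings the troubleshooting step says to verify.
    for key in uri base ldap_version rootbinddn; do
        [ -n "$(conf_val "$ldapconf" "$key")" ] ||
            { echo "MISSING: '$key' not set in $ldapconf"; findings=$((findings + 1)); }
    done
    [ "$(conf_val "$ldapconf" ldap_version)" = 3 ] ||
        { echo "WARN: ldap_version should be 3"; findings=$((findings + 1)); }

    # Plain ldap:// sends bind passwords and password hashes in the clear
    # unless STARTTLS is switched on with 'ssl start_tls'.
    uri=$(conf_val "$ldapconf" uri)
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$ldapconf" ||
                { echo "INSECURE: $uri without 'ssl start_tls'"; findings=$((findings + 1)); } ;;
        *) echo "WARN: unexpected uri '$uri'"; findings=$((findings + 1)) ;;
    esac

    # The rootbinddn password lives in /etc/ldap.secret and must be root-only.
    if [ -n "$(conf_val "$ldapconf" rootbinddn)" ]; then
        if [ ! -f "$secret" ]; then
            echo "MISSING: rootbinddn set but $secret does not exist"; findings=$((findings + 1))
        elif [ "$(stat -c %a "$secret")" != 600 ]; then
            echo "INSECURE: $secret is mode $(stat -c %a "$secret"), must be 600"; findings=$((findings + 1))
        fi
    fi

    # NSS only asks LDAP for accounts if the database lines list it.
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|\$)" "$nsswitch" ||
            { echo "MISSING: '$db' line in $nsswitch does not include ldap"; findings=$((findings + 1)); }
    done

    # Home directories are only created if pam_mkhomedir is in the session stack.
    grep -Eq '^[[:space:]]*session.*pam_mkhomedir\.so' "$session" ||
        { echo "MISSING: pam_mkhomedir.so not in $session"; findings=$((findings + 1)); }

    return "$findings"
}

# Constructed sample files (hypothetical host/DN): one set as the walkthrough
# should leave them, one set with the mistakes this script is meant to catch.
make_samples() {
    dir=$1
    printf '%s\n' 'uri ldap://ldap.example.net' 'base dc=example,dc=net' 'ldap_version 3' \
        'rootbinddn cn=admin,dc=example,dc=net' 'ssl start_tls' \
        'tls_cacertfile /etc/ssl/certs/ca-certificates.crt' >"$dir/ldap.good.conf"
    printf '%s\n' 'passwd: compat ldap' 'group: compat ldap' 'shadow: compat ldap' >"$dir/nsswitch.good.conf"
    printf '%s\n' 'session required pam_mkhomedir.so skel=/etc/skel umask=077' >"$dir/session.good"
    printf 'secret\n' >"$dir/secret.good"; chmod 600 "$dir/secret.good"

    # Bad: no STARTTLS, shadow not served by LDAP, no mkhomedir, readable secret.
    printf '%s\n' 'uri ldap://ldap.example.net' 'base dc=example,dc=net' 'ldap_version 3' \
        'rootbinddn cn=admin,dc=example,dc=net' >"$dir/ldap.bad.conf"
    printf '%s\n' 'passwd: compat ldap' 'group: compat ldap' 'shadow: compat' >"$dir/nsswitch.bad.conf"
    printf '%s\n' 'session required pam_unix.so' >"$dir/session.bad"
    printf 'secret\n' >"$dir/secret.bad"; chmod 644 "$dir/secret.bad"
}

demo=$(mktemp -d)
make_samples "$demo"
echo "== good =="
check_ldap_client "$demo/ldap.good.conf" "$demo/nsswitch.good.conf" "$demo/session.good" "$demo/secret.good" || echo "$? finding(s)"
echo "== bad =="
check_ldap_client "$demo/ldap.bad.conf" "$demo/nsswitch.bad.conf" "$demo/session.bad" "$demo/secret.bad" || echo "$? finding(s)"
rm -rf "$demo"
```

Run it with no arguments on a freshly configured host to audit the real /etc/ldap.conf, /etc/nsswitch.conf, /etc/pam.d/common-session and /etc/ldap.secret; a non-zero exit status is the number of problems found. The ldap:// check is deliberately strict: the debconf wizard accepts a plain ldap:// URI without comment, and that is the single most common way these setups end up sending the admin bind password across the network in the clear.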

Troubleshooting OpenLDAP Configurations

If you run into issues after the installation, tail /var/log/auth.log. You may see the following error message:

nss_ldap: failed to bind to LDAP server ldapi://ldap.example.net:389/: Can't contact LDAP server

If you see that message, review /etc/ldap.conf and ensure that the uri, base, ldap_version and rootbinddn settings are correct (and, if you enabled STARTTLS, that tls_cacertfile points at the CA that signed the server certificate). Note that nscd keeps the old configuration loaded and may keep serving cached negative lookups, so after any change you must restart it:
sudo systemctl restart nscd.service
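The troubleshooting step amounts to: find the bind failures, see which server the library actually tried, and compare that with what /etc/ldap.conf says. The following script is an added example, not part of the original post, that does exactly that over a log file so you do not have to eyeball auth.log by hand. The log lines it tests against are constructed, and the hostname ldap.example.net is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): triage nss_ldap bind failures in
# auth.log. Given a log file and the client config, it reports how many binds
# failed, which URI the library actually tried, and whether that URI still
# matches /etc/ldap.conf (if not, nscd is still serving the old configuration).
# Returns the number of failed-bind lines.

triage_nss_ldap() {
    log=$1
    ldapconf=${2:-/etc/ldap.conf}
    configured=$(awk '$1 == "uri" { print $2; exit }' "$ldapconf")

    # grep -c prints 0 but exits 1 when nothing matches; keep the count anyway.
    failures=$(grep -c 'nss_ldap: failed to bind to LDAP server' "$log" || true)
    if [ "$failures" -eq 0 ]; then
        echo "OK: no nss_ldap bind failures in $log"
        return 0
    fi
    echo "$failures nss_ldap bind failure(s) in $log"

    # Distinct server URIs the library reported trying to bind to.
    sed -n 's/.*failed to bind to LDAP server \([^ ]*\): .*/\1/p' "$log" | sort -u |
    while read -r tried; do
        case "$tried" in
            ldapi://*) echo "  $tried: ldapi:// is the Unix-socket scheme, so a host:port after it points to a mistyped uri line" ;;
        esac
        if [ "$tried" != "$configured" ]; then
            echo "  tried $tried but $ldapconf has uri $configured: restart nscd so the new config is read"
        else
            echo "  tried $tried (matches $ldapconf): check DNS, the firewall, and that slapd is listening"
        fi
    done
    return "$failures"
}

# Constructed sample input (not from a real system): two bind failures among
# ordinary sshd lines, and a config that already points at a corrected URI.
write_sample_log() {
    dir=$1
    cat >"$dir/auth.log" <<'EOF'
Mar  4 10:01:12 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51322 ssh2
Mar  4 10:02:40 web1 sshd[2250]: nss_ldap: failed to bind to LDAP server ldapi://ldap.example.net:389/: Can't contact LDAP server
Mar  4 10:02:41 web1 sshd[2250]: nss_ldap: failed to bind to LDAP server ldapi://ldap.example.net:389/: Can't contact LDAP server
Mar  4 10:02:41 web1 sshd[2250]: Invalid user bob from 10.0.0.9
EOF
    printf '%s\n' 'uri ldap://ldap.example.net' 'base dc=example,dc=net' >"$dir/ldap.conf"
}

demo=$(mktemp -d)
write_sample_log "$demo"
triage_nss_ldap "$demo/auth.log" "$demo/ldap.conf" || echo "exit status $?"
rm -rf "$demo"
```

On a real host run it as triage_nss_ldap /var/log/auth.log. For a live check that does not depend on the logs, ldapsearch from ldap-utils can be pointed at the configured server directly, for example ldapsearch -x -H ldap://ldap.example.net -b dc=example,dc=net -s base (add -ZZ to require STARTTLS); if that fails with the same "Can't contact LDAP server" message, the problem is network, DNS or slapd rather than the client configuration.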
