LDAP client side setup

Several files need editing to enable LDAP access. The lines or blocks of directives that require changing are shown below; lines that are left alone are omitted for clarity:-

[root@inet03 pam.d]# more /etc/ldap.conf
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
# LDAP servers to contact, given as a space-separated list.
# NOTE(review): no ssl/TLS directive appears in this excerpt. Unless one of the
# lines not shown sets `ssl start_tls` (or an ldaps:// uri) together with
# `tls_checkpeer yes`, name-service lookups and the PAM module's binds, which
# carry user passwords, would cross the network unencrypted - confirm.
host inet02 inet01

# The distinguished name of the search base.
#base dc=example,dc=com
base dc=prod,dc=company,dc=net
[root@inet03 pam.d]# more /etc/nsswitch.conf
# /etc/nsswitch.conf
# Each line names a database and the sources consulted for it, left to right.

# Account databases: local files are consulted before the LDAP directory.
# NOTE(review): serving the shadow map from LDAP only works if this client can
# read password hashes from the directory; confirm the server ACLs do not
# expose userPassword to anonymous or unprivileged binds.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
# Host names come from local files and DNS only, not from LDAP.
hosts:      files dns

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap

netgroup:   files ldap

# NOTE(review): nisplus looks like a leftover from the stock file - confirm it is intended.
publickey:  nisplus

automount:  files ldap
aliases:    files
[root@inet03 pam.d]# cat /etc/openldap/ldap.conf
#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
#URI ldap://
# Directory servers used by the OpenLDAP client library and tools such as ldapsearch.
# NOTE(review): an ldap:// URI does not start TLS on its own; the connection is
# only encrypted if the client requests StartTLS (for example ldapsearch -ZZ)
# or the URIs are changed to ldaps://. Confirm which one is intended.
URI ldap://inet02 ldap://inet01

#BASE dc=example,dc=com
# Default search base for client tools.
BASE dc=prod,dc=company,dc=net

# Directory holding the CA certificates used to verify the server certificate
# when TLS is negotiated. TLS_REQCERT is not set in this excerpt; keep it at
# `demand` so that a server with a bad certificate is rejected.
TLS_CACERTDIR /etc/openldap/cacerts
[root@inet03 pam.d]#

Add the pam_mkhomedir module to /etc/pam.d/sshd to create home directories automatically:-

[root@inet03 pam.d]# cat sshd
# PAM stack for sshd: the auth, account, password and session phases each
# include the shared system-auth stack.
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
# Creates a missing home directory from /etc/skel/ when the session opens;
# umask=0077 leaves the new directory accessible to its owner only.
# NOTE(review): sshd runs this stack only when UsePAM is enabled in
# sshd_config - confirm.
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_loginuid.so

You can also add this line to a PAM file such as /etc/pam.d/sshd to restrict which users may log in:-

# Account-phase check: pam_access evaluates the rules in the file named by
# accessfile= rather than its default access file. Because the entry is
# "required", a deny result fails the account phase for this service.
# NOTE(review): the check applies to every account that uses this service,
# local administrative accounts included - confirm they have an allow rule.
account    required     pam_access.so accessfile=/etc/security/access-login.conf

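Users must additionally be listed in /etc/security/access-login.conf to be allowed to log in. pam_access grants access when no rule in the file matches, so this holds only if the file ends with a catch-all deny rule such as "- : ALL : ALL".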

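Test LDAP access with ldapsearch -x. The -x option selects simple authentication rather than SASL and, with no bind DN given, binds anonymously; add -ZZ to require a successful StartTLS so that the test also exercises the certificates in TLS_CACERTDIR.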

