====== LDAP client side setup ======

Several files need editing to enable LDAP access. The lines or blocks of directives which require changing are shown below; lines which are left alone are omitted for clarity.

The nss_ldap / pam_ldap configuration, pointing at the two directory servers and the production search base:

<code>
[root@inet03 pam.d]# more /etc/ldap.conf
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
host inet02 inet01

# The distinguished name of the search base.
#base dc=example,dc=com
base dc=prod,dc=company,dc=net
</code>

The name service switch, with ldap added after files for the user, group and netgroup databases (files stays first so local accounts such as root still resolve when the directory is unreachable):

<code>
[root@inet03 pam.d]# more /etc/nsswitch.conf
#
# /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
#hosts:     db files nisplus nis dns
hosts:      files dns
ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files
</code>

The OpenLDAP client library configuration used by the command line tools (ldapsearch and friends):

<code>
[root@inet03 pam.d]# cat /etc/openldap/ldap.conf
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#URI ldap://127.0.0.1/
URI ldap://inet02 ldap://inet01
#BASE dc=example,dc=com
BASE dc=prod,dc=company,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
[root@inet03 pam.d]#
</code>

Note that TLS_CACERTDIR only says where the CA certificates live; the URIs are plain ldap:// and nothing shown here requests STARTTLS, so binds and lookups cross the network in the clear until you add ''ssl start_tls'' (and ''tls_checkpeer yes'') to /etc/ldap.conf and ''TLS_REQCERT demand'' to /etc/openldap/ldap.conf, with the servers' CA certificate placed in the cacerts directory.

Add the pam_mkhomedir module to /etc/pam.d/sshd to create home directories automatically on first login (umask=0077 keeps the new directory private to its owner):

<code>
[root@inet03 pam.d]# cat sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_loginuid.so
</code>

To restrict which directory users may log in, you can also add this line to a PAM file such as /etc/pam.d/sshd:

<code>
account    required     pam_access.so accessfile=/etc/security/access-login.conf
</code>

Users must then additionally be listed in /etc/security/access-login.conf to be allowed to log in. The file uses the access.conf(5) format (''permission : users : origins'', first matching rule wins), and pam_access permits any login that no rule matches, so the list of allowed users must be followed by a final ''- : ALL : ALL'' rule or the restriction does nothing.

Test LDAP access with ''ldapsearch -x'' (an anonymous simple bind using the URI and BASE from /etc/openldap/ldap.conf). Once STARTTLS is configured, test with ''ldapsearch -x -ZZ'' so the command fails instead of silently falling back to cleartext.

====== Passwordless login with ssh and LDAP ======

[[https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap]]
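The pam_access rule in the LDAP client side setup section above only restricts logins if access-login.conf ends with a deny-all rule. The shell script below is an added example, not part of the original page or of Linux-PAM: it emulates the first-match evaluation that pam_access.so applies to an access.conf-style file, so a policy can be checked against a user and origin before it is relied on. The policy contents, user names and temporary file path are constructed for the example; only ALL, LOCAL and literal user and origin tokens are handled, not group, netgroup or EXCEPT syntax.

```shell
#!/bin/sh
# Added example: emulate pam_access.so first-match evaluation of an
# access.conf-style file. Sample policies and users are constructed here
# and are not the page's real /etc/security/access-login.conf.

# Constructed sample policy WITH the closing deny-all rule.
write_strict_policy() {
    cat > "$1" <<'EOF'
# permission : users : origins   (constructed sample for this example)
+ : root : LOCAL
+ : alice bob : ALL
- : ALL : ALL
EOF
}

# Same list WITHOUT the deny-all rule: anyone not listed still gets in,
# because pam_access allows a login that matches no rule.
write_open_policy() {
    cat > "$1" <<'EOF'
+ : root : LOCAL
+ : alice bob : ALL
EOF
}

# usage: access_decision FILE USER ORIGIN  -> prints "permit" or "deny"
# Handles ALL, LOCAL and literal tokens only (no groups, netgroups, EXCEPT).
access_decision() {
    awk -F: -v user="$2" -v origin="$3" '
        # A token matches if it is ALL, the literal value, or LOCAL for an
        # origin without a dot (pam_access treats dotless origins as local).
        function inlist(field, value, isorigin,    n, i, tok) {
            n = split(field, tok, " ")
            for (i = 1; i <= n; i++) {
                if (tok[i] == "ALL" || tok[i] == value) return 1
                if (isorigin && tok[i] == "LOCAL" && index(value, ".") == 0) return 1
            }
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        NF >= 3 {
            perm = $1; gsub(/[ \t]/, "", perm)
            if (inlist($2, user, 0) && inlist($3, origin, 1)) {
                verdict = (perm == "+") ? "permit" : "deny"
                print verdict; found = 1; exit   # first matching rule wins
            }
        }
        END { if (!found) print "permit" }       # no rule matched: pam_access allows
    ' "$1"
}

# Demo: show how the two policies treat a listed user, an unlisted user and root
# arriving from a remote address (constructed origin 10.0.0.5).
policy="${TMPDIR:-/tmp}/access-login.conf.$$"
for writer in write_strict_policy write_open_policy; do
    $writer "$policy"
    for who in alice mallory root; do
        printf '%-20s %-8s from 10.0.0.5: %s\n' "$writer" "$who" \
            "$(access_decision "$policy" "$who" 10.0.0.5)"
    done
done
rm -f "$policy"
```

With the strict policy, mallory and a remote root are denied; with the open policy, mallory is permitted even though no rule names him, which is exactly the gap a missing ''- : ALL : ALL'' leaves in a production access-login.conf.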