LDAP client side setup
Several files need editing to enable LDAP access. The lines or blocks of directives that need changing are shown below; lines that are left alone are omitted for clarity:-
  [root@inet03 pam.d]# more /etc/ldap.conf
  # This is the configuration file for the LDAP nameservice
  # switch library and the LDAP PAM module.
  #
  host inet02 inet01

  # The distinguished name of the search base.
  #base dc=example,dc=com
  base dc=prod,dc=company,dc=net
  [root@inet03 pam.d]# more /etc/nsswitch.conf
  #
  # /etc/nsswitch.conf
  passwd:     files ldap
  shadow:     files ldap
  group:      files ldap
  #hosts:     db files nisplus nis dns
  hosts:      files dns
  ethers:     files
  netmasks:   files
  networks:   files
  protocols:  files ldap
  rpc:        files
  services:   files ldap
  netgroup:   files ldap
  publickey:  nisplus
  automount:  files ldap
  aliases:    files
  [root@inet03 pam.d]# cat /etc/openldap/ldap.conf
  #BASE   dc=example, dc=com
  #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
  #SIZELIMIT      12
  #TIMELIMIT      15
  #DEREF          never
  #URI ldap://127.0.0.1/
  URI ldap://inet02 ldap://inet01
  #BASE dc=example,dc=com
  BASE dc=prod,dc=company,dc=net
  TLS_CACERTDIR /etc/openldap/cacerts
  [root@inet03 pam.d]#

Note that as shown, both files talk plain ldap:// to inet02/inet01 and /etc/ldap.conf has no "ssl start_tls" line, so pam_ldap sends users' passwords to the directory in the clear. TLS_CACERTDIR in /etc/openldap/ldap.conf only takes effect once TLS is actually requested (an ldaps:// URI or ldapsearch -ZZ); enable start_tls on the client before relying on this setup.
Add the pam_mkhomedir module to /etc/pam.d/sshd so that home directories are created automatically at first login:-
  [root@inet03 pam.d]# cat sshd
  #%PAM-1.0
  auth       include      system-auth
  account    required     pam_nologin.so
  account    include      system-auth
  password   include      system-auth
  session    optional     pam_keyinit.so force revoke
  session    include      system-auth
  session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
  session    required     pam_loginuid.so
You can also add the following line to a PAM service file such as /etc/pam.d/sshd to restrict who may log in over that service:-

  account    required     pam_access.so accessfile=/etc/security/access-login.conf

Users must then additionally be listed in /etc/security/access-login.conf (directly, or via a group in parentheses) to be allowed to log in. pam_access evaluates the file top to bottom and the first matching "permission : users : origins" line wins; if no line matches, access is granted, so the file should end with a "- : ALL : ALL" line.
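The following is an added example, not part of the original page: a small POSIX sh evaluator of pam_access-style rules, so that a proposed access-login.conf can be checked for a given user and origin before it is put in place and someone is locked out. The rule file, the group membership and the user names (alice, bob, carol, dave, ldapadmins) are constructed for the example; it handles only the forms used here (ALL, a user name, a (group) name, an origin name) and not EXCEPT lists, netmask or TTY origins.

```shell
#!/bin/sh
# Added example (not from the original page): predict what
#   account required pam_access.so accessfile=/etc/security/access-login.conf
# would decide for USER logging in from ORIGIN. Assumption: only the
# rule forms below are supported (no EXCEPT, netmask or TTY origins).

# Constructed sample access file in pam_access(8) format:
#   permission : users : origins      (first matching line wins)
ACCESS_RULES='
# allow root from the console only
+ : root : LOCAL
# LDAP users must be listed here (or belong to a listed group) to log in
+ : alice : ALL
+ : (ldapadmins) : ALL
# everyone else is refused (without this line pam_access allows all)
- : ALL : ALL
'

# Constructed group membership; on a real client use: getent group NAME
group_members() {
    case "$1" in
        ldapadmins) echo "bob carol" ;;
        *) echo "" ;;
    esac
}

# field_matches_user TOKEN USER -> 0 if TOKEN (ALL, name or (group)) covers USER
field_matches_user() {
    tok=$1; user=$2
    case "$tok" in
        ALL) return 0 ;;
        \(*\))
            grp=${tok#\(}; grp=${grp%\)}
            for m in $(group_members "$grp"); do
                [ "$m" = "$user" ] && return 0
            done
            return 1 ;;
        *) [ "$tok" = "$user" ] ;;
    esac
}

# access_check USER ORIGIN -> prints "allow" or "deny"; exit status 0 for allow.
access_check() {
    user=$1; origin=$2
    decision=$(printf '%s\n' "$ACCESS_RULES" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        users=$(printf '%s' "$line" | cut -d: -f2)
        origins=$(printf '%s' "$line" | cut -d: -f3)
        umatch=1
        for u in $users; do
            field_matches_user "$u" "$user" && { umatch=0; break; }
        done
        [ $umatch -eq 0 ] || continue
        omatch=1
        for o in $origins; do
            [ "$o" = ALL ] || [ "$o" = "$origin" ] && { omatch=0; break; }
        done
        [ $omatch -eq 0 ] || continue
        # first line matching both fields decides
        if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
        break
    done)
    # no matching rule: pam_access grants access, hence the catch-all deny line
    [ -n "$decision" ] || decision=allow
    echo "$decision"
    [ "$decision" = allow ]
}

access_check alice 10.0.0.5   # allow  (listed by name)
access_check bob   10.0.0.5   # allow  (member of ldapadmins)
access_check dave  10.0.0.5   # deny   (not listed)
access_check root  LOCAL      # allow  (console only)
access_check root  10.0.0.5   # deny   (remote root)
```

The point of the catch-all: drop the final "- : ALL : ALL" line from the sample rules and dave is allowed in, because pam_access defaults to granting when nothing matches.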
Test LDAP access with an anonymous simple bind against the configured base, e.g. ldapsearch -x -b dc=prod,dc=company,dc=net '(uid=someuser)', then confirm the NSS side with getent passwd someuser and id someuser; if ldapsearch works but getent does not, the problem is in /etc/ldap.conf or /etc/nsswitch.conf rather than the server.
Passwordless login with ssh and LDAP