Set up LDAP Authentication with nslcd on CentOS 7

We will configure LDAP authentication on a CentOS 7 server.

Software

Software used in this article:

  1. CentOS 7
  2. nss-pam-ldapd 0.8.13
  3. nscd 2.17

Installation

The nscd package comes as a dependency for the nss-pam-ldapd and can therefore be omitted.

# yum install -y nss-pam-ldapd nscd

The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.

The file nslcd.conf contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.

LDAP Authentication Configuration

SELinux is set to enforcing mode.

We are going to use an OpenLDAP server which we set up some time ago. Run the authconfig in a text mode. Note that there is a GUI version of the tool available, look for authconfig-gtk.

# authconfig-tui

Our configuration can be seen below.

We use the ldaps protocol and therefore bind to 636 port directly.

Another option is to use StartTLS (see “Use TLS” above). This, however, requires us to have a plain LDAP port 389 open on the network (which we don’t) as the client needs to establish an unencrypted connection with the directory server first. Also note that to connect to an LDAP server with TLS protocol enabled we need a CA certificate which signed out server’s certificate. It has to be in the PEM format and copied to the directory /etc/openldap/cacerts/.

In a case where a self-signed certificate is used, the following parameter should be set in the file /etc/nslcd.conf to avoid getting “peer’s certificate issuer has been marked as not trusted by the use” error:

tls_reqcert never

Once the configuration is complete, it should all be good really assuming the LDAP server allows anonymous read access. In our case it does not, therefore we have to do one more thing and put some authentication credentials to be able to bind successfully.

Open /etc/nslcd.conf and add the following lines:

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=guest,dc=top

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw passwd

Restart the nslcd service:

# systemctl restart nslcd

Try to login with an LDAP user:

# su - ldapuser1
Last login: Sat Mar 19 18:38:42 GMT 2016 on pts/1
su: warning: cannot change directory to /home/ldapuser1: No such file or directory
id: cannot find name for group ID 2001
-bash-4.2$

We can ignore warnings.

$ id
uid=2001(ldapuser1) gid=2001 groups=2001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

These below are purely for future references.

# grep -ve "^$" -ve "^#" /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON    on
URI ldaps://ldap.lisenet.com
BASE ou=Users,dc=lisenet.com,dc=top
# grep -ve "^$" -ve "^#" /etc/nslcd.conf
uid nslcd
gid ldap
uri ldaps://ldap.lisenet.com
base ou=Users,dc=lisenet.com,dc=top
binddn cn=guest,dc=top
bindpw passwd
base group ou=Groups,dc=lisenet.com,dc=top
tls_reqcert never
ssl no
tls_cacertdir /etc/openldap/cacerts
# grep ldap /etc/nsswitch.conf
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
netgroup:   files sss ldap
automount:  files ldap

Troubleshooting

# journalctl -xlf

Also check LDAP server logs.

A note to myself, when setting up LDAP users, ensure that they have a valid loginShell attribute defined, for example /bin/bash. Otherwise we may hit the following issue:

This account is currently not available.

It will happen when a loginShell attribute is set to /sbin/nologin.

11 thoughts on “Set up LDAP Authentication with nslcd on CentOS 7

  1. Hi,

    I followed this procedure (that I can also found on my website) and it’s very easy… I can open very easily a console (local session on my Linux box) But I have a problem when I would like to open a session via OpenSSH Terminal. The LDAP authentication not work.

    Do you known how to tweak OpenSSH to make reference through the NSLCD

    • I’ve just tried this configuration in my test lab, and it works fine. OpenSSH server configuration must have the following line:

      GSSAPIAuthentication yes
    • It does not need to have that line , that’s for kerberos auth
      If it doesn’t work than you’ve done something wrong , which most of the time has something to do with LDAPS/STARTTSL certificates not being trusted , from my experience.

  2. Hi ,

    thank you for this article .it is working with freeipa. when ı used to anonymous bind.

    But how can ı do if ı close to anonymous bind from my ldap server? which configuration ı should add user id and passwd ?

  3. Hi Lisenet.
    What if we need to provide multiple base dn in nslcd file. For example i was trying to authenticate my client with ou=admin and ou=devops only. I have tried with the below entry but it is not restricting the groups.
    base group ou=admin,dc=shakdomain,dc=com
    base group ou=devops,dc=shakdomain,dc=com

  4. Hi,

    My nslcd.service is getting inactive automatically.
    Please suggest how to troubleshoot

    • Please check nslcd logs, also check the journal for any additional info.

      Enable debugging mode, note that nslcd will not put itself in the background but will send verbose debugging info to stderr.

  5. Please check below details:
    ****************************************************************************************************
    EMM002VM002400APP002:/etc# grep -ve “^$” -ve “^#” /etc/openldap/ldap.conf
    TLS_CACERTDIR /etc/openldap/certs
    SASL_NOCANON on
    *************************************************************************************
    EMM002VM002400APP002:/etc# grep -ve “^$” -ve “^#” /etc/nslcd.conf
    uid nslcd
    gid ldap
    uri ldaps://ldaps.vodafone.com.au
    base DC=VHA,DC=internal
    binddn CN=svc_npe_vemm,OU=EricssonSVC,OU=Service Accounts,DC=VHA,DC=internal
    bindpw Asrv@vE33
    tls_reqcert never
    tls_cacertdir /Vodafone/archive/Certificates/LDAP/
    nss_initgroups_ignoreusers root,mmsuper,postgres,vmfuser,pmuser,sftpuser,esauser,ut_test
    map passwd homeDirectory “/home/$uid”
    referrals off
    ************************************************************************************************
    EMM002VM002400APP002:~# grep ldap /etc/nsswitch.conf
    passwd: files sss ldap
    shadow: files sss ldap
    group: files sss ldap
    netgroup: nisplus sss ldap
    automount: files ldap
    ***********************************************************************************************

Leave a Reply

Your email address will not be published. Required fields are marked *