We will configure LDAP authentication on a CentOS 7 server.
Software used in this article:
- CentOS 7.2
- nss-pam-ldapd 0.8.13
- nscd 2.17
The nscd package comes as a dependency for the nss-pam-ldapd and can therefore be omitted.
# yum install -y nss-pam-ldapd nscd
The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.
nslcd.conf contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.
LDAP Authentication Configuration
SELinux is set to enforcing mode.
We are going to use an OpenLDAP server which we set up some time ago. Run the authconfig in a text mode. Note that there is a GUI version of the tool available, look for authconfig-gtk.
Our configuration can be seen below.
We use the ldaps protocol and therefore bind to 636 port directly.
Another option is to use StartTLS (see “Use TLS” above). This, however, requires us to have a plain LDAP port 389 open on the network (which we don’t) as the client needs to establish an unencrypted connection with the directory server first. Also note that to connect to an LDAP server with TLS protocol enabled we need a CA certificate which signed out server’s certificate. It has to be in the PEM format and copied to the directory
In a case where a self-signed certificate is used, the following parameter should be set in the file
/etc/nslcd.conf to avoid getting “peer’s certificate issuer has been marked as not trusted by the use” error:
Once the configuration is complete, it should all be good really assuming the LDAP server allows anonymous read access. In our case it does not, therefore we have to do one more thing and put some authentication credentials to be able to bind successfully.
/etc/nslcd.conf and add the following lines:
# The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn cn=guest,dc=top # The credentials to bind with. # Optional: default is no credentials. # Note that if you set a bindpw you should check the permissions of this file. bindpw passwd
Restart the nslcd service:
# systemctl restart nslcd
Try to login with an LDAP user:
# su - ldapuser1 Last login: Sat Mar 19 18:38:42 GMT 2016 on pts/1 su: warning: cannot change directory to /home/ldapuser1: No such file or directory id: cannot find name for group ID 2001 -bash-4.2$
We can ignore warnings.
$ id uid=2001(ldapuser1) gid=2001 groups=2001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
These below are purely for future references.
# grep -ve "^$" -ve "^#" /etc/openldap/ldap.conf TLS_CACERTDIR /etc/openldap/cacerts SASL_NOCANON on URI ldaps://ldap.lisenet.com BASE ou=Users,dc=lisenet.com,dc=top
# grep -ve "^$" -ve "^#" /etc/nslcd.conf uid nslcd gid ldap uri ldaps://ldap.lisenet.com base ou=Users,dc=lisenet.com,dc=top binddn cn=guest,dc=top bindpw passwd base group ou=Groups,dc=lisenet.com,dc=top tls_reqcert never ssl no tls_cacertdir /etc/openldap/cacerts
# grep ldap /etc/nsswitch.conf passwd: files sss ldap shadow: files sss ldap group: files sss ldap netgroup: files sss ldap automount: files ldap
# journalctl -xlf
Also check LDAP server logs.
A note to myself, when setting up LDAP users, ensure that they have a valid loginShell attribute defined, for example
/bin/bash. Otherwise we may hit the following issue:
This account is currently not available.
It will happen when a loginShell attribute is set to