Set up LDAP Authentication with nslcd on CentOS 7

We will configure LDAP authentication on a CentOS 7 server.

Software

Software used in this article:

  1. CentOS 7.2
  2. nss-pam-ldapd 0.8.13
  3. nscd 2.17

Installation

The nscd package comes as a dependency for the nss-pam-ldapd and can therefore be omitted.

# yum install -y nss-pam-ldapd nscd

The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information.

The file nslcd.conf contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.

LDAP Authentication Configuration

SELinux is set to enforcing mode.

We are going to use an OpenLDAP server which we set up some time ago. Run authconfig in text mode. Note that a GUI version of the tool is also available; look for authconfig-gtk.

# authconfig-tui

Our configuration can be seen below.

We use the ldaps protocol and therefore bind to port 636 directly.

Another option is to use StartTLS (see “Use TLS” above). This, however, requires us to have the plain LDAP port 389 open on the network (which we don’t), as the client needs to establish an unencrypted connection with the directory server first. Also note that to connect to an LDAP server with TLS enabled we need the CA certificate which signed our server’s certificate. It has to be in PEM format and copied to the directory /etc/openldap/cacerts/.

In a case where a self-signed certificate is used, the following parameter should be set in the file /etc/nslcd.conf to avoid getting the “peer’s certificate issuer has been marked as not trusted by the user” error. Be aware that this setting disables server certificate verification entirely; copying the self-signed certificate into /etc/openldap/cacerts instead lets tls_reqcert stay at its default of demand:

tls_reqcert never

Once the configuration is complete, everything should work, assuming the LDAP server allows anonymous read access. In our case it does not, so we have to do one more thing and provide bind credentials so that nslcd can bind successfully.

Open /etc/nslcd.conf and add the following lines:

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=guest,dc=top

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw passwd

Restart the nslcd service:

# systemctl restart nslcd

Try to log in with an LDAP user:

# su - ldapuser1
Last login: Sat Mar 19 18:38:42 GMT 2016 on pts/1
su: warning: cannot change directory to /home/ldapuser1: No such file or directory
id: cannot find name for group ID 2001
-bash-4.2$

We can ignore these warnings.

$ id
uid=2001(ldapuser1) gid=2001 groups=2001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The configuration files below are recorded purely for future reference.

# grep -ve "^$" -ve "^#" /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON    on
URI ldaps://ldap.lisenet.com
BASE ou=Users,dc=lisenet.com,dc=top
# grep -ve "^$" -ve "^#" /etc/nslcd.conf
uid nslcd
gid ldap
uri ldaps://ldap.lisenet.com
base ou=Users,dc=lisenet.com,dc=top
binddn cn=guest,dc=top
bindpw passwd
base group ou=Groups,dc=lisenet.com,dc=top
tls_reqcert never
ssl no
tls_cacertdir /etc/openldap/cacerts
# grep ldap /etc/nsswitch.conf
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
netgroup:   files sss ldap
automount:  files ldap
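As an added example (not part of the original article), the shell function below audits an nslcd.conf for the three points discussed above: a bindpw stored in a file readable by other users, tls_reqcert never, and a plain ldap:// URI without StartTLS. It assumes GNU stat (as on CentOS) and uses a constructed sample that mirrors the article’s final nslcd.conf.

```shell
# Added example: audit an nslcd.conf for the points raised in this article.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_nslcd_conf() {
    conf="$1"
    rc=0
    # Keep only active settings, as the grep in the article does.
    active=$(grep -v -e '^$' -e '^#' "$conf")
    # bindpw is a clear-text credential, so the file must not be readable by
    # other users (the CentOS package ships it mode 600, owned by root).
    if printf '%s\n' "$active" | grep -q '^bindpw[[:space:]]'; then
        mode=$(stat -c '%a' "$conf")
        [ "$mode" = 600 ] || { echo "bindpw set but $conf is mode $mode (expected 600)"; rc=1; }
    fi
    # tls_reqcert never accepts any server certificate, which defeats the point
    # of ldaps://; place the CA in tls_cacertdir and use demand instead.
    if printf '%s\n' "$active" | grep -q '^tls_reqcert[[:space:]]*never'; then
        echo "tls_reqcert never: server certificate is not verified"; rc=1
    fi
    # A plain ldap:// URI sends the bind credentials unencrypted unless StartTLS
    # is negotiated with 'ssl start_tls'.
    if printf '%s\n' "$active" | grep -q '^uri[[:space:]]*ldap://' \
       && ! printf '%s\n' "$active" | grep -q '^ssl[[:space:]]*start_tls'; then
        echo "uri ldap:// without ssl start_tls: bind password crosses the network in clear"; rc=1
    fi
    return "$rc"
}

# Constructed sample mirroring the article's final nslcd.conf
# (the password is the placeholder the article itself uses).
write_sample_conf() {
    cat > "$1" <<'EOF'
uri ldaps://ldap.lisenet.com
base ou=Users,dc=lisenet.com,dc=top
binddn cn=guest,dc=top
bindpw passwd
base group ou=Groups,dc=lisenet.com,dc=top
tls_reqcert never
tls_cacertdir /etc/openldap/cacerts
EOF
}

# Stand-alone run: a world-readable copy of that config produces two findings.
sample=$(mktemp)
write_sample_conf "$sample"
chmod 644 "$sample"
audit_nslcd_conf "$sample" || true
rm -f "$sample"
```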

Troubleshooting

# journalctl -xlf

Also check the LDAP server logs.

A note to myself: when setting up LDAP users, ensure that they have a valid loginShell attribute defined, for example /bin/bash. Otherwise we may hit the following issue:

This account is currently not available.

This happens when the loginShell attribute is set to /sbin/nologin.
