{"id":1902,"date":"2019-01-04T00:14:29","date_gmt":"2019-01-03T21:14:29","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1902"},"modified":"2019-01-04T12:40:49","modified_gmt":"2019-01-04T09:40:49","slug":"configure-openldap-client-on-debian-9-stretch","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-openldap-client-on-debian-9-stretch\/","title":{"rendered":"Configure OpenLDAP Client on Debian 9 Stretch"},"content":{"rendered":"

<p>This article describes how to configure an OpenLDAP client on Debian 9 Stretch. You can check our previous article on how to install and configure OpenLDAP Server on Debian 9 Stretch.<\/p>\n

<h2>Install and Configure OpenLDAP Client on Debian 9 Stretch<\/h2>\n

<p>Install the required packages.<\/p>\n

<pre><code>apt -y install libnss-ldap libpam-ldap ldap-utils<\/code><\/pre>\n

<h2>Configure OpenLDAP client on Debian 9 Stretch<\/h2>\n

<p>During the installation process, you will receive different configuration prompts.<\/p>\n

<p>Define the LDAP server’s URI.<\/p>\n

<p>Set the distinguished name of the LDAP search base.<\/p>\n

<p>Specify the LDAP protocol version.<\/p>\n

<p>Set the LDAP administrator suffix.<\/p>\n

<p>Enter the LDAP admin account password for libnss-ldap LDAP authentication.<\/p>\n

<p>At the nsswitch configuration prompt, select Ok and press Enter to proceed. We will configure nsswitch later.<\/p>\n

<p>Allow the LDAP admin account to behave like the local root. This allows using the usual <code>passwd<\/code> command for changing passwords stored in the LDAP database.<\/p>\n

<p>Disable the LDAP database login requirement.<\/p>\n

<p>Enter the LDAP administrator account suffix.<\/p>\n

<p>Set the LDAP administrator account password. Press Enter to complete the installation and configuration.<\/p>\n

<p>Modify <code>nsswitch.conf<\/code> to use the LDAP data source so that it looks like the following:<\/p>\n

<pre><code>vim \/etc\/nsswitch.conf<\/code><\/pre>\n
<pre><code>...\r\npasswd:         compat\t<strong>ldap<\/strong>\r\ngroup:          compat\t<strong>ldap<\/strong>\r\nshadow:         compat\t<strong>ldap<\/strong>\r\ngshadow:        files\r\n...<\/code><\/pre>\n

<p>Edit <code>\/etc\/pam.d\/common-password<\/code> and remove <code>use_authtok<\/code> from the highlighted line below. <code>use_authtok<\/code> causes the PAM module to reuse the new password already collected by a module earlier in the stack, rather than prompting for it, when changing the password.<\/p>\n

<pre><code>vim \/etc\/pam.d\/common-password<\/code><\/pre>\n
<pre><code>...\r\n# here are the per-package modules (the \"Primary\" block)\r\npassword\t[success=2 default=ignore]\tpam_unix.so obscure sha512\r\n<strong>password\t[success=1 user_unknown=ignore default=die]\tpam_ldap.so try_first_pass<\/strong>\r\n# here's the fallback if no module succeeds\r\npassword\trequisite\t\t\tpam_deny.so\r\n# prime the stack with a positive return value if there isn't one already;\r\n...<\/code><\/pre>\n

<p>To enable automatic creation of a user's home directory at first login, add the line <code>session optional pam_mkhomedir.so skel=\/etc\/skel umask=077<\/code> to <code>\/etc\/pam.d\/common-session<\/code>, between the <code>pam_ldap.so<\/code> and <code>pam_systemd.so<\/code> lines.<\/p>\n

<pre><code>vim \/etc\/pam.d\/common-session<\/code><\/pre>\n
<pre><code># and here are more per-package modules (the \"Additional\" block)\r\nsession\trequired\tpam_unix.so \r\nsession\toptional\t\t\tpam_ldap.so \r\n<strong>session optional        pam_mkhomedir.so skel=\/etc\/skel umask=077<\/strong>\r\nsession\toptional\tpam_systemd.so \r\n# end of pam-auth-update config<\/code><\/pre>\n

<p>Reboot the LDAP client for the changes to take effect. After reboot, try logging in as an LDAP user. See screenshot below.<\/p>\n

<p>[Screenshot: logging in as an LDAP user]<\/p>\n

<p>You have successfully authenticated to Debian 9 Stretch as an LDAP user.<\/p>\n

<p>That is all it takes to configure an OpenLDAP client on Debian 9 Stretch. In our next article, we will discuss how to configure the LDAP client to use SSSD for LDAP authentication on Debian 9 Stretch.<\/p>\n","protected":false},"excerpt":{"rendered":"

<p>This article describes how to configure an OpenLDAP client on Debian 9 Stretch. You can check our previous article on how to install and configure OpenLDAP<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[285,121],"tags":[],"class_list":["post-1902","post","type-post","status-publish","format-standard","hentry","category-directory-server","category-howtos","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1902"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=1902"}],"version-history":[{"count":4,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1902\/revisions"}],"predecessor-version":[{"id":1927,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1902\/revisions\/1927"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}