
OpenLDAP Client User Authentication

Hands-On Lab


Terrence Cox

Senior Vice President of Content

Length

01:00:00

Difficulty

Intermediate

Using a central authentication service in your organization isn't just a good idea - it's a great one. There's no reason to have different copies of user information on every server. Using OpenLDAP and PAM can enable clients to authenticate users without having a copy of user information locally.

Introduction

Using a central authentication service in an organization isn't just a good idea, it's a great one. There's no reason to have different copies of user information on every server.

Using OpenLDAP and PAM can enable clients to authenticate users without having a copy of user information locally.

The Scenario

We've been tasked with setting up a central authentication server for our organization. The team has decided on an OpenLDAP server for clients to authenticate against.

The base LDIF files are provided in /root/LDAP/LDAP. We'll need to install the required packages and set the server up, then verify that the settings are correct by using the client server provided.

Logging In

Use the credentials provided on the hands-on lab page to get into both the server and the client systems that have been set up for us. Since we need root privileges, let's just run sudo -i right off and become root in each one.

On the Server

Install Required Packages

We're going to need quite a few packages installed to make this server work. We can install them with the following command:

yum -y install openldap compat-openldap openldap-clients openldap-servers nss-pam-ldapd

Once those are all installed, start things up with:

systemctl start slapd

Configure LDAP

With the daemon running, now we can set an LDAP password with:

slappasswd -h {SSHA} -s password

That will run and print a hash out to the screen. Let's copy that, and then edit initial.ldif. Get into the right directory, then into the file:

cd LDAP/LDAP
vim initial.ldif

On the olcRootPW line, replace the {SSHA} placeholder with the hash we just copied (slappasswd's output already carries the {SSHA} prefix). The line should look something like this:

olcRootPW {SSHA}<OUR_HASH>

Save that file, and then run this so that it takes effect:

ldapmodify -Y external -H ldapi:/// -f initial.ldif

We also need to load a few standard schema files (cosine, nis and inetorgperson); a for loop does it in one line:

for i in cosine nis inetorgperson; do ldapadd -Y external -H ldapi:/// -f /etc/openldap/schema/$i.ldif; done

Now we can add the OUs:

ldapadd -x -W -D "cn=ldapadm, dc=la,dc=local" -f ous.ldif

We'll be prompted for a password, which is going to be the one we set earlier with slappasswd -h {SSHA} -s password.

Now, to add users, run this:

ldapadd -x -W -D "cn=ldapadm, dc=la,dc=local" -f users.ldif

We'll need our password again, and then we should see users get added.

Make Sure PAM Authentication Is Correct

We need to set up PAM to authenticate users correctly. On the server, the following command does the configuration for us:

authconfig --enableldap --enableldapauth --ldapserver=localhost --ldapbasedn="dc=la,dc=local" --enablemkhomedir --update

Then we've got to restart the daemon, so that our changes take effect:

systemctl restart nslcd

Now let's test. Run id tcox, and we should see details on the tcox user (tcox was one of the users we set up; the username appeared in the output of the users.ldif ldapadd). Run id pinehead to confirm that user was added too.

Now we can become tcox by running su - tcox. We should end up as that user, sitting in the home directory /home/tcox (notice that the directory is created the moment su runs, thanks to --enablemkhomedir).

On the Client

OK, the server is all set. Now on the client, we need to install some software:

yum install openldap-clients nss-pam-ldapd -y

We'll run the same kind of authconfig line we did on the server now, changing localhost to the server's actual IP address. Note that this line has no --enableldaptls, so the client binds over plain ldap:// and the password checks cross the network in the clear:

authconfig --enableldap --enableldapauth --ldapserver=10.0.1.100 --ldapbasedn="dc=la,dc=local" --enablemkhomedir --update

Now restart the daemon, so that our changes take effect:

systemctl restart nslcd

Now if we run id for tcox and pinehead like we did on the server, we should see the same kind of output.
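What id resolves on both the server and the client is the posixAccount and posixGroup attributes that nslcd pulls from the directory. The following added example (not part of the lab) parses a constructed users.ldif in the shape the lab uses and renders the id output we expect for tcox and pinehead; the real users.ldif is not shown on the page, so the uidNumber, gidNumber and group values here are made up.

```python
# Constructed sample in the shape of the lab's users.ldif; the real file is not on the page.
USERS_LDIF = """dn: cn=users,ou=Group,dc=la,dc=local
objectClass: posixGroup
cn: users
gidNumber: 1000

dn: uid=tcox,ou=People,dc=la,dc=local
objectClass: posixAccount
uid: tcox
cn: Terrence Cox
uidNumber: 1001
gidNumber: 1000
homeDirectory: /home/tcox
loginShell: /bin/bash

dn: uid=pinehead,ou=People,dc=la,dc=local
objectClass: posixAccount
uid: pinehead
cn: Pinehead
uidNumber: 1002
gidNumber: 1000
homeDirectory: /home/pinehead
loginShell: /bin/bash
"""

def parse_ldif(text):
    """Split LDIF text into entries, each a dict of attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():              # a blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries

def id_view(text, uid):
    """Render what 'id <user>' shows once NSS resolves the account and its primary group.
    Entries without the posixAccount objectClass are invisible to nslcd, so they return None."""
    entries = parse_ldif(text)
    groups = {g["gidNumber"][0]: g["cn"][0]
              for g in entries if "posixGroup" in g.get("objectClass", [])}
    for e in entries:
        if "posixAccount" in e.get("objectClass", []) and e["uid"][0] == uid:
            gid, name = e["gidNumber"][0], groups.get(e["gidNumber"][0], "?")
            return "uid=%s(%s) gid=%s(%s) groups=%s(%s)" % (
                e["uidNumber"][0], uid, gid, name, gid, name)
    return None
```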

Set a Password and Test

Let's set a new pinehead password, and test it out. It doesn't matter whether we do this on the client or the server, since both are actually authenticating to the same LDAP server:

ldappasswd -s password -W -D "cn=ldapadm, dc=la,dc=local" -x "uid=pinehead,ou=People,dc=la,dc=local"

Enter the ldapadm password at the -W prompt (the new pinehead password is the one given with -s), then try logging in as pinehead:

ssh pinehead@localhost

After the host-key authenticity prompt and the password prompt, we should see a Creating '/home/pinehead' message, and we're in as pinehead, sitting in this account's home directory.

Conclusion

That's all there is to it. We created an LDAP server, set up a couple of user accounts, then set up a client and authenticated against the server. Congratulations!