If you exist primarily in a Microsoft environment, you probably work with Active Directory to authenticate your desktop and server machines against a centralized directory. This setup makes it incredibly easy to manage users and allow anyone to log into any desktop (or server) without needing a local account on the machine.
But what about a Linux environment? If you have a number of desktops and servers on a network, what can you do to create such a system? You can turn to OpenLDAP. With OpenLDAP, you can manage users on a centralized directory server and then configure each desktop to authenticate to that server. Let me show you how.
What you need
The first thing you’ll need is a server running OpenLDAP (See: How to install OpenLDAP on Ubuntu 18.04). I’ll assume you have that up and properly configured. I highly recommend using LDAP Account Manager to add your users (See: How to install LDAP Account Manager on Ubuntu 18.04). Next, I will assume you also have Linux desktop clients that authenticate to your LDAP server.
I’ll demonstrate with Ubuntu Desktop 18.04.
Installing the client
With your server configured and running, you only need to work on the client machines. Log into one of your clients (you have to take care of these steps on all clients) and install the necessary software with the following command:
sudo apt-get install libnss-ldap libpam-ldap ldap-utils nscd -y
During the installation, you will be asked to define the LDAP server URI (Figure A). The URI should be in the form ldap://SERVER_IP, where SERVER_IP is the IP address of your OpenLDAP server.
Next, you must specify the distinguished name (DN) of your LDAP search base (Figure B). This will be in the form dc=example,dc=com.
If you’re not sure what the DN of your OpenLDAP server is, log into LDAP Account Manager, click Tree View, and you’ll see it listed in the left pane (Figure C).
The next screens in the installation ask:
- Specify LDAP version (select 3)
- Make local root Database admin (select Yes)
- Does the LDAP database require login (select No)
- Specify LDAP admin account suffix (this will be in the form cn=admin,dc=example,dc=com)
- Specify password for LDAP admin account (this will be the password for the LDAP admin user)
That’s it for the installation.
Configuring the client
Now we must configure our client to be able to authenticate against the OpenLDAP server. On the client, open a terminal window and issue the command:
sudo nano /etc/nsswitch.conf
In that file, add ldap at the end of the following entries:
passwd: compat systemd
group: compat systemd
shadow: files
These should now look like:
passwd: compat systemd ldap
group: compat systemd ldap
shadow: files ldap
At the end of that first section, add the following line:
Save and close that file.
Next, issue the command:
sudo nano /etc/pam.d/common-password
Remove use_authtok from the following line:
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
Save and close that file.
Issue the command:
sudo nano /etc/pam.d/common-session
At the end of that file, add the following:
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Save and close that file. The above line will create the default home directory for any LDAP user that doesn’t have a local account on the client.
Reboot the client machine and then, when the log-in screen is presented, attempt to log in with a user on your OpenLDAP server. It should authenticate and all is well. Make sure to configure all of your clients in the same fashion, so they can make use of the OpenLDAP directory services.
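The nsswitch.conf step above, applied as an idempotent script together with a check you can run before rebooting. This is an added example, not code from the original article; it assumes POSIX sh, awk and getent, and the file path, user name and sample file contents are supplied or constructed by the caller.

```shell
#!/bin/sh
# Added example, not from the original article: apply the nsswitch.conf change
# idempotently and verify NSS resolution before rebooting. Assumes POSIX sh,
# awk and getent; the file path and user name are passed in by the caller.

# add_ldap_to_nss FILE
#   Append " ldap" to the passwd, group and shadow lines unless already present,
#   so running it twice (or on an already-edited file) changes nothing.
add_ldap_to_nss() {
    file="$1"
    tmp="${file}.tmp.$$"
    awk '
        /^(passwd|group|shadow):/ {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1
            if (!found) $0 = $0 " ldap"
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
    # cat > "$file" (rather than mv) keeps the original owner and mode of /etc files
}

# nss_has_ldap FILE DATABASE -> exit 0 if that database line lists the ldap source
nss_has_ldap() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                     END { exit ok ? 0 : 1 }' "$1"
}

# verify_ldap_user USER
#   After editing /etc/nsswitch.conf, confirm the account resolves through NSS and
#   is not a local account. nscd caches lookups, so restart it first:
#   sudo systemctl restart nscd
verify_ldap_user() {
    getent passwd "$1" > /dev/null 2>&1 || { echo "$1: not resolvable via NSS"; return 1; }
    grep -q "^$1:" /etc/passwd && { echo "$1: local account, not from LDAP"; return 1; }
    echo "$1: resolves via LDAP"
}

# Constructed sample matching the default Ubuntu 18.04 entries quoted in the article.
sample_nsswitch() {
    cat <<'EOF'
passwd:         compat systemd
group:          compat systemd
shadow:         files
gshadow:        files
hosts:          files dns
EOF
}
```

Run `add_ldap_to_nss /etc/nsswitch.conf` as root on the client, restart nscd, then `verify_ldap_user someuser` with an account that exists only in the directory.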