Linux LDAP Setup Instructions

The instructions below will show how to set up the Linux clients to work with the LDAP database for network authentication.

  • Install the Debian libnss-ldap package using dselect or any other method you choose.
    • Debian Configuration Script Steps:
    • Host IP = ipaddress_of_ldap_server
    • DN of base = dc=host,dc=domain,dc=com
    • LDAP Version = 3
    • Requires Login = no
    • Mode 600 = no (the admin password does not go in this file; it is kept in /etc/ldap.secret, which is locked down below)
    • sample libnss-ldap.conf
  • Install the Debian libpam-ldap package.
  • Install the Debian nscd package.
  • Edit /etc/nsswitch.conf so that the passwd, group and shadow databases are resolved from the local files first and then from ldap (e.g. "passwd: files ldap").
  • Restart the nscd daemon so it does not keep serving cached lookups made before the change:

    Code:

    /etc/init.d/nscd restart

  • Test with standard unix tools (this assumes the LDAP database contains a user whose uid is bbonzai):

    Code:

    prompt> finger bbonzai

    Login: bbonzai                                    Name: Buckaroo Bonzai
    Directory: /home/bbonzai                     Shell: /bin/bash
    Office: Bonzai Labs 101, 888-555-1234 Home Phone: 555-4321
    Never logged in.
    No mail.
    No Plan.

  • Make the LDAP client able to read the password hash (the userPassword attribute) from the LDAP server, which it needs in order to authenticate users.
    • Add a rootbinddn line to the libnss-ldap.conf and pam_ldap.conf files.
      (There is one there already, commented out.)

      Code:

      rootbinddn cn=admin,dc=host,dc=domain,dc=com

      (This is the identity the client binds to the LDAP database as. cn=admin names the entry it authenticates as, and the dc= components are the base DN of the directory, the same base you gave the configuration script; they are not the address of the server.)

    • Edit the file /etc/ldap.secret. Put the LDAP admin password in here, on a single line, and nothing else.
    • Change the ownership to root and the permissions to mode 600 so that only root can read it.
      (If this file is compromised, it gives FULL access to the LDAP database! Binding as the admin is the simplest option; a dedicated bind account that the server's ACLs allow to read only userPassword limits the damage if the file ever leaks.)
    • Be sure that no backups or editor copies of the file exist that are readable by anyone else.
  • Remember that your server is also an LDAP client: apply the same client steps there.
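The steps above, collected into one script as an added example; it is not part of the original tutorial. It writes the two client config files, the nsswitch.conf entries and /etc/ldap.secret under a configurable root directory, and then checks the result the way you would audit a client: NSS consults ldap for passwd, group and shadow, both configs carry rootbinddn, and the secret file is mode 600 (and root-owned on a live system). The ROOT variable, the function names and the server address and DNs passed in are assumptions of the example. With ROOT unset or "/" it edits the live system and must be run as root; point ROOT at a scratch directory for a dry run.

```sh
#!/bin/sh
# Added example, not from the original tutorial. ROOT, configure_ldap_client
# and check_ldap_client are names assumed here. ROOT=/ (the default) edits the
# live system and needs root; ROOT=/some/scratch/dir is a safe dry run.

configure_ldap_client() {
    # $1 = LDAP server IP, $2 = base DN, $3 = rootbinddn, $4 = admin password
    server=$1; base=$2; rootdn=$3; secret=$4
    etc="${ROOT:-/}"; etc="${etc%/}/etc"
    mkdir -p "$etc"

    # Same values the Debian configuration script asks for, written to both
    # the NSS and the PAM client configs; rootbinddn makes the client bind as
    # the admin so it may read userPassword hashes.
    for f in libnss-ldap.conf pam_ldap.conf; do
        cat > "$etc/$f" <<EOF
host $server
base $base
ldap_version 3
rootbinddn $rootdn
EOF
    done

    # Local files first, then LDAP, for the three databases libnss-ldap serves.
    cat > "$etc/nsswitch.conf" <<EOF
passwd:  files ldap
group:   files ldap
shadow:  files ldap
hosts:   files dns
EOF

    # The admin password: create the file under a restrictive umask so it is
    # never world-readable even for an instant, then pin mode and owner.
    ( umask 077; printf '%s\n' "$secret" > "$etc/ldap.secret" )
    chmod 600 "$etc/ldap.secret"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$etc/ldap.secret"; fi
}

check_ldap_client() {
    etc="${ROOT:-/}"; etc="${etc%/}/etc"

    # NSS must consult ldap for passwd, group and shadow.
    for db in passwd group shadow; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$etc/nsswitch.conf" \
            || { echo "nsswitch.conf: $db does not use ldap"; return 1; }
    done
    # Both client configs must carry the rootbinddn line.
    for f in libnss-ldap.conf pam_ldap.conf; do
        grep -q '^rootbinddn ' "$etc/$f" \
            || { echo "$f: no rootbinddn"; return 1; }
    done
    # The secret must be mode 0600; on a live system it must belong to root.
    mode=$(stat -c '%a' "$etc/ldap.secret")
    [ "$mode" = "600" ] \
        || { echo "ldap.secret is mode $mode, expected 600"; return 1; }
    if [ "$etc" = "/etc" ] && [ "$(stat -c '%U' "$etc/ldap.secret")" != root ]; then
        echo "ldap.secret is not owned by root"; return 1
    fi
    echo "LDAP client configuration looks sane"
}
```

Usage on a client, as root: source the script, then run configure_ldap_client with the server IP, the base DN, the rootbinddn and the admin password, followed by check_ldap_client; run the nscd restart from the steps above afterwards. The check function is worth keeping on its own as a periodic audit, since a later package upgrade or a careless edit can silently loosen the permissions on /etc/ldap.secret.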