Debian 10 Buster
OpenLDAP : Configure LDAP Client (2019/07/26)

 
Configure LDAP Client in order to share users' accounts in your local networks.
[1] Configure LDAP Client.
root@www:~#
apt -y install libnss-ldap libpam-ldap ldap-utils
(1) specify LDAP server's URI

 +-----------------------| Configuring libnss-ldap |-------------------------+
 | Please enter the URI of the LDAP server to use. This is a string in the   |
 | form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also    |
 | be used. The port number is optional.                                     |
 |                                                                           |
 | Note: It is usually a good idea to use an IP address because it reduces   |
 | risks of failure in the event name service problems.                      |
 |                                                                           |
 | LDAP server Uniform Resource Identifier:                                  |
 |                                                                           |
 | ldap://dlp.srv.world/_________________________________________________    |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

(2) specify the search base (suffix)

 +-----------------------| Configuring libnss-ldap |-------------------------+
 | Please enter the distinguished name of the LDAP search base. Many sites   |
 | use the components of their domain names for this purpose. For example,   |
 | the domain "example.net" would use "dc=example,dc=net" as the             |
 | distinguished name of the search base.                                    |
 |                                                                           |
 | Distinguished name of the search base:                                    |
 |                                                                           |
 | dc=srv,dc=world_______________________________________________________    |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

(3) specify LDAP version (generally OK to select Version [3])

  +-----------------------| Configuring libnss-ldap |------------------------+
  | Please enter which version of the LDAP protocol should be used by        |
  | ldapns. It is usually a good idea to set this to the highest available   |
  | version.                                                                 |
  |                                                                          |
  | LDAP version to use:                                                     |
  |                                                                          |
  |                                    3                                     |
  |                                    2                                     |
  |                                                                          |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(4) specify the LDAP admin account's DN

  +-----------------------+ Configuring libnss-ldap +------------------------+
  | Please enter the name of the LDAP administrative account.                |
  |                                                                          |
  | This account will be used automatically for database management, so it   |
  | must have the appropriate administrative privileges.                     |
  |                                                                          |
  | LDAP administrative account:                                             |
  |                                                                          |
  | cn=admin,dc=srv,dc=world________________________________________________ |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(5) specify password for LDAP admin account

 +-----------------------| Configuring libnss-ldap |-------------------------+
 | Please enter the password to use when ldap-auth-config tries to login to  |
 | the LDAP directory using the LDAP account for root.                       |
 |                                                                           |
 | The password will be stored in a separate file /etc/ldap.secret which     |
 | will be made readable to root only.                                       |
 |                                                                           |
 | Entering an empty password will re-use the old password.                  |
 |                                                                           |
 | LDAP root account password:                                               |
 |                                                                           |
 | _________________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

(6) [OK]


  +-----------------------+ Configuring libnss-ldap +------------------------+
  |                                                                          |
  | nsswitch.conf not managed automatically                                  |
  |                                                                          |
  | For the libnss-ldap package to work, you need to modify your             |
  | /etc/nsswitch.conf to use the "ldap" datasource.  There is an example    |
  | file at /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be   |
  | used as an example for your nsswitch setup, or it can be copied over     |
  | your current setup.                                                      |
  |                                                                          |
  | Also, before removing this package, it is wise to remove the "ldap"      |
  | entries from nsswitch.conf to keep basic services functioning.           |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(7) select either; this example selects [Yes]

 +------------------------+ Configuring libpam-ldap +------------------------+
 |                                                                           |
 | This option will allow password utilities that use PAM to change local    |
 | passwords.                                                                |
 |                                                                           |
 | The LDAP admin account password will be stored in a separate file which   |
 | will be made readable to root only.                                       |
 |                                                                           |
 | If /etc is mounted by NFS, this option should be disabled.                |
 |                                                                           |
 | Allow LDAP admin account to behave like local root?                       |
 |                                                                           |
 |                    <Yes>                       <No>                       |
 |                                                                           |
 +---------------------------------------------------------------------------+

(8) select either; this example selects [No]

    +---------------------| Configuring libpam-ldap |----------------------+
    |                                                                      |
    | Choose this option if you are required to login to the database to   |
    | retrieve entries.                                                    |
    |                                                                      |
    | Note: Under a normal setup, this is not needed.                      |
    |                                                                      |
    | Does the LDAP database require login?                                |
    |                                                                      |
    |                   <Yes>                      <No>                    |
    |                                                                      |
    +----------------------------------------------------------------------+

(9) specify the LDAP admin account's DN

  +-----------------------+ Configuring libpam-ldap +------------------------+
  | Please enter the name of the LDAP administrative account.                |
  |                                                                          |
  | This account will be used automatically for database management, so it   |
  | must have the appropriate administrative privileges.                     |
  |                                                                          |
  | LDAP administrative account:                                             |
  |                                                                          |
  | cn=admin,dc=srv,dc=world________________________________________________ |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(10) specify password for LDAP admin account

 +------------------------+ Configuring libpam-ldap +------------------------+
 | Please enter the password of the administrative account.                  |
 |                                                                           |
 | The password will be stored in the file /etc/pam_ldap.secret. This will   |
 | be made readable to root only, and will allow libpam-ldap to carry out    |
 | automatic database management logins.                                     |
 |                                                                           |
 | If this field is left empty, the previously stored password will be       |
 | re-used.                                                                  |
 |                                                                           |
 | LDAP administrative password:                                             |
 |                                                                           |
 | ********_________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

root@www:~#
vi /etc/nsswitch.conf
# line 7: add

passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat

root@www:~#
vi /etc/pam.d/common-password
# line 26: change (remove [use_authtok])

password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass

root@www:~#
vi /etc/pam.d/common-session
# add to the end if needed (create the home directory automatically at first login)

session optional        pam_mkhomedir.so skel=/etc/skel umask=077
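The dialogs above leave three things worth verifying before handing the box to users: that `/etc/nsswitch.conf` really consults `ldap` for passwd and group, that the root-bind password files (`/etc/ldap.secret`, `/etc/pam_ldap.secret`) are readable by root only as the dialogs promise, and that the client is not binding with a plain `ldap://` URI and no StartTLS, which would put the admin bind password on the wire in clear text. The following audit script is an added example, not part of the original page; it assumes the `ldap-auth-config` layout of `/etc/ldap.conf` (`uri`, `ssl start_tls`) and takes file paths as parameters so each check can be tried on sample files.

```shell
#!/bin/sh
# LDAP client post-configuration audit (added example, not from the page).
# Every check takes a path so it can be run against test files as well as
# the live /etc copies.

# Return 0 if both the passwd and group lines of an nsswitch.conf name the
# "ldap" source as a whole word (so "ldapfoo" or a commented-out ldap do not count).
nsswitch_has_ldap() {
    file=$1
    for db in passwd group; do
        grep -Eq "^${db}:([^#]*[[:space:]])?ldap([[:space:]]|$)" "$file" || return 1
    done
    return 0
}

# Return 0 if FILE exists and group/other have no permission bits at all.
# Columns 5-10 of "ls -ld" are the group and other rwx bits, so they must
# all be "-" for a root-only secret file (e.g. mode 0600 or 0400).
secret_file_locked_down() {
    file=$1
    [ -f "$file" ] || return 1
    perm=$(ls -ld "$file" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Return 0 if the client config protects the bind: either the uri is
# ldaps:// or ldapi:// or StartTLS is enabled with "ssl start_tls".
# A bare ldap:// with neither returns 1.
ldap_conf_protects_bind() {
    file=$1
    if grep -Eq '^[[:space:]]*uri[[:space:]]+(ldaps|ldapi)://' "$file"; then
        return 0
    fi
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$file"
}

# Live audit of the real files; optional $1 is an LDAP user name that
# getent must be able to resolve (the end-to-end NSS check).
audit_ldap_client() {
    rc=0
    nsswitch_has_ldap /etc/nsswitch.conf \
        || { echo "FAIL: passwd/group in /etc/nsswitch.conf do not list ldap"; rc=1; }
    for f in /etc/ldap.secret /etc/pam_ldap.secret; do
        secret_file_locked_down "$f" \
            || { echo "FAIL: $f missing or readable by group/other"; rc=1; }
    done
    ldap_conf_protects_bind /etc/ldap.conf \
        || { echo "WARN: /etc/ldap.conf binds over plain ldap:// without StartTLS"; rc=1; }
    if [ -n "${1:-}" ]; then
        getent passwd "$1" >/dev/null \
            || { echo "FAIL: getent cannot resolve LDAP user $1"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: LDAP client checks passed"
    return "$rc"
}

# Run the live audit only when invoked as:  sh ldap-client-audit.sh --run [user]
if [ "${1:-}" = "--run" ]; then
    audit_ldap_client "${2:-}"
fi
```

Run it as `sh ldap-client-audit.sh --run buster` after the steps above; a non-zero exit means at least one finding was printed. The `getent passwd buster` call is the same lookup the login prompt performs, so it fails the audit if NSS cannot reach the directory even when the config files look right.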
root@www:~#
Debian GNU/Linux 10 www.srv.world ttyS0

www login: buster     # LDAP user
Password:
Linux www.srv.world 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creating directory '/home/buster'.
buster@www:~$      # just logged in

# changing the password works as follows

buster@www:~$ passwd
Enter login(LDAP) password:     # current one
New password:                   # new one
Re-enter new password:
LDAP password information changed for buster
passwd: password updated successfully
buster@www:~$                   # just changed