Configure LDAP Clients
2015/05/10

Configure an LDAP client so that user accounts held in the LDAP directory are shared across hosts on the local network.

[1] Configure the LDAP client.
root@www:~# aptitude -y install libnss-ldap libpam-ldap ldap-utils

The packages ask the following debconf questions during installation; the answers below are the ones used in this example.

(1) Configuring libnss-ldap: LDAP server URI
    Format: 'ldap://<hostname_or_IP>:<port>/'. Alternatively 'ldaps://' or
    'ldapi://' can be used; the port number is optional. Using an IP address
    avoids failures when name resolution is unavailable.
    => ldap://dlp.srv.world/
    Note that ldap:// without STARTTLS sends the bind password and every
    shadow lookup over the network in cleartext. On anything other than a
    test network use ldaps://, or enable the "ssl start_tls" option in
    /etc/libnss-ldap.conf and /etc/pam_ldap.conf after installation.

(2) Configuring libnss-ldap: distinguished name of the search base
    Many sites use the components of their domain name: "example.net"
    would use "dc=example,dc=net".
    => dc=srv,dc=world

(3) Configuring libnss-ldap: LDAP version to use
    Using the highest available version is recommended.
    => 3

(4) Configuring libnss-ldap: LDAP account for root
    The account used for NSS requests made with root privileges. It needs
    permission to read the attributes related to users' shadow entries and
    users' and groups' passwords.
    => cn=admin,dc=srv,dc=world
    This example binds as the directory administrator, which places the
    administrator's password on every client. A dedicated bind DN with read
    access to the shadow attributes and nothing else limits what a
    compromised client can do.

(5) Configuring libnss-ldap: LDAP root account password
    The password used when libnss-ldap logs in with the account above. It is
    stored in a separate file, /etc/libnss-ldap.secret, readable by root
    only. Leaving the field empty re-uses the old password.
    => ********

(6) Configuring libnss-ldap: nsswitch.conf not managed automatically
    For the package to work, /etc/nsswitch.conf must be edited to use the
    "ldap" data source (done below). An example file is at
    /usr/share/doc/libnss-ldap/examples/nsswitch.ldap. Before removing the
    package, remove the "ldap" entries again so basic services keep working.
    => <Ok>

(7) Configuring libpam-ldap: allow LDAP admin account to behave like local root?
    Allows password utilities that use PAM to change passwords. The LDAP
    admin password is stored in a separate file readable by root only. If
    /etc is mounted over NFS, this option should be disabled.
    => Yes (this example; choose what suits your site)

(8) Configuring libpam-ldap: does the LDAP database require login?
    Whether the server enforces a bind before entries can be retrieved;
    such a setup is not usually needed.
    => No (this example)

(9) Configuring libpam-ldap: LDAP administrative account
    Used automatically for database management, so it must have the
    appropriate administrative privileges.
    => cn=admin,dc=srv,dc=world

(10) Configuring libpam-ldap: LDAP administrative password
    Stored in /etc/pam_ldap.secret, readable by root only, so that
    libpam-ldap can log in for automatic database management. Leaving the
    field empty re-uses the previously stored password.
    => ********
root@www:~# vi /etc/nsswitch.conf
# line 7: add "ldap" to the passwd, group and shadow databases
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
root@www:~# vi /etc/pam.d/common-password
# line 26: remove 'use_authtok' so that pam_ldap asks for the new password
# itself instead of requiring one already collected by an earlier module
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
root@www:~# vi /etc/pam.d/common-session
# add to the end if needed (creates the home directory automatically at first login)
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Debian GNU/Linux 8 www.srv.world ttyS0

www login: debian                        # a user that exists only in LDAP
Password:
Last login: Thu May  7 20:14:33 JST 2015 from 10.0.0.19 on pts/0
Linux www.srv.world 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creating directory '/home/debian'.       # created by pam_mkhomedir
debian@www:~$                            # logged in
debian@www:~$ passwd                     # try to change the LDAP password
Enter login(LDAP) password:              # input current password
New password:                            # input new password
Re-enter new password:                   # confirm
LDAP password information changed for debian
passwd: password updated successfully    # changed on the LDAP server
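The login above proves that one user resolves, but it does not tell you whether every database was switched to LDAP, whether the stored admin passwords are really root-only, or whether the bind goes over the wire in cleartext. The script below is an added example, not part of the original page: it runs those three checks against files you name. The sample nsswitch.conf, ldap.conf and secret files are constructed in a temporary directory so it runs offline; on a real client point the functions at /etc/nsswitch.conf, /etc/libnss-ldap.conf (or /etc/pam_ldap.conf), /etc/libnss-ldap.secret and /etc/pam_ldap.secret. It assumes GNU coreutils for `stat -c` and the `ssl start_tls` keyword of the nss_ldap/pam_ldap config format.

```shell
#!/bin/sh
# Added example (not from the original page): post-configuration checks for
# an LDAP client. All inputs below are constructed here for demonstration.

# nss_has_ldap FILE DB: succeed if the uncommented "DB:" line in FILE lists ldap.
nss_has_ldap() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -Ev '^[[:space:]]*#' | grep -qw ldap
}

# secret_ok FILE: succeed if FILE exists and grants no group/other permission.
# The debconf dialogs promise "readable to root only"; verify instead of trust.
secret_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1")          # GNU stat: octal mode, e.g. 600
    [ "$((mode % 100))" -eq 0 ]
}

# uri_transport_ok FILE: succeed if the configured uri is ldaps:// or ldapi://,
# or ldap:// combined with "ssl start_tls". Plain ldap:// sends the bind
# password and every shadow lookup in cleartext.
uri_transport_ok() {
    uri=$(grep -Ei '^[[:space:]]*uri[[:space:]]' "$1" | awk '{print $2}')
    case "$uri" in
        ldaps://*|ldapi://*) return 0 ;;
        ldap://*) grep -Eiq '^[[:space:]]*ssl[[:space:]]+start_tls' "$1" ;;
        *) return 1 ;;
    esac
}

# check_ldap_client NSS_CONF LDAP_CONF SECRET...: run every check, print one
# line per result and return non-zero if any check failed.
check_ldap_client() {
    nss=$1; ldapconf=$2; shift 2; rc=0
    for db in passwd group shadow; do
        if nss_has_ldap "$nss" "$db"; then echo "ok:   $db -> ldap"
        else echo "FAIL: $db does not list ldap in $nss"; rc=1; fi
    done
    if uri_transport_ok "$ldapconf"; then echo "ok:   LDAP transport is encrypted"
    else echo "FAIL: plain ldap:// without start_tls in $ldapconf"; rc=1; fi
    for f in "$@"; do
        if secret_ok "$f"; then echo "ok:   $f is root-only"
        else echo "FAIL: $f missing or readable by group/other"; rc=1; fi
    done
    return $rc
}

# --- constructed sample inputs (not captured from a real host) ---
TMP=$(mktemp -d)
GOOD_NSS=$TMP/nsswitch.good; BAD_NSS=$TMP/nsswitch.bad
printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n' > "$GOOD_NSS"
printf 'passwd: compat ldap\ngroup: compat ldap\n#shadow: compat ldap\nshadow: compat\n' > "$BAD_NSS"
GOOD_LDAP=$TMP/ldap.good; BAD_LDAP=$TMP/ldap.bad
printf 'uri ldap://dlp.srv.world/\nbase dc=srv,dc=world\nssl start_tls\n' > "$GOOD_LDAP"
printf 'uri ldap://dlp.srv.world/\nbase dc=srv,dc=world\n' > "$BAD_LDAP"
GOOD_SECRET=$TMP/secret.good; BAD_SECRET=$TMP/secret.bad
printf 'password\n' > "$GOOD_SECRET"; chmod 600 "$GOOD_SECRET"
printf 'password\n' > "$BAD_SECRET";  chmod 644 "$BAD_SECRET"

echo "== configuration as completed above =="
check_ldap_client "$GOOD_NSS" "$GOOD_LDAP" "$GOOD_SECRET" && echo "PASS"
echo "== deliberately broken configuration =="
check_ldap_client "$BAD_NSS" "$BAD_LDAP" "$BAD_SECRET" || echo "FAIL (as expected)"
```

The second run shows the three mistakes that most often survive a successful test login: a commented-out shadow line (users resolve but password changes and expiry checks silently fall back to local files), a secret file left world-readable by a later edit, and a bind over plain ldap://.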