Debian LDAP Client Installation
Debian LDAP Client Installation
This procedure shows how to create a ldap client installation from packages.
1. First install the required packages:
An interface is shown at the end of the installation of the packages; In that interface is were the configuration parameters must be entered. 2. Server setup
ldap://192.168.66.120
3. Entering the base
dc=uis,dc=edu,dc=co
4. Setting-up the protocol version
select 3
5. Setting-up pam-utilities to change passwords
Select Yes
6. Database access
Select No
7. Setting-up account with LDAP access priviledges Configurar la cuenta de acceso con privilegios a LDAP
cn=admin,dc=uis,dc=edu,dc=co
8. Entering the password for said account.
Now to configure LDAP-PAM integration:
1. Install the required packages:
2. Edit the file /etc/libnss-ldap.conf like this:
... base dc=local,dc=net uri ldaps://ldap.local.net ldap_version 3 binddn cn=nss,ou=Admin,dc=local,dc=net bindpw COLOQUE_AQUI_LA_CLAVE scope one pam_filter objectclass=posixAccount pam_login_attribute uid pam_password crypt nss_base_passwd ou=People,dc=local,dc=net?one nss_base_shadow ou=People,dc=local,dc=net?one nss_base_group ou=Group,dc=local,dc=net?one ssl on tls_checkpeer no ...
3. Set-up the file /etc/nsswitch.conf
... passwd: files ldap shadow: files ldap group: files ldap ...
4. Add the following option to /etc/openldap/ldap.conf
... TLS_REQCERT never ...
5. Replace the following line in /etc/pamd.d/common-password
... password required pam_unix.so nullok obscure md5 ...
for
... password required pam_passwdqc.so min=disabled,16,12,8,6 max=256 password sufficient pam_unix.so use_authtok md5 password sufficient pam_ldap.so use_first_pass use_authtok md5 password required pam_deny.so ...
6) Replace the following line in /etc/pamd.d/common-auth
... auth required pam_unix.so nullok_secure ...
for
... auth sufficient pam_unix.so auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so ...
7. Replace the following line in /etc/pamd.d/common-account
... account required pam_unix.so ...
Por
... account sufficient pam_unix.so account sufficient pam_ldap.so account required pam_deny.so ...
8. Edit /etc/pam_ldap.conf and add the following lines
... # lines to be added base dc=platino,dc=gov,dc=ve uri ldaps://ldap.platino.gov.ve ldap_version 3 pam_password crypt
9. Start the nscd daemon
10. Test the setup
1. Edit the file /etc/libnss-ldap.conf y change the line shown below to the new uri (The uri being in this case ldap://someroot.somedc.somedc)
... uri ldap://someroot.somedc.somedc ...
2. Edit /etc/pam_ldap.conf change the line with the uri
... uri ldap://someroot.somedc.somedc ...
3. Edit /etc/ldap/ldap.conf adding the following lines (somedc and the uri written are placeholder texts)
... BASE dc=somedc,dc=somedc,dc=somedc URI ldaps://someroot.somedc.somedc TLS_REQCERT never ...
4. Backup the following files
5. Edit the files /etc/pam_ldap.secret and /etc/libnss-ldap.secret changing the password.
6. Test the setup by login-in in the machine with an ldap user.