Configure OpenLDAP login for CentOS 7

October 01, 2022

Join our Newsletter

Subscribe to get beginner friendly DevOps Guide.
    We won't send you spam. Unsubscribe at any time.

    Creating local accounts for a Linux machine is easy, but managing numerous accounts for thousands of machines can be a disaster. With OpenLDAP, you can store accounts in the server and use them to log in to all of your machines. This centralization makes account management easy and allows you to reuse created accounts to log in to new machines.

    In this guide, I will explain how to configure the host to use OpenLDAP for authentication.

    Prerequisites

    You need to have a OpenLDAP server and an account which belongs to posixAccount and shadowAccount. This guide will help you meet the prerequisites.

    Configuration

    Create Service Account (Optional) on the server

    If you disable anonymous bind on the LDAP server as this guide, you need to create a service account & put service account credentials in a configuration file of the host. One of the packages the host use to authenticate to the OpenLDAP server (nss-pam-ldapd) will perform anonymous bind to the OpenLDAP server & check if the account we try to login exists or not. As we disable anonymous bind, we need to supplement a service account credentials to nss-pam-ldapd to do authenticated bind instead.

    Create a service account, uid=svc,ou=People,dc=abc,dc=local

    cat > svc.ldif << EOF
    dn: uid=svc,ou=People,dc=abc,dc=local
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: svc
    sn: svc
    cn: svc
    uidNumber: 90001
    gidNumber: 90001
    homeDirectory: /home/svc
    shadowMin: 0
    shadowMax: 9999
    shadowWarning: 7
    userPassword: {CRYPT}x
    shadowLastChange: 20000
    EOF
    
    sudo ldapadd -x -W -D "cn=admin,dc=abc,dc=local" -f svc.ldif # replace cn=admin,dc=abc,dc=local by your admin cn
    
    sudo ldappasswd -x -D cn=admin,dc=abc,dc=local -W -S uid=svc,ou=People,dc=abc,dc=local # Change password of service account
    
    sudo ldapsearch -x -LLL -b dc=abc,dc=local '(uid=svc)' -D cn=admin,dc=abc,dc=local -W # Verify if service account is created

    Create service account

    Install OpenLDAP client and Name Service Switch (NSS) module on the host

    OpenLDAP client allows us to communicate with OpenLDAP servers & NSS module does identity and authentication management.

    sudo yum install -y openldap-clients nss-pam-ldapd

    Configure OpenLDAP authentication on the host

    Configure the host to use OpenLDAP for user login

    sudo authconfig --enableldap --enableldapauth --ldapserver=<<your-openLDAP-server-ip>> --ldapbasedn="dc=<<your-dc>>,dc=<<your-dc>>" --enablemkhomedir --update

    Configure OpenLDAP authentication (Optional) If you disable anonymous bind, add the credentials of service account you just created for nslcd service to do authenticated bind

    sudo sed 's/^#binddn.*/binddn uid=svc,ou=People,dc=abc,dc=local/' /etc/nslcd.conf -i
    sudo sed 's/^#bindpw.*/bindpw <<password>>/' /etc/nslcd.conf -i

    User login Restart the service

    sudo systemctl restart nslcd

    Test LDAP login on the host

    su - joe

    User login You are asked to change the password in the first login because we set shadowLastChange as 0.

    Conclusion

    In this guide, I share the benefit of using accounts in centralized OpenLDAP server for machine login, how to configure host to allow accounts in OpenLDAP server to login your host and advanced configuration for OpenLDAP server which disable anonymous bind.

    Blog: https://joeho.xyz

    LinkedIn: https://www.linkedin.com/in/ho-cho-tai-0260758a

    Subscribe