So, we have installed and configured our own centralized auth server with LDAP. Now is the time to use LDAP to authenticate client logins. In this recipe, we will set up a separate Ubuntu server to use our LDAP server for authenticating users.
You will need a new Ubuntu server to be set up as an LDAP client. Also, sudo privileges are needed for the initial setup.
Make sure you have followed the previous recipes and have set up your LDAP server.
1. Install the LDAP client packages:
$ sudo apt-get update
$ sudo apt-get install ldap-auth-client nscd

2. The installation prompts for the client configuration. Answer the prompts as follows:
LDAP server URI: ldap://your-LDAP-server-IP:
Make sure you change the protocol in the URI from ldapi:/// to ldap://
Distinguished name of search base: match this to the domain set on the LDAP server, in the format dc=example,dc=com
LDAP version to use: 3
Make local root database admin: Yes
Does LDAP database require login: No
LDAP account for root: cn=admin,dc=example,dc=com
LDAP root account password: the password for the LDAP admin account

3. Next, configure /etc/nsswitch.conf with the following command:
$ sudo auth-client-config -t nss -p lac_ldap

4. Open /etc/nsswitch.conf and edit it as follows:

5. Now edit /etc/pam.d/common-session. This will create a local home directory for LDAP users at first login. Add the following line at the end of the common-session file:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

6. Finally, restart the nscd service with the following command:
$ sudo /etc/init.d/nscd restart
7. Now you should be able to log in with the user account created on your LDAP server. I have set up an Organizational Unit (OU) named users and created an admin user under it:

8. Log in as the new user with the su username command. You will need to enter the password configured for that user on the LDAP server. As this is the first login for this new user, our PAM settings have created a new home directory for him:

This new user is a member of the admin group on the LDAP server, so he will get sudo privileges on the local server as well.
You can always use a default login prompt to log in with LDAP users, as well as local user accounts that already exist on the server.
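As an added check that is not part of the original recipe, the following script verifies the client-side changes made in the steps above: that nsswitch.conf lists ldap for the passwd, group and shadow databases, that common-session loads pam_mkhomedir.so, and (on a configured client) that an LDAP account resolves through NSS. It runs against constructed sample files so it can be tried without an LDAP server; the sample contents and temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original recipe: verify the client-side
# settings the recipe changes. File contents below are constructed samples.

# 0 if the passwd, group and shadow databases in an nsswitch.conf all list ldap.
nss_uses_ldap() {
    for db in passwd group shadow; do
        grep -Eq '^[[:space:]]*'"$db"':.*[[:space:]]ldap([[:space:]]|$)' "$1" || return 1
    done
    return 0
}

# 0 if the PAM session stack loads pam_mkhomedir.so (home created at first login).
pam_makes_homedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' "$1"
}

# 0 if an account is visible through NSS; only meaningful on a configured client,
# where it confirms the LDAP user can be resolved locally (the same check with
# "getent group admin" shows whether the admin group mapping is in place).
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Constructed samples: one correct and one unconfigured copy of each file.
tmp="$(mktemp -d)"
cat > "$tmp/nsswitch.good" <<'EOF'
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd:         files
group:          files
shadow:         files
EOF
printf 'session required pam_unix.so\nsession required pam_mkhomedir.so umask=0022 skel=/etc/skel\n' \
    > "$tmp/common-session.good"
printf 'session required pam_unix.so\n' > "$tmp/common-session.bad"

# Report each sample; on a real client, pass /etc/nsswitch.conf and
# /etc/pam.d/common-session to the functions instead of the samples.
for f in "$tmp/nsswitch.good" "$tmp/nsswitch.bad"; do
    nss_uses_ldap "$f" && echo "ok: ldap enabled in $f" || echo "MISSING: ldap not in $f"
done
for f in "$tmp/common-session.good" "$tmp/common-session.bad"; do
    pam_makes_homedir "$f" && echo "ok: pam_mkhomedir in $f" || echo "MISSING: pam_mkhomedir in $f"
done
```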
Here we have configured the Ubuntu server to authenticate against our centralized LDAP system. This is not limited to Ubuntu Server; you can configure the Ubuntu desktop in a similar way as well. Using centralized authentication makes it easy to administer hundreds of user accounts from a single place. A user can still log in as a local user if he has local credentials.
Using centralized authentication enables you to log in from any system. You will get the same access rights and permissions from any terminal. Additionally, if the LDAP configuration supports roaming profiles, then all your data will be replicated to any new system you log in from. You may have noticed that the home directory for the LDAP user account is located in the /home/users directory and not in /home. This separates your account from any local users.
Finally, the groups and roles configured on the LDAP server also apply on the system you are logging in from. So, if the user is assigned admin rights on the LDAP server, he will get admin rights, including sudo privileges, on the system he is logged in from. This is because Ubuntu contains a default group named admin with sudo privileges. When a user logs in with his LDAP account, the groups and roles assigned to his LDAP account are matched with local groups and roles. You can either disable such groups on any remote systems, or set the proper access rights on the LDAP server itself.