How to set up OpenLDAP Client on Debian 10
In this tutorial, I will show you how to set up an OpenLDAP client using Debian 10 Buster. Before using this guide, make sure that you have an OpenLDAP server installed on another node or server to which the client can connect.
In this tutorial, I will use Debian 10 with 1GB RAM and 15GB disk space. In addition, you must have root privileges.
What are we going to do
- Install and configure the OpenLDAP client package
- Setting the name service switch (nsswitch)
- Setting up Pam authentication and sessions
- testing
Step 1-install and configure the OpenLDAP client package
First, we will install the LDAP package on the client. We will install libnss and libpam packages for the ldap client.
During the ldap client package installation process, you will be required to perform some configuration, including the ldap server address, the ldap base DN, and the password of the ldap admin user.
Use the following apt command to install the ldap package for the client.
sudo apt install libnss-ldap libpam-ldap ldap-utils
Install libnss-ldap
You will now be asked to provide the LDAP server IP address. Enter your LDAP / LDAPS server IP address and select “OK”.
Enter the base DN of the LDAP server and select OK.
Now specify the LDAP protocol version as “3” and select “OK”.
Enter the default LDAP root user (default is admin) and select OK again.
Now enter the password for the default administrator user.
For NSSwitch configuration, select OK.
Install libpam-ldap
Next, by selecting “Yes”, allow the ldap admin user to reinstall like the root user.
For the LDAP database login password, I choose “No”.
Now type the default administrator user of the LDP server again and select OK.
Enter the administrator password and select OK again.
Step 2-Set up the name service switch (nsswitch)
In this step, we will modify the NSSwitch configuration ‘/etc/nsswitch.conf’ to use ldap as a data source.
Edit configuration “/etc/nsswitch.conf” with vim editor.
vim /etc/nsswitch.conf
Now change the detailed lines as shown below.
passwd: compat ldapgroup: compat ldapshadow: compat ldap
Save and close.
NSSwitch will now loop the information for user authentication to the ldap server.
Step 3-setting up Pam authentication and sessions
In this step, we will set up pam password authentication by disabling the “use_authok” module and add an optional pam session to automatically create the home directory.
The “use_authtok” module will not prompt the user for a new password, and the “pam_mkhomedir” module will automatically create a home directory for the ldap user.
For pam authentication password, edit configuration ‘/etc/pam.d/common-password’ using vim editor.
vim /etc/pam.d/common-password
Remove the option “use_authtok” in the password “pam_ldap” module configuration as shown below.
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_Step 4 - Testingfirst_pass
Save and close.
Next, edit the pam session configuration ‘/etc/pam.d/common-session’.
vim /etc/pam.d/common-session
Add the “pam_mkhomedir” module configuration below.
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Save and close.
Therefore, you have set up a PAM module for authentication and session configuration.
Now restart the Debian client.
sudo reboot
Step 4-Test
To test the installation and configuration of the OpenLDAP client, log in to the client system using the user provided by the OpenLDAP server.
Login with user ‘olaf’ available on the OpenLDAP server.
Once the “olaf” user logs in, a new user home directory is automatically created for that user.
As a result, the installation and configuration of the OpenLDAP client on Debian 10 has been successfully completed.