How to Install Configure LDAP Client for 389 Directory Server


389 Directory Server is a super fast open source enterprise LDAP Server.

In this tutorial, we’ll explain how to install and configure the LDAP client on Linux which will talk to your 389 directory server.

Install EPEL

On your client machine, make sure you have EPEL repository setup, as we’ll be downloading the ldap related packages from EPEL.

First, download the latest EPEL package from fedora project website:

Next, install the EPEL rpm on your client machine.

Verify /etc/hosts

Make sure your hosts file is setup properly.

In this example, the following is the current /etc/hosts file setup. In this example, we have the 389 directory server installed on deploy

If you are new to 389 directory server, refer to our previous tutorial where we explained in detail about how to install LDAP 389 Directory Server On Linux.

Install the LDAP Client libraries

For the LDAP client libraries, we need to install the following packages:

  • openldap – This contains LDAP support libraries
  • openldap-devel.x86_64 – This contains LDAP development libraries and header files
  • nss-pam-ldapd – This is the nsswitch module which uses directory servers

Install the above packages using yum as shown below:

Apart from installing the above three packages, depending on your current system configuration, yum might also install the following dependent packages:

  • cyrus-sasl
  • cyrus-sasl-devel
  • nscd

Configure LDAP Client Authentication Resources

To configure the LDAP client authentication resources, we can use any one of the following tools:

  • authconfig – The command line tool to configure authentication resources
  • authconfig-tui – An GUI based tool to configure the auth resources

To launch the GUI version, execute the following command:

This will bring-up the following user interface:

Use the arrow keys and select “Use LDAP Authentication” check-box as shown below. To select a check-box, press the space bar.

In the next screen, set your LDAP server and base DN accordingly. These values should correspond to your installation of 389 directory server. Please refer to our 389 directory server installation tutorial for more details on this.

Start Name Services related Services for LDAP Client

First make sure nslcd Naming Services LDAP client daemon is up and running. If this is not up, start it accordingly.

Next, start nscd Name service caching daemon as shown below using systemctl command.

Setup SSSD and PAM LDAP Configuration

Execute the following authconfig command to setup the SSSD authentication configuration as shown below. This will also make sure you are getting user home directory accordingly for the LDAP client.

Please note that the SSSD service will be enabled and started during by the authconfig when two of the following are satisfied:
/etc/sssd/sssd.conf file exists, or atleast it is already configured using the implicit SSSD support
SSSD authentication is enabled, which means that module is referred in PAM configuration
SSSD is enabled for user identity, which means that nsswitch.conf file has reference to sss

Execute the following authconfig command to setup PAM configuration as shown below.

The following are some of the files that will get affected during the authconfig change:

  • /etc/nscd.conf
  • /etc/nslcd.conf
  • /etc/openldap/ldap.conf
  • /etc/pam.d/system-auth
  • /etc/pam.d/password-auth-ac
  • /etc/nsswitch.conf

The following optiosn are used in the above authconfig command:

  • –enableldapauth will configure authentication functions via /etc/pam.d/system-auth
  • –enableldap options will configure user information services in /etc/nsswitch.conf
  • –enablesysnetauth option will allow authentication of system accounts that has uid < 500.
  • –enablelocauthorize option will allow to bypass checking network authentication services for authorization
  • –update option will make sure that all the configuration files are modified based on the specified command line options

If you enjoyed this article, you might also like..


Facebook Comments

Show More

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button