How to Configure LDAP Client to Connect External Authentication

LDAP (short for Lightweight Directory Access Protocol) is an industry standard, widely used set of protocols for accessing directory services.

A directory service in simple terms is a centralized, network-based database optimized for read access. It stores and provides access to information that must either be shared between applications or is highly distributed.

Directory services play an important role in developing intranet and Internet applications by helping you share information about users, systems, networks, applications, and services throughout the network.

A typical use case for LDAP is to offer a centralized storage of usernames and passwords. This allows various applications (or services) to connect to the LDAP server to validate users.

After setting up a working LDAP server, you will need to install libraries on the client for connecting to it. In this article, we will show how to configure an LDAP client to connect to an external authentication source.

I hope you already have a working LDAP server environment; if not, first follow Set Up LDAP Server for LDAP-based Authentication.

How to Install and Configure LDAP Client in Ubuntu and CentOS

On the client systems, you will need to install a few necessary packages to make the authentication mechanism function correctly with an LDAP server.

Configure LDAP Client in Ubuntu 16.04 and 18.04

First start by installing the necessary packages by running the following command.

$ sudo apt update && sudo apt install libnss-ldap libpam-ldap ldap-utils nscd

During the installation, you will be prompted for details of your LDAP server (provide the values according to your environment). Note that the ldap-auth-config package, which is installed automatically, does most of the configuration based on the inputs you enter.

Enter LDAP Server URI

Next, enter the name of the LDAP search base; you can use the components of your domain name for this purpose, as shown in the screenshot.

Enter LDAP Search Base

Also choose the LDAP version to use and click Ok.

Select LDAP Version

Now configure the option that makes password utilities which use PAM behave as if you were changing local passwords, and click Yes to continue.

Make Local Root Database Admin

Next, disable the login requirement to the LDAP database using the next option.

Disable Login to LDAP Database

Also define the LDAP account for root and click Ok.

Define LDAP Account for Root

Next, enter the password to use when ldap-auth-config tries to login to the LDAP directory using the LDAP account for root.

Enter LDAP Root Password

The results of the dialog will be stored in the file /etc/ldap.conf. If you want to make any alterations, open and edit this file using your favorite command line editor.

Next, configure the LDAP profile for NSS by running.

$ sudo auth-client-config -t nss -p lac_ldap

Then configure the system to use LDAP for authentication by updating the PAM configuration with the following command. From the menu, choose LDAP and any other authentication mechanisms you need.

$ sudo pam-auth-update

Configure PAM Authentication Mechanism

If you want the home directory of the user to be created automatically on first login, you need to perform one more configuration step in the common-session PAM file.

$ sudo vim /etc/pam.d/common-session

Add this line in it.

session required pam_mkhomedir.so skel=/etc/skel umask=077

Save the changes and close the file. Then restart the NSCD (Name Service Cache Daemon) service with the following commands.

$ sudo systemctl restart nscd
$ sudo systemctl enable nscd

Note: If you are using replication, LDAP clients will need to refer to multiple servers specified in /etc/ldap.conf. You can specify all the servers in this form:

uri ldap://ldap1.example.com  ldap://ldap2.example.com

This means that if a request to the Provider (ldap1.example.com) times out because it has become unresponsive, the client will attempt to reach the Consumer (ldap2.example.com) to process it.

To check the LDAP entries for a particular user from the server, run the getent command, for example.

$ getent passwd tecmint

If the above command displays details of the specified user in the same form as an /etc/passwd entry, your client machine is now configured to authenticate with the LDAP server, and you should be able to log in using LDAP-based credentials.
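As an added check that is not part of the original article, the following POSIX shell functions read the uri, base and ldap_version values back out of /etc/ldap.conf, warn when the directory is reached over plain ldap:// without start_tls (the root bind password entered in the dialogs above would then cross the network in clear text), confirm that /etc/ldap.secret is readable by root only, and validate the getent passwd line (seven fields, UID not 0), which applies equally to the getent test in the CentOS section. The file paths and the tecmint user come from the article; GNU stat and a POSIX awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original article): sanity checks on the client
# config that ldap-auth-config writes to /etc/ldap.conf, on the root bind
# password file /etc/ldap.secret, and on the "getent passwd" result.
# Assumes GNU stat (-c) and a POSIX awk.

# Print the value of key $2 ("uri", "base", "ldap_version", ...) from the
# ldap.conf-style file $1; key matching is case-insensitive, first hit wins.
ldap_conf_get() {
    awk -v key="$2" 'tolower($1)==key { $1=""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# 0 when every server in the uri line is ldaps:// or "ssl start_tls" is set,
# 1 when the bind password would cross the network in clear text.
ldap_conf_encrypted() {
    uri=$(ldap_conf_get "$1" uri)
    [ -n "$uri" ] || return 1
    [ "$(ldap_conf_get "$1" ssl)" = "start_tls" ] && return 0
    for u in $uri; do
        case "$u" in
            ldaps://*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The rootbinddn password lives in $1 (normally /etc/ldap.secret); it must be
# readable by root only. A missing file is fine (no password stored).
ldap_secret_mode_ok() {
    [ -f "$1" ] || return 0
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Check one "getent passwd NAME" line: seven colon-separated fields and a UID
# that is not 0, so a directory entry can never map to the local root account.
passwd_entry_sane() {
    printf '%s\n' "$1" | awk -F: 'NF==7 && $3 ~ /^[0-9]+$/ && $3 != 0 { ok=1 } END { exit !ok }'
}

audit_ldap_client() {
    conf=${1:-/etc/ldap.conf}; secret=${2:-/etc/ldap.secret}; user=${3:-tecmint}
    echo "uri:     $(ldap_conf_get "$conf" uri)"
    echo "base:    $(ldap_conf_get "$conf" base)"
    echo "version: $(ldap_conf_get "$conf" ldap_version)"
    ldap_conf_encrypted "$conf" || echo "WARNING: plain ldap:// without start_tls"
    ldap_secret_mode_ok "$secret" || echo "WARNING: $secret is not mode 0600"
    entry=$(getent passwd "$user") && passwd_entry_sane "$entry" && echo "ok: $entry"
}
```

Run `audit_ldap_client` with no arguments on a configured client, or pass a config path, secret path and user name to check a different layout.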

Configure LDAP Client in CentOS 7

To install the necessary packages, run the following command. Note that in this section, if you are operating the system as a non-root administrative user, use the sudo command to run all commands.

# yum update && yum install openldap openldap-clients nss-pam-ldapd

Next, enable the client system to authenticate using LDAP. You can use the authconfig utility, which is an interface for configuring system authentication resources.

Run the following command and replace ldap.example.com with your LDAP server and dc=example,dc=com with your LDAP base DN (your domain components).

# authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

In the above command, the --enablemkhomedir option creates a local user home directory at the first connection if none exists.

Next, test whether the LDAP entries for a particular user can be retrieved from the server, for example for the user tecmint.

$ getent passwd tecmint

The above command should display details of the specified user in the same form as an /etc/passwd entry, which implies that the client machine is now configured to authenticate with the LDAP server.

Important: If SELinux is enabled on your system, you need to add a rule to allow creating home directories automatically by mkhomedir.

For more information, consult the appropriate documentation from OpenLDAP Software document catalog.

Summary

LDAP is a widely used protocol for querying and modifying a directory service. In this guide, we have shown how to configure an LDAP client to connect to an external authentication source on Ubuntu and CentOS client machines. You can leave any questions or comments you may have using the feedback form below.


Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.


25 Comments

  1. Hi Everyone,

    I need your help in this situation. I had opened the authconfig-tui utility with sudo privileges on the LDAP server to check its configuration. After I was done, I closed the authconfig-tui tool with the OK button instead of the CANCEL button, and now I am not able to log in to the LDAP server with the LDAP id. Do you have any suggestions as to what has changed here?

  2. Each time a user logs in from the client system, it asks for a password change and logs out immediately.

    next login same thing repeats.

      • Even I am getting the same error.

        ubuntu@osm-ldap-c:~$ su prabhu
        Password:
        You are required to change your password immediately (root enforced)
        Enter login(LDAP) password:
        su: Authentication information cannot be recovered

        Note: I have replaced tecmint with prabhu.

        When I logged in with putty, directly entering the username, I get the following.

        login as: prabhu
        [email protected]'s password:
        You are required to change your password immediately (root enforced)
        Last login: Wed Jul  1 08:52:05 2020 from 10.101.241.3
        WARNING: Your password has expired.
        You must change your password now and login again!
        Enter login(LDAP) password:

        After entering the correct password, the PuTTY window disappears.

        Can you please help?

  3. Hi, can anyone help?

    I am not getting any error messages nor the Success message after the “getent passwd tecmint” command on client-side.

    I’m using CentOS 7 btw.

    Thanks

  4. Enter LDAP Server URI is not right. I spent 3 days fixing this error.

    ldapi:/// => ldap://

    All of the guides have the same error.

  5. Hi, Does this work with a Windows application that requires validating users by LDAP? Should something else be configured?

  6. I followed the guide yet I am getting the following error

    su pranav
    su: user pranav does not exist

    The command below is not working for me on the client:

    authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

    I am not getting any error messages nor the Success message

  7. Hello,

    Why must the root password be stored on the client machine (I can see it is for changing passwords) only? Without the root password, a client user on an external machine cannot log in via ssh using the LDAP DB, nor into Gnome.

  8. On Ubuntu 19.04, following these steps I get the error:

    lokaal@silver-linux:~$ auth-client-config
    auth-client-config: command not found

  9. Invalid user test from localhost port 60074

    Jul 2 17:49:28 localhost sshd[3413]: input_userauth_request: invalid user test [preauth]
    Jul 2 17:50:07 localhost sshd[3413]: pam_unix(sshd:auth): check pass; user unknown
    Jul 2 17:50:07 localhost sshd[3413]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
    Jul 2 17:50:09 localhost sshd[3413]: Failed password for invalid user test from localhost port 60074 ssh2
    Jul 2 17:50:18 localhost sshd[3413]: pam_unix(sshd:auth): check pass; user unknown
    Jul 2 17:50:21 localhost sshd[3413]: Failed password for invalid user test from localhost port 60074 ssh2

  10. Client side doesn’t work for me either.

    If I run the command:

    # ldapsearch -x -b 'dc=ldapteste,dc=com' 'objectclass=*' 

    for the server side or the client side I can retrieve information about ldap and it seems to be working.

    But when I run on the client:

    # authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

    No user is created, and therefore the command getent passwd tecmint has no output at all.

    Does anyone know how to solve this?

  11. I also followed this guide, but when I log in as the user on the client machine, it shows an authentication error.
