Enable LDAP Authentication in Ubuntu 14.04

What I will be doing here?

If you read my previous article, you will see that I had set up a CentOS 6.5 machine as an LDAP server and created a user named madesh with uid=5000 and gid=5000 (the primary group is also named madesh, as the id output later in this article shows). The IP address of the CentOS LDAP server is 192.168.122.249. The CentOS machine is a KVM virtual machine hosted on an Ubuntu machine.

I have also got an Ubuntu server 14.04 virtual machine running under the same KVM host. It is a fresh install of Ubuntu server 14.04 and I will enable LDAP authentication. I will also use the LDAP user madesh for login.

Initial check before enabling LDAP authentication:

To make sure the account really comes from LDAP and not from a local user database, I will first check that no local user or group named madesh exists. Each of the following commands should either report "no such user" or return nothing.
# id madesh
id: madesh: no such user
# groups madesh
groups: madesh: no such user
# getent passwd madesh
# getent group madesh
# grep madesh /etc/passwd /etc/group
# ls /home/madesh
ls: cannot access /home/madesh: No such file or directory
So there is no user or group named madesh on the local system. We will repeat these checks once LDAP authentication is enabled.

Install packages

All we need is the following two packages.
  • libpam-ldap – Pluggable Authentication Module for LDAP. This package provides an interface between the LDAP server and the PAM user authentication system. Its debconf configuration (the ldap-auth-config dialogs shown below) writes the client settings to /etc/ldap.conf.
  • nscd – Name Service Cache Daemon, which handles passwd, group and host lookups and caches the results for the next query.
After installation, also confirm that libnss-ldap is present (dpkg -l libnss-ldap). It supplies the libnss_ldap module that the "ldap" entries added to /etc/nsswitch.conf later in this article depend on; if apt did not pull it in as a recommended package, install it explicitly.
Install them using the below command
# apt-get install libpam-ldap nscd
When you install libpam-ldap it will ask you a series of questions. Each of them is shown below for your reference. Make a note of the LDAP server IP address, the base DN and the LDAP admin DN. In my case the details are as below.
LDAP Server IP 192.168.122.249
Base DN dc=junglegeek,dc=com
LDAP admin cn=Manager,dc=junglegeek,dc=com

Screen #1: Enter the LDAP server address

Enter your LDAP server address as a URI; with the server above that is ldap://192.168.122.249/. Note that a plain ldap:// URI means the client's simple binds, and with them the users' passwords, travel over the network unencrypted. Outside a lab, use ldaps:// instead, or set "ssl start_tls" in /etc/ldap.conf and point tls_cacertfile at the CA certificate that signed the server's certificate.

Screen #2: Set the Base DN


Screen #3: Select LDAP version 3


Screen #4: Select "Yes" for "Make local root database admin"

This sets rootbinddn in /etc/ldap.conf to the admin DN entered in screen #6, so that root on this client can change any LDAP user's password with passwd. The admin password itself is stored in /etc/ldap.secret, which must remain readable by root only.

Screen #5: Select "No" for "Does the LDAP database require login?"

With "No" the client performs its account lookups (the getent and id queries further down) as anonymous searches, so the server's access controls must allow anonymous read of the user and group entries.

Screen #6: Enter the LDAP admin DN (cn=Manager,dc=junglegeek,dc=com) and its password

The password entered here is written to /etc/ldap.secret for the rootbinddn set up in screen #4.

Configure LDAP authentication

We just need to make two more configuration changes before we can use LDAP users.

Step #1: Update /etc/nsswitch.conf

Edit /etc/nsswitch.conf and make sure ldap is listed for the passwd, group and shadow databases, as below.
passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat
With this order LDAP is consulted before the local files, so every lookup, including those for root and other local accounts, goes to the server first; if the server is unreachable, such lookups (and with them logins) stall until the LDAP connection attempt times out. Listing compat before ldap avoids that and gives the same result for madesh.

Step #2: Update /etc/pam.d/common-session

Edit /etc/pam.d/common-session and add the following line to the end of the file. It creates the home directory on first login, since the LDAP entry only names /home/madesh and nothing has created it on this machine. Lines added after the block that pam-auth-update manages survive later runs of pam-auth-update.
session required         pam_mkhomedir.so  skel=/etc/skel  umask=0022

Verifying the LDAP user

Restart the name service cache daemon nscd before trying anything.
# service nscd restart
Now let's verify the LDAP user from the local system.
# id madesh
uid=5000(madesh) gid=5000(madesh) groups=5000(madesh)
# groups madesh
madesh: madesh
# getent passwd madesh
madesh:x:5000:5000:Madesh Soniya:/home/madesh:/bin/bash
# getent group madesh
madesh:*:5000:

Logging in using the LDAP user

It's all working now. Let's try logging in using the LDAP user.
[root@ubunt1: ~] # ssh madesh@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is b7:b0:d9:76:d2:11:24:da:02:50:40:92:31:c0:61:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
madesh@localhost's password: 

[madesh@ubunt1: ~]$ pwd
/home/madesh
We have successfully logged in to the local system as an LDAP user, and pam_mkhomedir created /home/madesh on this first login.

Changing LDAP user password

Now lets try to change the LDAP user password when logged in as madesh user.
[madesh@ubunt1: ~] $ passwd
Enter login(LDAP) password: 
passwd: Authentication information cannot be recovered
passwd: password unchanged
[madesh@ubunt1: ~] $
As you see, pam_ldap could not change the password. The use_authtok option tells pam_ldap to reuse the new password already collected by an earlier module in the password stack (pam_unix.so), but pam_unix ignores an account it cannot find in /etc/shadow and collects nothing, so pam_ldap has no token to work with and reports "Authentication information cannot be recovered". Let's fix it.
Open the file /etc/pam.d/common-password
# vi /etc/pam.d/common-password
Look for the below line
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
Remove the use_authtok parameter so that the line now looks like the below one.
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
Save it and try updating the password now. Note that this line is inside the block of /etc/pam.d/common-password that pam-auth-update manages, so the edit is reverted the next time pam-auth-update runs (for instance when a PAM module package is installed or removed) and has to be reapplied.
[madesh@ubunt1: ~] $ passwd
Enter login(LDAP) password: 
New password: 
Re-enter new password: 
LDAP password information changed for madesh
passwd: password updated successfully
[madesh@ubunt1: ~] $
Success this time.
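Putting the client-side steps together: the script below is an added example written for this edit, not part of the original post. It applies the /etc/nsswitch.conf, /etc/pam.d/common-session and /etc/pam.d/common-password changes from the sections above idempotently, and adds two checks the walkthrough does not make: whether /etc/ldap.conf (the file ldap-auth-config writes) binds over plain ldap:// without TLS, and whether /etc/ldap.secret, where the cn=Manager password from screen #6 is stored, is mode 0600. Without arguments it runs a self-check on constructed copies of those files; the file contents in that self-check, the script name and the function names are all assumptions made for the example. It also puts the local source before ldap in nsswitch.conf, a deliberate departure from the ldap compat order used above.

```shell
#!/bin/sh
# ldap-client-setup.sh (added example): apply this tutorial's client-side
# edits idempotently and run two checks the tutorial skips.
#   sh ldap-client-setup.sh            # self-check on constructed copies only
#   sh ldap-client-setup.sh --apply    # edit the live files under /etc (as root)

# Add "ldap" to passwd, group and shadow if missing. Local sources stay
# first ("compat ldap") so root and other local accounts still resolve
# when the LDAP server is unreachable.
nss_add_ldap() {
    f=$1
    for db in passwd group shadow; do
        if ! grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|\$)" "$f"; then
            sed -E "s/^($db:[[:space:]]*[^#]*[^[:space:]#])/\1 ldap/" "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f"
        fi
    done
}

# Append the pam_mkhomedir line once; it lands after the block that
# pam-auth-update manages, so pam-auth-update leaves it alone.
pam_add_mkhomedir() {
    if ! grep -Eq '^session.*pam_mkhomedir\.so' "$1"; then
        printf 'session required         pam_mkhomedir.so  skel=/etc/skel  umask=0022\n' >> "$1"
    fi
}

# Drop use_authtok from the pam_ldap password line so LDAP users can run
# passwd. This line is inside the managed block: re-run after pam-auth-update.
pam_strip_use_authtok() {
    sed -E '/^password.*pam_ldap\.so/ s/[[:space:]]+use_authtok//' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# 0 when binds are protected (ldaps:// uri or "ssl start_tls"), 1 when a
# simple bind would send the user's password over the network in the clear.
ldap_conf_uses_tls() {
    grep -Eq '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+start_tls)' "$1"
}

# 0 when the rootbinddn password file exists and is mode 0600; it holds
# the cn=Manager password in the clear and must stay root-only.
secret_perms_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600)" ]
}

# Exercise every function on constructed copies (file contents are made up
# for this check, not taken from a real system). Returns 0 on success.
selfcheck() {
    d=$(mktemp -d)
    printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\nhosts:          files dns\n' > "$d/nsswitch.conf"
    printf 'session required        pam_unix.so\n' > "$d/common-session"
    printf 'password [success=2 default=ignore] pam_unix.so obscure sha512\n' > "$d/common-password"
    printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass\n' >> "$d/common-password"
    printf 'base dc=junglegeek,dc=com\nuri ldap://192.168.122.249/\nrootbinddn cn=Manager,dc=junglegeek,dc=com\n' > "$d/ldap.conf"
    printf 'manager-password\n' > "$d/ldap.secret" && chmod 600 "$d/ldap.secret"
    nss_add_ldap "$d/nsswitch.conf"; nss_add_ldap "$d/nsswitch.conf"          # second call is a no-op
    pam_add_mkhomedir "$d/common-session"; pam_add_mkhomedir "$d/common-session"
    pam_strip_use_authtok "$d/common-password"
    rc=0
    [ "$(grep -c '[[:space:]]ldap$' "$d/nsswitch.conf")" -eq 3 ] || rc=1   # passwd, group, shadow
    grep -q '^hosts:.*ldap' "$d/nsswitch.conf" && rc=1                         # hosts untouched
    [ "$(grep -c pam_mkhomedir "$d/common-session")" -eq 1 ] || rc=1
    grep -q use_authtok "$d/common-password" && rc=1
    grep -q 'pam_ldap\.so try_first_pass' "$d/common-password" || rc=1
    ldap_conf_uses_tls "$d/ldap.conf" && rc=1                                  # plain ldap:// is flagged
    secret_perms_ok "$d/ldap.secret" || rc=1
    chmod 644 "$d/ldap.secret"; secret_perms_ok "$d/ldap.secret" && rc=1
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
--apply)
    etc=${2:-/etc}
    nss_add_ldap "$etc/nsswitch.conf"
    pam_add_mkhomedir "$etc/pam.d/common-session"
    pam_strip_use_authtok "$etc/pam.d/common-password"
    ldap_conf_uses_tls "$etc/ldap.conf" \
        || echo "WARNING: $etc/ldap.conf binds over plain ldap:// without start_tls" >&2
    secret_perms_ok "$etc/ldap.secret" \
        || echo "WARNING: $etc/ldap.secret is missing or not mode 0600" >&2
    if [ "$etc" = /etc ]; then service nscd restart; fi
    ;;
*)
    if selfcheck; then echo "self-check passed"; else echo "self-check FAILED" >&2; fi
    ;;
esac
```

Run it with no arguments first to see the self-check pass, then as root with --apply on the client. The two warnings are the checks that matter most on a real network: a plain ldap:// uri without start_tls exposes every login password to anyone on the path to 192.168.122.249, and a world-readable /etc/ldap.secret hands out the directory admin's password. Because the use_authtok change lives in the pam-auth-update managed block, re-run the script (or just pam_strip_use_authtok) after any pam-auth-update.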
That’s it for this tutorial. Hope you enjoyed it and thanks for reading.

1 comment:

Anonymous said...

OK, but when I restart my ubuntu, this does not start again.
