
Ubuntu server logins with LDAP

So, we have installed and configured our own centralized auth server with LDAP. Now is the time to use LDAP to authenticate client logins. In this recipe, we will set up a separate Ubuntu server to use our LDAP server for authenticating users.

Getting ready

You will need a new Ubuntu server to be set as an LDAP client. Also, sudo privileges are needed for the initial setup.

Make sure you have followed the previous recipes and have set up your LDAP server.

How to do it…

We will need to install the LDAP client-side package on the client system. This package will install all the required tools to authenticate with the remote LDAP server:

$ sudo apt-get update

$ sudo apt-get install ldap-auth-client nscd

The installation process will ask you some questions regarding your LDAP server and its authentication details. Answer those questions as follows:

LDAP server URI: ldap://your-LDAP-server-IP. Make sure you change the protocol part of the URI from the default ldapi:/// to ldap://

Distinguished name of search base: Match this to the domain set on the LDAP server in the format dc=example,dc=com

LDAP version to use: 3

Make local root database admin: Yes

Does LDAP database require login: No

LDAP account for root: cn=admin,dc=example,dc=com

LDAP root account password: The password for the LDAP admin account

Next, we need to change the authentication configuration so that lookups are checked against the LDAP server. First, run the following command to update the name service switch file, /etc/nsswitch.conf:

$ sudo auth-client-config -t nss -p lac_ldap

This will change /etc/nsswitch.conf as follows:

Next, edit /etc/pam.d/common-session and add the following line at the end of the file. This makes PAM create a local home directory for LDAP users on their first login:

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Now restart the nscd service with the following command:

$ sudo /etc/init.d/nscd restart

Now you should be able to log in with the user account created on your LDAP server. I have set up an Organizational Unit (OU) named users and created an admin user under it:

Next, switch to the newly created LDAP user account with the su username command. You will need to enter the password that is configured on the LDAP server. As this is the first login for this new user, our PAM settings have created a new home directory for him:

This new user is a member of the admin group on the LDAP server, so he will get sudo privileges on the local server as well.

You can always use the default login prompt to log in with LDAP users, as well as with local user accounts that already exist on the server.
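The following script is an added example, not part of the book's recipe. It checks the three things the recipe changes on the client: that /etc/nsswitch.conf consults ldap for passwd, group and shadow; that pam_mkhomedir is active in common-session; and that the client URI in /etc/ldap.conf (the file ldap-auth-client writes) uses ldap:// rather than the ldapi:/// default. It runs on constructed sample contents by default and on the real files with --system.

```shell
#!/bin/sh
# Post-setup check for the LDAP client recipe (added example, not the book's own
# script). Each check takes file *content* as its argument, so it runs on the
# constructed samples below as well as on the real files (--system).

# Succeeds only if passwd, group and shadow all list "ldap" as a source.
nss_has_ldap() {
    for db in passwd group shadow; do
        printf '%s\n' "$1" | grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" || return 1
    done
}
# Succeeds if pam_mkhomedir is an active (uncommented) session line.
pam_makes_home() {
    printf '%s\n' "$1" | grep -Eq '^session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so'
}
# Succeeds if the uri line is a network LDAP URL (ldap:// or ldaps://), not the
# local ldapi:/// socket, which only exists on the server itself.
ldap_uri_ok() {
    printf '%s\n' "$1" | grep -Eiq '^uri[[:space:]]+ldaps?://'
}
# Prints OK/FAIL for one check: report <label> <check-function> <content>
report() {
    if "$2" "$3"; then echo "OK   $1"; else echo "FAIL $1"; fi
}
# Reads the real client files (paths as written by ldap-auth-client on Ubuntu).
check_system() {
    report /etc/nsswitch.conf        nss_has_ldap   "$(cat /etc/nsswitch.conf)"
    report /etc/pam.d/common-session pam_makes_home "$(cat /etc/pam.d/common-session)"
    report /etc/ldap.conf            ldap_uri_ok    "$(cat /etc/ldap.conf)"
}

# Constructed sample contents so the script demonstrates itself offline.
# The ldap.conf sample deliberately keeps the ldapi:/// default to show a FAIL.
SAMPLE_NSS='passwd:         files ldap
group:          files ldap
shadow:         files ldap'
SAMPLE_PAM='session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel'
SAMPLE_LDAP='base dc=example,dc=com
uri ldapi:///'
if [ "${1:-}" = "--system" ]; then
    check_system
else
    report "sample nsswitch.conf"  nss_has_ldap   "$SAMPLE_NSS"
    report "sample common-session" pam_makes_home "$SAMPLE_PAM"
    report "sample ldap.conf (still ldapi:///)" ldap_uri_ok "$SAMPLE_LDAP"
fi
```

Run it with sudo and --system after completing the recipe; any FAIL line points at the file that still needs attention.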

How it works…

Here we have configured the Ubuntu server to authenticate against our centralized LDAP system. This is not limited to Ubuntu Server; you can configure Ubuntu Desktop in a similar way as well. Using centralized authentication makes it easy to administer hundreds of user accounts from a single place. A user can still log in as a local user if he has local credentials.

Using centralized authentication enables you to log in from any system. You will get the same access rights and permissions from any terminal. Additionally, if the LDAP configuration supports roaming profiles then all your data will be replicated to any new system you log in from. You may have noticed the home directory for the LDAP user account is located in the /home/users directory and not in /home. This separates your account from any local users.

Finally, the groups and roles configured on the LDAP server also apply on the system you are logging in from. So, if the user is assigned admin rights on the LDAP server, he will get admin rights, including sudo privileges, on the system he is logged in from. This is because Ubuntu contains a default group named admin with sudo privileges, and when a user logs in with his LDAP account, the groups and roles assigned to that account are matched by name with the local groups and roles. You can either disable such groups on the remote systems, or set the proper access rights on the LDAP server itself.

See also

The Ubuntu community page for LDAP client authentication at https://help.ubuntu.com/community/LDAPClientAuthentication
