Setting up an LDAP Client

This post continues on from my previous post on configuring an OpenLDAP server and will demonstrate setting up a client configuration in Enterprise Linux 8.

Note: I originally wrote both this and the previous post using the Enterprise Linux distribution AlmaLinux; however, during the course of testing I rebuilt the virtual machines to use Oracle Linux. If you’re reading both posts in sequence you might notice a change in hostnames and differences in screenshots, but the technical steps to set up the LDAP server and client are the same regardless.

On your EL client machine, install the OpenLDAP client packages.

$ sudo dnf install nss-pam-ldapd openldap-clients oddjob-mkhomedir

Next, configure the client machine to use LDAP by editing the /etc/nslcd.conf file. On line 18, change ‘uri ldap://127.0.0.1’ to ‘uri ldap://rhauth.davidroddick.com’, substituting the hostname of your own LDAP server. On line 25, change ‘base dc=example,dc=com’ to your own domain; in my case it is ‘base dc=davidroddick,dc=com’.

Restart the LDAP client daemon (nslcd) and oddjobd, and make sure both services are enabled.

$ sudo systemctl restart nslcd
$ sudo systemctl enable nslcd
$ sudo systemctl restart oddjobd
$ sudo systemctl enable oddjobd

Next, set up the authselect profile. Copy the stock sssd profile to a custom profile that we can modify, replace every occurrence of sss with ldap in its files, and then select the new profile.

$ sudo cp -Rp /usr/share/authselect/default/sssd /etc/authselect/custom/nscld

$ cd /etc/authselect/custom/nscld
$ sudo sed -i 's/sss/ldap/g' fingerprint-auth
$ sudo sed -i 's/sss/ldap/g' password-auth
$ sudo sed -i 's/sss/ldap/g' smartcard-auth
$ sudo sed -i 's/sss/ldap/g' system-auth
$ sudo sed -i 's/sss/ldap/g' nsswitch.conf
$ sudo sed -i 's/SSSD/NSLCD/g' REQUIREMENTS
$ sudo authselect select custom/nscld with-mkhomedir --force

If everything worked correctly, you should be able to query the LDAP server for the user entry we created previously.

$ sudo getent passwd droddick

Now try logging in to your LDAP user account to verify.
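The nslcd.conf edit above sets only uri and base, so it is worth auditing that file alongside the getent check. The script below is an added example, not part of the original post: it flags the packaged defaults and an ldap:// URI with no StartTLS, and its function names and finding labels are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the nslcd.conf directives edited in this post.
# Directive names (uri, base, ssl, tls_reqcert) are from nslcd.conf(5).

# Print one finding per line for config file $1; return 1 if any were found.
audit_nslcd_conf() {
    local conf=$1 uris base ssl reqcert u rc=0
    # Every value on every uncommented "uri" line (several servers are allowed).
    uris=$(awk '$1 == "uri" { for (i = 2; i <= NF; i++) print $i }' "$conf")
    # Global search base only; per-map "base passwd ..." lines have 3 fields.
    base=$(awk '$1 == "base" && NF == 2 { v = $2 } END { print v }' "$conf")
    ssl=$(awk '$1 == "ssl" { v = $2 } END { print v }' "$conf")
    reqcert=$(awk '$1 == "tls_reqcert" { v = $2 } END { print v }' "$conf")

    if [ -z "$uris" ]; then
        echo "NO_URI: no uri directive is set"; rc=1
    fi
    for u in $uris; do
        case $u in ldap://127.0.0.1*)
            echo "DEFAULT_URI: $u is still the packaged default"; rc=1 ;;
        esac
        # ldap:// is only encrypted when StartTLS is requested; ldaps:// always is.
        case $u in ldap://*)
            if [ "$ssl" != "start_tls" ]; then
                echo "CLEARTEXT: $u without 'ssl start_tls' is unencrypted"; rc=1
            fi ;;
        esac
    done
    if [ "$base" = "dc=example,dc=com" ]; then
        echo "PLACEHOLDER_BASE: base is still dc=example,dc=com"; rc=1
    fi
    case $reqcert in never|allow)
        echo "NO_CERT_CHECK: tls_reqcert $reqcert accepts an unverified server"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: the two directives as this post leaves them.
sample_conf() {
    printf '%s\n' '# constructed sample' 'uid nslcd' 'gid ldap' \
        'uri ldap://rhauth.davidroddick.com' 'base dc=davidroddick,dc=com'
}

# Audit the file named on the command line, or the sample when none is given.
if [ "$#" -gt 0 ]; then conf=$1; else conf=$(mktemp); sample_conf > "$conf"; fi
audit_nslcd_conf "$conf" || echo "review the findings above" >&2
[ "$#" -gt 0 ] || rm -f "$conf"
```

Pass /etc/nslcd.conf as the first argument (with sudo) to audit the live file instead of the sample.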

In the next post we’ll configure a Kerberos authentication server.