ldap-client cheatsheet


1 LDAP Resources

1.1 LDAP server resources

The main online resources for LDAP are:

  1. ldap.com
  2. ldapwiki.com
  3. openldap.org
  4. itzgeek (from lab7 installation notes)
  5. openldap admin guide

1.2 LDAP client resources

Arthur DeJong about ldapd on LDAP authentication with nss-pam-ldapd (CentOS 7)

access.redhat.com Chapter 1 Authselect on CentOS 8

access.redhat.com Chapter 2 SSSD on CentOS 8

2 LDAP authentication using nss-pam-ldapd

3 Overview User Authentication using Authselect.

Authselect is a utility that simplifies the configuration of user authentication on a Red Hat / CentOS 8 host. Authselect comes with two profiles out of the box that can be universally used with all modern identity management systems:

  1. the sssd profile
  2. the winbind profile

NIS is also included for legacy systems.

  1. Warning

    Do not use authselect if your host is part of Red Hat Enterprise Linux Identity Management or Active Directory. The ipa-client-install command, called when joining your host to a Red Hat Identity Management domain, takes full care of configuring authentication on your host. Similarly, the realm join command, called when joining your host to an Active Directory domain, takes full care of configuring authentication on your host.

3.0.1 authconfig is deprecated in CentOS 8

The authconfig utility, used in previous Red Hat Enterprise Linux versions, created and modified many different configuration files, making troubleshooting a difficult task.

Authselect makes testing and troubleshooting easy because it only modifies files in these locations:

  • /etc/nsswitch.conf
  • /etc/pam.d/* files
  • /etc/dconf/db/distro.d/* files

3.1 Name Service Switch (NSS)

3.1.1 /etc/nsswitch.conf

NSS is used by the GNU C Library and some other applications to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name.

3.2 Linux-PAM (Pluggable Authentication Modules)

Linux-PAM is a system of modules that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the sysadmin can choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the configuration files in /etc/pam.d, which list the PAMs that will do the authentication tasks required by a service, and the appropriate behaviour of the PAM API in the event that individual PAMs fail.

Once the authselect profile is selected for a given host, the profile will be applied to every user logging into the host.

3.3 Choosing an authselect profile

System admins can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into that host.

  1. Select the authselect profile

    Select the authselect profile that is appropriate for your authentication provider. For example, for logging into the network of a company that uses LDAP, choose sssd. Run the command as root:

    authselect select sssd

  2. Optionally, review the contents of the /etc/nsswitch.conf file:

    passwd:     sss files
    group:      sss files
    netgroup:   sss files
    automount:  sss files
    services:   sss files
    …

    The content of the /etc/nsswitch.conf file shows that selecting the sssd profile means that the system first uses sssd if information concerning one of the first five items is requested. Only if the requested information is not found in the sssd cache and on the server providing authentication, or if sssd is not running, the system looks at the local files, that is /etc/*.

    For example, if information is requested about a user id, the user id is first searched in the sssd cache. If it is not found there, the /etc/passwd file is consulted.

    Likewise, if a user’s group affiliation is requested, it is first searched in the sssd cache and only if not found there, the /etc/group file is consulted.

    In practice, the local files database does not normally get consulted at all. The only exception is the case of the root user, which is never handled by sssd but by files.

  3. Optionally, review the contents of the /etc/pam.d/system-auth file:
    # Generated by authselect on Tue Sep 11 22:59:06 2018
    # Do not modify this file manually.
    
    auth        required        pam_env.so
    auth        required        pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok]    pam_succeed_if.so uid >= 1000 quiet
    auth        [default=1 ignore=ignore success=ok]    pam_localuser.so
    auth        sufficient      pam_unix.so nullok try_first_pass
    auth        requisite       pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient      pam_sss.so forward_pass
    auth        required        pam_deny.so
    
    account     required        pam_unix.so
    account     sufficient      pam_localuser.so
    ...
    

    Among other things, the /etc/pam.d/system-auth file contains information about:

    • user password lockout condition
    • the possibility to authenticate with a smart card
    • the possibility to authenticate with fingerprints

      You can modify the default profile settings by adding the following options to the authselect select sssd or authselect select winbind command, for example:

      • with-faillock
      • with-smartcard
      • with-fingerprint

    To see the full list of available options, see Section 1.5, “Converting your scripts from authconfig to authselect” or the authselect-migration(7) man page.

    Make sure that the config files for your profile are configured properly before finishing the authselect procedure.

    If adjusting a ready-made profile by adding one of the authselect select command-line options described above is not enough for your use case, you can:

    • modify a ready-made profile by changing the /etc/authselect/user-nsswitch.conf file.
    • create your own custom profile.
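To see why an LDAP user is authenticated by pam_sss while root is never handed to sssd, the following walks the auth stack from the system-auth file above with Linux-PAM's control-flag semantics. This is an added illustration, not code from the page or from authselect: the stack lines are copied from the page, the three accounts are constructed, and each module's verdict is a simplified stand-in for the real module.

```python
"""Simulate the auth section of the authselect sssd profile's system-auth.
Shows which module decides the login for a local user, an LDAP-only user and
root, and which modules are never consulted."""

# The auth lines from the page's system-auth, as (control, module, arguments).
AUTH_STACK = [
    ("required", "pam_env.so", ""),
    ("required", "pam_faildelay.so", "delay=2000000"),
    ("[default=1 ignore=ignore success=ok]", "pam_succeed_if.so", "uid >= 1000 quiet"),
    ("[default=1 ignore=ignore success=ok]", "pam_localuser.so", ""),
    ("sufficient", "pam_unix.so", "nullok try_first_pass"),
    ("requisite", "pam_succeed_if.so", "uid >= 1000 quiet_success"),
    ("sufficient", "pam_sss.so", "forward_pass"),
    ("required", "pam_deny.so", ""),
]

# Constructed accounts (hypothetical): a local user, an LDAP-only user, and root.
LOCAL_USER = {"name": "alice", "uid": 1000, "local": True}
LDAP_USER = {"name": "zintis", "uid": 10000, "local": False}
ROOT = {"name": "root", "uid": 0, "local": True}


def module_verdict(module, user, password_ok):
    """Simplified stand-in for each module's return value (True = PAM_SUCCESS)."""
    if module in ("pam_env.so", "pam_faildelay.so"):
        return True                              # housekeeping modules always succeed
    if module == "pam_succeed_if.so":
        return user["uid"] >= 1000               # the condition written on the page's lines
    if module == "pam_localuser.so":
        return user["local"]                     # is the account in /etc/passwd?
    if module == "pam_unix.so":
        return user["local"] and password_ok     # password checked against /etc/shadow
    if module == "pam_sss.so":
        return not user["local"] and password_ok  # password checked via SSSD / LDAP
    if module == "pam_deny.so":
        return False
    raise ValueError(module)


def run_auth(user, password_ok):
    """Return (outcome, deciding module, modules consulted) for one login attempt."""
    required_failed = False
    consulted = []
    i = 0
    while i < len(AUTH_STACK):
        control, module, _args = AUTH_STACK[i]
        ok = module_verdict(module, user, password_ok)
        consulted.append(module)
        if control == "required":
            required_failed |= not ok            # failure is remembered, stack continues
        elif control == "requisite":
            if not ok:
                return "fail", module, consulted  # failure returns immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return "success", module, consulted
        else:
            # Bracketed form: success=ok just continues; any other result takes
            # default=N, which jumps over the next N modules in the stack.
            actions = dict(tok.split("=") for tok in control.strip("[]").split())
            if not ok:
                i += int(actions["default"])
        i += 1
    # Falling off the end means pam_deny.so (required) failed, so the login fails.
    return "fail", "pam_deny.so", consulted


if __name__ == "__main__":
    for user, pw_ok in ((LOCAL_USER, True), (LDAP_USER, True), (ROOT, True), (ROOT, False)):
        outcome, decider, consulted = run_auth(user, pw_ok)
        print(f"{user['name']:7} password_ok={pw_ok!s:5} -> {outcome:7} decided by {decider}; "
              f"pam_sss consulted: {'pam_sss.so' in consulted}")
```

Note that the `default=1` jump after a failed pam_localuser.so is what keeps pam_unix.so from ever seeing an LDAP user's password, and the requisite `uid >= 1000` line is what keeps pam_sss.so from ever seeing root's.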

3.4 Modifying a ready-made authselect profile

A sysadmin can modify one of the default profiles (the sssd, winbind, or nis profile) as needed. You can modify any of the items in the /etc/authselect/user-nsswitch.conf file with the exception of:

  • passwd
  • group
  • netgroup
  • automount
  • services

Running authselect select profile_name afterwards transfers the permitted changes from /etc/authselect/user-nsswitch.conf to the /etc/nsswitch.conf file, with changes to the protected maps listed above being overwritten by the default profile configuration.

DO NOT modify the /etc/nsswitch.conf file directly.

  1. Select an authselect profile, for example:

    authselect select sssd

  2. Edit the /etc/authselect/user-nsswitch.conf file.
  3. Apply the changes made to /etc/authselect/user-nsswitch.conf:

    authselect apply-changes

  4. Optionally, review the /etc/nsswitch.conf file to verify the transfer of the changes.

3.5 Create a home-grown authselect profile

A sysadmin can create and deploy a custom profile by customizing one of the default profiles (the sssd, winbind, or nis profile). This is particularly useful if a ready-made authselect profile is not enough for your needs. When you deploy a custom profile, the profile is applied to every user logging into the given host.

  1. Create your custom profile by using the authselect create-profile command.

    For example, to create a custom profile called user-profile based on the ready-made sssd profile, but one in which you can configure the items in the /etc/nsswitch.conf file yourself:

    authselect create-profile user-profile -b sssd --symlink-meta --symlink-pam
    New profile was created at /etc/authselect/custom/user-profile

    Including the --symlink-pam option in the command means that PAM templates will be symbolic links to the origin profile files instead of a copy; including the --symlink-meta option means that meta files, such as README and REQUIREMENTS, will be symbolic links to the origin profile files instead of a copy. This ensures that all future updates to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.

    The command has created a copy of the /etc/nsswitch.conf file in the /etc/authselect/custom/user-profile directory.

  2. Configure the /etc/authselect/custom/user-profile/nsswitch.conf file.
  3. Select the profile with authselect select custom/<name-of-profile>.

    Selecting the user-profile profile for your machine means that if the sssd profile is subsequently updated by Red Hat, you will benefit from all the updates with the exception of updates made to the /etc/nsswitch.conf file.

  4. Check that selecting the profile has:
    • created the /etc/pam.d/system-auth file according to the sssd profile
    • left the configuration in /etc/nsswitch.conf unchanged.

3.6 Relation of authconfig options to authselect profiles

Authconfig options                     Authselect options
--enableldap --enableldapauth          sssd
--enablesssd --enablesssdauth          sssd
--enablekrb5                           sssd
--enablewinbind --enablewinbindauth    winbind
--enablenis                            nis

3.7 Relation of authselect options equivalents to authconfig options

Authconfig options      Authselect options
--enablesmartcard       with-smartcard
--enablefingerprint     with-fingerprint
--enableecryptfs        with-ecryptfs
--enablemkhomedir       with-mkhomedir
--enablefaillock        with-faillock
--enablepamaccess       with-pamaccess
--enablewinbindkrb5     with-krb5

Examples:

authconfig --enableldap --enableldapauth --enablefaillock --updateall
becomes authselect select sssd with-faillock

authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
becomes authselect select sssd with-smartcard

authconfig --enableecryptfs --enablepamaccess --updateall
becomes authselect select sssd with-ecryptfs with-pamaccess

authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
becomes realm join -U Administrator --client-software=winbind WINBINDDOMAIN

4 Overview Configuring SSSD to use LDAP authentication (and optionally TLS)

From Red Hat: The System Security Services Daemon (SSSD) is a daemon that manages identity data retrieval and authentication on a RHEL 8 host. A system administrator can configure the SSSD on the host to use a standalone LDAP server database as the user account database. Examples of an LDAP server include the OpenLDAP server and the Red Hat 389 Directory Server. In this chapter, the scenario also includes the requirement that the connection with the LDAP server must be encrypted with a TLS certificate.

The authentication method of the LDAP objects can be either a Kerberos password or an LDAP password. Note that the questions of authentication and authorization of the LDAP objects are not addressed in this chapter.

Users and groups that are defined in an LDAP server can log in to your system. Whether a user is known to the system is managed through an NSS module, and the authentication is done with a PAM module.

The RHEL system uses an OpenLDAP server as the user account database.

The RHEL system uses the System Security Services Daemon (SSSD) as the service responsible for retrieving the user data.

The RHEL system uses a TLS certificate to encrypt the connection with the OpenLDAP server. (optionally?)

The host you want to become a client of the OpenLDAP server needs /etc/sssd/sssd.conf configured to specify ldap as the autofs_provider and the id_provider.

Procedure:

  1. Install the necessary packages: dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir
  2. Switch the authentication provider to sssd: authselect select sssd with-mkhomedir
  3. Copy the core-dirsrv.ca.pem file containing the LDAP server certificate into the /etc/openldap/cacerts folder (if using TLS).
  4. Add the URL and suffix of your LDAP server to the /etc/openldap/ldap.conf file:

    URI ldap://vm4.andrew.ops/
    BASE dc=andrew,dc=ops

  5. In /etc/openldap/ldap.conf, specify the location of the OpenLDAP server certificate by adding a TLS_CACERT line pointing to /etc/openldap/cacerts/core-dirsrv.ca.pem (if using TLS):

    TLS_CACERT /etc/openldap/certs/core-dirsrv.ca.pem

  6. In the /etc/sssd/sssd.conf file, set ldap_uri and ldap_search_base for your server:

    [domain/default]
    id_provider = ldap
    autofs_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://ldap-server.example.com/
    ldap_search_base = dc=example,dc=com
    ldap_id_use_start_tls = True
    cache_credentials = True
    ldap_tls_cacertdir = /etc/openldap/certs
    ldap_tls_reqcert = allow

    [sssd]
    services = nss, pam, autofs
    domains = default

    [nss]
    homedir_substring = /home

  7. In /etc/sssd/sssd.conf, specify the TLS authentication by modifying the ldap_tls_cacert and ldap_tls_reqcert values in [domain/default]:

    cache_credentials = True
    ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
    ldap_tls_reqcert = hard
    …

  8. Change the permissions on the /etc/sssd/sssd.conf file:
  9. Restart and enable SSSD:
  10. (Optional) If your LDAP server uses the deprecated TLS 1.0 or TLS 1.1 protocols, switch the system-wide cryptographic policy on the client system to the LEGACY level to allow RHEL 8 to communicate using these protocols:
  11. Verify login by using the id command and specifying an LDAP user:

uid=16252(ldapuser) gid=51515(sysadmins) groups=724236(sysadmins),25216(engineers),10(wheel),11515216(admins)

The system administrator can now query users from LDAP using the id command. The command returns the correct user ID and group membership.

5

5.1 First, how to turn it off

Disable LDAP authentication (deprecated: authselect replaces authconfig). To disable LDAP authentication, use the following command:

sudo /usr/bin/authconfig --disableldap --disableldapauth --ldapserver=ldap://your-ldap-server-name:port --ldapbasedn="dc=your-ldap-dc,dc=your-ldap-dc" --update

5.2 Installing nss-pam-ldapd

dnf install libsss_nss_idmap.x86_64

5.3 Configure /etc/nslcd.conf

See man nslcd.conf(5) for a list of all the available options.

Minimally you need to tell nss where your LDAP server resides:

uri ldap://vm4.zintis.ops/

The base from which to search the LDAP database:

base dc=andrew,dc=ops

The credentials for searching the LDAP database:

binddn cn=ldaproot,dc=andrew,dc=ops

The password with which to bind:

bindpw seneca99ldap

The DN to perform password modifications by root (root password modifier DN):

rootpwmoddn cn=ldaproot,dc=andrew,dc=ops

Set the uid and gid options to the created user and group:

uid nslcd
gid ldap    # examples on arthurdejong.org had gid nslcd

5.3.1 After making these mods, restart nslcd

5.4 Configure /etc/nsswitch.conf

You have to add ldap to the passwd, group and shadow maps. The maps tell the resolver where to look for users. For example, if you have the following in /etc/nsswitch.conf:

passwd: files ldap
group:  files ldap
shadow: files ldap

then the lookup will first look for the user defined in passwd (through useradd) and, if not found, will defer to ldap.

5.5 Configure /etc/pam.conf OR /etc/pam.d/*

You will need to configure these in order to enable logins using BOTH LDAP and local users. You have to edit files in the /etc/pam.d directory.

Everywhere that pam_unix is called you should also call pam_ldap.

  1. password-auth (Do not modify this file manually. Generated by authselect)

5.6 authselect

Select the system identity and authentication sources.

From the man page AUTHSELECT(8): It is a configuration tool, by selecting a specific profile. A profile is a set of files that describes how the resulting system configuration will look like. When a profile is selected, authselect will create nsswitch.conf(5) and PAM(8) stack to use identity and authentication sources.

If the provided profile set is not sufficient, the admin may create a custom profile by putting it in a special profile directory, /etc/authselect/custom. By doing so the profile is immediately usable by authselect.

5.7 authselect commands

authselect                               lists all available commands
authselect select --help                 explains the command COMMAND
authselect select --force
authselect select -b                     backup system files before activating the selected profile
authselect select --backup=NAME          backup stored in /var/lib/authselect/backups/NAME

authselect apply-changes                 re-apply the currently selected profile. Works if the existing configuration is a valid authselect configuration; otherwise an error is returned.
authselect apply-changes -b              backup system files before applying changes
authselect apply-changes --backup=NAME   ditto as in select

authselect list                          list available profiles
authselect show profileid                print info about a profile
authselect requirements profileid        print info about profile requirements
authselect current                       print info about the currently selected profile
authselect check                         is the current profile valid?
authselect test profileid                print the contents of files generated by authselect without actually making any changes:
    -a  all files
    -n  print nsswitch.conf content
    -s  print system-auth content
    -p  print password-auth content
    -c  print smartcard-auth content
    -o  print postlogin content
    -d  print dconf database content
    -l  print dconf lock content

authselect create-profile NAME           a new custom profile is created (see man)

6 Some additional stuff that might be old (from arthurdejong.org)

/etc/pam.conf or /etc/pam.d/*: To enable logins using both LDAP and local users (e.g. you want to keep root logins) you should edit files under /etc/pam.d (or /etc/pam.conf if your system uses that). Everywhere that pam_unix is called you should also call pam_ldap. A very basic snippet is included below.

auth     sufficient  pam_unix.so
auth     sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth     required    pam_deny.so

account  required    pam_unix.so
account  sufficient  pam_ldap.so minimum_uid=1000
account  required    pam_permit.so

session  required    pam_unix.so
session  optional    pam_ldap.so minimum_uid=1000

password sufficient  pam_unix.so nullok md5 shadow use_authtok
password sufficient  pam_ldap.so minimum_uid=1000 try_first_pass
password required    pam_deny.so

—————— that's it from arthur——————————

7 From redhat discussions:

On the Red Hat discussion boards (deprecated, authconfig is replaced by authselect): With the following command line, our RHEL 7 workstations here can be set up correctly for LDAP authentication:

authconfig --enableldap --ldapserver [our ldap server] --enableldapauth --ldapbasedn [our base DN] --enableldaptls --ldaploadcacert=[our slapd cert file] --update

7.1 From Red Hat documentation, CentOS 8

2.1. An OpenLDAP client using SSSD to retrieve data from LDAP in an encrypted way. See section 4 above.

8 continuation from some older systems:

8.1 Configure sssd through /etc/sssd/sssd.conf

Configure the LDAP client by using sssd. The sssd configuration is located at /etc/sssd/sssd.conf. Example sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/default]
auth_provider = ldap
id_provider = ldap
ldap_schema = rfc2307
ldap_search_base = ou=im,dc=example,dc=com
ldap_group_member = memberuid
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldap://ldap.example.com:389/
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
#ldap_access_filter = (&(object)(object))
ldap_default_bind_dn = cn=Manager,ou=im,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = YOURPASSWORD
cache_credentials = True
enumerate = true
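The sssd.conf above and the one in section 4 differ in exactly the settings that decide whether LDAP lookups and binds are protected: ldap_id_use_start_tls, ldap_tls_reqcert (section 4 starts with allow and then upgrades to hard) and whether a bind password sits in the file. The checker below, an added example that is not from Red Hat or the sssd project, parses a domain section and flags those weaknesses; the two configs are constructed from the page's samples with a placeholder password, and the 0600 file-mode rule is the reader's assumption behind the "change the permissions" step.

```python
"""Audit sssd.conf [domain/...] sections for cleartext LDAP transport, lax
certificate checking and embedded bind passwords."""
import configparser
import os
import stat

# Constructed from the section 8 sample (password replaced with a placeholder).
WEAK_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
auth_provider = ldap
id_provider = ldap
ldap_uri = ldap://ldap.example.com:389/
ldap_search_base = ou=im,dc=example,dc=com
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = cn=Manager,ou=im,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_PASSWORD
cache_credentials = True
"""

# Constructed from the section 4 sample after step 7 (reqcert raised to hard).
HARDENED_CONF = """\
[sssd]
services = nss, pam, autofs
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap-server.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
ldap_tls_reqcert = hard
cache_credentials = True
"""


def audit_sssd_conf(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        dom = cp[name]
        if "ldap" not in (dom.get("id_provider"), dom.get("auth_provider")):
            continue
        start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        # ldap_uri may be a comma-separated list; plain ldap:// needs StartTLS.
        for uri in (u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()):
            if uri.startswith("ldap://") and not start_tls:
                findings.append(f"{name}: {uri} without ldap_id_use_start_tls = True "
                                "sends binds and lookups in cleartext")
        # sssd's default for ldap_tls_reqcert is hard; never/allow/try skip validation.
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in ("never", "allow", "try"):
            findings.append(f"{name}: ldap_tls_reqcert = {reqcert} accepts an unverifiable "
                            "server certificate (use hard)")
        elif not (dom.get("ldap_tls_cacert") or dom.get("ldap_tls_cacertdir")):
            findings.append(f"{name}: ldap_tls_reqcert = {reqcert} but no ldap_tls_cacert "
                            "or ldap_tls_cacertdir to validate against")
        if "ldap_default_authtok" in dom:
            findings.append(f"{name}: ldap_default_authtok stores the bind password for "
                            f"{dom.get('ldap_default_bind_dn', '?')} in sssd.conf")
    return findings


def mode_is_private(mode):
    """True when no group/other permission bits are set (e.g. 0600)."""
    return mode & 0o077 == 0


def sssd_conf_mode_ok(path="/etc/sssd/sssd.conf"):
    """Check the on-disk file; a bind password in a world-readable file is the worst case."""
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_sssd_conf(conf) or ['no findings']}")
```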

8.2 OpenLDAP client that comes with the server.

OpenLDAP provides not only a server but also a client, openldap-clients. This package includes the following command line utilities:

  • ldapadd: Adds entries to an LDAP directory either from a file or from standard input.
  • ldapmodify: Modifies entries in an LDAP directory [ ldapmodify -a is identical to ldapadd. ]
  • ldapcompare: Compares a given attribute with an LDAP directory entry
  • ldapdelete: Deletes entries from an LDAP directory
  • ldapexop: Performs extended LDAP operations
  • ldapmodrdn: Modifies the RDN value of an LDAP directory entry
  • ldappasswd: Is a password utility for an LDAP user
  • ldapsearch: Is an LDAP directory search tool
  • ldapurl: Is an LDAP URL formatting tool
  • ldapwhoami: Performs a whoami operation on an LDAP server

There are also several GUI LDAP clients. Use at your own risk.

9 Examples from lab 7, Seneca OPS335

9.1 ldapusers.ldif

dn: uid=zintis,ou=People,dc=andrew,dc=ops
uid: zintis
cn: zintis
sn: zintis
mail: zintis@zintis.ops
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$mjRyTHR5$ARM0BM7g1dPc422iHK3BGVHqcXVty0FETrE6yj/N47sudpjivy0ExxSNpvzW.
shadowLastChange: 18348
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/zintis

9.2 slapcat output from original directory

slapcat
5e80f53b The first database does not allow slapcat; using the first available one (2)
dn: dc=andrew,dc=ops
dc: andrew
objectClass: top
objectClass: domain
structuralObjectClass: domain
entryUUID: 0192e632-da18-1038-83ca-ef40d5fa4d01
creatorsName: cn=ldaproot,dc=andrew,dc=ops
createTimestamp: 20190313201201Z
entryCSN: 20190313201201.126862Z#000000#000#000000
modifiersName: cn=ldaproot,dc=andrew,dc=ops
modifyTimestamp: 20190313201201Z

dn: cn=ldaproot,dc=andrew,dc=ops
objectClass: organizationalRole
cn: ldaproot
description: LDAP Manager
structuralObjectClass: organizationalRole
entryUUID: 019a13f8-da18-1038-83cb-ef40d5fa4d01
creatorsName: cn=ldaproot,dc=andrew,dc=ops
createTimestamp: 20190313201201Z
entryCSN: 20190313201201.174170Z#000000#000#000000
modifiersName: cn=ldaproot,dc=andrew,dc=ops
modifyTimestamp: 20190313201201Z

dn: ou=People,dc=andrew,dc=ops
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: 01a1a870-da18-1038-83cc-ef40d5fa4d01
creatorsName: cn=ldaproot,dc=andrew,dc=ops
createTimestamp: 20190313201201Z
entryCSN: 20190313201201.223848Z#000000#000#000000
modifiersName: cn=ldaproot,dc=andrew,dc=ops
modifyTimestamp: 20190313201201Z

dn: ou=Group,dc=andrew,dc=ops
objectClass: organizationalUnit
ou: Group
structuralObjectClass: organizationalUnit
entryUUID: 01ac22f0-da18-1038-83cd-ef40d5fa4d01
creatorsName: cn=ldaproot,dc=andrew,dc=ops
createTimestamp: 20190313201201Z
entryCSN: 20190313201201.292521Z#000000#000#000000
modifiersName: cn=ldaproot,dc=andrew,dc=ops
modifyTimestamp: 20190313201201Z

dn: uid=john,ou=People,dc=andrew,dc=ops
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: john
uid: john
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
gecos: John Someone
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
structuralObjectClass: account
entryUUID: bfa78756-da1b-1038-83d1-ef40d5fa4d01
creatorsName: cn=ldaproot,dc=andrew,dc=ops
createTimestamp: 20190313203848Z
userPassword:: e1NTSEF9a0ljTGtXdVkxNXBQL0labDN3TklBaE5MSm94cWU4ZVQ=
entryCSN: 20190709215232.858989Z#000000#000#000000
modifiersName: cn=ldaproot,dc=andrew,dc=ops
modifyTimestamp: 20190709215232Z

9.3 Adding user zintis to directory:

This ldapusers.ldif file had an error that shows up as: "no global superior knowledge"

root@vm4~[604]$ 
ldapadd -v -f ldapusers.ldif -D cn="ldaproot,dc=zintis,dc=ops" -W 
ldap_initialize( <DEFAULT> )
Enter LDAP Password: seneca99ldap
add uid:
     zintis
add cn:
     zintis
add sn:
     zintis
add mail:
     zintis@zintis.ops
add objectClass:
     person
     organizationalPerson
     inetOrgPerson
     posixAccount
     top
     shadowAccount
add userPassword:
     {crypt}$6$mjRyTHR5$ARM0hiRWKGdBM7g1dPc422i4Ut9TQ7HKty0FETrE6yj/NxudpjitlrhkNpvzW.
add shadowLastChange:
     18348
add shadowMin:
     0
add shadowMax:
     99999
add shadowWarning:
     7
add loginShell:
     /bin/bash
add uidNumber:
     10000
add gidNumber:
     10000
add homeDirectory:
     /home/zintis
adding new entry "uid=zintis,ou=People,dc=zintis,dc=ops"
ldap_add: Server is unwilling to perform (53)
     additional info: no global superior knowledge

root@vm4~[604]$ 

The error above occurs because we were trying to add entries specified for the zintis.ops tree, whereas the tree was actually andrew.ops.

The fix was to correct the config file /usr/share/migrationtools/migrate_passwd.pl so that the migrate_passwd step would generate LDIF data correctly (i.e. dc=andrew,dc=ops).

9.4 Error "no global superior knowledge"

This specific error means that slapd doesn't know where to put the new entry. This typically means that you have not defined an appropriate database, or you have made a typo higher in the tree. With newer systems (ones using cn=config instead of slapd.conf), you would typically first add a new database or modify an existing database entry using ldapadd or ldapmodify.

For example, say you are trying to add "uid=zintis,ou=People,dc=zintis,dc=ops" but the server's tree is dc=zint,dc=ops. slapd cannot find a root (suffix) under which the entry belongs, so it says "no global superior knowledge".
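A pre-flight check catches this before ldapadd does: every dn in the LDIF must sit under the suffix slapd serves, and its parent entry must already exist (in the directory or earlier in the same file). This is an added example, not part of the lab material; the suffix and the existing entries are taken from the slapcat output in section 9.2, and the LDIF carrying the dc=zintis mistake is constructed.

```python
"""Check LDIF dn placement against the directory's suffix before running ldapadd."""
import base64
import re

SUFFIX = "dc=andrew,dc=ops"          # naming context served by slapd (from slapcat)

# Entries already present, from the page's slapcat listing.
EXISTING_DNS = {
    "dc=andrew,dc=ops",
    "cn=ldaproot,dc=andrew,dc=ops",
    "ou=People,dc=andrew,dc=ops",
    "ou=Group,dc=andrew,dc=ops",
}

# Constructed LDIF reproducing the section 9.3 mistake (dc=zintis instead of dc=andrew).
BAD_LDIF = """\
dn: uid=zintis,ou=People,dc=zintis,dc=ops
uid: zintis
cn: zintis
sn: zintis
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/zintis
"""
GOOD_LDIF = BAD_LDIF.replace("dc=zintis,dc=ops", SUFFIX)

# Split on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Lower-case and strip whitespace so 'ou=People' and 'ou=people' compare equal."""
    rdns = _RDN_SPLIT.split(dn)
    return ",".join("=".join(p.strip().lower() for p in rdn.split("=", 1)) for rdn in rdns)


def ldif_dns(text):
    """Return the dn of each entry; handles folded lines and base64 'dn::' values."""
    unfolded = text.replace("\n ", "")      # LDIF continuation lines start with a space
    dns = []
    for line in unfolded.splitlines():
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def check_ldif(text, suffix=SUFFIX, existing=EXISTING_DNS):
    """Return a list of problems; empty means the DNs are placeable under the suffix."""
    suffix_n = normalize_dn(suffix)
    known = {normalize_dn(d) for d in existing}
    problems = []
    for dn in ldif_dns(text):
        dn_n = normalize_dn(dn)
        if dn_n != suffix_n and not dn_n.endswith("," + suffix_n):
            problems.append(f'{dn}: not under suffix {suffix}; slapd will answer '
                            '"no global superior knowledge"')
        elif dn_n != suffix_n:
            parent = _RDN_SPLIT.split(dn_n, maxsplit=1)[1]
            if parent not in known:
                problems.append(f"{dn}: parent entry {parent} does not exist yet; add it first")
        known.add(dn_n)        # later entries in the same file may hang under this one
    return problems


if __name__ == "__main__":
    for label, ldif in (("bad", BAD_LDIF), ("good", GOOD_LDIF)):
        print(f"{label}: {check_ldif(ldif) or ['ok']}")
```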

9.5 Adding three users to ldap

useradd zintis -u 10000
useradd -c "Jane Greystoke" jane -u 10001
useradd -c "Andrew's Guests" guest -u 10002

if user jane already exists, delete her with userdel jane
also chown her mailbox with chown jane /var/spool/mail/jane
And delete /var/spool/mail/andrew

grep -w zintis /etc/passwd > /root/zintis.entry
grep -w Jane /etc/passwd > /root/jane.entry
grep -w Andrew /etc/passwd > /root/guest.entry

/usr/share/migrationtools/migrate_passwd.pl /root/zintis.entry /root/zintis.ldif
/usr/share/migrationtools/migrate_passwd.pl /root/jane.entry /root/jane.ldif
/usr/share/migrationtools/migrate_passwd.pl /root/guest.entry /root/guest.ldif

ldapadd -v -f ldapusers.ldif -D cn="ldaproot,dc=andrew,dc=ops" -W 
ldapadd -v -f jane.ldif -D cn="ldaproot,dc=andrew,dc=ops" -W 
ldapadd -v -f guest.ldif -D cn="ldaproot,dc=andrew,dc=ops" -W 

9.6 Changing an existing user's password

slapcat shows user John as:

dn: uid=john,ou=People,dc=andrew,dc=ops
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: john
uid: john
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
gecos: John Someone
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
structuralObjectClass: account
entryUUID: bfa78756-da1b-1038-83d1-ef40d5fa4d01
creatorsName: cn=ldaproot,dc=andrew,dc=ops
createTimestamp: 20190313203848Z
userPassword:: e1NTSEF9a0ljTGtXdVkxNXBQL0labDN3TklBaE5MSm94cWU4ZVQ=
entryCSN: 20190709215232.858989Z#000000#000#000000
modifiersName: cn=ldaproot,dc=andrew,dc=ops
modifyTimestamp: 20190709215232Z

9.6.1 Change John's password with ldappasswd

ldappasswd -s Jan1sparole -W -D "cn=ldaproot,dc=andrew,dc=ops" \
           -x "uid=john,ou=people,dc=andrew,dc=ops"

9.6.2 Confirm the change with ldapsearch

ldapsearch -h localhost -p 389 -D cn="ldaproot,dc=andrew,dc=ops" \
           -W -b dc=andrew,dc=ops uid=john

10 ldap client

To let a VM authenticate to an ldap server.

10.1 Install the necessary LDAP client packages on the client machine.

This is PAM, the "Pluggable Authentication Module", and NSS, the "Name Service Switch".

yum install -y openldap-clients nss-pam-ldapd. Since CentOS 8 does not see nss-pam-ldapd I did the following:

First: dnf provides nss-pam-ldapd. Then, based on the above, this: dnf install -y nss-pam-ldapd-0.9.9-3.el8.x86_64

10.2 About nss-pam-ldapd

From arthurdejong.org: This is nss-pam-ldapd which provides a Name Service Switch (NSS, nsswitch) module that allows your LDAP server to provide user account, group, host name, alias, netgroup, and basically any other information that you would normally get from /etc flat files or NIS. It also provides a Pluggable Authentication Module (PAM) to do identity and authentication management with an LDAP server on unix systems.

This is implemented using thin NSS and PAM modules which delegate to a dedicated service (nslcd) that queries the LDAP server with persistent connections, authentication, attribute translation, etc.

The NSS module was originally a fork of nss_ldap with some structural design improvements. The most important features of nss-pam-ldapd are:

  • light and simple NSS and PAM libraries
  • avoid loading LDAP and SSL libraries in all programs
  • separation between NSS, PAM and LDAP code
  • fewer connections to the LDAP server
  • better debugging possibilities
  • better performance
  • See the documentation section for more details

11 Configuring LDAP Authentication on CentOS 8

From Tyler's guides I have dnf installed nss-pam-ldapd, and nss ? which one?

I have edited /etc/nslcd.conf according to tyler's website

I skipped the TLS section.

And I have enabled and started nslcd.

I have authselect ready to go, after running these commands as root with the goal of replacing the SSSD related text with NSLCD equivalent in the relevant files.

root@vm1/etc[1038]$ tar cf /root/pre-ldap-config.tar nsswitch.conf pam.d
root@vm1/etc[1039]$ date
Mon Mar 30 18:52:43 EDT 2020

authselect select custom/nslcd --force
Profile "custom/nslcd" was selected.
The following nsswitch maps are overwritten by the profile:

  • passwd
  • group
  • netgroup
  • automount
  • services

Make sure that NSLCD service is configured and enabled. See NSLCD documentation for more information.

11.1 CentOS 7 only (authconfig is deprecated and replaced by authselect)

Configure the client VM to use LDAP. To add the client machine to the LDAP server for single sign-on, replace “192.168.1.10” with your LDAP server’s IP address or hostname:

authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=itzgeek,dc=local" --enablemkhomedir --update

Restart the LDAP client service. O.K, so this will make this VM defer logins to the LDAP server rather than looking in its own /etc/passwd file ??? That would mean that the users defined in the ldap server would require a local presence on this VM, including home directory, and entry in /etc/passwd. I guess this is just centralizing the passwords themselves I guess?? Confirm this!

systemctl restart nslcd

To verify LDAP login, use the getent command to get the LDAP entries from the LDAP server:

getent passwd raj

Output:

raj:x:9999:100:Raj [Admin (at) ITzGeek]:/home/raj:/bin/bash

Screenshot: OpenLDAP Server Configuration on CentOS 7 - Verify LDAP Login

To verify the LDAP, log in using the LDAP user “raj” on the client machine. Like this:
