How to configure Linux to use LDAP user authentication

This article sets up LDAP user management on CentOS 7 with OpenLDAP. The approach differs from most tutorials on the Internet, but it was written up from a working setup, though a file or two may have been left out of these notes.
Besides the directory server itself, three client-side services have to be configured: nsswitch (user and group lookups), PAM (authentication) and sssd. Some familiarity with each is needed before the steps below can be followed.

Basic Configuration#

1. Configure the yum repositories. The Aliyun mirror is used here; the repo files are fetched over plain HTTP below, so use the mirror's https:// URLs if it offers them.

mkdir -p /root/back
# keep a copy of the existing repo files
tar -Jcvf /root/back/yum.repos.d-`date '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /etc/yum.repos.d/
rm -rf /etc/yum.repos.d/*
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/CentOS-epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum makecache

1. Install the required packages (nss-pam-ldapd provides nslcd, openldap-servers provides slapd)

yum -y install vim bash-completion openldap-servers openldap-clients nss-pam-ldapd sssd

OpenLDAP service configuration#

The installation and initialization of the server are not described in detail here; see "OPENLDAP service installation and post-management".

1. First stop the slapd service:

systemctl stop slapd

1. Then back up and clear the existing configuration and data:

# Back up the configuration and the database first, in case they have to be restored
mkdir -p /root/back
tar -Jcvf /root/back/slapd.config-`date '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /etc/openldap/slapd.d/
tar -Jcvf /root/back/slapd.data-`date '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /var/lib/ldap/
# Then delete the existing configuration and database
rm -rf /etc/openldap/slapd.d/*
rm -rf /var/lib/ldap/*
# Work from a temporary directory
mkdir /root/ldap
cd /root/ldap

1. Write the configuration file for slapd. It is derived from /usr/share/openldap-servers/slapd.ldif; the changes are the base DN (olcSuffix), the OpenLDAP TLS certificate paths, olcRootPW (generated with slappasswd; the password used throughout this article is 123456 and should be replaced) and the schema includes.

# file: /root/ldap/slapd.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCertificateFile: /etc/openldap/certs/server.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to *
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by * none

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to *
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
 by dn.base="cn=Manager,dc=black,dc=com" read
 by * none

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=black,dc=com
olcRootDN: cn=Manager,dc=black,dc=com
olcRootPW: {SSHA}l1vBI/HOMKLEiQZgcm3Co+hFQI68rH1Q
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
# Access rules added to the stock file: with no olcAccess at all the default
# policy lets anyone read everything, including the userPassword hashes.
# Users may change their own password, anonymous binds may only authenticate
# against it, everything else stays readable. The rootDN is not subject to ACLs.
olcAccess: to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by * none
olcAccess: to *
 by * read

1. Create the certificates for the server's TLS (STARTTLS) listener.

# First create the CA key and its self-signed certificate
cd /etc/pki/CA
openssl genrsa -out private/cakey.pem 2048
# -days added: without it the CA certificate is valid for only 30 days
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
# The interactive subject prompts are omitted here. Note that the default signing
# policy (policy_match in openssl.cnf) requires the country, state and
# organisation fields of the server request to match those of the CA
# certificate, otherwise the CA refuses to issue it. Use the host name clients
# will put in their ldap:// URI as the common name of the server certificate.
touch index.txt
echo "01" > serial
# Then create the server key and request, and have the CA sign it
cd /etc/openldap/certs/
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl ca -in server.csr -out server.crt -days 365
# slapd runs as ldap and must be able to read the key; nobody else should
chown ldap:ldap server.key server.crt
chmod 600 server.key
# Copy the CA certificate to the directory referenced in slapd.ldif
mkdir /etc/openldap/cacerts
cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/

1. Generate the server configuration directory from slapd.ldif

slapadd -F "/etc/openldap/slapd.d/" -b "cn=config" -l slapd.ldif
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
# slapadd ran as root, so the generated files belong to root; hand them back to the ldap user
chown -R ldap:ldap /etc/openldap/slapd.d/
# Then start the service
systemctl start slapd

1. Write the base entries of the directory (the suffix, the manager entry and the People and Group containers)

# file: /root/ldap/base.ldif
dn: dc=black,dc=com
dc: black
objectClass: top
objectClass: domain

dn: cn=Manager,dc=black,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=black,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: black.com

dn: ou=Group,dc=black,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: black.com

1. Import them into the database

# -W prompts for the Manager password; -w 123456 would leave it in the shell history and in ps output
ldapadd -x -D "cn=Manager,dc=black,dc=com" -W -f base.ldif
adding new entry "dc=black,dc=com"
adding new entry "cn=Manager,dc=black,dc=com"
adding new entry "ou=People,dc=black,dc=com"
adding new entry "ou=Group,dc=black,dc=com"

1. Then check from another machine with Apache Directory Studio (or locally with ldapsearch -x -b dc=black,dc=com) that the server answers queries.

For a remote client the LDAP port must first be opened in the firewall. The command below changes the running configuration only; add --permanent and run firewall-cmd --reload to keep the rule across reboots. A database without access rules answers anonymous reads of everything, so open the port only towards the hosts that need it.

firewall-cmd --add-service=ldap

1. Finally, import a user for the tests that follow. The user used in the rest of this article is black, with uid and gid 1001, home directory /home/black and shell /bin/bash.

Linux User Authentication Configuration#

The lookup and authentication flow used here is as follows (the diagram from the original is not reproduced): user and group lookups made through NSS go to nslcd, which queries LDAP directly, while logins made through PAM go to sssd, which queries the same LDAP server. This differs from setups where sssd handles both roles, so keep the split in mind when comparing with other guides.

NSS Service Configuration#

For NSS to query LDAP, the nslcd service (from nss-pam-ldapd) has to run. Its configuration file:

# file: /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://127.0.0.1/
base dc=black,dc=com
# nslcd binds as the directory root DN so that it can read the shadow attributes;
# a dedicated read-only account would be the least-privilege choice
binddn cn=Manager,dc=black,dc=com
bindpw 123456
# plain LDAP on the loopback interface; for a remote server use "ssl start_tls"
# together with "tls_reqcert demand" so the bind password is not sent in the clear
ssl no
tls_cacertdir /etc/openldap/cacerts

The file contains the bind password, so make it readable by root only before starting the service:

chmod 600 /etc/nslcd.conf
systemctl start nslcd
systemctl enable nslcd

Configure nss

# file: /etc/nsswitch.conf
# The lines that matter are passwd, shadow and group: each must list ldap after files
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus

Test whether lookups work (a single lookup, rather than listing the whole directory and grepping):

getent passwd black
black:x:1001:1001:black:/home/black:/bin/bash

PAM Service Configuration#

On CentOS 7, system-auth-ac is the stack written by authconfig and, in this environment, already contains the pam_sss.so lines that hand authentication over to sssd (check with grep pam_sss /etc/pam.d/system-auth-ac). Point system-auth at it:

cd /etc/pam.d/
mv system-auth{,.bak}
ln -s system-auth-ac system-auth

PAM has no daemon to restart; the new stack is used from the next login on.

sssd service configuration#

For LDAP users the PAM stack forwards the password check to sssd, which authenticates against the directory. Note that sssd will not send a password over an unencrypted connection: for an ldap:// URI it always negotiates STARTTLS before the simple bind, so the certificate configured on the server above is needed even though both run on the same host. Below is the sssd.conf configuration file (keep comments on their own lines):

# file: /etc/sssd/sssd.conf
[sssd]
# services provided and domains enabled
services = nss, pam, autofs
domains = black.com

[domain/black.com]
# identity, authentication, password changes and autofs maps all come from LDAP
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap
# cache credentials so that users who have logged in before can still log in when the server is unreachable
cache_credentials = True
# base DN for queries and the server URL
ldap_search_base = dc=black,dc=com
ldap_uri = ldap://127.0.0.1/
# use STARTTLS for identity lookups too (authentication always uses it)
ldap_id_use_start_tls = True
# never = do not verify the server certificate. Tolerable on loopback, where the
# CN of the certificate does not match 127.0.0.1 anyway; for a remote server set
# this to demand and point ldap_uri at the host name in the certificate.
ldap_tls_reqcert = never
# CA certificate used to verify the server certificate
ldap_tls_cacertdir = /etc/openldap/cacerts

[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]

Set the permissions, start the service and enable it at boot.

# sssd refuses to start unless the file is private (mode 0600, owned by root)
chmod 600 /etc/sssd/sssd.conf
systemctl start sssd
systemctl enable sssd
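Before relying on the setup, it is worth checking the three pieces just configured the way a practitioner would. The following shell functions are an added example and not part of the original article: they check that a secret-bearing file (nslcd.conf, sssd.conf) is private, that passwd, shadow and group in nsswitch.conf name a directory source, and that the PAM stack references pam_sss.so. The file paths default to the ones used in this article; the argument forms exist so the checks can be run against copies.

```shell
#!/bin/bash
# Added example: sanity checks for the nslcd / nsswitch / PAM / sssd pieces
# configured above. Not part of the original article. Each function takes the
# file to inspect as an argument so the checks can be run against copies.

# Files holding secrets must be private: /etc/nslcd.conf carries the bind
# password, and sssd refuses to start unless sssd.conf is mode 0600.
# Usage: check_secret_file FILE [EXPECTED_OWNER]   (owner defaults to root)
check_secret_file() {
    local file=$1 owner=${2:-root} mode
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600" >&2; return 1 ;;
    esac
    [ "$(stat -c '%U' "$file")" = "$owner" ] || {
        echo "$file: owner is not $owner" >&2; return 1
    }
}

# passwd, shadow and group must each name a directory source (ldap for nslcd,
# sss for sssd) or getent will never see LDAP users. Prints every database
# that does not, and fails if there is at least one.
# Usage: check_nsswitch [FILE]   (defaults to /etc/nsswitch.conf)
check_nsswitch() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        /^[[:space:]]*(passwd|shadow|group)[[:space:]]*:/ {
            split($0, part, ":")
            db = part[1]; gsub(/[[:space:]]/, "", db)
            seen[db] = 1; ok = 0
            n = split(part[2], src, " ")
            for (i = 1; i <= n; i++) if (src[i] == "ldap" || src[i] == "sss") ok = 1
            if (!ok) { print db; bad = 1 }
        }
        END {
            split("passwd shadow group", want, " ")
            for (i in want) if (!seen[want[i]]) { print want[i]; bad = 1 }
            exit bad
        }' "${1:-/etc/nsswitch.conf}"
}

# The PAM stack that login includes must reference pam_sss.so on a line that
# is not commented out, otherwise password checks never reach sssd at all.
# Usage: check_pam_sss [FILE]   (defaults to /etc/pam.d/system-auth)
check_pam_sss() {
    grep -q '^[^#]*pam_sss\.so' "${1:-/etc/pam.d/system-auth}"
}

# Run all three against the live files, as root:
#   check_secret_file /etc/nslcd.conf && check_secret_file /etc/sssd/sssd.conf \
#       && check_nsswitch && check_pam_sss && echo "client configuration looks sane"
```

check_nsswitch accepts either ldap or sss so it also fits the more common layout where sssd serves NSS as well; the owner argument of check_secret_file is only there for testing on copies owned by a non-root user.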

Test#

With that, user authentication is in place. Note that /etc/pam.d/sshd includes password-auth rather than system-auth, so an ssh login does not use the stack configured above (link password-auth to password-auth-ac in the same way to enable it). Console login is used here to check that it works.

The screenshot from the original, not reproduced here, shows the LDAP user logging in. One remaining flaw is that the user has no home directory; the script below takes care of that (the usual alternative is pam_mkhomedir.so or pam_oddjob_mkhomedir.so in the session part of the stack).

script#

A script was written for this setup to make adding users easier. One point deserves emphasis: CentOS ships migrationtools for moving existing accounts into the LDAP database, but if every local user is moved there and none is kept locally, the machine can no longer boot or be administered when the directory is unavailable. Do not put accounts with a UID below 1000 in the LDAP server.

Note: the script only works once the environment above is in place; other environments may have unknown problems.
The script is hosted on gitee: https://gitee.com/somata/script/blob/master/ldap_adduser.sh

It is very easy to use

Then test whether the added user can log in:

Summary#

That covers configuring Linux to use LDAP user authentication. Questions are welcome in the comments.
