Lightweight Directory Access Protocol (LDAP) is a centralized user management system. Imagine an enterprise that runs several services such as Redmine and GitLab: creating a separate account on each of them is tedious and hard to manage. LDAP provides a unified interface for user management. Its backend is equivalent to a database, stored as a directory tree in a file, so it does not depend on any separate database.
This post records the process of configuring an LDAP client on Ubuntu 14.04.
sudo apt-get install ldap-utils ldap-auth-client libnss-ldap libpam-ldap
During installation you are prompted for the LDAP server address, base DN and so on; the answers are saved in /etc/ldap.conf. You can run dpkg-reconfigure ldap-auth-config to change them later. The prompts are:
LDAP server address, in the form ldap://192.168.x.x:389
Distinguished name of the search base: the root of your directory tree; for example, my directory is dc=navinfo,dc=com
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: the admin account created when the LDAP server was installed; my value is cn=admin,dc=navinfo,dc=com
LDAP root account password:
Modify /etc/nsswitch.conf to add ldap as a lookup source, with the search order set so that the system checks the local passwd file before querying the LDAP server.
sudo cp -p /etc/nsswitch.conf /etc/nsswitch.conf.bak
sudo auth-client-config -t nss -p lac_ldap
After the command completes, /etc/nsswitch.conf contains the following:
......
passwd: files ldap
group: files ldap
shadow: files ldap
......
Modify /etc/pam.d/common-password so that the new password is synchronized to the LDAP server when passwd is run.
sudo vim /etc/pam.d/common-password
......
# Find line 26 and delete the use_authtok field
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
......
Without this step, a logged-in LDAP user who runs passwd to change the password gets the error "passwd: Authentication information cannot be recovered".
Automatically create the home directory
Enable the pam_mkhomedir.so module so that a user's home directory is created when they log on for the first time.
sudo vim /etc/pam.d/common-session
# Add a line at the end (it must come before pam_ldap and pam_krb5)
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
sudo /etc/init.d/libnss-ldap restart
Then test the connection to the LDAP server. If an error occurs, check the local /var/log/auth.log to analyze the cause.
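Before testing the connection, it is worth confirming that the three client-side edits above (nsswitch.conf, common-password, common-session) are in the state the post describes. The script below is an added example, not part of the original post; the check function names are hypothetical, and it runs against constructed sample files so it can be tried without touching a live system.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three
# client-side edits described above. Each check takes a file path, so it
# can run against the live files or against constructed copies.

# 0 when passwd, group and shadow all consult "files" before "ldap"
check_nsswitch() {
  for db in passwd group shadow; do
    grep -Eq "^${db}:[[:space:]]+files[[:space:]]+ldap" "$1" || return 1
  done
  return 0
}

# 0 when the pam_ldap password line keeps try_first_pass and no longer carries use_authtok
check_common_password() {
  line=$(grep -E '^password.*pam_ldap\.so' "$1") || return 1
  case "$line" in
    *use_authtok*)    return 1 ;;
    *try_first_pass*) return 0 ;;
    *)                return 1 ;;
  esac
}

# 0 when pam_mkhomedir.so is enabled as a required session module
check_common_session() {
  grep -Eq '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' "$1"
}

# Constructed sample files (not real system files): a good and a bad state for each edit
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$tmp/nsswitch.good"
printf 'passwd: files\ngroup: files\nshadow: files\n' > "$tmp/nsswitch.bad"
printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass\n' > "$tmp/pw.good"
printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass\n' > "$tmp/pw.bad"
printf 'session required pam_mkhomedir.so umask=0022 skel=/etc/skel\n' > "$tmp/sess.good"

check_nsswitch "$tmp/nsswitch.good"   && echo "nsswitch.good: files before ldap for passwd/group/shadow"
check_nsswitch "$tmp/nsswitch.bad"    || echo "nsswitch.bad: ldap missing, LDAP users will not resolve"
check_common_password "$tmp/pw.good"  && echo "pw.good: use_authtok removed"
check_common_password "$tmp/pw.bad"   || echo "pw.bad: use_authtok still present, passwd will fail for LDAP users"
check_common_session "$tmp/sess.good" && echo "sess.good: pam_mkhomedir enabled"

# On a real client, point the checks at the live files:
#   check_nsswitch /etc/nsswitch.conf && check_common_password /etc/pam.d/common-password \
#     && check_common_session /etc/pam.d/common-session
```

Once the files pass, `getent passwd <ldap-user>` on the client is a quick way to confirm that the LDAP server is actually being queried before attempting a login.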