HxHippy

LDAP Authentication

Centralized authentication with LDAP and Active Directory integration.

Last updated: 2025-01-15

LDAP (Lightweight Directory Access Protocol) is the protocol Linux hosts use to look up accounts in, and authenticate against, a central directory such as OpenLDAP or Active Directory. The usual client stack is SSSD, which answers NSS lookups (passwd, group) and PAM authentication from the directory, and from its local cache when the server is unreachable. Two things decide whether the setup is safe: the connection must be TLS-protected and certificate-verified, since a simple bind sends the password itself, and the client must never bind as the directory administrator.

OpenLDAP Server Setup

Installation

# Debian/Ubuntu
sudo apt install slapd ldap-utils
# Debian only: the interactive setup derives the base DN (dc=example,dc=com) from the
# host's DNS domain and sets the cn=admin password; rerun it to change either
sudo dpkg-reconfigure slapd

# RHEL/CentOS (no interactive setup: configure cn=config with ldapmodify, then start slapd)
sudo dnf install openldap-servers openldap-clients
sudo systemctl enable --now slapd

Basic Configuration

# base.ldif - Create base structure
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# Apply configuration. ldapi:/// keeps the admin bind on the local UNIX socket instead
# of the network; -W prompts for the password rather than exposing it on the command line
ldapadd -x -H ldapi:/// -D "cn=admin,dc=example,dc=com" -W -f base.ldif

Client Configuration

# Install SSSD
sudo apt install sssd sssd-ldap

# /etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# LDAPS on port 636. For StartTLS on 389 use ldap://ldap.example.com together with
# ldap_id_use_start_tls = true instead; do not combine the two, the StartTLS setting
# is ignored on an ldaps:// URI and the pairing hides which mode is really in use
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Verify the server certificate (demand is the default; never set it to never/allow,
# that turns the TLS session into an unauthenticated one and invites MitM)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# The file will hold the bind credential, so it must be root-only
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
sudo systemctl restart sssd

NSS Configuration

# /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss

PAM Configuration

# /etc/pam.d/common-auth (on Debian this file is normally generated by pam-auth-update;
# the hand-written form below shows the required order)
# pam_unix runs first so local accounts such as root keep working when the directory is down,
# and so the password is collected once; pam_sss then reuses it (use_first_pass never prompts,
# which is why it must not be the first module). nullok is omitted: it accepts empty passwords.
auth    sufficient      pam_unix.so try_first_pass
auth    sufficient      pam_sss.so use_first_pass
auth    required        pam_deny.so
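The client settings above are easy to get subtly wrong: a plain ldap:// URI with no StartTLS, ldap_tls_reqcert set to never, or an sssd.conf that other users can read. The following added example, which is not code from the original page, is a small POSIX sh audit of one [domain/NAME] section of sssd.conf. The option names are SSSD's own; the file paths, the domain name LDAP and the two sample configurations it writes (a weak one and a hardened one) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the transport-security
# settings of one [domain/NAME] section of an sssd.conf file.  The option
# names are SSSD's own; the paths, the domain name and the two sample files
# produced by write_samples are constructed for this demonstration.

# get_opt FILE SECTION KEY: print the value of KEY inside [SECTION], else nothing
get_opt() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == sec); next }
        insec && line ~ /^[^#;=]+=/ {
            k = line; sub(/[ \t]*=.*$/, "", k)
            if (k == key) { v = line; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }
    ' "$1"
}

# audit_sssd_conf FILE DOMAIN: one finding per line; exit status 0 only when clean
audit_sssd_conf() {
    f=$1; sec="domain/$2"; n=0
    uri=$(get_opt "$f" "$sec" ldap_uri)
    starttls=$(get_opt "$f" "$sec" ldap_id_use_start_tls)
    reqcert=$(get_opt "$f" "$sec" ldap_tls_reqcert)
    cacert=$(get_opt "$f" "$sec" ldap_tls_cacert)

    case $uri in
        ldaps://*)                       # TLS from the first byte (port 636)
            if [ "$starttls" = true ]; then
                echo "WARN: ldap_id_use_start_tls is ignored on ldaps:// URIs"; n=$((n+1))
            fi ;;
        ldap://*)                        # cleartext unless StartTLS is forced
            if [ "$starttls" != true ]; then
                echo "FAIL: $uri without ldap_id_use_start_tls = true sends binds in cleartext"; n=$((n+1))
            fi ;;
        ldapi://*) ;;                    # local UNIX socket, never leaves the host
        *)
            echo "FAIL: ldap_uri missing or unrecognised: '$uri'"; n=$((n+1)) ;;
    esac

    case $reqcert in
        never|allow)
            echo "FAIL: ldap_tls_reqcert = $reqcert accepts any server certificate (MitM)"; n=$((n+1)) ;;
    esac

    case $uri in
        ldapi://*) ;;
        *) if [ -z "$cacert" ]; then
               echo "FAIL: ldap_tls_cacert not set; pin the CA that issued the directory certificate"; n=$((n+1))
           fi ;;
    esac

    # The file carries the bind credential: group/other read access is a leak
    if [ -n "$(find "$f" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]; then
        echo "FAIL: $f is readable by group/other (chmod 600, chown root:root)"; n=$((n+1))
    fi

    [ "$n" -eq 0 ]
}

# write_samples DIR: two constructed configs, one with the common mistakes and
# one matching the recommendations above (CA path is a placeholder)
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
EOF
    chmod 644 "$1/weak.conf"

    cat > "$1/hardened.conf" <<'EOF'
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
EOF
    chmod 600 "$1/hardened.conf"
}

# Usage: sh sssd_audit.sh /etc/sssd/sssd.conf LDAP
if [ -n "${1:-}" ]; then
    audit_sssd_conf "$1" "${2:-LDAP}"
fi
```

Against the weak sample the audit reports four findings (cleartext URI, certificate checking disabled, no pinned CA, readable file) and exits non-zero; against the hardened sample it is silent and exits 0, which makes it usable as a check in configuration management before sssd is restarted.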

Active Directory Integration

Using realmd

# Install packages
sudo apt install realmd sssd sssd-tools adcli

# Discover domain (checks the DNS SRV records and reports which packages the join needs)
realm discover ad.example.com

# Join domain. -U names the AD account used once for the join; prefer an account that
# is only delegated "create computer objects" in the target OU over Administrator, and
# put the machine object in that OU with --computer-ou (example OU shown)
sudo realm join ad.example.com -U Administrator --computer-ou="OU=Linux,DC=ad,DC=example,DC=com"

# Verify
realm list
id <user>@ad.example.com

SSSD for AD

# /etc/sssd/sssd.conf for AD (realm join writes this file; shown here to explain the settings)
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
# Honour the account's AD state: disabled, expired, logon hours, workstation restrictions
access_provider = ad
# Kerberos against the domain controllers rather than LDAP simple bind
auth_provider = ad
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
# Permits logon with cached credentials when no DC is reachable. The cached password hashes
# live under /var/lib/sss/db, so leave this off on hosts without disk encryption, or bound it
# with offline_credentials_expiration in the [pam] section
cache_credentials = true

Security Best Practices

Practice           Implementation
Use LDAPS          Port 636 with TLS (or StartTLS on 389); clients keep ldap_tls_reqcert = demand so the server certificate is actually verified
Bind accounts      Clients bind with a dedicated read-only service account, never cn=admin; its credential lives only in a root-only sssd.conf
Access control     Restrict what that account and anonymous clients can read with olcAccess ACLs; userPassword is "by anonymous auth, by * none"
Password policy    Enforce length, history, expiry and lockout via the ppolicy overlay
Audit logging      Enable the accesslog overlay or "olcLogLevel: stats" and ship the logs off the server
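As an added example that is not from the original page, the script below generates and applies the OpenLDAP cn=config changes behind three of those rows: ACLs that keep userPassword unreadable and close the tree to anonymous clients, a read-only bind account for SSSD, and the ppolicy overlay with a default policy. The DNs it uses (cn=admin, uid=sssd-bind,ou=Services, olcDatabase={1}mdb, cn=module{0}, ou=Policies) and the policy values are assumptions to adjust before running it on a real server.

```shell
#!/bin/sh
# Added example, not part of the original page: cn=config changes for the
# "Bind accounts", "Access control" and "Password policy" practices, as LDIF
# emitted by shell functions so the DNs live in one place.  Assumptions:
# Debian-style slapd (data database olcDatabase={1}mdb, modules loaded via
# cn=module{0}, ppolicy.so in the module path) and a read-only bind account
# uid=sssd-bind,ou=Services that clients use instead of cn=admin.
set -e

BASE="dc=example,dc=com"
ADMIN="cn=admin,$BASE"
BIND_ACCT="uid=sssd-bind,ou=Services,$BASE"
DB="olcDatabase={1}mdb,cn=config"

# ACLs; the first "to" clause that matches decides.  {0}: password hashes are
# never readable, only compared during bind, and users may change their own.
# {1}: root DSE stays readable for feature discovery.  {2}: admin writes, the
# SSSD bind account and the entry owner read, anonymous gets nothing.
acl_ldif() {
    cat <<EOF
dn: $DB
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="$ADMIN" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by dn.exact="$ADMIN" write
  by dn.exact="$BIND_ACCT" read
  by self read
  by * none
EOF
}

# ppolicy overlay.  OpenLDAP 2.5+ has its schema built in; on 2.4 load
# /etc/ldap/schema/ppolicy.ldif with ldapadd -Y EXTERNAL first.  HashCleartext
# stops clients storing plaintext passwords; UseLockout stays FALSE so a locked
# account looks like a wrong password to the client (lockout still applies).
ppolicy_ldif() {
    cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so

dn: olcOverlay=ppolicy,$DB
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,$BASE
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
EOF
}

# Default policy: 14-char minimum, 90-day expiry, 10-entry history, lock for
# 15 minutes after 5 failures within 15 minutes (values are assumptions).
default_policy_ldif() {
    cat <<EOF
dn: ou=Policies,$BASE
objectClass: organizationalUnit
ou: Policies

dn: cn=default,ou=Policies,$BASE
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMinLength: 14
pwdInHistory: 10
pwdMaxAge: 7776000
pwdCheckQuality: 2
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockoutDuration: 900
EOF
}

# cn=config changes go in over the local socket as root (SASL EXTERNAL); the
# policy entry lives in the data tree, so it is added as the admin DN.
apply_all() {
    ppolicy_ldif        | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    default_policy_ldif | ldapadd -x -H ldapi:/// -D "$ADMIN" -W
    acl_ldif            | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Check the ACL took effect: an anonymous search of ou=People must return no uids
verify_acl() {
    if ldapsearch -x -H ldapi:/// -b "ou=People,$BASE" -LLL uid 2>/dev/null | grep -q '^uid:'; then
        echo "FAIL: anonymous clients can enumerate ou=People"; return 1
    fi
    echo "OK: anonymous enumeration denied"
}

case ${1:-} in
    apply)  apply_all ;;
    verify) verify_acl ;;
    *)      ppolicy_ldif; echo; default_policy_ldif; echo; acl_ldif ;;  # dry run: print the LDIF
esac
```

Run it without arguments to print the LDIF for review, with apply to load it on the server as root, and with verify afterwards. Once the ACL is in place, clients must bind as the service account (ldap_default_bind_dn and ldap_default_authtok in sssd.conf), because anonymous lookups no longer return anything.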

Troubleshooting

# Test LDAP connection. Use ldaps:// or -ZZ so the test itself does not send a cleartext
# bind; -ZZ makes ldapsearch fail instead of silently falling back when StartTLS is refused
ldapsearch -x -H ldaps://ldap.example.com -b "dc=example,dc=com" -LLL
ldapsearch -x -ZZ -H ldap://ldap.example.com -b "dc=example,dc=com" -LLL

# Test authentication (-W prompts for the password; success echoes "dn:uid=user,...")
ldapwhoami -x -H ldaps://ldap.example.com -D "uid=user,ou=People,dc=example,dc=com" -W

# Check SSSD
sssctl domain-status LDAP
sssctl user-checks user          # simulates the NSS lookup and PAM checks for one account
sss_cache -E                     # flush the cache after changing entries in the directory
journalctl -u sssd