LDAP Authentication
LDAP (Lightweight Directory Access Protocol) provides a central user and group directory for enterprise environments. On Linux the directory is normally consumed through SSSD, which resolves identities, authenticates users over TLS and caches results for offline use, rather than through the older pam_ldap/nss-ldap stack.
OpenLDAP Server Setup
Installation

```bash
# Debian/Ubuntu
sudo apt install slapd ldap-utils

# RHEL/CentOS
sudo dnf install openldap-servers openldap-clients

# Debian/Ubuntu: the package installer only asks for the admin password;
# reconfigure to set the base DN (derived from the DNS domain name) as well
sudo dpkg-reconfigure slapd
```
Basic Configuration

```ldif
# base.ldif - create the base structure.
# LDIF entries must be separated by a blank line; without it ldapadd reads
# both dn: lines as one entry and fails with a parse error.
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
```

```bash
# Apply configuration as the directory admin (-W prompts for the password)
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif
```
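base.ldif only creates the two containers; nothing can log in until a posixAccount and posixGroup exist under them. The script below is an added example, not part of the original page: it generates the LDIF for a user and its primary group, refuses uidNumbers that would collide with local accounts, and loads the result the same way as base.ldif. The base DN, the ou=People/ou=Groups layout and the 10000 floor for LDAP uids are assumptions taken from the page, and slappasswd (from the slapd/ldap-utils packages) is assumed to be available for the password hash.

```shell
#!/bin/sh
# Added example (not from the original page): generate the LDIF for a POSIX
# user plus its primary group under ou=People / ou=Groups.
# Assumptions: base DN dc=example,dc=com; uidNumbers >= 10000 are reserved
# for directory users so they never shadow local root/system/user ids.
set -eu

BASE_DN="dc=example,dc=com"
LDAP_UID_MIN=10000

# uid_in_ldap_range NUMBER -> exit 0 if NUMBER is a valid LDAP uid/gid
uid_in_ldap_range() {
    [ "$1" -ge "$LDAP_UID_MIN" ] 2>/dev/null
}

# user_ldif LOGIN UIDNUMBER GIVENNAME SURNAME PASSWORDHASH -> LDIF on stdout
# The two entries are separated by a blank line, as LDIF requires.
user_ldif() {
    login=$1; uidnum=$2; given=$3; surname=$4; hash=$5
    uid_in_ldap_range "$uidnum" || {
        echo "refusing uidNumber $uidnum: below $LDAP_UID_MIN, would collide with local accounts" >&2
        return 1
    }
    cat <<EOF
dn: uid=$login,ou=People,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $given $surname
sn: $surname
givenName: $given
uidNumber: $uidnum
gidNumber: $uidnum
homeDirectory: /home/$login
loginShell: /bin/bash
userPassword: $hash

dn: cn=$login,ou=Groups,$BASE_DN
objectClass: posixGroup
cn: $login
gidNumber: $uidnum
memberUid: $login
EOF
}

# ldif_entry_count FILE -> number of entries (dn: lines) in an LDIF file
ldif_entry_count() {
    grep -c '^dn: ' "$1"
}

# Interactive use: ./mkuser.sh apply
# slappasswd prompts for the password and prints a salted {SSHA} hash, so the
# cleartext never lands in the LDIF file.
if [ "${1-}" = "apply" ]; then
    HASH=$(slappasswd)
    user_ldif alice 10001 Alice Example "$HASH" > alice.ldif
    ldapadd -x -D "cn=admin,$BASE_DN" -W -f alice.ldif
fi
```

The gidNumber equals the uidNumber (user-private groups), which keeps the group namespace in step with the user namespace; adjust the floor to whatever your local /etc/login.defs reserves.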
Client Configuration
SSSD (Recommended)

```bash
# Install SSSD
sudo apt install sssd sssd-ldap
```

```ini
# /etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# Encrypt the channel. ldaps:// (port 636) is TLS from the first byte;
# ldap_id_use_start_tls only upgrades a plain ldap:// (port 389) connection,
# so combining both, as the original did, is redundant: pick one form.
# auth_provider = ldap refuses to send the user's simple bind over a
# connection that is not encrypted either way.
ldap_uri = ldaps://ldap.example.com
# ldap_uri = ldap://ldap.example.com
# ldap_id_use_start_tls = true
ldap_search_base = dc=example,dc=com
# Verify the server certificate against this bundle. Never set
# ldap_tls_reqcert to never or allow: that leaves the channel encrypted but
# unauthenticated, so any host that answers on the port can harvest binds.
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand
```

```bash
# The file may carry a bind password, so it must be root-owned and mode 0600;
# recent SSSD versions refuse to start otherwise
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
sudo systemctl restart sssd
```
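The settings above are easy to get subtly wrong (a plain ldap:// URI without StartTLS, certificate checks switched off, the directory admin used as the bind account, a bind password in a world-readable file). The following is an added example, not code from the original page or from the SSSD project: a small audit that reads an sssd.conf, reports each weak setting, and is run here against two constructed configurations, one weak and one matching the hardened form above. The rules it applies (which values count as weak, the 0600 requirement, the cn=admin/cn=Manager bind-DN heuristic) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sssd.conf LDAP domain
# for settings that expose credentials or identity data. The thresholds and
# heuristics below are assumptions of this script, not SSSD defaults.
set -eu

# conf_get FILE KEY -> value of the first "KEY = value" line, or empty
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# audit_sssd_conf FILE -> prints one finding per line; exit 0 only if none
audit_sssd_conf() {
    f=$1; findings=0
    uri=$(conf_get "$f" ldap_uri)
    starttls=$(conf_get "$f" ldap_id_use_start_tls)
    reqcert=$(conf_get "$f" ldap_tls_reqcert)
    cacert=$(conf_get "$f" ldap_tls_cacert)
    bind_dn=$(conf_get "$f" ldap_default_bind_dn)
    authtok=$(conf_get "$f" ldap_default_authtok)

    case "$uri" in
        ldaps://*) ;;                       # TLS from the first byte
        ldap://*)
            [ "$starttls" = "true" ] || {
                echo "ldap_uri is plaintext ldap:// and ldap_id_use_start_tls is not true"
                findings=$((findings+1)); } ;;
        "") echo "ldap_uri not set"; findings=$((findings+1)) ;;
    esac
    case "$reqcert" in
        never|allow)
            echo "ldap_tls_reqcert = $reqcert disables server certificate verification"
            findings=$((findings+1)) ;;
    esac
    [ -n "$cacert" ] || {
        echo "ldap_tls_cacert not set; trust anchor is whatever the system default is"
        findings=$((findings+1)); }
    case "$bind_dn" in
        cn=admin,*|cn=Manager,*)
            echo "SSSD binds as the directory admin ($bind_dn); use a read-only service account"
            findings=$((findings+1)) ;;
    esac
    if [ -n "$authtok" ]; then
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = "600" ] || {
            echo "ldap_default_authtok present but file mode is $mode; must be 0600"
            findings=$((findings+1)); }
    fi
    [ "$findings" -eq 0 ]
}

# count_findings FILE -> number of findings as a plain integer
count_findings() {
    audit_sssd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the weak form (plaintext URI, verification off,
# admin bind DN, bind password in a world-readable file)
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = hunter2
EOF
chmod 644 "$WEAK_CONF"

# Constructed sample 2: the hardened form from the page plus a dedicated
# read-only bind account (cn=sssd,ou=Services is an assumed name)
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=sssd,ou=Services,dc=example,dc=com
ldap_default_authtok = hunter2
EOF
chmod 600 "$HARD_CONF"

echo "weak config: $(count_findings "$WEAK_CONF") finding(s)"
audit_sssd_conf "$WEAK_CONF" || true
echo "hardened config: $(count_findings "$HARD_CONF") finding(s)"
# Audit the live file too when run as root
if [ -r /etc/sssd/sssd.conf ]; then
    audit_sssd_conf /etc/sssd/sssd.conf || true
fi
```

Running it prints five findings for the weak file and none for the hardened one. The bind password is still stored in cleartext in the hardened file; the 0600 mode and root ownership are what protect it, which is why the audit ties the two together.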
NSS Configuration

```text
# /etc/nsswitch.conf - local files first, then SSSD
passwd: files sss
shadow: files sss
group: files sss
```
PAM Configuration

```text
# /etc/pam.d/common-auth
# Debian/Ubuntu normally generates this file with pam-auth-update (RHEL: authselect
# select sssd); shown here as a minimal hand-written equivalent. Order matters:
# pam_sss with use_first_pass never prompts, so placed first (as in the original)
# it fails for everyone and only pam_unix ever authenticates. nullok is left out
# so that empty local passwords are not accepted.
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
```
Active Directory Integration
Using realmd

```bash
# Install packages
sudo apt install realmd sssd sssd-tools adcli

# Discover the domain (needs the DCs' DNS SRV records and a clock within
# the 5-minute skew Kerberos tolerates)
realm discover ad.example.com

# Join the domain; -U takes any account delegated the right to join computers
sudo realm join ad.example.com -U Administrator

# Verify
realm list
id user@ad.example.com   # replace "user" with an AD account name
```
SSSD for AD

```ini
# /etc/sssd/sssd.conf for AD (realm join writes this; adjust rather than rewrite it)
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
# access_provider = ad enforces the account state kept in AD (disabled, expired);
# without an access provider every enabled domain user can log in to this host
access_provider = ad
auth_provider = ad
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
# Keep hashed credentials in the local cache so logins work while no DC is reachable
cache_credentials = true
```
Security Best Practices

| Practice | Implementation |
|---|---|
| Encrypt every connection | LDAPS on 636, or StartTLS on 389. Server side, olcSecurity: simple_bind=128 rejects simple binds that arrive without TLS; client side, ldap_tls_reqcert = demand with a pinned ldap_tls_cacert |
| Bind accounts | Give SSSD a dedicated read-only account (ldap_default_bind_dn); never bind as cn=admin, since the rootdn bypasses ACLs entirely |
| Access control | olcAccess ACLs on the database. The first matching "to" clause wins, so put the userPassword rule first and finish every clause with by * none |
| Password policy | ppolicy overlay with a pwdPolicy entry: pwdMinLength, pwdMaxFailure and pwdLockout for brute-force lockout, pwdMaxAge for expiry |
| Audit logging | olcLogLevel: stats writes one syslog line per bind and search; the accesslog overlay keeps a queryable change log inside the directory |
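The "bind accounts" and "access control" rows above are usually done together: a dedicated bind account is only useful once an ACL limits what it can read. The script below is an added example, not part of the original page or of OpenLDAP: it generates the LDIF for a read-only service account and a cn=config ACL that keeps password hashes out of reach of everyone but the entry owner, and it includes a check for the classic mistake of putting a broad subtree rule ahead of the password rule. The names cn=sssd,ou=Services,dc=example,dc=com and olcDatabase={1}mdb,cn=config are assumptions; confirm the database DN with sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase before applying.

```shell
#!/bin/sh
# Added example (not from the original page): read-only bind account for SSSD
# plus an olcAccess ACL that protects userPassword. Assumed names:
#   service DN  cn=sssd,ou=Services,dc=example,dc=com
#   database    olcDatabase={1}mdb,cn=config  (verify on your server)
set -eu

BASE_DN="dc=example,dc=com"
SVC_DN="cn=sssd,ou=Services,$BASE_DN"
DB_DN="olcDatabase={1}mdb,cn=config"

# service_account_ldif PASSWORDHASH -> LDIF creating ou=Services and the account
service_account_ldif() {
    cat <<EOF
dn: ou=Services,$BASE_DN
objectClass: organizationalUnit
ou: Services

dn: $SVC_DN
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: sssd
description: read-only bind account for SSSD clients
userPassword: $1
EOF
}

# acl_ldif -> cn=config modification replacing the database ACL.
# slapd evaluates "to" clauses in order and uses the FIRST one that matches the
# target, so the userPassword clause must come before the subtree catch-all.
# "by anonymous auth" lets users (and the service account) bind; nobody but
# the entry owner and the admin can read or write the hash. The cn=admin
# lines are harmless if cn=admin is also olcRootDN, which bypasses ACLs anyway.
acl_ldif() {
    cat <<EOF
dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=admin,$BASE_DN" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="$BASE_DN"
  by dn.exact="cn=admin,$BASE_DN" write
  by dn.exact="$SVC_DN" read
  by users read
  by * none
EOF
}

# Constructed counter-example: the catch-all first makes the password clause
# below it dead code, so every authenticated user can read every hash.
weak_acl_ldif() {
    cat <<EOF
dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="$BASE_DN"
  by users read
  by * none
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
EOF
}

# acl_first_rule_protects_passwords FILE -> exit 0 if the first olcAccess
# clause targets userPassword and does not grant it to "* read"
acl_first_rule_protects_passwords() {
    first=$(grep '^olcAccess: ' "$1" | head -n1)
    case "$first" in
        *attrs=*userPassword*) ;;
        *) return 1 ;;
    esac
    # lines belonging to clause {0}: from its olcAccess line up to the next one
    awk '/^olcAccess: /{n++} n==1' "$1" | grep -q 'by \* read' && return 1
    return 0
}

# Interactive use: ./acl.sh apply
# slappasswd prompts for the service account password and prints an {SSHA}
# hash; the ACL change goes in over the ldapi socket as the local root user.
if [ "${1-}" = "apply" ]; then
    service_account_ldif "$(slappasswd)" | ldapadd -x -D "cn=admin,$BASE_DN" -W
    acl_ldif | sudo ldapmodify -Y EXTERNAL -H ldapi:///
fi
```

The service account gets read on the subtree but only auth on userPassword: SSSD authenticates users by binding as them, so it never needs to read a hash, and a compromised bind password then yields an account list rather than an offline cracking target. Point SSSD at it with ldap_default_bind_dn and ldap_default_authtok in the domain section.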
Troubleshooting

```bash
# Test the connection over TLS (with a plain ldap:// URI add -ZZ to require StartTLS)
ldapsearch -x -H ldaps://ldap.example.com -b "dc=example,dc=com" -s base

# Test authentication; a simple bind sends the password itself, so only ever do this over TLS
ldapwhoami -x -H ldaps://ldap.example.com -D "uid=user,ou=People,dc=example,dc=com" -W

# Check SSSD
sssctl domain-status LDAP
getent passwd user          # resolves through nss_sss once the LDAP lookup works
sss_cache -E                # drop cached entries after changing the directory
journalctl -u sssd
```