This page explains why you would want to use LDAP, and how to configure a Linux client system to look up users and groups on an LDAP server.
Introduction to LDAP on Linux
LDAP is a network protocol that can be used to share databases of Unix users, groups and other information between multiple systems. Typically, a single LDAP server stores a database of users, which is then queried by multiple clients. If these clients also mount home directories via NFS (covered on NFSExports), users will be able to log in to any one of those systems with the same username and password. In many ways, LDAP is used similarly to NIS, covered on NISClientAndServer.
The LDAP Client module
This module allows you to configure a Linux system as a client of an existing LDAP server. For this to work, your system must first have the packages required to act as a client installed - specifically the NSS LDAP client library and the PAM LDAP client library. The actual package names differ depending on your distribution, but on Debian and Ubuntu they are
respectively. On Redhat and Fedora systems, they are both in the
package. The simplest way to install these is to use the Software Packages module (covered on SoftwarePackages) to install them directly from APT or YUM.
Selecting an LDAP server
Once you have the needed software installed, follow these steps to configure your system to connect to the correct LDAP server:
- Open the LDAP Client module under the System category. A page of icons as shown below will appear.
- Click on the LDAP Server Configuration icon to bring up the form below.
- In the LDAP server hostnames field, enter the hostname of your LDAP server. If you plan to use LDAP for hostname resolution as well (the hosts database in NSS, which is unusual), enter the server's IP address instead, because the system cannot look up the LDAP server's own hostname through LDAP before it has connected to it.
- In the Login for non-root users field, enter the DN of a user in the LDAP database who has permission to read all information about users, such as
- In the Password for non-root users field, enter the password for the DN user above. Both the DN and this password are written to the client's LDAP configuration file, which has to be readable by every process that looks up users, so any local user can read them. Use an account that has only read access to user and group attributes, never an administrative DN.
- Unless your LDAP server is running in SSL mode or on a custom port, all other options can be left at their defaults. If the server supports SSL or TLS, enable it: without it the bind password and all user information cross the network in cleartext.
- Click the Save button.
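The settings from the form above end up in the nss_ldap/pam_ldap client configuration file (/etc/ldap.conf on Red Hat and Fedora; Debian and Ubuntu use separate files for the NSS and PAM libraries). The script below is an added example, not code from this page or from the Webmin module: it writes that file with the two changes a security engineer makes to the module's defaults, STARTTLS with server certificate verification, and a read-only proxy DN in the world-readable file while the privileged root bind password is kept only in ldap.secret with mode 0600. The directive names are those of the PADL nss_ldap/pam_ldap libraries; the hostname, DNs, passwords and CA certificate path are placeholders, and the target directory argument exists only so the functions can be exercised outside /etc (nss_ldap itself reads the root bind password from the fixed path /etc/ldap.secret).

```shell
#!/bin/sh
# Added example, not from the Webmin page or the ldap-client module itself.
# Writes a PADL nss_ldap/pam_ldap client configuration with hardened settings.
# Assumptions: PADL directive names; all hostnames, DNs, passwords and the CA
# path given on the command line are placeholders.

write_ldap_client_conf() {
    # $1 target dir (/etc on a real system)  $2 LDAP server hostname
    # $3 global base DN                      $4 read-only "non-root" bind DN
    # $5 its password                        $6 privileged root bind DN
    # $7 root bind password                  $8 CA certificate file
    dir=$1 host=$2 base=$3 binddn=$4 bindpw=$5 rootdn=$6 rootpw=$7 cacert=$8

    # The root bind password never goes into ldap.conf: nss_ldap reads it from
    # ldap.secret, which only root can read.
    ( umask 077; printf '%s\n' "$rootpw" > "$dir/ldap.secret" )
    chmod 600 "$dir/ldap.secret"

    # ldap.conf must stay world-readable because every process doing a user
    # lookup parses it, so whatever is in bindpw is visible to every local
    # user. Use a DN that can only read posixAccount/posixGroup attributes.
    cat > "$dir/ldap.conf" <<EOF
# Generated by write_ldap_client_conf (example configuration)
uri ldap://$host/
ldap_version 3
base $base
scope sub

# Read-only proxy identity for ordinary lookups (what the Webmin form calls
# "Login for non-root users"). This password is effectively public locally.
binddn $binddn
bindpw $bindpw

# Privileged identity used only by root; its password lives in
# $dir/ldap.secret (mode 0600), never in this file.
rootbinddn $rootdn

# Never send bind passwords in the clear: upgrade the connection to TLS and
# verify the server certificate against a known CA.
ssl start_tls
tls_checkpeer yes
tls_cacertfile $cacert

# Fail fast instead of hanging logins when the server is unreachable.
bind_policy soft
bind_timelimit 5
EOF
    chmod 644 "$dir/ldap.conf"
}

# Succeed only when an ldap.conf turns on TLS and verifies the peer.
ldap_conf_is_hardened() {
    grep -Eq '^ssl[[:space:]]+(start_tls|on)$' "$1" || return 1
    grep -Eq '^tls_checkpeer[[:space:]]+yes$' "$1" || return 1
    return 0
}

# Succeed when a file is readable by its owner only (mode string -rw------- or
# stricter); the first ten characters of ls -l are portable across Unixes.
secret_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (as root):
#   sh ldap-client.sh /etc ldap.example.com 'dc=example,dc=com' \
#      'cn=proxy,dc=example,dc=com' proxypass \
#      'cn=admin,dc=example,dc=com' adminpass /etc/ssl/certs/ca.crt
if [ $# -ge 8 ]; then
    write_ldap_client_conf "$@" && ldap_conf_is_hardened "$1/ldap.conf" \
        && secret_is_private "$1/ldap.secret" && echo "ldap client config written"
fi
```

After running it against /etc, a bind with the proxy DN should succeed over STARTTLS and fail when the CA file is removed; if lookups still work without the CA, tls_checkpeer is not being honoured and the client is open to a spoofed directory.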
Selecting the LDAP search bases
An LDAP database has a hierarchical structure, in many ways similar to Internet domain names. Each user or other object in the database has a full name (called the DN, or distinguished name) that specifies its position in the hierarchy, like
. Typically, all the users in the database will be stored under the same parent DN, which would be
in the previous example.
For your system to find users and groups in the LDAP database, it must know the DNs to search for them under. To configure this, do the following:
- Click on the LDAP Search Bases icon on the module's main page, which will bring up the form shown below.
- In the Global search base field, enter a DN like dc=my-domain, dc=com under which all your users and groups can be found.
- From the Search depth menu, select Entire subtree.
- You only need to fill in the Base for Unix users and Base for Unix groups sections if users and groups are stored under completely different trees, so that no single global base covers both.
- Click Save.
The LDAP Search Bases form
Selecting services to use LDAP
One more step is needed before your system will actually use LDAP to find users and groups - configuring the NSS (Name Service Switch) to use the LDAP datastore. To do this, follow these steps:
- Click on the Services Using LDAP icon.
- In the table that appears, click on Unix users.
- Typically, only one data source will be selected initially - Files, which tells the system to use /etc/passwd to find user accounts. From the Second data source menu, select LDAP.
- Click Save. After returning to the services list, follow the same steps for the Unix shadow passwords and Unix groups services.
Once everything is configured, you can use the Validate Configuration button on the module's main page to check that everything is set up properly. If it reports any problems, you will need to retry some of the steps above with different options. Keep Files as the first data source: if LDAP is consulted first, every login on the system waits on the LDAP server, and local accounts such as root may become unusable while it is down.
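What the Validate Configuration button checks on the NSS side can also be reproduced from a shell. The script below is an added example, not the module's own validation code: it parses nsswitch.conf to confirm that passwd, shadow and group list ldap as a source and that files is consulted before ldap, so local accounts still resolve when the directory server is unreachable; run as a script with a username argument it also performs the live getent lookup against the real /etc/nsswitch.conf. The file paths and the constructed nsswitch.conf used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Webmin page or the ldap-client module.
# Checks the NSS wiring the "Services Using LDAP" page produces.
# Assumption: the nsswitch.conf path is passed in; /etc/nsswitch.conf is
# only touched in the live check at the bottom.

# Succeed when database $2 (passwd, shadow, group, ...) in nsswitch.conf $1
# lists "ldap" among its sources. Comment lines are ignored; action tokens
# such as [NOTFOUND=return] are skipped because they never equal "ldap".
nss_uses_ldap() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeed when database $2 consults "files" before "ldap" (or does not use
# ldap at all). If ldap comes first, every lookup on the box, including root
# logging in at the console, waits on the LDAP server.
nss_files_first() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) {
                if ($i == "files") seen_files = 1
                if ($i == "ldap" && !seen_files) bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Print, one per line, whichever of the three databases the module configures
# are not yet wired to LDAP; return 0 only when all three are.
nss_ldap_missing() {
    rc=0
    for db in passwd shadow group; do
        if ! nss_uses_ldap "$1" "$db"; then
            echo "$db"
            rc=1
        fi
    done
    return $rc
}

# Live check, only when run as a script with a username argument: an account
# that exists in the directory but not in /etc/passwd must resolve through
# NSS. Usage:  sh nss-ldap-check.sh someldapuser
if [ $# -eq 1 ]; then
    if nss_ldap_missing /etc/nsswitch.conf; then
        echo "nsswitch: passwd, shadow and group all use ldap"
    fi
    for db in passwd shadow group; do
        nss_files_first /etc/nsswitch.conf "$db" \
            || echo "warning: $db consults ldap before files"
    done
    if grep -q "^$1:" /etc/passwd; then
        echo "$1 is a local account; pick a directory-only user to test with"
    elif getent passwd "$1" >/dev/null; then
        echo "OK: $1 resolves via LDAP"
    else
        echo "FAIL: $1 does not resolve through NSS"
    fi
fi
```

The shadow database deserves a second look even when the check passes: nss_ldap can only serve it if the bind DN from the LDAP Server Configuration form is allowed to read the password attributes, so a getent shadow lookup run as root is the real test of that service.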
- 28 Mar 2007