Tutorial
How To Authenticate Client Computers Using LDAP on an Ubuntu 12.04 VPS
Status: Deprecated
This article covers a version of Ubuntu that is no longer supported. If you are currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:
- Upgrade to Ubuntu 14.04.
- Upgrade from Ubuntu 14.04 to Ubuntu 16.04
- Migrate the server data to a supported version
Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.
See Instead: This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.
Introduction
LDAP, or Lightweight Directory Access Protocol, is one way of keeping authentication information in a single centralized location. In a previous article, we discussed how to set up an LDAP server on an Ubuntu 12.04 VPS. This explained the actual server configuration.
In this article, we will discuss how to configure a client machine to remotely authenticate with that server for various services.
To complete this project, you will need an Ubuntu 12.04 server configured as the LDAP server. Look at the link to the previous guide if you haven’t done so already. You will also need another Ubuntu 12.04 droplet to act as the client machine.
Install Client Packages
On the client machine, you will needs to install a few packages to make authentication function correctly with an LDAP server.
You can install them from the default Ubuntu repositories with the following commands:
sudo apt-get update
sudo apt-get install libpam-ldap nscd
You will be asked a variety of questions similar to the those asked when you were installing the server components.
-
LDAP server Uniform Resource Identifier: ldap://LDAP-server-IP-Address
- Change the initial string from “ldapi:///” to “ldap://” before inputing your server’s information
-
Distinguished name of the search base:
-
This should match the value you put in your LDAP server’s
/etc/phpldapadmin/config.phpfile. -
Search for: " ‘server’,‘base’,array " within the file.
-
Our example was “dc=test,dc=com”
-
-
LDAP version to use: 3
-
Make local root Database admin: Yes
-
Does the LDAP database require login? No
-
LDAP account for root:
-
This should also match the value in your
/etc/phpldapadmin/config.php. -
Search for: " ‘login’,‘bind_id’ " within the file
-
Our example was “cn=admin,dc=test,dc=com”
-
-
LDAP root account password: Your-LDAP-root-password
If you make a mistake and need to change a value, you can go through the menu again by issuing this command:
sudo dpkg-reconfigure ldap-auth-config
Configure Client Software
We have to adjust a few files to tell our authentication files that they can look to our LDAP server for authentication information.
First, edit the /etc/nsswitch.conf file. This will allow us to specify that the LDAP credentials should be modified when users issue authentication change commands.
sudo nano /etc/nsswitch.conf
The three lines we are interested in are the “passwd”, “group”, and “shadow” definitions. Modify them to look like this:
<pre> passwd: <span class=“highlight”>ldap</span> compat group: <span class=“highlight”>ldap</span> compat shadow: <span class=“highlight”>ldap</span> compat </pre>
Next, we will add a value to our PAM configuration.
PAM, or Pluggable Authentication Modules, is a system that connects applications that can provide authentication to applications that require authentication.
PAM is already implemented on most computers, and works behind the scenes without needing user interaction. When we installed and configured our LDAP PAM module, most of the needed information was added to the configuration files.
Edit the /etc/pam.d/common-session file:
sudo nano /etc/pam.d/common-session
Add a line to the bottom of the configuration that reads:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
This will create a home directory on the client machine when an LDAP user logs in who does not have a home directory.
We have to restart a service for these changes to be implemented:
sudo /etc/init.d/nscd restart
Permissions
During the LDAP server configuration, we created a group called “admin”. This was not chosen at random. It coincides with the “admin” group that is created by default on Ubuntu machines.
The LDAP users that you added to the “admin” group will have access to the sudo command.
This is because we have a line that gives members of the “admin” group sudo access within the /etc/sudoers file. Edit the file by issuing this command:
sudo visudo
There is a line that reads:
%admin ALL=(ALL) ALL
Entries that begin with a percentage sign (%) specify a group instead of a user. If you wish to disable this functionality, or only grant specific users this functionality, comment out this line:
#%admin ALL=(ALL) ALL
Log In as an LDAP User
We have now configured our client machine enough to be able to log in as one of our LDAP users. This user does not have to exist on the client machine.
In a new terminal window (it is best to keep your original terminal window logged in, in case of a configuration mistake), ssh into the client machine using an LDAP user’s credentials:
<pre> ssh <span class=“highlight”>LDAP_user</span>@<span class=“highlight”>LDAP_client_IP_Address</span> </pre>
You should be able to log in as if your user had been created locally. Issue the print working directory command:
pwd
You should see that the home directory you selected for your user on the LDAP server is being used on this machine. It has been created on-demand to serve the LDAP user.
If you log out and log in with a different LDAP user, you can see that there will be two home directory entries:
ls /home
user1 user2
If your user is part of the “admin” group and you didn’t disable the ability in the previous section, you will have normal sudo access, otherwise, you will not.
If you issue the passwd command to change your password, you can see that it will be modifying your LDAP credentials:
passwd
Enter login(LDAP) password:
Restricting Access by Group
If you only want members of certain groups to be able to log into this specific machine, you can configure that restriction within the PAM files.
Edit the following file with root privileges:
sudo nano /etc/pam.d/common-auth
At the bottom, we will specify that PAM should look at the security access file to see how to restrict user logins. Add this to the bottom:
auth required pam_access.so
Save and close the file.
The file that PAM references for security information when that setting is configured is at /etc/security/access.conf. Open this file now, with root privileges:
sudo nano /etc/security/access.conf
We need to add a rule to the end of the file.
The dash (-) at the beginning of the line means this is a restriction. From the first colon (:) to the next colon, we specify who this rule applies to.
We specify that this applies to all users except root and the group “admin”. Groups are given within parentheses.
From the second colon to the end of the line, we will specify under which circumstances the rule should apply. In our case, the restriction will apply in all circumstances but local logins.
<pre> -:ALL EXCEPT root (admin):ALL EXCEPT LOCAL </pre>
This will allow us to restrict logins to the “admin” group. We can add other groups or change the group.
This will also allow us to log in through the “console access” button on the DigitalOcean console if we somehow lock ourselves out of SSH.
Keep in mind that this will apply to all users, not just LDAP users. So any users you create on the client machine will need to be a member of one of the specified groups.
Conclusion
You should now be able to authenticate multiple computers using a centralized LDAP server. Your LDAP users will be allowed to use any of the machines you configure in this way, as long as they have the appropriate login credentials.
This can prevent your user information from becoming dispersed, duplicated, and unmanageable. When the number of users accessing your servers or projects is increasing, and the number of machines is also growing, LDAP authentication can be a huge help.
<div class=“author”>By Justin Ellingwood</div>
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
About the author(s)
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
Get our newsletter
Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.
New accounts only. By submitting your email you agree to our Privacy Policy
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
Thank you!
Thanks a lot, I managed to have a ssh - ldap connection with opendj. Now I prepared opendj with ldaps, what are the changes needed in ssh/pam ?
I have problem… I’ve named LDAP account same like local account and now can not login to this account. Local password nor LDAP password not working. When I log in other account I can apt-get remove --purge libpam-ldap nscd … then I can login local account … then install libpam-ldap nscd and again can not login my main account … In windows I can chose which account I want to log in (local or ActiveDirectory account ) LDAP is sth new for me and I’m kinda lost :/
How to delete whole database/login history from the client machine ? How I can login other LDAP account after restart machine (didnt used ssh ldaplogin@ipmachine)
Hi You have a great tutorial for Ldap, it helped me understand ldap much better.
I have a query, can we configure Ldap client on the Ldap server itself? That is change the local login to Ldap on Ldap server itself on ubuntu.
Thank you, works like a charm for username and password authentication. Can you add something here to show how to ssh with a cert instead of username and password. Can I just put my private key on the ldap server… How would pam know to authenticate a cert through ldap.
Hi, First, thank you for this tutorial, it helped me a lot BUT I am having a problem: I make the configurations and I log by my ldap account, but when the computer is rebooted the following message appears:
Errors were found while checking the disk for drive /. Press S to skip mountingm or M for manual recovery.
Can anyone help me? Thanks
@jonas: That doesn’t seem like it could be related to LDAP. It could potentially be a disk failure. If this is a DigitalOcean droplet, please file a support ticket.
Andrew, I did the same process some times and this failure just appears when I do the configurations to authenticate from LDAP. No, it is a computer of my firm. Thanks for your answer!
I have the same as @jonas please help because i have 5 machines not booting now
I used the rescue mode from the ubuntu server cd and removed ldap entries from /etc/nsswitch.conf and then it booted. Luckily i am back in to my machines but without ldap authentication. anyone?
Another very good article! Thanks again!
I too have the same problem with a DigitalOcean Ubuntu 14.04 Droplet. After configuring LDAP auth, I can’t reboot… Anybody opened a ticket at DO?
hello everybody, I could solve the problem. Change the order in /etc/nsswitch.conf from “ldap compat” to “compat ldap”.
Thank you Afsin that helped me out too!
I had same problem with booting when ldap server was unavailable
Your explanation is good, but it misses some important notes. Using Ubuntu 12.04 LTS, not VPS, I did everything exactly as you wrote. Server-side configuration worked fine, but client-side - not: SSH-ing did not work. This is not because when you do a clean installation of Ubuntu, SSH-server is not installed. Yes, it is not installed by default, but this is not the main source of the problem. Even after you install SSH-server on the Client PC using command: “apt-get install ssh”, SSHing still does not work. The command returns: “Permission denied (publickey,password)”. I checked on the Client PC: ssh service was running, I could SSH from another PC as a regular user . Then I issued “getent passwd” on the Client PC. The Client PC could retrieve info about LDAP users from the Server PC. But the password field for all LDAP users had “(asterisk)”. MAN pages say: “If the encrypted password is set to an asterisk, the user will be unable to login using login(1), but may still login using rlogin(1).” I don`t know how it relates to SSH. Please check everything that you wrote yourself. Setup two Ubuntu 12.04 virtual machines from scratch and configure everything exactly as you wrote. You will not be able to pass the SSH-ing stage. Maybe the answer is simple, but your tutorial misses some important notes. Anyway, thank you for taking time to write this tutorial.
I figured it out myself. The problem is not in the client-side configuration. It is on the server-side, it is in the phpLDAPadmin. The latest version of the phpLDAPadmin up to this date (28.09.2014) is 1.2.2. When you create a Generic User Account in this version, it allows you to choose a loginShell from the predefined list: either SH, CSH or TCSH. There is no BASH! THIS IS THE SOURCE OF THE PROBLEM. For each user that you create with this version of the phpLDAPadmin, you must later review the information and manually type in the “loginShell” field: “bin/bash” and click “Update Object”. If you do not do this, you will face the problem I described above. I hope this information will be helpful to others. Again, thanks to Justin Ellingwood for writing this beautiful tutorial.
Also, this version of phpLDAPadmin (1.2.2) creates the first LDAP user with uid=1000. This uid is already used by Ubuntu for the first local user account. This results in some strange behaviours when SSH-ing with credentials of the first LDAP user. Do not give any LDAP user uid of 1000, unless you change the uid of your local user account to be something different than 1000.
add <value id=“/bin/bash”>/bin/bash</value> to
/etc/phpldapadmin/templates/creation/posixAccount.xml
Thank you for the helping guides. I don’t know what am doing wrong but I have tried to follow the two guides on creating the ldap server and the client side. But I have failed to authenticate on the client machine with the ldap account. I have tried to restart the client machine but it has also failed to come up… stoping at some level with a word keys; and nothing else. I am using Ubuntu 12.04.3 and the client machines is Mint 17. Is there any thing I might be doing wrong? Thank you
hey i followed this guide but successfully authenticated users from the ldap server. but as i reboot the machine it did not start … i am using ubuntu 14.04. tried to debug the problem. found this . https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1024475
any help
Hi great tutorial it works for me. I have a question, I have been digging for the solution that ssh key based authentication with LDAP but i did not find way to make it ? Is there any way for ssh-key based authentication of client using LDAP in ubuntu.
Hi, I also want to do ssh-key based authentication of client using LDAP in ubuntu Have you got any Solution of that?
Hi, Did you get the help? I am able to ssh the local users fine, but not the LDAP users.
Great guide!
Note to Ubuntu 14.04 users: DO NOT USE THIS GUIDE, IT WILL BRICK YOUR INSTALLATION! Follow this one instead
Could not get this working until I changed /etc/ldap.conf on the client. I commented out socket: #uri ldapi://ldap.test.local/ and inserted host: uri ldap://ldap.test.local/
Note there is no “i” in the protocol of second uri.
M.
If you want this functionality but don’t want the hassle of running an LDAP server, check out my service Foxpass (https://www.foxpass.com).
I still can’t login using ssh. I followed the solution provided by Ork1983. Please help
Master can you help me for simultaneous-use Ldap-freeradius Login config?
For those who are having issues with your system not rebooting after doing this tutorial, the problem is from setting up nscd the way this article tells you to. for Ubuntu 14.04 anyways.
in /etc/nsswitch.conf
compat has to come before ldap
ie:
passwd: compat ldap group: compat ldap shadow: compat ldap
Once you set it up this way, your system will reboot.
For those of you interested in why this makes a difference:
Most of the boot sequence runs as the root user.
It doesn’t require authentication, but it does require that the root user exists and has a home dir and such.
If ldap is not started yet, then the nsswitch won’t be able to see the root user, and it gets stuck.
Having ldap first in the nsswitch.conf makes the user lookup try to connect to and search ldap first before consulting the local /etc/passwrd at which point, boot up will choke.
Cheers
Dears, I know it is deprecated but why i have to use : “LDAP account for root” in config of the client ? Why user password and login is insufficient ?
– washide