How to set up OpenLDAP Client on Debian 10

In this tutorial, I will show you how to set up an OpenLDAP client on Debian 10 Buster. Before following this guide, make sure you have an OpenLDAP server installed on another node or server that the client can connect to.

For this tutorial, I will use a Debian 10 system with 1GB of RAM and 15GB of disk space. You must also have root privileges.

What we will do

  • Install and Configure OpenLDAP Client Packages
  • Set Up Name Service Switch (nsswitch)
  • Set Up Pam Authentication and Session
  • Testing

Step 1 - Install and Configure OpenLDAP Client Packages

First, we will install the LDAP packages on the client side: the libnss-ldap and libpam-ldap packages for the LDAP client, together with the LDAP utilities.

During the installation of the LDAP client packages, you will be asked for some configuration details, including the LDAP server address, the LDAP base DN, and the password for the LDAP admin user.

Install the LDAP client packages using the apt command below.

sudo apt install libnss-ldap libpam-ldap ldap-utils

Install libnss-ldap

Now you will be asked for the LDAP server IP address. Type your LDAP/LDAPS server IP address and choose 'OK'.

Type the base DN of your LDAP server and choose 'OK'.

Now set the LDAP protocol version to '3' and choose 'OK'.

Type the default LDAP root user (the default is admin) and choose 'OK' again.

Now type the password for the default admin user.

For the NSSwitch configuration, choose 'OK'.

Install libpam-ldap

Next, allow the LDAP admin user to behave like the root user by choosing 'Yes'.

For the LDAP database login prompt, I chose 'No' in my case.

Now type the default admin user for the LDAP server again and choose 'OK'.

Type the admin password and choose 'OK' again.

Step 2 - Set Up Name Service Switch (nsswitch)

In this step, we will modify the NSS configuration '/etc/nsswitch.conf' so that LDAP is used as a data source.

Edit the configuration file '/etc/nsswitch.conf' with the vim editor.

vim /etc/nsswitch.conf

Now change the following lines so they read exactly as below.

passwd: compat ldap
group: compat ldap
shadow: compat ldap

Save and close.

NSS will now also look up user and group information on the LDAP server.

Step 3 - Set Up Pam Authentication and Session

In this step, we will set up PAM password authentication by removing the 'use_authtok' option from the pam_ldap module, and add an optional PAM session module that automatically creates home directories.

The 'use_authtok' option prevents pam_ldap from prompting the user for a new password, and the 'pam_mkhomedir' module automatically creates a home directory for LDAP users.

For the PAM password configuration, edit '/etc/pam.d/common-password' with the vim editor.

vim /etc/pam.d/common-password

Remove the 'use_authtok' option from the 'pam_ldap' line of the password stack so it reads as below.

password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

Save and close.

Next, edit the PAM session configuration '/etc/pam.d/common-session'.

vim /etc/pam.d/common-session

Add the 'pam_mkhomedir' module configuration below.

session optional pam_mkhomedir.so skel=/etc/skel umask=077

Save and close.

As a result, you've set up the PAM module for authentication and session configuration.
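Before rebooting, it is worth checking that the three files edited above ended up as intended. The script below is an added example and not part of the original tutorial; it checks nsswitch.conf, common-password and common-session for the settings this guide applies, assuming the default Debian file paths, and the sample files written by demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check the three files this
# guide edits before rebooting. Each check takes an optional path so it can be
# run against constructed copies, as in demo(), as well as against the live files.

# passwd, group and shadow in nsswitch.conf must each list the ldap source.
nss_has_ldap() {
    f="${1:-/etc/nsswitch.conf}"
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$f" || return 1
    done
}

# The active (uncommented) pam_ldap password line must exist without use_authtok.
pam_password_ok() {
    f="${1:-/etc/pam.d/common-password}"
    line=$(grep -E '^password[[:space:]].*pam_ldap\.so' "$f") || return 1
    case "$line" in *use_authtok*) return 1 ;; esac
}

# common-session must stack pam_mkhomedir with the umask=077 the guide uses.
pam_session_ok() {
    f="${1:-/etc/pam.d/common-session}"
    grep -Eq '^session[[:space:]]+optional[[:space:]]+pam_mkhomedir\.so.*umask=077' "$f"
}

# Live check, only meaningful with the LDAP server reachable: does NSS resolve the user?
ldap_user_resolves() { getent passwd "$1" >/dev/null 2>&1; }

# Run the checks on constructed sample files: one set edited as the guide says,
# one set still in its default or commented-out state.
demo() {
    d=$(mktemp -d)
    printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n' > "$d/nss.good"
    printf 'passwd: compat\ngroup: compat\nshadow: compat\n' > "$d/nss.bad"
    printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass\n' > "$d/pw.good"
    printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass\n' > "$d/pw.bad"
    printf 'session optional pam_mkhomedir.so skel=/etc/skel umask=077\n' > "$d/sess.good"
    printf '# session optional pam_mkhomedir.so skel=/etc/skel umask=077\n' > "$d/sess.bad"
    nss_has_ldap "$d/nss.good"    && echo "nss.good:  ok"
    nss_has_ldap "$d/nss.bad"     || echo "nss.bad:   ldap missing from passwd/group/shadow"
    pam_password_ok "$d/pw.good"  && echo "pw.good:   ok"
    pam_password_ok "$d/pw.bad"   || echo "pw.bad:    use_authtok still present on pam_ldap"
    pam_session_ok "$d/sess.good" && echo "sess.good: ok"
    pam_session_ok "$d/sess.bad"  || echo "sess.bad:  pam_mkhomedir line missing or commented out"
    rm -rf "$d"
}
demo
```

Run the three checks without arguments on the client itself to inspect the live files; ldap_user_resolves takes the LDAP account name and only succeeds once the server is reachable.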

Now reboot the Debian client.

sudo reboot

Step 4 - Testing

To test the OpenLDAP client installation and configuration, log in to the client system using the user provided by the OpenLDAP server.

Log in using the user 'olaf', which is available on the OpenLDAP server.

Once the 'olaf' user has logged in, a new home directory for that user is created automatically.

As a result, the installation and configuration of the OpenLDAP client on Debian 10 has been completed successfully.

2 Comment(s)

By: Metta Crawler at: 2020-05-25 18:12:26

You should not install the libpam-ldap package. It is old and does not do automatic /etc/nsswitch.conf and automatic PAM configuration.

The new package is libpam-ldapd (with a "d" on the end) and it automatically configures /etc/nsswitch.conf and PAM. You just have to update /etc/nslcd.conf to have an account that can bind. Update binddn and bindpw in /etc/nslcd.conf and optionally run pam-auth-update to set the control that creates home directories automatically at login.


By: Golle at: 2020-09-02 08:16:30

Hello and thank you for a very helpful and useful guide.

I think the guide is a bit outdated now though; I did find this way much smoother in the end, it automates many of the steps your guide performs manually:

apt install libnss-ldapd libpam-ldapd

echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session