
This assumes you've created a user in LDAP. Let's say you've created user JohnDoe in example.com.
Install the following packages on the Red Hat-family system (Red Hat Enterprise Linux, CentOS, or Fedora) that you want to configure to use LDAP authentication.
yum install openldap-clients
yum install nss-pam-ldapd
Use the authconfig command to configure your system to use your LDAP server. In this example, plain LDAP (non-secure, port 389) is being used, not LDAPS (secured), so bind credentials, including user passwords, cross the network in cleartext.
authconfig --enableldap --enableldapauth --ldapserver="ldap.example.com" --ldapbasedn="dc=example,dc=com" --update
To reduce complexity, disable SSSD (the System Security Services Daemon) as an authentication mechanism.
authconfig --disablesssd --update
The above commands update /etc/nslcd.conf to contain the following.
uri ldap://example.com/
base dc=example,dc=com
Ensure the changes have been properly set.
authconfig --test | grep -i ldap
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap.example.com"
LDAP base DN = "dc=example,dc=com"
pam_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap.example.com"
LDAP base DN = "dc=example,dc=com"
LDAP schema = "rfc2307"
Ensure LDAP port 389 is open in iptables or firewalld.
The ldapsearch command can be used to query your LDAP database.
Update /etc/nsswitch.conf to use ldap.
passwd: files ldap
group: files ldap
shadow: files ldap
The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.
If your system is using systemd, use the systemctl command to restart and enable Name Service LDAP Client Daemon (nslcd).
systemctl enable nslcd
systemctl restart nslcd
systemctl status nslcd
If your system is using init, use the chkconfig and service commands to restart and enable Name Service LDAP Client Daemon (nslcd).
chkconfig nslcd on
service nslcd restart
service nslcd status
The getent command can be used to see that you are able to get an LDAP user, but the user is not in the local /etc/passwd or /etc/shadow files.
getent passwd JohnDoe
JohnDoe:x:1001:1001:JohnDoe:/home/JohnDoe:/bin/bash
getent shadow JohnDoe
JohnDoe:*::0:99999:7:::0
You should also be able to authenticate on the client using your LDAP user.
su - JohnDoe
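The checks above (nsswitch.conf consults ldap, nslcd.conf names the right server and base DN, PID 1 decides between service and systemctl, and the plain-LDAP caveat from the authconfig step) can be scripted. The following audit script is an added example, not part of the original article; the nsswitch.conf and nslcd.conf contents it writes are constructed samples so it runs offline, and the function names, the ldap.example.com server and the dc=example,dc=com base are assumptions taken from the values used above.

```shell
#!/bin/sh
# Added audit script (not from the original article) for the nslcd/pam_ldap
# client configured above. It checks what the article verifies by hand:
# nsswitch.conf consults ldap for passwd/group/shadow, nslcd.conf names the
# expected server and base DN, whether the session is encrypted, and which
# service-manager command applies. The sample files are constructed so the
# script runs offline; pass the real /etc paths to audit a live host.

# Return 0 only if passwd, group and shadow in FILE all list the ldap source.
nsswitch_uses_ldap() {
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:"'.*[[:space:]]ldap([[:space:]]|$)' "$1" || return 1
    done
    return 0
}

# Print the value of KEY from an nslcd.conf-style FILE ("" if absent).
nslcd_get() {   # FILE KEY
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Return 0 if FILE's uri host and base match the expected SERVER and BASEDN.
nslcd_points_at() {   # FILE SERVER BASEDN
    host=$(nslcd_get "$1" uri)
    host=${host#ldap://}; host=${host#ldaps://}
    host=${host%%/*}; host=${host%%:*}
    [ "$host" = "$2" ] && [ "$(nslcd_get "$1" base)" = "$3" ]
}

# Return 0 if the LDAP session is encrypted: an ldaps:// uri, or "ssl on" /
# "ssl start_tls" in nslcd.conf. Plain ldap:// sends bind passwords in clear.
nslcd_session_encrypted() {   # FILE
    case "$(nslcd_get "$1" uri)" in ldaps://*) return 0 ;; esac
    ssl=$(nslcd_get "$1" ssl)
    [ "$ssl" = "on" ] || [ "$ssl" = "start_tls" ]
}

# Map the name of PID 1 (see: cat /proc/1/comm) to the service-control command.
service_cmd_for() {   # PID1-NAME
    case "$1" in systemd) echo systemctl ;; *) echo service ;; esac
}

# Query the directory for USER the way the article's ldapsearch step does
# (needs network access to the server, so it is not called below).
ldap_lookup_user() {   # SERVER BASEDN USER
    ldapsearch -x -LLL -H "ldap://$1" -b "$2" "(uid=$3)" uid uidNumber homeDirectory
}

# Run all checks, print one verdict line per check, and return 1 on a hard
# failure (missing ldap source or wrong server/base), 0 otherwise.
audit_client() {   # NSSWITCH NSLCDCONF SERVER BASEDN
    rc=0
    if nsswitch_uses_ldap "$1"; then echo "ok:   nsswitch.conf consults ldap"
    else echo "FAIL: nsswitch.conf lacks ldap for passwd, group or shadow"; rc=1; fi
    if nslcd_points_at "$2" "$3" "$4"; then echo "ok:   nslcd.conf -> $3, base $4"
    else echo "FAIL: nslcd.conf uri/base differ from $3 / $4"; rc=1; fi
    if nslcd_session_encrypted "$2"; then echo "ok:   LDAP session is encrypted"
    else echo "warn: plain ldap:// without TLS; credentials cross the wire in cleartext"; fi
    echo "info: manage nslcd with '$(service_cmd_for "$(cat /proc/1/comm 2>/dev/null)")'"
    return $rc
}

# Constructed sample files (not captured from a real host) for an offline demo.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
cat > "$tmp/nsswitch-sss.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
EOF
cat > "$tmp/nslcd.conf" <<'EOF'
# constructed sample, as authconfig writes it for plain LDAP
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
EOF

audit_client "$tmp/nsswitch.conf" "$tmp/nslcd.conf" ldap.example.com dc=example,dc=com
```

On a real client, call audit_client /etc/nsswitch.conf /etc/nslcd.conf ldap.example.com dc=example,dc=com; the encryption check is reported as a warning rather than a failure because the article deliberately uses plain LDAP, but it is the first thing to fix before the client leaves a lab network.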
Mount home directory
When switching to JohnDoe on a client PC, the client will not have a home directory for JohnDoe, such as /home/JohnDoe, because the account exists only in LDAP. To resolve this, share /home/JohnDoe from the LDAP server and have the client mount it automatically using AutoFS.
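One way to set up that automatic mount, as an added example that is not part of the original article: an AutoFS wildcard map under /home so that the first access to /home/JohnDoe mounts SERVER:/home/JohnDoe. It assumes the server exports /home over NFS and that the autofs package is installed on the client; the output directory is a parameter so the script can be run offline (use /etc on a real client), and ldap.example.com is the server name used above.

```shell
#!/bin/sh
# Added example (not from the original article): generate the AutoFS maps that
# make a client mount each LDAP user's home directory on demand from the server
# that shares /home over NFS (an assumption). The wildcard map turns a lookup
# of /home/JohnDoe into a mount of SERVER:/home/JohnDoe. DIR is /etc on a real
# client; a temporary directory is used below so the script runs offline.

# Write DIR/auto.master.d/home.autofs and DIR/auto.home for homes on SERVER.
write_autofs_home_maps() {   # DIR SERVER
    mkdir -p "$1/auto.master.d"
    # master map: the /home mount point is handled by the indirect map auto.home
    printf '/home\t%s/auto.home\n' "$1" > "$1/auto.master.d/home.autofs"
    # "*" matches any key looked up under /home; "&" is replaced by that key
    printf '*\t-fstype=nfs,rw\t%s:/home/&\n' "$2" > "$1/auto.home"
}

# Print the NFS source that DIR/auto.home resolves for USER (what autofs
# would mount at /home/USER), or nothing if the map has no wildcard entry.
autofs_source_for() {   # DIR USER
    awk -v user="$2" '$1 == "*" { gsub(/&/, user, $3); print $3; exit }' "$1/auto.home"
}

# Return 0 if HOMEDIR (e.g. from getent passwd) lies under the /home mount
# point, i.e. the generated maps will actually serve it.
home_served_by_maps() {   # HOMEDIR
    case "$1" in /home/?*) return 0 ;; *) return 1 ;; esac
}

# Offline demo with a constructed target directory.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
write_autofs_home_maps "$tmp" ldap.example.com
echo "master map entry: $(cat "$tmp/auto.master.d/home.autofs")"
echo "home map entry:   $(cat "$tmp/auto.home")"
echo "/home/JohnDoe would mount $(autofs_source_for "$tmp" JohnDoe)"
```

After writing the maps into /etc, enable and start the automounter the same way as nslcd (systemctl enable autofs; systemctl restart autofs, or chkconfig autofs on; service autofs restart), then su - JohnDoe again: the home directory from getent passwd JohnDoe is mounted on first access.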