The ldap.conf File--Configure LDAP Daemon (slapd)
For the LDAP module to know how LDAP authentication is to be performed, client LDAP processes must refer to an ldap.conf file. In this case the ingvalidpam program is the only client process that references ldap.conf, so ldap.conf needs to be configured only on the server side, that is, on the machine that runs ingvalidpam. Client machines do not need an ldap.conf.
By default, ldap.conf resides in the /etc directory, but you can override the path and file name of ldap.conf with the LDAPCONF environment variable.
By default, the PAM LDAP module searches the slapd database for object classes of posixAccount. A Distinguished Name for a posixAccount user might look like this:
uid=johnDoe,ou=people,dc=myDomain,dc=com
In ldap.conf, you define a BASE attribute of:
ou=people,dc=myDomain,dc=com
The module searches under BASE for the entry whose uid matches the name it is given, so this shorthand allows you to define only "johnDoe" as the user name in netutil instead of the entire Distinguished Name. BASE must therefore name the container that actually holds the posixAccount entries; a BASE such as ou=people,dc=myHost,dc=com would not match the Distinguished Name above.
The only other attribute required is HOST, which is the FQDN (fully qualified domain name) of the server as defined by TCP/IP. Your ldap.conf file would therefore look like this:
HOST myHost.myDomain.com
BASE ou=people,dc=myDomain,dc=com
Caveat: with only HOST configured, the module connects over plain ldap:// on port 389, and a simple bind sends the user's password in cleartext. On any network you do not fully trust, configure an ldaps:// URI or TLS instead; the ldap.conf(5) man page describes the URI and TLS options.
Note: The PAM LDAP module expects ldap.conf to reside in /etc and ignores the LDAPCONF variable. So if your ldap.conf resides elsewhere (for example, under /etc/openldap), leave it where it is and create a symbolic link named /etc/ldap.conf that points to it:
ln -s /etc/openldap/ldap.conf /etc/ldap.conf
Browse slapd Database
To see the format of the Distinguished Names in the user database, you can browse the database using the ldapsearch command.
To list the contents of the slapd database
Issue the following command:
ldapsearch -x -H ldap://myHost.myDomain.com:389 -b "dc=myDomain,dc=com" '(objectclass=*)'
Note: You need to know the root domain name of the slapd database, defined above as "dc=myDomain,dc=com". In many cases, it corresponds to the domain and domain suffix of your host name. If this approach does not work, consult your system administrator.
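The following shell script is an added example, not part of the Ingres documentation or the ingvalidpam code. It ties the two procedures above together: it reads HOST and BASE out of an ldap.conf, checks that BASE is really the container of the user's Distinguished Name (so that the bare "johnDoe" shorthand in netutil resolves to the right entry), and prints the ldapsearch command that confirms the entry exists on the server. The ldap.conf text and the Distinguished Name are constructed inline so the script runs offline; it never contacts a directory. The user name is escaped with the RFC 4515 filter rules before it is placed in the search filter, which is an addition of this example, not something the page describes.

```shell
#!/bin/sh
# Added example (not from the Ingres documentation): sanity-check the BASE in
# ldap.conf against a user's DN and build the matching ldapsearch command.

# Constructed sample ldap.conf, using the same keywords as the page's example.
SAMPLE_LDAP_CONF='# client configuration read by the PAM LDAP module
HOST myHost.myDomain.com
BASE ou=people,dc=myDomain,dc=com
'

# Constructed sample DN, as ldapsearch would print it for uid=johnDoe.
SAMPLE_DN='uid=johnDoe,ou=people,dc=myDomain,dc=com'

# ldap_conf_value KEY CONF: print the value of KEY (case-insensitive) from the
# CONF text, skipping comment lines; the last occurrence wins.
ldap_conf_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { val = $2 }
        END { print val }'
}

# dn_for_user UID BASE: the DN that a bare UID in netutil expands to.
dn_for_user() {
    printf 'uid=%s,%s\n' "$1" "$2"
}

# dn_parent DN: strip the first RDN, leaving the container the entry lives in.
dn_parent() {
    printf '%s\n' "$1" | sed 's/^[^,]*,//'
}

# base_matches_dn BASE DN: succeed (exit 0) only when BASE is exactly the
# parent of DN; fails for a mistyped base such as ou=people,dc=myHost,dc=com.
base_matches_dn() {
    [ "$(dn_parent "$2")" = "$1" ]
}

# filter_escape VALUE: escape the RFC 4515 filter metacharacters so that a
# user-supplied name cannot widen the search (e.g. "*" or "jo)(uid=*").
filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# search_command HOST BASE UID: the ldapsearch invocation that confirms the
# entry exists. -x is a simple (here anonymous) bind, -LLL trims the LDIF
# output, and "dn" asks only for the Distinguished Name.
search_command() {
    printf 'ldapsearch -x -LLL -H ldap://%s:389 -b "%s" "(uid=%s)" dn\n' \
        "$1" "$2" "$(filter_escape "$3")"
}

# Stand-alone run against the constructed sample.
main() {
    host=$(ldap_conf_value HOST "$SAMPLE_LDAP_CONF")
    base=$(ldap_conf_value BASE "$SAMPLE_LDAP_CONF")
    if base_matches_dn "$base" "$SAMPLE_DN"; then
        echo "BASE '$base' matches the container of $SAMPLE_DN"
    else
        echo "BASE '$base' does not match the container of $SAMPLE_DN" >&2
        return 1
    fi
    echo "Verify on the server with:"
    search_command "$host" "$base" johnDoe
}

main
```

Run the printed ldapsearch command on the server that hosts ingvalidpam; if it returns no entry, either BASE points at the wrong container or the user's entry is not a posixAccount under it, and netutil will fail to authenticate that name.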
Last modified date: 01/30/2023