Featured resource
2025 Tech Upskilling Playbook
Tech Upskilling Playbook

Build future-ready tech teams and hit key business milestones with seven proven plays from industry leaders.

Check it out
  • Lab
    • Libraries: If you want this lab, consider one of these libraries.
    • Cloud
    • Security
Google Cloud Platform icon
Labs

OpenLDAP Client User Authentication

Using a central authentication service in your organization isn't just a good idea - it's a great one. There's no reason to have different copies of user information on every server. Using OpenLDAP and PAM can enable clients to authenticate users without having a copy of user information locally.

Google Cloud Platform icon
Lab platform
Lab Info
Level
Intermediate
Last updated
Sep 05, 2025
Duration
1h 0m

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.
Table of Contents
  1. Challenge

    Install Required Packages

    You're going to need quite a few packages installed to make this server work.

    You can install them with the following command:

    yum -y install openldap compat-openldap openldap-clients openldap-servers nss-pam-ldapd
    
  2. Challenge

    Configure LDAP

    With the daemon running, now we can set an LDAP password with:

    slappasswd -h {SSHA} -s password
    

    That will run and print a hash out to the screen. Let's copy that, and then edit initial.ldif. Get into the right directory, then into the file:

    cd LDAP/LDAP
    vim initial.ldif
    

    On the olcRootPW line, replace {SHAA} with our hash. The line should look something like this:

    olcRootPW {SSHA}<OUR_HASH>
    

    Save that file, and then run this so that it takes effect:

    ldapmodify -Y external -H ldapi:/// -f initial.ldif
    

    We've also got to pull in a few other different configuration files, but we can do it in a one-liner here with a for loop:

    for i in cosine nis inetorgperson; do ldapadd -Y external -H ldapi:/// -f  /etc/openldap/schema/$i.ldif; done
    

    Now we can add the OUs:

    ldapadd -x -W -D "cn=ldapadm, dc=la,dc=local" -f ous.ldif
    

    We'll be prompted for a password, which is going to be the one we set earlier with slappasswd -h {SSHA} -s password.

    Now, to add users, run this:

    ldapadd -x -W -D "cn=ldapadm, dc=la,dc=local" -f users.ldif
    

    We'll need our password again, and then we should see users get added.

  3. Challenge

    Make Sure PAM Authentication Is Correct

    We need to set up PAM to authenticate users correctly. On the server, we can run the following command to do the configuration for you.

    authconfig --enableldap --enableldapauth --ldapserver=localhost --ldapbasedn="dc=la,dc=local" --enablemkhomedir --update
    

    Then we've got to restart the daemon, so that our changes take effect:

    systemctl restart nslcd
    

    Now let's test. Run id tcox, and we should see details on the tcox user. tcox, by the way, was one of the users we set up. You might have seen the username in output from one of the ldapadd commands. Run id pinehead to see if that user was added too.

    Now, we can become tcox by running su - tcox. We should end up being that user, and sitting in the home directory (we'll also notice that the directory is created upon the su command getting run too), /home/tcox.

  4. Challenge

    Configure the Client

    Ok, the server is all set. Now in the client, we need to install some software:

    yum install openldap-clients nss-pam-ldapd -y
    

    We'll run the same kind of authconfig line we did on the server now, changing localhost here to the server's actual IP address:

    authconfig --enableldap --enableldapauth --ldapserver=10.0.1.100 --ldapbasedn="dc=la,dc=local" --enablemkhomedir --update
    

    Now restart the daemon, so that our changes take effect:

    systemctl restart nslcd
    

    Now if we run id for tcox and pinehead like we did on the server, we should see the same kind of output.

  5. Challenge

    Set a Password and Test

    Let's set a new pinehead password, and test it out. It doesn't matter if we're doing this on the client or the server, since both ways will be actually authenticating to the same LDAP server:

    Now, to add users, run this:

    ldappasswd -s password -W -D "cn=ldapadm, dc=la,dc=local" -x "uid=pinehead,ou=People,dc=la,dc=local
    

    Enter a new password at the prompt, then try logging in as pinehead:

    ssh pinehead@localhost
    

    After an authenticity prompt, we should see a Creating '/home/pinehead' message and we're in as pinehead, sitting in this account's home directory.

About the author

Pluralsight Skills gives leaders confidence they have the skills needed to execute technology strategy. Technology teams can benchmark expertise across roles, speed up release cycles and build reliable, secure products. By leveraging our expert content, skill assessments and one-of-a-kind analytics, keep up with the pace of change, put the right people on the right projects and boost productivity. It's the most effective path to developing tech skills at scale.

Real skill practice before real-world application

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Learn by doing

Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.

Follow your guide

All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.

Turn time into mastery

On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.

Get started with Pluralsight