Lab 32: Account Authentication

Configure a Linux host to resolve and authenticate users from a centralized directory service using LDAP client components. Validate the full path from name service resolution to a working login session.

Scenario

Your company is transitioning from local accounts to a centralized authentication system. You need to install the LDAP client stack, configure the base DN and server URI, and verify that directory users resolve and authenticate like local accounts.

Operator context

“Configured” is not a result. Treat this as complete only when getent resolves an identity and a login succeeds.

Objective

  • Install LDAP client utilities and NSS and PAM integration packages.
  • Configure LDAP base DN and server URI via the reconfigure workflow.
  • Restart name service caching to ensure fresh NSS results.
  • Verify a directory user resolves through getent.
  • Inspect PAM configuration for LDAP module presence.
  • Simulate a login session and prove identity.

Concepts

  • Name Service Switch (NSS) controls how identities resolve via standard interfaces such as getent.
  • Pluggable Authentication Modules (PAM) controls how credentials are verified for logins and privilege changes.
  • LDAP client configuration supplies the base DN and server URI used by NSS and PAM LDAP modules.
  • Caching can mask configuration changes until the cache is restarted or invalidated.
  • Evidence-based checks chain resolution and authentication: getent, PAM stack inspection, then an actual login.

Walkthrough

Step 1 : Install LDAP client utilities.
Command
sudo apt install ldap-utils libnss-ldap libpam-ldap nscd

This installs LDAP client tooling plus NSS and PAM components for directory identity resolution and authentication. nscd caches NSS lookups.

Step 2 : Configure base DN and LDAP URI.
Command
sudo dpkg-reconfigure ldap-auth-config

This guided workflow sets the directory search base (base DN) and server endpoint (URI). These values become the lookup foundation for the LDAP NSS and PAM modules.

LDAP server Uniform Resource Identifier:
  ldap://ldap.example.com/

Distinguished name of the search base:
  dc=example,dc=com

LDAP version to use: 3

Step 3 : Restart cache service to apply settings.
Command
sudo systemctl restart nscd

Restarting nscd clears cached results so getent reflects the current LDAP configuration.

Step 4 : Verify directory user resolution via getent.
Command
getent passwd jdoe

This is the resolution proof. If NSS is correctly wired to LDAP, the user appears as if it were local.

jdoe:x:1003:1003:John Doe:/home/jdoe:/bin/bash

Step 5 : Check PAM for LDAP module entries.
Command
cat /etc/pam.d/common-auth

PAM is the authentication layer. This verifies the LDAP PAM module is present in the auth stack so directory credentials can be validated.

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure

Step 6 : Lock a local account as a containment control.
Command
sudo passwd -l sysadmin

Locking an account disables password-based login for that user. Use this during identity transitions or when you need immediate access containment.

Step 7 : Simulate a login session as a directory user.
Command
su - jdoe

Resolution is not authentication. A successful su - jdoe proves PAM can authenticate the directory user and build a login environment for that user.

Step 8 : Prove identity from inside the session.
Command
whoami
jdoe

This confirms the session is running as the directory user.
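The evidence chain from Steps 4 to 6 can be scripted so the checks are repeatable rather than eyeballed. The script below is an added example, not part of the lab: it does not talk to an LDAP server, and instead runs the same three checks over constructed sample strings (a getent passwd line, a common-auth stack, and shadow-style lines for a locked and an unlocked account). The function names check_resolution, check_pam_ldap and account_locked are this example's own. On a real host you would feed them the live output of getent passwd jdoe, /etc/pam.d/common-auth and the relevant line of /etc/shadow.

```shell
#!/bin/sh
# Added example: offline evidence checks modelled on Steps 4-6 of the lab.
# All SAMPLE_* values below are constructed stand-ins for real command output.

# Constructed sample of what `getent passwd jdoe` returns when NSS is wired to LDAP.
SAMPLE_GETENT='jdoe:x:1003:1003:John Doe:/home/jdoe:/bin/bash'

# Constructed sample of /etc/pam.d/common-auth after ldap-auth-config.
SAMPLE_PAM='auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure'

# Constructed /etc/shadow-style lines. `passwd -l` prefixes the hash field with "!".
SAMPLE_SHADOW_LOCKED='sysadmin:!$6$constructedsalt$constructedhash:19000:0:99999:7:::'
SAMPLE_SHADOW_OPEN='sysadmin:$6$constructedsalt$constructedhash:19000:0:99999:7:::'

# check_resolution LINE USER
# Returns 0 when LINE is a passwd entry for USER with a numeric uid of 1000 or
# more and a usable login shell; anything else (empty output, wrong name,
# nologin shell) returns 1.  Mirrors the "resolution proof" of Step 4.
check_resolution() {
  line=$1; user=$2
  [ -n "$line" ] || return 1
  name=$(printf '%s' "$line" | cut -d: -f1)
  uid=$(printf '%s' "$line" | cut -d: -f3)
  login_shell=$(printf '%s' "$line" | cut -d: -f7)
  [ "$name" = "$user" ] || return 1
  case $uid in ''|*[!0-9]*) return 1 ;; esac
  [ "$uid" -ge 1000 ] || return 1
  case $login_shell in ''|/bin/false|/usr/sbin/nologin) return 1 ;; esac
  return 0
}

# check_pam_ldap PAMTEXT
# Returns 0 when an "auth" line loads pam_ldap.so and it precedes pam_unix.so,
# which is the ordering shown in Step 5 (directory first, local fallback).
check_pam_ldap() {
  printf '%s\n' "$1" | awk '
    $1 == "auth" && $3 == "pam_ldap.so" { ldap = NR }
    $1 == "auth" && $3 == "pam_unix.so" { unix = NR }
    END { exit !(ldap && unix && ldap < unix) }'
}

# account_locked SHADOWLINE
# Returns 0 when the hash field starts with "!", i.e. the state passwd -l
# leaves behind.  This only reflects password login; key-based or sudo access
# is outside what this field can tell you (see "Common breakpoints").
account_locked() {
  hash_field=$(printf '%s' "$1" | cut -d: -f2)
  case $hash_field in '!'*) return 0 ;; *) return 1 ;; esac
}

# run_chain: resolution, then PAM stack, then lock state, one verdict per line.
run_chain() {
  check_resolution "$SAMPLE_GETENT" jdoe && echo "resolution (getent): ok" || echo "resolution (getent): FAIL"
  check_pam_ldap "$SAMPLE_PAM" && echo "pam_ldap in auth stack: ok" || echo "pam_ldap in auth stack: FAIL"
  account_locked "$SAMPLE_SHADOW_LOCKED" && echo "sysadmin password lock: ok" || echo "sysadmin password lock: FAIL"
}

run_chain
```

To use this against a live host, replace the constructed samples with `getent passwd jdoe`, the contents of /etc/pam.d/common-auth, and `sudo grep '^sysadmin:' /etc/shadow`. The script deliberately stops short of Step 7: an interactive su - is the only check that proves PAM actually accepted the credentials, and a passing run_chain is a precondition for that, not a substitute.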

Common breakpoints

getent returns no results for the user

NSS is not resolving the directory identity. Confirm the LDAP URI and base DN, restart nscd, then re-check. If the issue persists, validate network reachability and DNS for the LDAP host.

getent works but su fails authentication

Resolution is working, but PAM is not authenticating. Confirm pam_ldap.so is present in the auth stack and check logs for module failures. On systemd systems, inspect auth events via journalctl.

Cached results hide configuration changes

NSS caching can make broken configuration look correct (or vice versa). Restart nscd and re-run the evidence chain: getent then a login attempt.

passwd -l does not behave as expected

Account locking affects password-based login, but does not necessarily prevent access via keys, sudo rules, or other auth mechanisms. Treat this as one control in a broader access model.

Cleanup checklist

Remove the LDAP client stack and unlock any local accounts you modified so the host returns to a local-auth baseline.

Commands
sudo passwd -u sysadmin
sudo apt remove --purge -y ldap-utils libnss-ldap libpam-ldap nscd
sudo systemctl daemon-reload
sudo systemctl restart nscd 2>/dev/null || true

Success signal

getent no longer resolves directory identities, and local accounts behave normally. No LDAP client services remain enabled on the host.

Reference

  • apt install <pkgs> : Installs packages on Debian-family systems.
    • ldap-utils : LDAP client utilities for queries and troubleshooting.
    • libnss-ldap : NSS integration for directory-backed identity resolution.
    • libpam-ldap : PAM module enabling directory-backed authentication.
    • nscd : Name Service Cache Daemon for NSS caching.
  • dpkg-reconfigure ldap-auth-config : Reconfigures LDAP auth parameters (URI, base DN).
  • systemctl restart nscd : Restarts the name service cache daemon.
  • getent passwd <user> : Verifies NSS can resolve a user from configured sources.
  • cat /etc/pam.d/common-auth : Displays the PAM auth stack on Debian-family systems.
    • /etc/pam.d/common-auth : PAM rules for authentication decisions.
  • passwd -l <user> : Locks an account by disabling password-based login.
    • -l : Locks the account.
  • su - <user> : Starts a login shell for a user and exercises PAM auth.
    • - : Uses a login shell environment (loads profile, sets HOME).
  • whoami : Prints the effective username of the current session.