Lab 32: Account Authentication

Configure a Linux host to resolve and authenticate users from a centralized directory service using LDAP client components. Validate the full path from name service resolution to a working login session with evidence-based checks.

Scenario

Your company is transitioning from local accounts to a centralized authentication system. Your job is to install the LDAP client stack, configure the base DN and server URI, and verify that directory users can be resolved and authenticated like normal local accounts.

Operator context

In practice, “it’s configured” means nothing until getent resolves an identity and a login actually succeeds.

Objective

  • Install LDAP client utilities and NSS/PAM integration packages.
  • Configure LDAP base DN and server URI via reconfigure workflow.
  • Restart caching to ensure fresh NSS results.
  • Verify a directory user resolves through getent.
  • Inspect PAM configuration for LDAP modules.
  • Simulate a login session and prove identity.

What You’ll Practice

  • Installing LDAP client tooling and integration packages.
  • Understanding the difference between name service resolution (NSS) and authentication (PAM).
  • Evidence checks with getent and controlled login simulation.
  • Reading PAM stack files for module presence and order.

Walkthrough

Step 1 : Install LDAP client utilities.
Command
sudo apt install ldap-utils libnss-ldap libpam-ldap nscd

This pulls in the LDAP client tools plus the NSS and PAM components that allow the system to resolve directory users and authenticate them, with nscd providing caching.

Step 2 : Configure base DN and LDAP URI.
Command
sudo dpkg-reconfigure ldap-auth-config

This guided configuration sets the directory search base (base DN) and server endpoint (URI). That information becomes the lookup foundation for NSS and PAM LDAP modules.

LDAP server Uniform Resource Identifier:
  ldap://ldap.example.com/

Distinguished name of the search base:
  dc=example,dc=com

LDAP version to use: 3

Step 3 : Restart cache service to apply settings.
Command
sudo systemctl restart nscd

Restarting nscd clears cached name service results so your getent checks reflect the current LDAP configuration.

Step 4 : Verify directory user resolution via getent.
Command
getent passwd jdoe

This is the critical resolution proof. If NSS is correctly wired to LDAP (the passwd and group databases in /etc/nsswitch.conf list ldap as a source), the user appears exactly as a local account would.

jdoe:x:1003:1003:John Doe:/home/jdoe:/bin/bash

Step 5 : Check PAM for LDAP module entries.
Command
cat /etc/pam.d/common-auth

PAM is the authentication layer. This check confirms the LDAP PAM module is present in the auth stack so directory credentials can be validated.

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure

Step 6 : Lock the local sysadmin account, leaving root available.
Command
sudo passwd -l sysadmin

Locking an account is a fast containment control when you are transitioning identity sources or suspect misuse.

Step 7 : Simulate a login session as a directory user.
Command
su - jdoe

Resolution is not the same as authentication. A successful su - proves PAM can authenticate the directory user and build a working login environment. Run it from an unprivileged shell and enter jdoe's directory password: on Debian-family systems /etc/pam.d/su lets root through via pam_rootok without a password, so a root-initiated su only shows session setup, not credential validation.

Step 8 : Prove identity from inside the session.
Command
whoami
jdoe

This final proof is simple and direct: the session is actually running as the directory user.

Reference

  • ldap-utils : Client tooling for LDAP queries and troubleshooting.
  • libnss-ldap : NSS integration so directory users can be resolved via standard interfaces (getent).
  • libpam-ldap : PAM module enabling directory-backed authentication.
  • nscd : Name Service Cache Daemon; caches NSS results.
  • dpkg-reconfigure ldap-auth-config : Reconfigures LDAP auth parameters (URI, base DN).
  • getent passwd <user> : Verifies NSS can resolve the user from configured sources.
  • /etc/pam.d/common-auth : PAM stack file for authentication rules on Debian-family systems.
  • passwd -l <user> : Locks an account by disabling password-based login.
  • su - <user> : Simulates a login shell for a user and exercises PAM auth.