Logging into Debian Linux

Lee David Painter

Introduction

This article shows how to configure a Debian Linux system so that users can log in to it with their LogonBox Directory credentials.

If you have not installed LogonBox Directory, now is the time to do so. This discussion assumes you have a server installed, configured, and ready to go with users waiting to log into Linux.

Before you head off configuring Debian to connect to your directory, there are a few values you will need to jot down. These are:

Directory Hostname

This will be the FQDN of your LogonBox Directory. This hostname must be resolvable from each client you want to log in from. If your users will be accessing the directory via the Internet, then make sure you have firewalled and port-forwarded the directory from your public hostname/IP address.

Directory LDAP DN

The LDAP Distinguished Name is a uniquely formatted string that provides a way to resolve entries in the LDAP directory. You will need to know the root DN of your server. If you have not changed this, it will be dc=System,dc=local.

Directory LDAP Port

Unless you have changed the default LDAPS interface, the port value will be 636 for the ldaps:// protocol.

Service Account

You will need an account that has permission to search the LDAP directory. We recommend creating a specific user with a minimal set of permissions. See our Creating a Service Account article for more information.

Debian system configuration

1. Installing the LDAP client

We first need to install the LDAP client and the other utilities LDAP needs to work with Debian 10. Run the following command from a terminal prompt (confirm with Y):

sudo apt install libnss-ldap libpam-ldap ldap-utils

At the LDAP server URI prompt that appears, enter ldap:// followed by the LogonBox Directory hostname and press enter.

Now enter the DN noted earlier to define the Base DN of the system and press enter (e.g. dc=System,dc=local).

For the LDAP version, select 3 and press enter to continue.

Now enter the DN for the service account that will be used to access the LogonBox Directory for authentication and press enter.

If using the default settings, this will be something like cn=serviceAccount,cn=Users,dc=System,dc=local.

Now type in the password for the service account and press enter.

For the basic LDAP services to function properly, it is recommended to remove the default entries from the configuration file. This can be done simply by pressing enter.

We will add the required LDAP entries to this config file later.

Now allow the LDAP service account to behave like a local root account by selecting Yes and pressing enter.

Select No for the option to require login and press enter.

Enter the DN of the LogonBox serviceAccount again and press enter.

Enter the service account password and press enter. This completes the configuration of the LDAP client.

2. Completing the Debian configuration

To configure Debian 10 to use LDAP for authentication we need to update the PAM configurations with the following command:

sudo pam-auth-update

Press enter to begin.

Press enter to accept the default profiles (Unix, LDAP, etc.).

You are returned to the terminal. Now we will configure automatic creation of a user's home directory.

Edit the Common Session PAM file with:

sudo nano /etc/pam.d/common-session

At the end of the file add this line:

session required pam_mkhomedir.so skel=/etc/skel umask=077

Save the file with CTRL-X, then Y, then Enter.

Now edit the Common Password file with:

sudo nano /etc/pam.d/common-password

Find the line:

password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

and remove the use_authtok option, so that the line reads:

password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

Save the file with CTRL-X, then Y, then Enter.

Finally edit the nsswitch.conf file with:

sudo nano /etc/nsswitch.conf

Add ldap to the end of each of the lines starting with passwd:, group: and shadow:

Save the file with CTRL-X, then Y, then Enter.

3. Reboot system

Restart and enable the nscd service:

sudo systemctl restart nscd

sudo systemctl enable nscd

Finally, for good measure, reboot your Debian client.

You now have a completed configuration.

Testing Configuration

Now you are ready to log in to Debian with your LogonBox Directory accounts.

You can perform a quick test to list all the available accounts:

getent passwd

This should list all local Linux accounts as well as any account on your LogonBox Directory.

For example, here my test Directory has 3 accounts: admin, user1 and serviceAccount.
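As an added example (not part of the original article), the following POSIX shell script checks that the three edits from section 2 are actually in place: the pam_mkhomedir line in common-session, use_authtok removed from the pam_ldap line in common-password, and ldap appended to the passwd:, group: and shadow: databases in nsswitch.conf. It runs here against constructed sample files; the live /etc paths are shown in the final comment.

```shell
#!/bin/sh
# Added example, not part of the original article: verify the three edits
# from section 2 (pam_mkhomedir line added, use_authtok removed, ldap
# appended to the passwd/group/shadow databases). Paths are parameters,
# so the same checks run on constructed sample files or the live system.

# 0 if every passwd:, group: and shadow: line in nsswitch.conf ends in ldap.
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap[[:space:]]*$" "$1" || return 1
    done
}

# 0 if common-session loads pam_mkhomedir with the private umask=077.
check_session() {
    grep -Eq '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so.*umask=077' "$1"
}

# 0 if the pam_ldap password line is present and no longer carries use_authtok.
check_password() {
    grep -Eq '^password.*pam_ldap\.so' "$1" || return 1
    ! grep -Eq '^password.*pam_ldap\.so.*use_authtok' "$1"
}

# Print one PASS/FAIL line per file; return 0 only if all three checks pass.
report() {
    rc=0
    for pair in "nsswitch:$1" "session:$2" "password:$3"; do
        name=${pair%%:*}; file=${pair#*:}
        if "check_$name" "$file"; then echo "PASS $file"; else echo "FAIL $file"; rc=1; fi
    done
    return $rc
}

# Constructed sample files standing in for the edited configuration.
tmp=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$tmp/nsswitch.conf"
printf 'session required pam_unix.so\nsession required pam_mkhomedir.so skel=/etc/skel umask=077\n' > "$tmp/common-session"
printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass\n' > "$tmp/common-password"
# The same two files as they look before the edits, for contrast.
printf 'passwd: files\ngroup: files\nshadow: files\n' > "$tmp/nsswitch.before"
printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass\n' > "$tmp/common-password.before"

report "$tmp/nsswitch.conf" "$tmp/common-session" "$tmp/common-password"
# On a client configured as in this article, run instead:
# report /etc/nsswitch.conf /etc/pam.d/common-session /etc/pam.d/common-password
```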

Testing a login via SSH

Testing a GUI login