Configuring LDAP Authentication on CentOS 8 - Tyler's Guides (2025)

This guide will walk you through setting up CentOS 8 to use an LDAP directory server for authentication. I am assuming you have a directory server up and running. If you don’t, you can follow these two guides to install and configure OpenLDAP:

  1. Install OpenLDAP From Source – CentOS 8
  2. Configure OpenLDAP

In this guide, I use nss-pam-ldapd. You can also use sssd. I have a guide for setting up SSSD on CentOS 7. I haven’t tested this, but you should be able to follow that guide for setting up SSSD itself, then this guide’s section on enabling the configuration, and end up with a working system.

Install Packages

First, you need to install and configure an LDAP pluggable authentication module (PAM), an LDAP name service switch (NSS) module, and a caching service. I prefer nss-pam-ldapd because it is available in the OS repositories and straightforward to configure. It is what the examples in this guide will use. Install the necessary packages by running the following command:

# dnf install nss-pam-ldapd openssl

TLS CA Certificates

I recommend using TLS for your connections to your directory server(s). If you don’t, user names and passwords will be sent through the network unencrypted. If you opt to not use TLS, then skip this section. If your directory server certificate was obtained from one of the well known certificate authorities, you can probably use your system’s trusted certificate authority (CA) certificate list. On CentOS 8, this is /etc/ssl/certs/ca-bundle.crt. If you are using a self-signed certificate or an in-house certificate authority, you will need to get a copy of the certificate that was used to sign the directory server(s)’ server certificates.

Well Known CA

If your directory server is using a certificate issued by one of the well known CAs, then you are done with this section. Read the comment regarding tls_cacertfile in the nslcd.conf example further down.

Local CA

Contact your CA administrator and ask them for the CA certificate in PEM format. I keep CA certificates that don’t ship with the OS in /pki/cacerts.pem. Append the CA certificate to this file or, if you like, to a location of your choosing.

Self-Signed Certificate

Create a directory to store your certificate files in and obtain the certificates from your directory server. I recommend keeping self-signed certificates in a separate file. If possible, ask your directory server administrator for the certificate in PEM format. If this isn’t possible, it can be obtained with OpenSSL. Run the following openssl command on the directory server itself if you can. If you run it on the client, you are susceptible to a man-in-the-middle attack.

# openssl s_client -connect ldap.tylersguides.com:636 -showcerts < /dev/null

From the output of the openssl command, copy and paste the certificate text into /pki/ldap_server_certs.pem or a location of your choosing. Do this for each server. The certificate text will look something like this:

-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBvMQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFpu/xO28QOG8=
-----END CERTIFICATE-----
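The following shell helpers are an added example of mine, not code from Tyler’s guide. They copy every certificate block out of the openssl s_client -showcerts output (so none of the session chatter lands in the PEM file), count what was captured, and print each certificate’s subject, issuer and SHA-256 fingerprint so you can compare it with what the directory server administrator sees before you trust the file. That out-of-band comparison is what addresses the man-in-the-middle concern above when the command has to be run from a client. The host name, the /pki paths and the sample s_client session are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): capture the certificates that
# "openssl s_client -showcerts" prints and fingerprint them for out-of-band
# comparison before trusting them. Host names, paths and the sample session
# output are constructed.

# Copy every -----BEGIN/END CERTIFICATE----- block from stdin, and nothing
# else from the session, into the file named in $1.
extract_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { p = 0 }' > "$1"
}

# Number of certificates in a PEM file; with -showcerts this should equal the
# length of the chain the server sent.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Fetch the chain from a live server (network and the openssl CLI required).
# Run this on the directory server itself where you can; on a client it only
# tells you what something on the network presented.
fetch_server_certs() {        # $1 = host:port, $2 = output PEM file
    openssl s_client -connect "$1" -showcerts < /dev/null 2> /dev/null | extract_certs "$2"
}

# Subject, issuer and SHA-256 fingerprint of each certificate in a PEM bundle.
# Compare the fingerprints with what the server administrator sees; only then
# append the file to the one named by tls_cacertfile.
print_fingerprints() {        # $1 = PEM bundle
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    for c in "$dir"/*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer -fingerprint -sha256
    done
    rm -rf "$dir"
}

# Constructed s_client session: two certificates (server and CA) surrounded by
# the chatter the real command prints. The bodies are not real certificates.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Test CA
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED/SERVER/CERT/BODY/NOT/A/REAL/CERTIFICATE=
-----END CERTIFICATE-----
 1 s:CN = Example Test CA
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED/CA/CERT/BODY/NOT/A/REAL/CERTIFICATE=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.test
EOF
}

out=$(mktemp)
sample_s_client_output | extract_certs "$out"
echo "captured $(count_certs "$out") certificate(s) into $out"
# Live use: fetch_server_certs ldap.example.test:636 /pki/ldap_server_certs.pem
#           print_fingerprints /pki/ldap_server_certs.pem
rm -f "$out"
```

For live use, call fetch_server_certs with the server’s FQDN and port 636 and then print_fingerprints on the resulting file; if the fingerprints the administrator reads back do not match, do not add the file to tls_cacertfile.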

Configure nss-pam-ldapd

Nss-pam-ldapd uses the same file, /etc/nslcd.conf, for the NSS and PAM modules. I have included an example file with comments explaining what the various options do. There are many more options than the ones in the example. It wouldn’t hurt to skim through the official documentation to see what options are available. Replace the example values below (the tylersguides.com host names and suffix, the osproxy bind account and its password, and the /pki paths) with what is relevant to your system.

# The user and group name the cache daemon will run as.
uid nslcd
gid ldap

# Make sure to use the fully qualified domain name or the TLS handshake
# will fail and you won't be able to connect.
# The URI of your directory server(s). Multiple servers can be specified.
uri ldaps://ldap.tylersguides.com/
# uri ldaps://ldap2.tylersguides.com

# This should be your suffix.
base dc=tylersguides,dc=com

# The LDAP user the cache daemon and modules will use for looking
# up entries
binddn cn=osproxy,ou=system,dc=tylersguides,dc=com
# The password for the aforementioned account
bindpw osproxy_password

# Where to look for groups and users, respectively.
base group ou=groups,dc=tylersguides,dc=com
base passwd ou=users,dc=tylersguides,dc=com

# How long, in seconds, to wait for the server to respond when logging in
# as the aforementioned user before giving up
bind_timelimit 30
# How long to wait for the server when searching for entries.
timelimit 30

# TLS configuration. tls_reqcert demand will prevent the daemon and modules
# from using the server if the server certificate does not have a signing chain
# that ends with a root certificate listed in the file set by tls_cacertfile.
# Comment out the rest of the file if you do not plan on using TLS. If you
# opt to not use TLS, passwords will be sent through the network in plain text.
ssl on
tls_reqcert demand
# If your directory server uses a certificate from a well known CA,
# comment out the next line and uncomment the one below it.
tls_cacertfile /pki/cacerts.pem
#tls_cacertfile /etc/ssl/certs/ca-bundle.crt
tls_ciphers HIGH:TLSv1.2:!aNULL:!eNULL

You may want or need to adjust the tls_ciphers. The CentOS 8 nss-pam-ldapd package uses OpenSSL. See the OpenSSL ciphers man page for guidance.

If you use self-signed certificates or a local CA, set the SELinux [1] label on the CA file. If SELinux is enforcing, nslcd won’t be able to read /pki/cacerts.pem otherwise:

# chcon system_u:object_r:cert_t:s0 /pki/cacerts.pem

Nss-pam-ldapd uses a daemon, nslcd, to look up directory entries. Set nslcd to start automatically on boot and restart it:

# systemctl enable nslcd
# systemctl restart nslcd
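Before restarting nslcd it is worth checking the file for the handful of settings that decide whether credentials and lookups are actually protected. The script below is an added example of mine, not part of the guide: it reads an nslcd.conf and warns when ssl is not on, when tls_reqcert is anything but demand, when a uri line is plain ldap:// or uses an IP literal (which can never match the host name in the server certificate), when the tls_cacertfile cannot be read, and when a file that holds bindpw is readable by anyone but root. It assumes GNU coreutils (stat -c) and writes two constructed sample files, one following the guide and one with every weak setting, so it can be tried without touching /etc/nslcd.conf.

```shell
#!/bin/sh
# Added example (not from the guide): lint an nslcd.conf for the settings that
# matter before LDAP logins are enabled. Assumes GNU coreutils (stat -c);
# the sample files written below are constructed.

# Value of the last active "KEY value" line. Comment lines start with '#', so
# their first field never equals the key.
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Every value for a key that may repeat, such as uri.
conf_values() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

warn() {
    echo "WARN: $*"
    n=$((n + 1))
}

# Print one WARN line per finding; return the number of findings (0 = clean).
lint_nslcd_conf() {
    f=$1
    n=0
    ssl=$(conf_value "$f" ssl)
    reqcert=$(conf_value "$f" tls_reqcert)
    cafile=$(conf_value "$f" tls_cacertfile)
    bindpw=$(conf_value "$f" bindpw)

    case $ssl in
        on|start_tls) ;;
        *) warn "ssl is '${ssl:-unset}': passwords would cross the network in clear text" ;;
    esac
    [ "$reqcert" = demand ] ||
        warn "tls_reqcert is '${reqcert:-unset}', not demand: an untrusted server certificate would be accepted"

    for u in $(conf_values "$f" uri); do
        case $u in
            ldaps://*) ;;
            ldap://*) [ "$ssl" = start_tls ] || warn "uri $u is plain ldap:// without ssl start_tls" ;;
            *) warn "uri $u has an unexpected scheme" ;;
        esac
        # A digit right after :// means an IPv4 literal, which will not match
        # the host name in the server certificate.
        case $u in
            *://[0-9]*.[0-9]*.[0-9]*.[0-9]*) warn "uri $u uses an IP literal; use the server's FQDN" ;;
        esac
    done

    if [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        warn "tls_cacertfile $cafile is missing or unreadable (check the SELinux label too)"
    fi
    if [ -n "$bindpw" ]; then
        mode=$(stat -c '%a' "$f")
        [ "$mode" = 600 ] || warn "$f holds bindpw but has mode ${mode:-?} (expected 600)"
    fi
    return "$n"
}

# Constructed samples: one following the guide, one with every weak setting.
write_sample_confs() {
    d=$1
    : > "$d/cacerts.pem"    # stand-in for a real CA bundle
    cat > "$d/good.conf" <<EOF
uid nslcd
gid ldap
uri ldaps://ldap.example.test/
base dc=example,dc=test
binddn cn=osproxy,ou=system,dc=example,dc=test
bindpw constructed_password
ssl on
tls_reqcert demand
tls_cacertfile $d/cacerts.pem
tls_ciphers HIGH:TLSv1.2:!aNULL:!eNULL
EOF
    chmod 600 "$d/good.conf"
    cat > "$d/weak.conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://192.0.2.10/
base dc=example,dc=test
binddn cn=osproxy,ou=system,dc=example,dc=test
bindpw constructed_password
ssl off
tls_reqcert never
tls_cacertfile /nonexistent/cacerts.pem
EOF
    chmod 644 "$d/weak.conf"
}

if [ $# -gt 0 ]; then
    lint_nslcd_conf "$1"          # lint a real file, e.g. /etc/nslcd.conf
else
    tmp=$(mktemp -d)
    write_sample_confs "$tmp"
    echo "== weak.conf"; lint_nslcd_conf "$tmp/weak.conf" || echo "-> $? finding(s)"
    echo "== good.conf"; lint_nslcd_conf "$tmp/good.conf" && echo "-> clean"
    rm -rf "$tmp"
fi
```

Run it as root with /etc/nslcd.conf as the argument to check the real file; with no argument it lints the two samples. One caveat on the chcon step above: a label set with chcon does not survive a filesystem relabel. To make the cert_t label on /pki persistent, record it with semanage fcontext -a -t cert_t '/pki(/.*)?' and apply it with restorecon -Rv /pki (semanage is in the policycoreutils-python-utils package on CentOS 8).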

Create an authselect Profile

The authselect program will automatically update the relevant configuration files for you. Unfortunately, it does not have a profile for nss-pam-ldapd, so you must create one.

The easiest way to do this is to copy and edit the SSSD profile. Run the following commands as root to do so:

# cp -Rp /usr/share/authselect/default/sssd /etc/authselect/custom/nslcd
# cd /etc/authselect/custom/nslcd
# sed -i 's/sss/ldap/g' fingerprint-auth
# sed -i 's/sss/ldap/g' password-auth
# sed -i 's/sss/ldap/g' smartcard-auth
# sed -i 's/sss/ldap/g' system-auth
# sed -i 's/sss/ldap/g' nsswitch.conf
# sed -i 's/SSSD/NSLCD/g' REQUIREMENTS

The sed commands above replace the SSSD related text with the NSLCD equivalent in the relevant files.

Enable and Test LDAP

Before you enable and test your configuration, create a home directory for your test user. If you used my guide on configuring the server, the commands below will work as is.

# mkdir /home/testuser
# chown 5000:5000 /home/testuser

Before enabling your configuration, create a backup of the affected files. Run the following commands as root:

# cd /etc
# tar cf /root/pre_ldap_config.tar nsswitch.conf pam.d

The authselect program will update your /etc/nsswitch.conf and /etc/pam.d/ for you. Run the following command to make the changes necessary to enable LDAP:

# authselect select custom/nslcd --force

If you run into problems and need to disable LDAP:

# cd /etc
# tar xf /root/pre_ldap_config.tar

Now test the configuration by trying to resolve UIDs and GIDs.

# ls -l /home

Working configuration:

# ls -l /home
total 8
drwxr-xr-x 2 testuser testgroup 4096 Jul 24 16:03 testuser
drwxr-xr-x 2 tyler tyler 4096 May 22 2016 tyler

Broken configuration:

# ls -l /home
total 8
drwxr-xr-x 2 5000 5000 4096 Jul 24 16:03 testuser
drwxr-xr-x 2 tyler tyler 4096 May 22 2016 tyler

If your ls command shows the test user’s home directory owned by your test user and group instead of the numeric UID and GID, your configuration is working. If it isn’t, try restarting nslcd. Then I would check /var/log/messages for clues. You could also run nslcd in debug mode with the following commands. Press Ctrl+C to stop nslcd when you are finished:

# systemctl stop nslcd
# nslcd -d

Some potential causes:

  • The client and server(s) fail to negotiate a cipher suite. Adjust tls_ciphers in nslcd.conf.
  • The certificate authority certificate(s) that signed the server certs is not in your tls_cacertfile. Obtain the necessary certificates and add them to your file.
  • The TLS certificate subject does not match the host name of the server. Make sure you use fully qualified domain names (FQDNs) on your uri lines. You may be able to add /etc/hosts entries if you cannot resolve the FQDNs via DNS.
  • You are supplying incorrect credentials on your binddn and bindpw lines.
  • Your search base lines don’t match your directory server’s structure.
  • Nslcd can’t read the CA certificates file.
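To narrow the list down quickly, the helpers below are an added example of mine, not part of the guide. unresolved_owners() picks out the lines of an ls -l listing whose owner or group is still numeric (the broken-configuration symptom above), check_nsswitch() confirms that authselect really put ldap on the passwd and group lines, and verify_ldap_tls() runs the certificate chain and host name verification that covers the tls_cacertfile and FQDN causes in one step. The ls -l and nsswitch.conf sample data are constructed; verify_ldap_tls needs network access and the openssl CLI, so it is only shown in a comment.

```shell
#!/bin/sh
# Added example (not from the guide): helpers for the troubleshooting list.
# Sample data and host names are constructed; verify_ldap_tls needs network
# access and the openssl CLI and is not run here.

# Print ls -l lines whose owner (field 3) or group (field 4) is still numeric,
# the "broken configuration" symptom; the exit status is the number found.
unresolved_owners() {
    awk 'BEGIN { n = 0 }
         NF >= 4 && ($3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/) { print; n++ }
         END { exit n }'
}

# Succeed only if nsswitch.conf consults ldap on both the passwd and group
# lines, i.e. the custom/nslcd profile is really active.
check_nsswitch() {            # $1 = path to nsswitch.conf
    awk '$1 == "passwd:" && /ldap/ { p = 1 }
         $1 == "group:"  && /ldap/ { g = 1 }
         END { exit !(p && g) }' "$1"
}

# Chain and host name verification against the CA file from nslcd.conf: covers
# the "CA certificate not in tls_cacertfile" and "subject does not match the
# host name" causes in one step.
verify_ldap_tls() {           # $1 = FQDN from the uri line, $2 = tls_cacertfile
    if openssl s_client -connect "$1:636" -CAfile "$2" -verify_hostname "$1" \
           -verify_return_error < /dev/null > /dev/null 2>&1; then
        echo "OK: chain and host name verified for $1"
    else
        echo "FAIL: rerun the openssl command without the redirects to see the verify error for $1"
    fi
}

# Constructed ls -l /home output: testuser still shows numeric ids.
sample_ls_output() {
    cat <<'EOF'
total 8
drwxr-xr-x 2 5000 5000 4096 Jul 24 16:03 testuser
drwxr-xr-x 2 tyler tyler 4096 May 22 2016 tyler
EOF
}

# Constructed nsswitch.conf fragment with ldap on the relevant lines.
sample_nsswitch() {
    cat <<'EOF'
# constructed sample, not a real /etc/nsswitch.conf
passwd:     files ldap systemd
shadow:     files ldap
group:      files ldap systemd
hosts:      files dns myhostname
EOF
}

echo "== home directories with unresolved ids (sample data)"
sample_ls_output | unresolved_owners || echo "-> $? to investigate"
# Live use:  ls -l /home | unresolved_owners
#            check_nsswitch /etc/nsswitch.conf && echo "nsswitch ok"
#            verify_ldap_tls ldap.tylersguides.com /pki/cacerts.pem
```

A listing that comes back clean from unresolved_owners while check_nsswitch fails points at authselect rather than nslcd; a verify_ldap_tls failure narrows the problem to the second and third items in the list above before you start reading nslcd -d output.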

Test LDAP Authentication

Try logging in with your testuser:

# ssh -l testuser localhost

Notes

  1. SELinux is a form of mandatory access control. SELinux permissions can override discretionary access control (DAC) permissions typically covered by Linux permissions guides. In other words, even if the DAC permissions allow access, SELinux can still block access. RHEL based distributions, such as CentOS, enforce SELinux labels by default.
