This page explains what use of LDAP can be made on a Debian system.
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral, industry-standard application protocol for accessing distributed directory information services over an Internet Protocol (IP) network.
LDAP is a protocol for querying a directory (database). However, the term is often used to refer to both the database and the protocol.
An LDAP database stores information about objects in a hierarchical manner. Objects have attributes that hold the information stored about the object. Objects also have classes that define which attributes must and may be stored on the object. Objects in an LDAP database are identified by their Distinguished Name (DN), which indicates their place in the hierarchical tree.
You generally need an LDAP server somewhere that serves the information, and services/clients configured to use that information.
Server Setup
LDAP/OpenLDAPSetup - Instructions for installing and configuring the OpenLDAP server
Client setup
Different parts of a Debian system can be configured to use LDAP.
User authentication
There are basically two ways to configure PAM to use an LDAP server. Both solutions depend on nslcd and have their pros and cons:
LDAP/NSS - Get user names, groups and other information that is usually stored in /etc/passwd from an LDAP server, and authenticate using password hashes received from the server using NSS. This method is required if using getent shadow to return password hashes when run as root.
LDAP/PAM - Use a PAM module to check credentials against an LDAP server. The pure PAM solution allows limiting logins by how users are stored in the directory (e.g. only allow logins for users in a certain part of the directory, require some attribute, etc.). It can be used to change passwords remotely. It also requires fewer access rights to the LDAP directory and does not expose password hashes.
Other
Samba - Setting up a Samba file server or Domain Controller using an LDAP backend
LDAP/Kerberos - How to use Kerberos for authentication and LDAP for authorization + account data
LDAP/PowerDNSSetup - How to set up PowerDNS server to use an LDAP backend
LDAP/AutoFSSetup - How to get automounter maps from LDAP
Debian-LAN implements most of these features.
Usage
LDAP directory management
LDAP/LDAPUtils - Instructions for querying and modifying the LDAP database
LDAP/ldapscripts - Scripts for managing LDAP posix accounts
luma - Qt-based LDAP client
ldap-account-manager - web frontend for managing accounts in an LDAP directory
LDAP/phpldapadmin - web based interface for administering LDAP servers
cpu - a console based LDAP user management tool
ldapvi - perform an LDAP search and update results using a text editor
diradm - script for managing POSIX users and groups stored in an LDAP directory
Self Service Password - PHP application that allows users to change their password in an LDAP directory
Populating the Server(s)
LDAP/MigrationTools - Migrate /etc flat file databases/Authentication and Name Services (NSS) to LDAP
LDAP/ExampleEntries - Formats for various LDAP entries
External links
Some of these links may be out of date and not reflect the current state of Debian LDAP administration.
LDAP Wiki - wiki about LDAP, Authentication and Authorization
LDAP.com – Lightweight Directory Access Protocol: Understanding LDAP Schema
Tyler's LDAP guides: Configuring LDAP Authentication on Debian Stretch, Configuring OpenLDAP for Linux Authentication, Installing OpenLDAP from Source on Debian Stretch, How To Backup and Restore OpenLDAP, OpenLDAP memberOf overlay, LDAP Search filters, Backup and Restore OpenLDAP
Load-balanced Active-Active LDAP cluster (Spanish): Part 2, Part 3, Part 4