====== OpenLDAP Linux client ======
=== useful files: ===
[root@rhtst1 ~]# cat /etc/nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
# NOTE(review): both sss (sssd) and ldap (nslcd) are consulted, which matches
# USESSSD=yes and USELDAP=yes in authconfig below. Two LDAP client stacks with
# separate TLS/certificate settings are therefore in play; harden both, or
# remove the one that is not actually used.
hosts: files dns
....
[root@rhtst1 ~]# cat /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=yes
USEDB=no
FORCELEGACY=no
USEFPRINTD=no
FORCESMARTCARD=no
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
WINBINDKRB5=no
USELDAP=yes
USEECRYPTFS=no
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
PASSWDALGORITHM=sha512
USEPWQUALITY=yes
USEHESIOD=no
[root@rhtst1 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
###TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
###SASL_NOCANON on
#New config
#ssl start_tls
#TLS_REQCERT allow
#SASL_NOCANON on
URI ldaps://openldap1.tst.lu
BASE dc=mydom,dc=tst
TLS_CACERTDIR /etc/openldap/cacerts
# NOTE(review): TLS_CERT and TLS_KEY point at the same file inside the CA
# certificate directory. A CA dir is usually readable by everyone, so the
# client private key is presumably world-readable here — verify with
# `ls -l /etc/openldap/cacerts/client.pem`. Keep the key in a separate
# mode-0600 file owned by the identity that needs it (nslcd runs as uid nslcd,
# see nslcd.conf below).
TLS_CERT /etc/openldap/cacerts/client.pem
TLS_KEY /etc/openldap/cacerts/client.pem
# NOTE(review): 'allow' requests the server certificate but continues even if
# none is sent or it fails to verify, so ldaps:// here does NOT authenticate
# the server. With USELDAPAUTH=yes (pam_ldap simple binds) user passwords
# travel over a channel a MITM can terminate. Switch to `TLS_REQCERT demand`
# (or `hard`) once the CA in TLS_CACERTDIR validates the server certificate;
# 'allow' is only acceptable for a short troubleshooting window.
TLS_REQCERT allow
[root@rhtst1 ~]# cat /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
uid nslcd
gid ldap
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# NOTE(review): no tls_reqcert / tls_cacertdir appears in this excerpt (the
# listing is cut off below). If they are not set further down, nslcd presumably
# falls back to the libldap defaults from /etc/openldap/ldap.conf above, i.e.
# TLS_REQCERT allow with no server verification. Pin it for this daemon:
# `tls_reqcert demand` and `tls_cacertdir /etc/openldap/cacerts`.
uri ldaps://openldap1.tst.lu
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base dc=mydom,dc=tst
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
..........
=== process and daemon ===
[root@rhtst1 ~]# systemctl status nslcd -l
● nslcd.service - Naming services LDAP client daemon.
Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2016-11-24 17:15:08 CET; 40min ago
Process: 18043 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
Main PID: 18044 (nslcd)
CGroup: /system.slice/nslcd.service
└─18044 /usr/sbin/nslcd
Nov 24 17:20:16 rhlabr1 nslcd[18044]: [1b58ba] no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Nov 24 17:20:16 rhlabr1 nslcd[18044]: [1b58ba] no available LDAP server found: Server is unavailable: Transport endpoint is not connected
...
Start in debug mode on the client (runs in the foreground and logs to stderr; stop the nslcd unit first so the two instances do not compete for the same socket, repeat -d for more verbosity, and note that the output can include bind DNs and search filters, so do not paste it into tickets unreviewed):
# nslcd -d