Thanks for your reply, Adam. The draft version of the documentation is certainly much better, and I noticed a few updates which solved problems I had. I am kind of surprised though that there is a separate draft copy - I think a wiki would work much, much better.
I copied down what I had to do to make client user authentication with LDAP work for logons. I will definitely try following the new docs the next time I reload a client, but I think there is probably a lot still unclear.
This is what I used:
Note: ldapsearch looks at /etc/ldap/ldap.conf, but the config goes to /etc/ldap.conf
0: Install ldap-utils
apt-get install ldap-utils
1: Install LDAP Client
apt-get install libnss-ldap
(nonstandard) Yes when prompted to use debconf
(nonstandard) Exop used for local password crypt (no idea what's right here)
Enter ldap://auth.example.com/ for the server.
Enter the base DN like dc=example,dc=com
Select ldap v3
No for 'Make local root db admin' (no idea what this does)
No for 'db requires login'
Note: if not prompted for some options, enter dpkg-reconfigure ldap-auth-config
2: Manual LDAP Config
(only if you want) nano /etc/ldap.conf
3: Copy Config
cp /etc/ldap.conf /etc/ldap/ldap.conf
4: Use the auth-client-config script to add config settings:
nano /etc/auth-client-config/profile.d/ldap-auth-config
(replace all with the following text)
[open_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
        #the following line (containing pam_group.so) must be placed before pam_ldap.so
        #for ldap users to be placed in local groups such as fuse, plugdev, scanner, etc ...
        auth required pam_group.so use_first_pass
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_mkhomedir.so skel=/etc/skel/
        session required pam_unix.so
        session optional pam_ldap.so
(then run the following command)
auth-client-config -a -p open_ldap
(only run this once! otherwise configs look messy with backups.)
5: Add LDAP users to necessary groups.
nano /etc/security/group.conf
(add the following line at the end)
*;*;*;Al0000-2400;audio,cdrom,floppy,plugdev,video,fuse,scanner,dip
(not sure why, but didn't seem to need this in testing)
6: Enable cached credentials:
apt-get install nss-updatedb libnss-db libpam-ccreds
nss_updatedb ldap
nano /etc/nsswitch.conf
(edit the passwd and group entries to the following)
passwd: files ldap [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
(create a cron job to update the db daily)
echo '#!/bin/sh' | sudo tee /etc/cron.daily/upd-local-nss-db
echo `which nss_updatedb` ldap | sudo tee -a /etc/cron.daily/upd-local-nss-db
sudo chmod +x /etc/cron.daily/upd-local-nss-db
nano /etc/pam.d/common-auth
(replace with the following text)
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
# If LDAP is unavailable, go to next line. If authentication via LDAP is successful, skip 1 line.
# If LDAP is available, but authentication is NOT successful, skip 2 lines.
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
7: Restart before logging in!
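The common-auth stack in step 6 relies on PAM's [value=action] jump semantics, which the two comments there only describe in prose. The following added example (not part of the post or of any project) models that evaluation for the five lines exactly as given; it assumes the simplified Linux-PAM control rules named in its docstring and feeds each module a constructed return code per scenario (local user, LDAP reachable with a good or bad password, LDAP unreachable with matching or stale cached credentials).

```python
"""Added example, not from the post: a model of how Linux-PAM walks the step 6
common-auth stack via [value=action ...] controls (ignore, ok, done, bad, die,
or N = skip the next N modules). Module return codes are constructed inputs."""
import re
# The five auth lines exactly as the post gives them (constructed input).
COMMON_AUTH = """
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
"""
LINE_RE = re.compile(r"^auth\s+\[([^\]]+)\]\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return [(label, {return_code: action})], label e.g. 'pam_ccreds:validate'."""
    stack = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        name = m.group(2).replace(".so", "")
        acts = [a[7:] for a in m.group(3).split() if a.startswith("action=")]
        control = dict(kv.split("=", 1) for kv in m.group(1).split())
        stack.append((name + ":" + acts[0] if acts else name, control))
    return stack

def evaluate(stack, results):
    """results maps label -> return code. Returns (outcome, labels that ran).
    A failure once recorded is never overridden by a later success (PAM rule)."""
    state, ran, i = None, [], 0
    while i < len(stack):
        name, control = stack[i]
        code = results.get(name, "auth_err")     # unspecified modules fail
        action = control.get(code, control.get("default", "bad"))
        ran.append(name)
        i += 1
        if action == "ignore":                   # result does not count
            continue
        ok = code == "success" and action not in ("bad", "die")
        if state != "failure":
            state = "success" if ok else "failure"
        if action in ("done", "die"):            # stop walking the stack
            break
        if action.isdigit():                     # success-style jump over N
            i += int(action)
    return (state or "failure"), ran

def login(results):
    """Run one constructed scenario through the post's common-auth stack."""
    return evaluate(parse_stack(COMMON_AUTH), results)
```

Running the scenarios shows why the ordering matters: a wrong password with LDAP reachable lands on the action=update line and fails, while an unreachable server falls through to action=validate and succeeds only if the cached credentials match.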