Comment 4 for bug 355400

David Dana (danadf) wrote :

Thanks for your reply, Adam. The draft version of the documentation is certainly much better, and I noticed a few updates which solved problems I had. I am kind of surprised though that there is a separate draft copy - I think a wiki would work much, much better.

I copied down what I had to do to make client user authentication with LDAP work for logons. I will definitely try following the new docs the next time I reload a client, but I think there is probably a lot still unclear.

This is what I used:

Note: ldapsearch looks at /etc/ldap/ldap.conf, but the config goes to /etc/ldap.conf

0: Install ldap-utils
    apt-get install ldap-utils

1: Install LDAP Client
    apt-get install libnss-ldap
        (nonstandard) Yes when prompted to use debconf
        (nonstandard) Exop used for local password crypt (no idea what's right here)
        Enter ldap://auth.example.com/ for the server.
        Enter the base DN like dc=example,dc=com
        Select ldap v3
        No for 'Make local root db admin' (no idea what this does)
        No for 'db requires login'

        Note: if not prompted for some options, enter dpkg-reconfigure ldap-auth-config

2: Manual LDAP Config
   (only if you want) nano /etc/ldap.conf

3: Copy Config
    cp /etc/ldap.conf /etc/ldap/ldap.conf

4: Use the auth-client-config script to add config settings:
    nano /etc/auth-client-config/profile.d/ldap-auth-config

     (replace all with the following text)

    [open_ldap]
    nss_passwd=passwd: files ldap
    nss_group=group: files ldap
    nss_shadow=shadow: files ldap
    nss_netgroup=netgroup: files ldap
    pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
    # The following line (containing pam_group.so) must be placed before pam_ldap.so
    # for ldap users to be placed in local groups such as fuse, plugdev, scanner, etc ...
        auth required pam_group.so use_first_pass
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
    pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
    pam_password=password sufficient pam_unix.so nullok md5 shadow
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
    pam_session=session required pam_limits.so
        session required pam_mkhomedir.so skel=/etc/skel/
        session required pam_unix.so
        session optional pam_ldap.so

    (then run the following command)

    auth-client-config -a -p open_ldap

    (only run this once! otherwise configs look messy with backups.)

5: Add LDAP users to necessary groups.
    nano /etc/security/group.conf

    (add the following line at the end)

    *; *; *; Al0000-2400;audio,cdrom,floppy,plugdev,video,fuse,scanner,dip

    (not sure why, but didn't seem to need this in testing)

6: Enable cached credentials:
    apt-get install nss-updatedb libnss-db libpam-ccreds
    nss_updatedb ldap
    nano /etc/nsswitch.conf

        (edit the passwd and group entries to the following)

        passwd: files ldap [NOTFOUND=return] db
        group: files ldap [NOTFOUND=return] db

        (create a cron job to update the db daily)

        echo '#!/bin/sh' | sudo tee /etc/cron.daily/upd-local-nss-db
        echo `which nss_updatedb` ldap | sudo tee -a /etc/cron.daily/upd-local-nss-db
        sudo chmod +x /etc/cron.daily/upd-local-nss-db

        nano /etc/pam.d/common-auth

        (replace with the following text)

        auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
        # If LDAP is unavailable, go to next line. If authentication via LDAP is successful, skip 1 line.
        # If LDAP is available, but authentication is NOT successful, skip 2 lines.
        auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
        auth [default=done] pam_ccreds.so action=validate use_first_pass
        auth [default=done] pam_ccreds.so action=store
        auth [default=bad] pam_ccreds.so action=update

7: Restart before logging in!
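The steps above depend on a few ordering and option invariants that are easy to break when the files are edited by hand: pam_group.so must sit before pam_ldap.so (step 4), pam_ccreds action=validate must directly follow a pam_ldap.so line carrying authinfo_unavail=ignore (step 6), and nsswitch.conf must fall back to the nss_updatedb copy with "ldap [NOTFOUND=return] db" (step 6). The following POSIX shell lint is an added example and is not part of this comment, of the Ubuntu documentation or of auth-client-config; the function names are hypothetical, and it runs only against constructed sample files in a temporary directory, not the live /etc. It also warns on a bare nullok on pam_unix.so, which accepts local accounts with an empty password field.

```shell
#!/bin/sh
# Added example, not part of the original bug comment or of auth-client-config:
# a small lint for the PAM auth stack and nsswitch.conf produced by the steps
# above. All function names are hypothetical; it runs on constructed sample
# files in a temporary directory, never on the live /etc.

# auth_lines FILE: active "auth" lines of a PAM file, numbered from 1,
# with comments and blank lines dropped.
auth_lines() {
    sed -e 's/#.*//' "$1" | awk '$1 == "auth" { n++; print n ": " $0 }'
}

# auth_pos FILE REGEX: 1-based position of the first auth line matching REGEX, or 0.
auth_pos() {
    pos=$(auth_lines "$1" | grep -E "$2" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# check_pam_auth FILE: returns 0 if the ordering/option invariants hold, 1 otherwise.
check_pam_auth() {
    f="$1"; rc=0
    ldap=$(auth_pos "$f" 'pam_ldap\.so')
    group=$(auth_pos "$f" 'pam_group\.so')
    validate=$(auth_pos "$f" 'pam_ccreds\.so.*action=validate')
    if [ "$ldap" -eq 0 ]; then
        echo "FAIL $f: no pam_ldap.so auth line"; return 1
    fi
    # pam_group.so must run before pam_ldap.so, or LDAP users never get the local groups
    if [ "$group" -ne 0 ] && [ "$group" -gt "$ldap" ]; then
        echo "FAIL $f: pam_group.so (auth line $group) is after pam_ldap.so (auth line $ldap)"; rc=1
    fi
    # pam_ldap.so must reuse the password pam_unix.so already collected
    if ! auth_lines "$f" | grep -E 'pam_ldap\.so' | grep -q 'use_first_pass'; then
        echo "FAIL $f: pam_ldap.so lacks use_first_pass (second password prompt)"; rc=1
    fi
    # With cached credentials, an unreachable server must be ignored (not treated as a
    # wrong password) and pam_ccreds validate must be the very next line, as in step 6.
    if [ "$validate" -ne 0 ]; then
        if ! auth_lines "$f" | grep -E 'pam_ldap\.so' | grep -q 'authinfo_unavail=ignore'; then
            echo "FAIL $f: pam_ldap.so lacks authinfo_unavail=ignore, cache is never consulted"; rc=1
        fi
        if [ "$validate" -ne $((ldap + 1)) ]; then
            echo "FAIL $f: pam_ccreds action=validate is not directly after pam_ldap.so"; rc=1
        fi
    fi
    # Bare nullok accepts local accounts with an empty password field; Ubuntu's
    # default is nullok_secure, which limits that to ttys listed in /etc/securetty.
    if auth_lines "$f" | grep -E 'pam_unix\.so' | grep -Eq '(^|[[:space:]])nullok([[:space:]]|$)'; then
        echo "WARN $f: pam_unix.so uses bare nullok (empty local passwords accepted)"
    fi
    [ "$rc" -eq 0 ] && echo "OK   $f"
    return "$rc"
}

# check_nsswitch FILE: passwd and group must fall back to the nss_updatedb copy
# ("db") after "ldap [NOTFOUND=return]" so lookups still resolve while offline.
check_nsswitch() {
    f="$1"; rc=0
    for db in passwd group; do
        line=$(sed -e 's/#.*//' "$f" | grep -E "^$db:" | head -n 1)
        case "$line" in
            *"ldap [NOTFOUND=return] db"*) ;;
            *) echo "FAIL $f: $db entry is not 'files ldap [NOTFOUND=return] db'"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK   $f"
    return "$rc"
}

WORK=$(mktemp -d)   # sample files are left here for inspection

# Constructed sample: the common-auth from step 6 above (expected to pass).
cat > "$WORK/common-auth.good" <<'EOF'
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
EOF

# Constructed sample: pam_group.so after pam_ldap.so, no use_first_pass, bare nullok
# (expected to fail).
cat > "$WORK/common-auth.bad" <<'EOF'
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so
auth required pam_group.so use_first_pass
auth required pam_deny.so
EOF

# Constructed nsswitch samples: with and without the db fallback.
printf 'passwd: files ldap [NOTFOUND=return] db\ngroup: files ldap [NOTFOUND=return] db\nshadow: files ldap\n' > "$WORK/nsswitch.good"
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$WORK/nsswitch.bad"

check_pam_auth "$WORK/common-auth.good"
check_pam_auth "$WORK/common-auth.bad" || echo "(broken stack rejected as expected)"
check_nsswitch "$WORK/nsswitch.good"
check_nsswitch "$WORK/nsswitch.bad" || echo "(offline fallback missing as expected)"
```

To audit a machine built by these steps, run the script with sh and then point check_pam_auth at a copy of /etc/pam.d/common-auth and check_nsswitch at a copy of /etc/nsswitch.conf; a non-zero exit means one of the invariants above does not hold.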