Thanks for your reply, Adam. The draft version of the documentation is
certainly much better, and I noticed a few updates which solved problems
I had. I am kind of surprised though that there is a separate draft copy
- I think a wiki would work much, much better.
I copied down what I had to do to make client user authentication with
LDAP work for logons. I will definitely try following the new docs the
next time I reload a client, but I think there is probably a lot still
unclear.
This is what I used:
Note: ldapsearch looks at /etc/ldap/ldap.conf, but the config goes to
/etc/ldap.conf
0: Install ldap-utils
apt-get install ldap-utils
1: Install LDAP Client
apt-get install libnss-ldap
(nonstandard) Yes when prompted to use debconf
(nonstandard) Exop used for local password crypt (no idea what's right
here)
Enter ldap://auth.example.com/ for the server.
Enter the base DN like dc=example,dc=com
Select ldap v3
No for 'Make local root db admin' (no idea what this does)
No for 'db requires login'
Note: if not prompted for some options, enter: dpkg-reconfigure ldap-auth-config
2: Manual LDAP Config
(only if you want) nano /etc/ldap.conf
3: Copy Config
cp /etc/ldap.conf /etc/ldap/ldap.conf
4: Use the auth-client-config script to add config settings:
nano /etc/auth-client-config/profile.d/ldap-auth-config
(replace all with the following text)
[open_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
# continuation lines of a multi-line value must be indented, otherwise
# auth-client-config reads them as new keys
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
#the following line (containing pam_group.so) must be placed before pam_ldap.so
#for ldap users to be placed in local groups such as fuse, plugdev, scanner, etc ...
        auth required pam_group.so use_first_pass
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_mkhomedir.so skel=/etc/skel/
        session required pam_unix.so
        session optional pam_ldap.so
(then run the following command)
auth-client-config -a -p open_ldap
(only run this once! otherwise configs look messy with backups.)
5: Add LDAP users to necessary groups.
nano /etc/security/group.conf
(add the following line at the end)
*; *; *; Al0000-2400;audio,cdrom,floppy,plugdev,video,fuse,scanner,dip
(not sure why, but didn't seem to need this in testing)
6: Enable cached credentials:
apt-get install nss-updatedb libnss-db libpam-ccreds
nss_updatedb ldap
nano /etc/nsswitch.conf
(edit the passwd and group entries to the following)
passwd: files ldap [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
(create a cron job to update the db daily)
echo '#!/bin/sh' | sudo tee /etc/cron.daily/upd-local-nss-db
echo `which nss_updatedb` ldap | sudo tee -a /etc/cron.daily/upd-local-nss-db
sudo chmod +x /etc/cron.daily/upd-local-nss-db
nano /etc/pam.d/common-auth
(replace with the following text)
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
# If LDAP is unavailable, go to next line. If authentication via LDAP is successful, skip 1 line.
# If LDAP is available, but authentication is NOT successful, skip 2 lines.
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
7: Restart before logging in!
--
OpenLDAP doc page is horrible
https://bugs.launchpad.net/bugs/355400