Ubuntu LDAP Client Setup
- make sure your LDAP server is reachable:
  - ping ldap.example.org
- install the required packages:
  - aptitude install auth-client-config ldap-auth-client ldap-auth-config libnss-db libnss-ldap libpam-ldap nscd nss-updatedb
- Configuring ldap-auth-config (the debconf questions and the answers used here):
  - Should debconf manage LDAP configuration? Yes
  - LDAP server Uniform Resource Identifier: ldaps://ldap.neuroimaging.org.au (Note: use ldap:// if the server does not enable TLS)
  - Distinguished name of the search base: dc=example,dc=org
  - LDAP version to use: 3
  - Make local root Database admin: Yes
  - Does the LDAP database require login? No
  - LDAP account for root: cn=admin,dc=example,dc=org
  - LDAP root account password: XXXXXXXX
  - Local crypt to use when changing passwords: md5
- If the server enables TLS:
  - copy the CA certificate from the server:
    - mkdir /etc/ldap/certs; scp root@ldap:/etc/ldap/certs/cacert.pem /etc/ldap/certs/
  - edit /etc/ldap.conf (Note: there are two ldap.conf files: /etc/ldap.conf, read by nss_ldap and pam_ldap, and /etc/ldap/ldap.conf, read by the OpenLDAP command-line tools. The one to edit here is /etc/ldap.conf.)
    - vim /etc/ldap.conf
      - host ldap.example.org
      - base dc=example,dc=org
      - uri ldap://ldap.example.org
      - rootbinddn cn=admin,dc=example,dc=org
      - bind_policy soft
      - ssl on
      - ssl start_tls
      - tls_cacertfile /etc/ldap/certs/cacert.pem
    - (Note: ssl on selects LDAPS and ssl start_tls selects STARTTLS on a plain ldap:// connection; keep the one that matches how the server is set up.)
- Now you can test it with the following commands:
  - getent passwd should return the accounts from the LDAP server.
  - nss_updatedb ldap should succeed.
- If the above does not work:
  - check /var/log/auth.log
  - vim /etc/ldap.conf
    - bind_policy hard
    - tls_checkpeer no
  - try getent passwd and nss_updatedb ldap again (Note: tls_checkpeer no turns off verification of the server certificate. Use it only to find out whether the CA certificate is the problem, and set it back to yes once the cause is fixed.)
- Files to look at:
  - /etc/ldap.conf
  - /etc/ldap.secret (Note: you need to update this file if you have changed the rootpw.)
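The troubleshooting settings above are easy to forget once the problem is found. The following POSIX shell function is an added example written for this page (it is not part of Ubuntu or of any LDAP package): it audits an nss_ldap/pam_ldap style /etc/ldap.conf for the settings that weaken the client if left in place. The function name audit_ldap_conf and the sample file it builds are assumptions made for this example; the directive names are the ones used in the configuration above.

```shell
#!/bin/sh
# Added example for this page: audit an nss_ldap/pam_ldap /etc/ldap.conf for
# settings that are useful while troubleshooting but weaken the client if left
# in place. audit_ldap_conf is a hypothetical helper name, not an Ubuntu tool.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_ldap_conf() {
    conf="$1"
    findings=0
    # Drop comments and blank lines; what remains are "directive value" lines.
    stripped=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # tls_checkpeer no: the server certificate is accepted without verification.
    if printf '%s\n' "$stripped" | grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no([[:space:]]|$)'; then
        echo "WARN: tls_checkpeer no - server certificate is not verified; set it back to yes"
        findings=$((findings + 1))
    fi

    has_ssl=0
    if printf '%s\n' "$stripped" | grep -Eiq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)([[:space:]]|$)'; then
        has_ssl=1
    fi

    # TLS turned on but no CA to verify against: tls_checkpeer has nothing to check.
    if [ "$has_ssl" -eq 1 ] \
       && ! printf '%s\n' "$stripped" | grep -Eiq '^[[:space:]]*tls_cacert(file|dir)[[:space:]]+'; then
        echo "WARN: ssl enabled but neither tls_cacertfile nor tls_cacertdir is set"
        findings=$((findings + 1))
    fi

    # Plain ldap:// URI with no ssl directive: binds and lookups cross the wire in clear.
    if [ "$has_ssl" -eq 0 ] \
       && printf '%s\n' "$stripped" | grep -Eiq '^[[:space:]]*uri[[:space:]]+ldap://'; then
        echo "WARN: uri ldap:// without 'ssl on' or 'ssl start_tls' - plaintext connection"
        findings=$((findings + 1))
    fi

    # Both "ssl on" (LDAPS) and "ssl start_tls" (STARTTLS) present: only one can
    # apply to a connection, so the file should say which one is meant.
    ssl_lines=$(printf '%s\n' "$stripped" | grep -Eic '^[[:space:]]*ssl[[:space:]]+(on|start_tls)([[:space:]]|$)' || true)
    if [ "$ssl_lines" -gt 1 ]; then
        echo "INFO: more than one ssl directive; keep the one that matches the server"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample: the ldap.conf from this page with the two troubleshooting
# lines still in it (not a real host configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
host ldap.example.org
base dc=example,dc=org
uri ldap://ldap.example.org
rootbinddn cn=admin,dc=example,dc=org
bind_policy hard
ssl on
ssl start_tls
tls_cacertfile /etc/ldap/certs/cacert.pem
tls_checkpeer no
EOF
audit_ldap_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it as `audit_ldap_conf /etc/ldap.conf` after the client is working; a non-zero return value means something from the troubleshooting list is still in effect.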
- Edit ldap-auth-config:
  - vi /etc/auth-client-config/profile.d/ldap-auth-config
    - [lac_ldap]
    - nss_passwd=passwd: files ldap [NOTFOUND=return] db
    - nss_group=group: files ldap [NOTFOUND=return] db
    - nss_shadow=shadow: files ldap
    - pam_auth=auth sufficient pam_ldap.so
      auth required pam_unix.so nullok_secure use_first_pass
    - pam_account=account sufficient pam_ldap.so
      account required pam_unix.so
    - pam_password=password sufficient pam_ldap.so
      password required pam_unix.so nullok obscure min=4 max=8 md5
    - pam_session=session required pam_unix.so
      session required pam_mkhomedir.so skel=/etc/skel/
      session optional pam_ldap.so
      session optional pam_foreground.so
  - auth-client-config -a -p lac_ldap (Note: lac_ldap is the profile name defined in the /etc/auth-client-config/profile.d/ldap-auth-config file. Do not use the file name here.)
- enable the nss_db cache:
  - vi /etc/cron.hourly/nss_updatedb-ldap.sh
    - #!/bin/bash
    - /usr/sbin/nss_updatedb ldap
  - (Note: the scripts in /etc/cron.hourly are run by run-parts, which only runs executable files whose names contain no dot, so make the script executable and give it a name without the .sh suffix or it will never run.)
  - To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this:
    - passwd: files ldap [NOTFOUND=return] db
    - group: files ldap [NOTFOUND=return] db
  - This means:
    - look first in the local files (/etc/passwd and /etc/group)
    - if not found there, use LDAP
    - when LDAP does not have the user, stop and return nothing (this is the [NOTFOUND=return] directive)
    - if the LDAP server was not reachable, fall back to the cached data in the db
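The order of the sources in nsswitch.conf decides whether the cache is a fallback or an authority. The following POSIX shell function is an added example written for this page (not an Ubuntu tool and not from the original text): it reads an nsswitch.conf, checks that passwd and group use the order described above, and explains what each deviation does to lookup behaviour. The function name check_nsswitch and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this page: check that passwd and group in an nsswitch.conf
# use "files ldap [NOTFOUND=return] db", i.e. local files first, LDAP as the
# authority when reachable, and the nss_db cache only as a fallback.
# check_nsswitch is a hypothetical helper name, not an Ubuntu tool.
# Prints one line per deviation and returns the number found (0 = as expected).
check_nsswitch() {
    conf="$1"
    bad=0
    for db in passwd group; do
        # Use the last uncommented entry for this database.
        line=$(sed -e 's/#.*//' "$conf" | grep -E "^[[:space:]]*$db:" | tail -n 1 || true)
        if [ -z "$line" ]; then
            echo "WARN: $db: no entry (glibc then uses 'files' only; LDAP accounts are invisible)"
            bad=$((bad + 1))
            continue
        fi
        # Reduce the source list to single-space separated words for comparison.
        order=$(printf '%s' "$line" \
              | sed -e "s/^[[:space:]]*$db:[[:space:]]*//" \
              | tr -s '[:space:]' ' ' \
              | sed -e 's/ *$//')
        case "$order" in
            "files ldap [NOTFOUND=return] db")
                ;;   # the order this page recommends
            *ldap*"[NOTFOUND=return]"*db*)
                echo "WARN: $db: '$order' - files is not consulted first, so local accounts (root included) depend on the directory or the cache"
                bad=$((bad + 1)) ;;
            *ldap*db*)
                echo "WARN: $db: '$order' - no [NOTFOUND=return] after ldap; an account removed from LDAP keeps resolving from the stale db cache"
                bad=$((bad + 1)) ;;
            *db*ldap*)
                echo "WARN: $db: '$order' - the db cache is consulted before ldap, so cached data overrides the live directory"
                bad=$((bad + 1)) ;;
            *ldap*)
                echo "INFO: $db: '$order' - no db fallback; lookups fail while the LDAP server is unreachable"
                bad=$((bad + 1)) ;;
            *)
                echo "INFO: $db: '$order' - LDAP is not used for this database"
                bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample nsswitch.conf (not copied from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:         files ldap [NOTFOUND=return] db
group:          files ldap [NOTFOUND=return] db
shadow:         files ldap
hosts:          files dns
EOF
check_nsswitch "$sample" && echo "nsswitch.conf order is as expected"
rm -f "$sample"
```

`check_nsswitch /etc/nsswitch.conf` on the client gives a quick answer to whether a lookup problem is a configuration-order problem; the messages say which of the four steps listed above no longer holds.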
page revision: 12, last edited: 25 Jun 2008 06:22