Debian/Ubuntu Tips and Tricks

Debuntu

Debian/Ubuntu Tips and Tricks

How-To set up a LDAP server and its clients — page 2

Posted by chantra on February 22nd, 2007

This entry is part 2 of 2 in the series How-To set up a LDAP server and its clients

2. Configuring the clients

Each client will need a set of packages. So, now that you are logged on one of your clients, install:

#apt-get install libnss-ldap libpam-ldap nscd
LDAP Account for root: cn=admin,dc=debuntu,dc=local
Password: XXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=debuntu,dc=local
Root login password: XXXX

libnss-ldap will allow us to use ldap as a naming service, libpam-ldap allows pm to authenticate users through LDAP and finally nscd is a password, group and host lookup daemon which caches result so LDAP won't be questionned any time the authentication as to be done.

Now, let's edit the files and make sure you get the following setting:

#vi /etc/libnss-ldap.conf
host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local

#vi /etc/libnss-ldap.secret
XXXXX

#vi /etc/pam_ldap.conf
host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local

#vi /etc/pam_ldap.secret
XXXXX

pam configuration files need to be modfied a bit like:

#vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent

#vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

#vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

#vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so

Finally, let's edit nsswitch so the system will be able to switch from local system authentication to ldap authentication.

# vim /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

With this settings, login is going to be tried agains the local system users first. If it cannot find a match, it will then try to authenticate against the ldap server.
Now, you should be able to connect on any client by using any LDAP user details.

This tutorial is far from being complete, but you should be able to get started :).

2. Configuring the clients

Each client will need a set of packages. So, now that you are logged on one of your clients, install:

#apt-get install libnss-ldap libpam-ldap nscd
LDAP Account for root: cn=admin,dc=debuntu,dc=local
Password: XXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=debuntu,dc=local
Root login password: XXXX

libnss-ldap will allow us to use ldap as a naming service, libpam-ldap allows pm to authenticate users through LDAP and finally nscd is a password, group and host lookup daemon which caches result so LDAP won't be questionned any time the authentication as to be done.

Now, let's edit the files and make sure you get the following setting:

#vi /etc/libnss-ldap.conf
host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local

#vi /etc/libnss-ldap.secret
XXXXX

#vi /etc/pam_ldap.conf
host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local

#vi /etc/pam_ldap.secret
XXXXX

pam configuration files need to be modfied a bit like:

#vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent

#vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

#vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

#vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so

Finally, let's edit nsswitch so the system will be able to switch from local system authentication to ldap authentication.

# vim /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

With this settings, login is going to be tried agains the local system users first. If it cannot find a match, it will then try to authenticate against the ldap server.
Now, you should be able to connect on any client by using any LDAP user details.

This tutorial is far from being complete, but you should be able to get started :).

Series Navigation<< How-To set up a LDAP server and its clients

One Response to “How-To set up a LDAP server and its clients — page 2”

  1. I am in the process of migration a Centos5 OpenLDAP server over to Ubuntu 12.04.3, and I am running in to an issue with the initial configuration. I am trying to replication the structure that was setup by the admin a couple of years back (who is no longer around), but I have been unsuccessful at it. I am hoping that someone could point me in the right direction. The structure of the original install is as follows:

    First the login:

    Login DN: cn=Manager,o=sun

    Structure:
    The top structure only has “o=sun”, no “dc=sun, dc=net”. Then: “ou=Groups, o=sun”,“ou=Users, o=sun”, “sambaDomainName=SUNSERVER”, and “Create new entry here”.

    I am new to OpenLDAP, I have been using the following how-to, successfully, but I have not been able to achieve the desired results.

    http://ideasnet.wordpress.com/2012/1...dition-part-1/

    Thanks in advance,
    Joe

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>