
Each client needs a set of packages. So, now that you are logged on to one of your clients, install:
#apt-get install libnss-ldap libpam-ldap nscd
LDAP Account for root: cn=admin,dc=debuntu,dc=local
Password: XXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=debuntu,dc=local
Root login password: XXXX
libnss-ldap lets the system use LDAP as a naming service, libpam-ldap lets PAM authenticate users against LDAP, and nscd is a passwd, group and host lookup daemon that caches results, so the LDAP server is not queried every time an authentication has to be done.
Now, let's edit the files and make sure you get the following setting:
#vi /etc/libnss-ldap.conf
host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local
#vi /etc/libnss-ldap.secret
XXXXX
#vi /etc/pam_ldap.conf
host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local
#vi /etc/pam_ldap.secret
XXXXX
The PAM configuration files need to be modified a bit, like this:
#vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
#vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
#vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
#vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so
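The order of the control flags in common-auth above is what makes the setup work: pam_ldap.so is sufficient, so an LDAP user who gives the right password is accepted without ever consulting pam_unix.so, while a local account (root, for instance) falls through to pam_unix.so. The small model below is an added example, not part of the tutorial; it implements the control-flag rules from pam.conf(5) and evaluates the tutorial's stack on a few constructed login attempts. The module outcomes are passed in as a dict, since real PAM would obtain them by calling the shared objects.

```python
"""Model of how Linux-PAM combines the control flags in the common-auth stack
above (sufficient / required / requisite / optional).

Added example, not part of the original tutorial. Module outcomes are passed
in as a dict so the control-flag logic can be exercised offline; real PAM gets
them by calling pam_ldap.so and pam_unix.so.
"""
from enum import Enum


class Result(Enum):
    SUCCESS = "success"            # PAM_SUCCESS
    AUTH_ERR = "auth_err"          # PAM_AUTH_ERR: wrong password
    USER_UNKNOWN = "user_unknown"  # PAM_USER_UNKNOWN: module has no such account


def evaluate_stack(stack, outcomes):
    """Return True if the stack grants access, False otherwise.

    stack:    list of (control, module) pairs in file order, e.g. common-auth.
    outcomes: module name -> Result for this attempt; a module absent from the
              dict reports USER_UNKNOWN (the account is not in its database).

    Control flags as documented in pam.conf(5):
      required   failure is remembered but the remaining modules still run
      requisite  failure ends the stack immediately with failure
      sufficient success ends the stack with success unless an earlier
                 'required' module already failed; a failure is ignored
      optional   result only matters when it is the sole module in the stack
    """
    failed = False
    for control, module in stack:
        ok = outcomes.get(module, Result.USER_UNKNOWN) is Result.SUCCESS
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError("unknown control flag: %s" % control)
    return not failed


# The tutorial's common-auth, minus module arguments. use_first_pass on
# pam_unix.so only affects prompting (it reuses the password pam_ldap.so
# already read), not the success/failure logic modelled here.
COMMON_AUTH = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

# Constructed login attempts.
SCENARIOS = {
    "ldap user, correct password": {"pam_ldap.so": Result.SUCCESS},
    "local root, correct password": {"pam_unix.so": Result.SUCCESS},
    "ldap user, wrong password": {"pam_ldap.so": Result.AUTH_ERR},
    "unknown user everywhere": {},
}


def run_scenarios(stack=COMMON_AUTH):
    """Evaluate every constructed scenario against a stack."""
    return {name: evaluate_stack(stack, outcomes) for name, outcomes in SCENARIOS.items()}


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print("%-30s %s" % (name, "access granted" if granted else "denied"))
    # Same modules, swapped order: pam_unix.so's 'required' failure for an
    # LDAP-only account now poisons the later 'sufficient' success.
    swapped = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
    print("swapped order, ldap user:", run_scenarios(swapped)["ldap user, correct password"])
```

The swapped stack at the end is the mistake to watch for: putting `required pam_unix.so` before `sufficient pam_ldap.so` locks out every account that exists only in LDAP, because pam_unix.so's failure for an unknown user is remembered and cancels the later LDAP success.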
Finally, let's edit nsswitch.conf so the system will be able to switch from local system authentication to LDAP authentication.
# vim /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
With these settings, a login is tried against the local system users first. If no match is found, the system then tries to authenticate against the LDAP server.
Now you should be able to log on to any client with any LDAP user's credentials.
This tutorial is far from being complete, but you should be able to get started :).
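Before rebooting a client configured as above, it is worth checking the edited files for the mistakes that most often cause lock-outs: a missing host/base/rootbinddn, a bind password placed in the world-readable .conf instead of the .secret file, a .secret file readable by other users, and nsswitch.conf lines that mix compat with ldap. The script below is an added example, not part of the tutorial; its sample file contents are constructed to mirror the tutorial's values, and the check_* functions accept text (or a path for the secret file) so they can be pointed at the real /etc files. The bind_policy warning reflects nss_ldap's hard default, which is the reboot hang described in the comments.

```python
"""Sanity checks for the client-side files the tutorial edits: the two
ldap .conf files, their .secret files and nsswitch.conf.

Added example, not part of the original tutorial. The sample file contents
below are constructed; the check_* functions take text (or a path for the
secret file), so they can be run against the real /etc files as well.
"""
import os
import stat
import tempfile

REQUIRED_KEYS = ("host", "base", "rootbinddn")
NSS_DATABASES = ("passwd", "group", "shadow")


def parse_kv(text):
    """Parse the 'key value' lines of libnss-ldap.conf / pam_ldap.conf.
    Comments and blank lines are skipped; a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text):
    """Findings for a libnss-ldap.conf or pam_ldap.conf, as a list of strings."""
    conf = parse_kv(text)
    findings = ["missing '%s'" % k for k in REQUIRED_KEYS if k not in conf]
    # nss_ldap defaults to bind_policy hard: while the server is unreachable
    # every lookup is retried with back-off, which is the boot hang reported
    # in the comments. Flag it so the choice is a deliberate one.
    if conf.get("bind_policy", "hard") == "hard":
        findings.append("warning: bind_policy is hard (the default); lookups block while the server is down")
    # These .conf files are world-readable; a bind password belongs in the
    # 0600 .secret file, never here.
    if "bindpw" in conf:
        findings.append("bindpw set in a world-readable .conf file")
    return findings


def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, sources = line.partition(":")
        dbs[name.strip()] = sources.split()
    return dbs


def check_nsswitch(text):
    """Apply the tutorial's rule for passwd/group/shadow: 'files ldap', with
    local files first; 'compat' is only valid on its own, not mixed with ldap."""
    dbs = parse_nsswitch(text)
    findings = []
    for db in NSS_DATABASES:
        sources = dbs.get(db)
        if sources is None:
            findings.append("%s: not configured" % db)
        elif "compat" in sources:
            if len(sources) > 1:
                findings.append("%s: 'compat' mixed with other sources (%s)" % (db, " ".join(sources)))
        elif "ldap" not in sources:
            findings.append("%s: ldap is never consulted" % db)
        elif sources[0] != "files":
            findings.append("%s: local files should come before ldap" % db)
    return findings


def check_secret_mode(path):
    """The .secret file holds the rootbinddn password in clear text, so it
    must not be readable by group or others (0600, owned by root)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s is mode %04o; expected 0600" % (path, mode)]
    return []


# Constructed samples mirroring the tutorial's settings.
SAMPLE_LDAP_CONF = "host ldap\nbase dc=debuntu,dc=local\nrootbinddn cn=admin,dc=debuntu,dc=local\nbind_policy soft\n"
SAMPLE_NSSWITCH_GOOD = "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n"
SAMPLE_NSSWITCH_BAD = "passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n"


def demo():
    """Run every check on the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "libnss-ldap.secret")
        with open(secret, "w") as f:
            f.write("XXXXX\n")       # placeholder password, as in the tutorial
        os.chmod(secret, 0o644)      # the mistake: readable by everyone
        leaky = check_secret_mode(secret)
        os.chmod(secret, 0o600)      # the fix
        fixed = check_secret_mode(secret)
    return {
        "ldap_conf": check_ldap_conf(SAMPLE_LDAP_CONF),
        "nsswitch_good": check_nsswitch(SAMPLE_NSSWITCH_GOOD),
        "nsswitch_bad": check_nsswitch(SAMPLE_NSSWITCH_BAD),
        "secret_leaky": leaky,
        "secret_fixed": fixed,
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

To use it on a real client, read /etc/libnss-ldap.conf and /etc/pam_ldap.conf into check_ldap_conf, /etc/nsswitch.conf into check_nsswitch, and pass the two .secret paths to check_secret_mode; an empty list means that file passed.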
Fixing the Reboot LDAP Lock out
Hi All,
We noticed a lot of people being locked out of their machine after reboot. Our team had the same problem and after 5-6 attempts we found the solution. We use Ubuntu Server Edition 7.10 (Gutsy) so the results may vary.
1) We setup the Server exactly as part one of the Tutorial.
2) We installed the client tools mentioned in the client setup part.
This is where we made the changes to the tutorial's recipe:
3) We didn't edit any of the files mentioned.
Instead we edited /etc/ldap.conf and changed the base (line 27)
to our dc:
base dc=minds,dc=nuim,dc=ie
We also changed the bind policy to soft on line 72:
bind_policy soft
4) Once that was done, we used the auth_client_config script to integrate ldap
into the login system. More about it here: https://wiki.ubuntu.com/AuthClientConfig
The command was:
sudo auth_client_config -a -p lac_ldap
5) A reboot later and we had a perfect ldap setup.
We hope this helps anyone having trouble with ldap. Great tutorial by the way. It really helped us get off the ground. Keep up the good work.
Systems Administrator.
Maynooth Information and Network
Development Society, Ireland.
http://www.minds.nuim.ie
I am stuck when booting...
After rebooting Ubuntu, I cannot log in with either local accounts or LDAP accounts. It shows "Authentication fail" in the GUI and "Access denied" or kicks me out directly in SSH.
I am using Solaris as the LDAP server; it is working fine for RedHat/SUSE LDAP clients.
I have to log in in single mode to change configuration files; I believe they are right. I reset the local accounts and made sure nsswitch.conf includes files, but still cannot log in locally.
JoeyTian@gmail.com
It is not working as you guys said on my computer...
nsswitch.conf Ubuntu 7.04
If I use (files ldap) or (compat ldap), nobody can log in via either GUI or SSH except in single mode.
I can only use compat in nsswitch.conf. Why?
typo in pam configuration
session optionnal pam_foreground.so <-- optional not optionnal
Thanks
Thank you very much for this tutorial. Using this as a starting point I was able to get Ubuntu Feisty on Sun hardware to authenticate with our LDAP server using SSL & TLS. BTW, I had to uncomment the uri lines in libnss-ldap.conf in order to make everything work. I didn't have to do this on the CentOS boxes I have, but Ubuntu wouldn't talk to the ldap server until I did.
Thanks again.
Thanks for this, the typo is
Thanks for this, the typo is now corrected
Debuntu
this article was giving me
this article was giving me troubles, as it wouldn't let me log in no matter what.
I had to restart nscd to allow me to log in via ssh, or via su - user (and I spent a crapload of hours trying to figure out why it wouldn't let me log in :/). IMO it would make sense to add that to the tutorial.
btw, thanks for the tutorial, keep up the good work.
nscd restart
The same occurred to me. Nscd has to be restarted at the end of the client configuration. Otherwise nothing works until nscd syncs with the LDAP server.
Can't Login
Everything looks well configured but I can't log in on the client with a user from the LDAP database. If I enter an incorrect password, it will simply tell me the login is incorrect, as it should, but if the password is the right one, it will simply drop me back at the login prompt instead of dropping me into bash.
I've looked everywhere, can't figure this out. Any ideas?
P.
use_first_pass
Hi,
did you make sure you have:
in /etc/pam.d/common-auth
Debuntu
ldap client not able to logon using ldap-server user database
Hi,
My server is working fine. Whenever I give the getent passwd command at the client it's listing the ldap-server users. But when I try to log on to the client using that username/passwd, it's giving an incorrect user name/password error. I just followed this how-to to set up my ldap server and client. I'm just stuck here.
no boot after nsswitch.conf mod
Ubuntu hangs on boot after modifying nsswitch.conf to what is shown above. Booting into single user mode shows Ubuntu trying to connect to ldap server 127.0.0.1 and failing, using a doubling back-off algorithm for retries, until it hits 64 seconds and then appears to give up. The system gets a little bit further and then hangs for good.
fixed
instead of compat ldap
use files ldap
that fixed it for me
that's right
Hi,
thanks for reporting this.
I've just checked, and compat is used for compatibility with the +/- syntax (allowing users and groups to be included in or excluded from /etc/passwd and /etc/group).
Moreover, compat must be the only source.
I've now changed the post, thanks again for pointing this out.
Debuntu
libnss file names
There is a dash [ - ], not an underscore [ _ ], in the file name, at least on the Debian Etch install I just did.
So the file names are
libnss-ldap.conf and
libnss-ldap.secret
Also thanks for this how to on ldap. It was very helpful.
changed it
Thanks Rob F for reporting this.
That's right, this is a dash. I've changed the tutorial accordingly.
Debuntu