Ubuntu LDAP Client Setup
  1. Make sure your LDAP server is reachable:
    • ping ldap.example.org (this only shows that the host is up; the LDAP service itself is exercised by the tests in step 4)
  2. Install the required packages:
    • aptitude install auth-client-config ldap-auth-client ldap-auth-config libnss-db libnss-ldap libpam-ldap nscd nss-updatedb
      • Configuring ldap-auth-config:
        • Should debconf manage LDAP configuration? Yes
        • LDAP server Uniform Resource Identifier: ldaps://ldap.example.org for LDAP over TLS on port 636, or ldap://ldap.example.org if you switch on StartTLS in step 3 (Note: a plain ldap: URI with no TLS at all sends the bind password, and because of the shadow lookups configured below also password hashes, across the network in clear text; only do that on a network you trust)
        • Distinguished name of the search base: dc=example,dc=org
        • LDAP version to use: 3
        • Make local root Database admin: Yes
        • Does the LDAP database require login? No
        • LDAP account for root: cn=admin,dc=example,dc=org
        • LDAP root account password: XXXXXXXX (debconf writes it to /etc/ldap.secret, which must stay readable by root only)
        • Local crypt to use when changing passwords: md5 (Note: this is pam_ldap's pam_password setting, i.e. the hash the client applies before it sends a new password to the server. The exop choice instead hands the new password to the server's password-modify operation inside the TLS session, so the server applies its own configured scheme; prefer it when the server supports that operation.)
  3. If the server enables TLS
    • copy the CA certificate from the server (scp rides on SSH, so the certificate arrives over an authenticated channel; do not fetch it over an unauthenticated one, since every later certificate check rests on this file):
      • mkdir /etc/ldap/certs; scp root@ldap:/etc/ldap/certs/cacert.pem /etc/ldap/certs/
    • edit /etc/ldap.conf (There are two ldap.conf files. /etc/ldap.conf is read by libnss-ldap and libpam-ldap and is the one edited here; /etc/ldap/ldap.conf is read by the OpenLDAP client library and tools such as ldapsearch.)
      • vim /etc/ldap.conf
        • host ldap.example.org
        • base dc=example,dc=org
        • uri ldap://ldap.example.org
        • rootbinddn cn=admin,dc=example,dc=org
        • bind_policy soft
        • ssl start_tls (StartTLS on the normal ldap:// port. "ssl on" instead means LDAP over SSL and only works with an ldaps:// uri; do not list both, the last ssl line in the file wins.)
        • tls_checkpeer yes
        • tls_cacertfile /etc/ldap/certs/cacert.pem
  4. Now you can test it with the following commands
    • getent passwd should return the accounts from the LDAP server after the local ones.
    • nss_updatedb ldap should succeed.
    • If the above do not work
      • check /var/log/auth.log
      • temporarily relax /etc/ldap.conf to narrow the problem down:
        • vim /etc/ldap.conf
          • bind_policy hard (keep reconnecting instead of failing straight away)
          • tls_checkpeer no (skip verification of the server certificate; if lookups succeed now, the CA file or the name in the server certificate is the problem)
        • try getent passwd and nss_updatedb ldap again
        • tls_checkpeer no removes the only protection against a spoofed LDAP server, so restore tls_checkpeer yes and bind_policy soft as soon as the cause is fixed
      • Files to look at:
        • /etc/ldap.conf
        • /etc/ldap.secret (Note: you need to update this file if you have changed the rootpw. It holds the admin password in clear text, so it must be mode 0600 and owned by root.)
  5. Edit the auth-client-config LDAP profile
    • vi /etc/auth-client-config/profile.d/ldap-auth-config (in the file, the second and later lines of one setting, for example the auth required line under pam_auth, are continuation lines and are indented with a tab)
      • [lac_ldap]
      • nss_passwd=passwd: files ldap [NOTFOUND=return] db
      • nss_group=group: files ldap [NOTFOUND=return] db
      • nss_shadow=shadow: files ldap
      • pam_auth=auth sufficient pam_ldap.so
      •   auth required pam_unix.so nullok_secure use_first_pass
      • pam_account=account sufficient pam_ldap.so
      •   account required pam_unix.so
      • pam_password=password sufficient pam_ldap.so
      •   password required pam_unix.so nullok obscure min=4 max=8 md5
      • pam_session=session required pam_unix.so
      •   session required pam_mkhomedir.so skel=/etc/skel/
      •   session optional pam_ldap.so
      •   session optional pam_foreground.so
    • A few things to know about this profile:
      • the trailing db entry is the nss_db cache filled in step 6; [NOTFOUND=return] means it is consulted only when the LDAP server is unavailable, not when the server simply has no such user
      • nullok_secure and nullok allow empty passwords for local accounts; drop them unless you rely on that
      • min=4 max=8 md5 is the old Ubuntu default for pam_unix; on releases whose pam_unix supports it, sha512 is the better hash for the local shadow file
      • pam_mkhomedir creates the home directory on first login from /etc/skel; add umask=0077 if home directories should not be readable by other users
    • auth-client-config -a -p lac_ldap (Note: lac_ldap is the profile name defined in the /etc/auth-client-config/profile.d/ldap-auth-config file. Do not use the file name here.)
  6. Enable the nss_db cache
    • vi /etc/cron.hourly/nss_updatedb-ldap
      • #!/bin/bash
      • /usr/sbin/nss_updatedb ldap
    • chmod 755 /etc/cron.hourly/nss_updatedb-ldap
    • (Note: cron runs this directory through run-parts, which silently skips file names containing a dot, so a script called nss_updatedb-ldap.sh would never run. run-parts --test /etc/cron.hourly lists the scripts that will actually be executed.)
    • To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this:
      • passwd: files ldap [NOTFOUND=return] db
      • group: files ldap [NOTFOUND=return] db
    • This means:
      • look first in the local files (/etc/passwd and /etc/group)
      • if not found there, ask LDAP
      • when LDAP answers that it has no such user, stop and return nothing (this is the [NOTFOUND=return] directive)
      • if the LDAP server was not reachable, go on to the cached data in db
    • Two consequences worth knowing: the cache is only as fresh as the last hourly run, so an account deleted in LDAP can still resolve on a client whose link to the server is down; and the cache holds only the passwd and group maps, so authentication through pam_ldap still needs the server (or pam_unix with a local password) while LDAP is unreachable.
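The settings from steps 3 and 4 are easy to leave in a half-debugged state (tls_checkpeer no, no CA file, bind_policy hard). The script below is an added example, not part of the original post: it lints the keys this guide touches in an /etc/ldap.conf-style file (the function names lint_ldap_conf, conf_get, finding_count and secret_perms_ok are mine) and checks that a secret file has no group or other permission bits, as /etc/ldap.secret requires. The three configuration files it creates are constructed samples written to temporary files, so it runs without an LDAP server; point it at the real /etc/ldap.conf and /etc/ldap.secret on a client to use it for real.

```shell
#!/bin/sh
# Added example (not from the original post): lint the nss_ldap/pam_ldap
# settings in an /etc/ldap.conf-style file and check secret-file permissions.
# File paths are passed as arguments; the three configs written below are
# constructed samples, not files taken from the post.

# conf_get FILE KEY: print the last value given for KEY (the file is read top
# to bottom and a later line overrides an earlier one); empty if unset.
conf_get() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# lint_ldap_conf FILE: print one finding per line, nothing if the file is clean.
lint_ldap_conf() {
    f="$1"
    uri=$(conf_get "$f" uri)
    ssl=$(conf_get "$f" ssl)
    checkpeer=$(conf_get "$f" tls_checkpeer)
    cacert=$(conf_get "$f" tls_cacertfile)
    policy=$(conf_get "$f" bind_policy)
    tls=no
    case "$uri" in
        ldaps://*) tls=yes ;;                 # TLS from the first byte (port 636)
        ldap://*)
            if [ "$ssl" = start_tls ]; then
                tls=yes                       # StartTLS on the plain port
            elif [ "$ssl" = on ]; then
                echo "uri $uri with 'ssl on': 'ssl on' means LDAP over SSL, use an ldaps:// uri or 'ssl start_tls'"
            else
                echo "uri $uri without 'ssl start_tls': the bind password crosses the network in clear text"
            fi ;;
        "") echo "no uri set" ;;
        *)  echo "uri '$uri' has no ldap:// or ldaps:// scheme" ;;
    esac
    if [ "$tls" = yes ]; then
        [ "$checkpeer" = no ] &&
            echo "tls_checkpeer no: the server certificate is not verified, a spoofed server is accepted"
        [ -z "$checkpeer" ] &&
            echo "tls_checkpeer unset: verification depends on the library default, set 'tls_checkpeer yes'"
        [ -z "$cacert" ] &&
            echo "tls_cacertfile unset: there is no CA to verify the server certificate against"
    fi
    [ "$policy" = soft ] ||
        echo "bind_policy ${policy:-hard}: lookups hang retrying while the server is down instead of falling through to the db cache, set 'bind_policy soft'"
    return 0
}

# finding_count FILE: number of findings as a plain number, for scripting.
finding_count() {
    lint_ldap_conf "$1" | wc -l | tr -d ' '
}

# secret_perms_ok FILE: succeed only if group and others have no permission
# bits (the file holds the rootbinddn password in clear text).
secret_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed samples written to temporary files.
WEAK_CONF=$(mktemp); PLAIN_CONF=$(mktemp); GOOD_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# troubleshooting settings from step 4 left in place, no CA file
uri ldap://ldap.example.org
base dc=example,dc=org
bind_policy hard
ssl start_tls
tls_checkpeer no
EOF
cat >"$PLAIN_CONF" <<'EOF'
# no TLS at all
uri ldap://ldap.example.org
base dc=example,dc=org
bind_policy soft
EOF
cat >"$GOOD_CONF" <<'EOF'
# step 3 as intended: StartTLS, server certificate checked against our CA
uri ldap://ldap.example.org
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
bind_policy soft
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ldap/certs/cacert.pem
EOF

for c in "$WEAK_CONF" "$PLAIN_CONF" "$GOOD_CONF"; do
    echo "== $c: $(finding_count "$c") finding(s)"
    lint_ldap_conf "$c"
done

# mktemp creates files as 0600, which is what /etc/ldap.secret needs.
SECRET_SAMPLE=$(mktemp)
secret_perms_ok "$SECRET_SAMPLE" && echo "$SECRET_SAMPLE: 0600, ok"
```

The weak sample produces three findings (unverified certificate, no CA file, hard bind policy), the no-TLS sample one, and the intended step 3 configuration none. Because conf_get keeps the last value of a key, a file that still carries both "ssl on" and "ssl start_tls" is judged by the line that nss_ldap will actually honour.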