PLATFORM: Ubuntu 8.04 LTS (Hardy)
We are going to set up a Hardy client against an existing LDAP server, using NFS to mount the users' home directories from the server.
apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd ldap-utils
You will again be asked a bunch of questions; the answers are the same as for the server:
LDAP server Uniform Resource Identifier: ldap://ldap.example.com
Distinguished name of the search base: dc=example,dc=com
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=com
LDAP root password: password
Note that answering Yes to the "local root Database admin" question stores this admin password on the client in /etc/ldap.secret (root-only, mode 0600) and sets rootbinddn in /etc/ldap.conf. Every client that holds it can modify the whole directory as cn=admin, so only do this on clients that genuinely need root to change LDAP entries (e.g. root resetting a user's password); otherwise answer No and leave these two blank.
Now we need to edit the following files;
vi /etc/ldap.conf and add this line;
bind_policy soft
With the default hard bind policy nss_ldap and pam_ldap keep retrying an unreachable server, which hangs boot and logins whenever the LDAP server is down; soft makes them give up and fall through to the local files. Also be aware that a plain ldap:// URI sends every bind, including users' passwords at login, in the clear. If the server supports it, use ldaps:// here and in /etc/ldap/ldap.conf, or add ssl start_tls to /etc/ldap.conf.
vi /etc/ldap/ldap.conf
BASE dc=example,dc=com
URI ldap://ldap.example.com
SIZELIMIT 0
TIMELIMIT 0
DEREF never
vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 crypt
Note that crypt selects the traditional DES password hash, which is why max=8 is there: anything beyond eight characters is silently ignored. Hardy's stock common-password uses md5 instead of crypt (and no max=), which is the better choice for the local fallback accounts this line still governs.
vi /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
Two things to keep in mind about pam_mkhomedir with NFS-mounted homes: it creates the directory as root, so if the export uses root_squash (the NFS default) root is mapped to nobody on the server and the creation fails, meaning you either create the home directories on the server or export with no_root_squash, knowing that this lets root on any client write anywhere in the export; and its default umask is 0022, so new homes come out world-readable, which you can avoid with umask=0077 on the pam_mkhomedir line.
vi /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
Now build the local nss_db cache from LDAP. nss_updatedb copies the LDAP passwd and group maps into /var/lib/misc/passwd.db and group.db; NSS only consults that cache if db is listed on the passwd and group lines of nsswitch.conf, so with the configuration above this mainly serves as a test that the client can enumerate the directory.
nss_updatedb ldap
If you get the error;
Failed to enumerate nameservice: No such file or directory
check that the uri line in /etc/ldap.conf is correct and that the server is reachable from the client.
You should now be able to check the server and the name service with;
ldapsearch -x
getent passwd
The LDAP users should be listed after the local ones in the getent output; if they are not, the problem is in nsswitch.conf or /etc/ldap.conf, not in PAM.
Mount a directory for the users' homes using NFS.
Create a mountpoint
mkdir /home/users
Add the following to /etc/fstab
servername:/home/users /home/users nfs defaults 0 0
and mount it with mount -a. Bear in mind that with plain NFS (sec=sys) the server trusts whatever UID the client presents, so this is only as safe as the clients allowed to reach the export; restrict the export to the client addresses in /etc/exports on the server rather than exporting to the whole network.
You should now be able to log in via ssh using the LDAP user "fred"'s credentials.
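As an added example (not from the original post), here is a small POSIX shell script that checks the client files edited above for the points that most often break an LDAP login. It is my own code, assumes the paths and the /home/users mount point used in this post, and adds one check the post does not make: that /etc/ldap.conf uses ldaps:// or ssl start_tls, so that bind passwords are not sent in the clear.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the
# LDAP-client files edited above. Each check takes a root directory (default
# "/") so the same functions run against the live system or a staged copy of
# /etc, and returns 0 (pass) or 1 (fail). Paths, the /home/users mount point
# and the ldap.conf option names follow the post; the "ssl start_tls" check is
# an addition (a pam_ldap/nss_ldap option, not something the post configures).

# bind_policy soft: without it nss_ldap/pam_ldap retry an unreachable server
# forever, and boot or login hangs when the LDAP server is down.
check_bind_policy() {
    root="${1:-/}"
    grep -Eqs '^[[:space:]]*bind_policy[[:space:]]+soft' "$root/etc/ldap.conf"
}

# passwd, group AND shadow must consult ldap. Leaving shadow out is the
# classic reason "getent passwd" shows the user but the login still fails.
check_nsswitch() {
    root="${1:-/}"
    for db in passwd group shadow; do
        grep -Eqs "^[[:space:]]*$db:[^#]*[[:space:]]ldap([[:space:]]|$)" \
            "$root/etc/nsswitch.conf" ||
            { echo "nsswitch.conf: $db does not consult ldap"; return 1; }
    done
}

# common-auth: pam_ldap must be "sufficient" and come before pam_unix, and
# pam_unix must carry use_first_pass so the user is not prompted twice.
check_common_auth() {
    root="${1:-/}"
    f="$root/etc/pam.d/common-auth"
    ldap_no=$(grep -Ens '^auth[[:space:]]+sufficient[[:space:]]+pam_ldap\.so' "$f" | head -n 1 | cut -d: -f1)
    unix_no=$(grep -Ens '^auth[[:space:]]+required[[:space:]]+pam_unix\.so.*use_first_pass' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$ldap_no" ] && [ -n "$unix_no" ] && [ "$ldap_no" -lt "$unix_no" ]
}

# common-session: pam_mkhomedir must be present so a first login gets a home.
check_mkhomedir() {
    root="${1:-/}"
    grep -Eqs '^session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' \
        "$root/etc/pam.d/common-session"
}

# fstab: an NFS export must be mounted on /home/users, where the homes live.
check_home_mount() {
    root="${1:-/}"
    grep -Eqs '^[^#[:space:]]+[[:space:]]+/home/users[[:space:]]+nfs4?[[:space:]]' "$root/etc/fstab"
}

# Plain ldap:// sends every bind password in the clear. Pass only if the URI
# is ldaps:// or STARTTLS is enabled with "ssl start_tls".
check_ldap_tls() {
    root="${1:-/}"
    f="$root/etc/ldap.conf"
    grep -Eqs '^[[:space:]]*uri[[:space:]]+ldaps://' "$f" ||
        grep -Eqs '^[[:space:]]*ssl[[:space:]]+start_tls' "$f"
}

# Run every check against one root, print PASS/FAIL per check, return 1 on
# any failure so the script can be used from a provisioning step.
run_all() {
    root_dir="${1:-/}"
    rc=0
    for chk in check_bind_policy check_nsswitch check_common_auth \
               check_mkhomedir check_home_mount check_ldap_tls; do
        if "$chk" "$root_dir"; then echo "PASS $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    return $rc
}

# Usage: sh ldapclient-check.sh /      (or a staged root such as /tmp/stage)
if [ -n "${1:-}" ]; then run_all "$1"; fi
```

Run it as sh ldapclient-check.sh / on the client after the edits. With the files exactly as written in this post every check passes except check_ldap_tls, which is the point of that check: the post's ldap:// URI works, but it is worth switching to ldaps:// or start_tls before putting real users on it.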
For Gnome Desktop users.
Assigning users to the correct groups at login
vi /etc/security/group.conf (the fields are services;ttys;users;times;groups, so this gives every user logging in through gdm, on any tty, at any time, the listed supplementary groups)
gdm;*;*;Al0000-2400;floppy,audio,cdrom,video,plugdev,scanner
We need to override HAL's behaviour
vi /etc/dbus-1/system.d/hal.conf
Find and remove the following lines;
<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
Be aware that these are HAL's default deny rules: removing them lets any local user, not just the groups HAL's later allow rules name, ask HAL to mount, unmount and unlock volumes. Try the pam_group change below on its own first and only touch hal.conf if LDAP users still cannot mount removable media.
We also need to tell PAM to use the group.conf settings;
vi /etc/pam.d/gdm
Add this line (pam_group assigns the extra groups during the auth phase, so it has to go in the auth stack);
auth optional pam_group.so
Reboot your PC and you should be able to log in to Gnome with an LDAP account!
1 comment:
Thanks. Saved some time.