Friday 12 March 2010

LDAP Client Howto (8.04 LTS)

This is where we configure our client to authenticate with our LDAP server.

PLATFORM: Ubuntu 8.04 LTS (Hardy)

We are going to set up a Hardy client on a server machine, which involves using NFS for mounting the user homes)

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd ldap-utils

You will again be asked a bunch of questions, the answers are the same;

LDAP server Uniform Resource Identifier: ldap://ldap.example.com
Distinguished name of the search base: dc=example,dc=com
ldap://ldap.example.com 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=com
LDAP root password: password

Now we need to edit the following files;

vi /etc/ldap.conf and add this line;

bind_policy soft

vi /etc/ldap/ldap.conf

BASE dc=example,dc=com
URI ldap://ldap.example.com

SIZELIMIT 0
TIMELIMIT 0
DEREF never


vi /etc/pam.d/common-account

account sufficient pam_ldap.so
account required pam_unix.so

vi /etc/pam.d/common-auth

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

vi /etc/pam.d/common-password

password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 crypt

vi /etc/pam.d/common-session

session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so

vi /etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files


Now update nss to use ldap.

nss_updatedb ldap


If you get an error;
Failed to enumerate nameservice: No such file or directory

Check that your uri line in /etc/ldap.conf is correct.

You should now be able to check the server with;

ldapsearch -x

getent passwd

Mount a directory for users homes using NFS.

Create a mountpoint

mkdir /home/users

Add the following to /etc/fstab

servername:/home/users /home/users nfs defaults 0 0

You should now be able to login via ssh using the user "fred"s credentials

For Gnome Desktop users.

Assigning users to the correct groups at login

vi /etc/security/group.conf

gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner


We need to override HALs behaviourl

vi /etc/dbus-1/system.d/hal.conf

Find and remove the following lines;

<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>


We also need to tell pam to use the group.conf settings;

vi /etc/pam.d/gdm

Add this line;

auth optional pam_group.so


Reboot your PC and you should be able to login to gnome using ldap!

1 comment:

Anonymous said...

Thanks. Saved some time.