Friday, 12 March 2010

LDAP Client Howto (8.04 LTS)

This is where we configure our client to authenticate with our LDAP server.

PLATFORM: Ubuntu 8.04 LTS (Hardy)

We are going to set up a Hardy client on a server machine, which involves using NFS to mount the users' home directories.

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd ldap-utils

You will again be asked a series of questions; the answers are the same as before:

LDAP server Uniform Resource Identifier: ldap://
Distinguished name of the search base: dc=example,dc=com
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=com
LDAP root password: password

Now we need to edit the following files:

vi /etc/ldap.conf and add this line:

bind_policy soft

vi /etc/ldap/ldap.conf

BASE dc=example,dc=com
URI ldap://

DEREF never
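The two files above are easy to confuse: /etc/ldap.conf is read by libnss-ldap and libpam-ldap (lowercase keys such as uri, base and bind_policy), while /etc/ldap/ldap.conf is the OpenLDAP client library file used by ldapsearch. The following script is an added example, not part of the original howto, and checks the first of those files before you rely on it for logins. It reports a missing uri or base line (the usual cause of the nss_updatedb error mentioned later) and warns when the URI is plain ldap:// without an "ssl start_tls" directive, since the bind DN, its password and every lookup would otherwise cross the network in cleartext. The "ssl start_tls" directive is nss_ldap's own, and the host name ldap.example.com in the sample is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity-check the nss_ldap /
# pam_ldap client file (/etc/ldap.conf) that debconf wrote and the howto
# edited. Missing uri/base lines are errors; a plain ldap:// URI with no
# "ssl start_tls" line is flagged because credentials would travel unencrypted.

# conf_value FILE KEY: value of the last uncommented KEY line (matched
# case-insensitively), empty string if the key is absent
conf_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{ print $2 }'
}

# check_ldap_conf FILE: prints findings; returns the number of problems found
check_ldap_conf() {
    problems=0
    uri=$(conf_value "$1" uri)
    base=$(conf_value "$1" base)
    ssl=$(conf_value "$1" ssl)
    policy=$(conf_value "$1" bind_policy)

    if [ -z "$uri" ]; then
        echo "ERROR: no uri line (nss_updatedb reports 'Failed to enumerate nameservice')"
        problems=$((problems + 1))
    fi
    if [ -z "$base" ]; then
        echo "ERROR: no base line"
        problems=$((problems + 1))
    fi
    case "$uri" in
        "")        ;;
        ldaps://*) echo "OK: $uri uses LDAP over TLS" ;;
        ldap://*)
            if [ "$ssl" = "start_tls" ]; then
                echo "OK: $uri is upgraded with StartTLS"
            else
                echo "WARN: $uri is cleartext and no 'ssl start_tls' line is set"
                problems=$((problems + 1))
            fi ;;
        *)         echo "WARN: unrecognised uri '$uri'"; problems=$((problems + 1)) ;;
    esac
    if [ "$policy" = "soft" ]; then
        echo "OK: bind_policy soft (an unreachable server fails lookups instead of hanging logins)"
    else
        echo "NOTE: bind_policy is not 'soft'; nss_ldap keeps retrying and logins may hang when the server is down"
    fi
    return "$problems"
}

# Constructed sample mirroring what the howto's debconf answers produce,
# plus the bind_policy line; ldap.example.com is a placeholder host name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.com
ldap_version 3
bind_policy soft
EOF
check_ldap_conf "$sample" || echo "$? problem(s) found in $sample"
rm -f "$sample"
```

Run it against the real file with `check_ldap_conf /etc/ldap.conf`; a non-zero return value means something is missing or the connection would be cleartext.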

vi /etc/pam.d/common-account

account sufficient
account required

vi /etc/pam.d/common-auth

auth sufficient
auth required nullok_secure use_first_pass

vi /etc/pam.d/common-password

password sufficient
password required nullok obscure min=4 max=8 crypt

vi /etc/pam.d/common-session

session required
session required skel=/etc/skel/
session optional

vi /etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

Now update NSS to use LDAP:

nss_updatedb ldap

If you get this error:
Failed to enumerate nameservice: No such file or directory

Check that your uri line in /etc/ldap.conf is correct.

You should now be able to check the server with:

ldapsearch -x

getent passwd
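With "passwd: files ldap" in nsswitch.conf, `getent passwd` lists the local accounts first and then the directory accounts, so a quick comparison against /etc/passwd shows which users are actually being served by LDAP. The script below is an added example, not part of the original howto. It separates the two sources and flags directory accounts that would be ambiguous on this host: an entry with UID 0, or a UID already taken by a local user (file ownership on the NFS-mounted homes then belongs to both). The sample data is constructed, not captured from a real system; the user names and UIDs in it are invented.

```shell
#!/bin/sh
# Added example, not from the original howto: split `getent passwd` output
# into local and LDAP-served accounts and flag directory entries whose UID
# collides with a local account or is 0.

# ldap_only_users LOCAL_PASSWD GETENT_OUTPUT
#   prints, sorted, the names present in the getent listing but not in the
#   local passwd file, i.e. the accounts that came from LDAP
ldap_only_users() {
    # NR==FNR is true only while awk is still reading the first file
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2" | sort
}

# ldap_uid_conflicts LOCAL_PASSWD GETENT_OUTPUT
#   prints "name:uid:reason" for each problematic directory account and
#   returns the number of findings (0 means clean)
ldap_uid_conflicts() {
    awk -F: '
        BEGIN         { n = 0 }
        NR == FNR     { lname[$1] = 1; luid[$3] = $1; next }
        ($1 in lname) { next }   # name defined locally: "files" answers first
        $3 == 0       { print $1 ":" $3 ":uid 0 served from the directory"; n++; next }
        ($3 in luid)  { print $1 ":" $3 ":uid shared with local user " luid[$3]; n++ }
        END           { exit n }
    ' "$1" "$2"
}

# write_sample DIR: constructed sample data (not from a real host);
# DIR/passwd stands in for /etc/passwd, DIR/getent for `getent passwd` output
write_sample() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'sysadmin:x:1000:1000:Local admin:/home/sysadmin:/bin/sh' > "$1/passwd"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'sysadmin:x:1000:1000:Local admin:/home/sysadmin:/bin/sh' \
        'fred:x:10001:10001:Fred:/home/users/fred:/bin/sh' \
        'alice:x:1000:10002:Alice:/home/users/alice:/bin/sh' \
        'dirroot:x:0:0:Directory root:/home/users/dirroot:/bin/sh' > "$1/getent"
}

# On a configured client you would instead run:
#   getent passwd > /tmp/getent.out
#   ldap_uid_conflicts /etc/passwd /tmp/getent.out
d=$(mktemp -d)
write_sample "$d"
echo "accounts served by LDAP:"
ldap_only_users "$d/passwd" "$d/getent"
ldap_uid_conflicts "$d/passwd" "$d/getent" || echo "$? directory account(s) need attention"
rm -rf "$d"
```

Because name lookups stop at the first source that answers, a directory account that shares a name with a local one is silently shadowed by /etc/passwd; the script skips those, but a UID shared between a local and a directory user is reported since both names resolve to the same files on disk.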

Mount a directory for the users' home directories over NFS.

Create a mountpoint:

mkdir /home/users

Add the following to /etc/fstab:

servername:/home/users /home/users nfs defaults 0 0

You should now be able to log in via ssh using the credentials of the user "fred".

For GNOME desktop users

Assigning users to the correct groups at login

vi /etc/security/group.conf


We need to override HAL's behaviour:

vi /etc/dbus-1/system.d/hal.conf

Find and remove the following lines:

<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>

We also need to tell PAM to use the group.conf settings:

vi /etc/pam.d/gdm

Add this line:

auth optional

Reboot your PC and you should be able to log in to GNOME using LDAP!

1 comment:

Anonymous said...

Thanks. Saved some time.