Saturday, 24 April 2010

HOWTO: LDAP Client on 10.04 Lucid Lynx

This is essentially the same as my previous Hardy Heron LDAP howto but with some steps removed. Rather than edit the old article I thought I'd just reproduce it with the appropriate parts omitted. This howto is also relevant to Jaunty and Karmic. The LDAP Server howto can be found here.

PLATFORMS TESTED: Ubuntu 10.04 LTS (Lucid), Ubuntu 11.04 LTS (Natty)

PREREQUISITES:
* A vanilla Ubuntu 10.04 (or later) desktop or server install.
* You have shared your user home directories from an NFS server
* You have successfully installed a working LDAP server

Network overview:
* domain name: tuxnetworks.com
* Servername/IP: ldap.tuxnetworks.com 10.1.1.5
* The user "brettg" is a valid LDAP user on your server.

We are going to set up a Lucid client connected to an LDAP server. We should already have our home directories mounted via NFS.

~$ sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils

You will again be asked a bunch of questions:

LDAP server Uniform Resource Identifier: ldap://ldap.tuxnetworks.com
Distinguished name of the search base: dc=tuxnetworks,dc=com
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=tuxnetworks,dc=com
LDAP root password: (The server LDAP root password)


Now we need to edit the following files:

~$ sudo vi /etc/ldap.conf

and edit these lines to look like this:

bind_policy soft
pam_password crypt

Find the line that begins with uri ldapi:// . . .

Comment the line out and replace it with a line like so:

uri ldap://ldap.tuxnetworks.com/

Edit this file:

~$ sudo vi /etc/ldap/ldap.conf

Edit it to look like this:

BASE    dc=tuxnetworks,dc=com
URI ldap://ldap.tuxnetworks.com

SIZELIMIT 0
TIMELIMIT 0
DEREF never

Edit nsswitch.conf

~$ sudo vi /etc/nsswitch.conf

Enter the following lines:

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

Now update nss to use ldap:

~$ sudo nss_updatedb ldap
passwd... done.
group... done.


Note:
If you get an error . . .
Failed to enumerate nameservice: No such file or directory

. . . then check that your uri line in /etc/ldap.conf is correct and the address is pingable.


You should now be able to check the server with:

~$ ldapsearch -x

That command should output a tonne of stuff from the server LDAP directory. Then check that NSS can see the LDAP accounts alongside the local ones:

~$ getent passwd

You should now be able to login to the client via ssh using the user "brettg"'s credentials.

brettg@jupiter:~$ ssh brettg@galileo
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)

* Documentation: https://help.ubuntu.com/

Last login: Fri Jun 24 14:13:05 2011 from 10.1.1.80
brettg@galileo:~$


Take a look at your passwd file to make doubly sure you are not logging in using local auth:

~$ grep brettg /etc/passwd

If that returns a line then you are probably logged in using a local user. Remove that line from /etc/passwd and try again.
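As an added example (not part of the original howto), a small POSIX shell script that checks the three things the steps above depend on: that the active uri line points at the server rather than the default ldapi:/// socket, that nsswitch.conf consults ldap for passwd, group and shadow, and that the test user is not also a local account. It runs against constructed copies of the files; the paths, sample contents and function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity checks for the client
# files the howto edits. Paths are passed in so the checks can run against
# constructed copies; on a real client point them at /etc/ldap.conf,
# /etc/nsswitch.conf and /etc/passwd.

# The active uri/URI line must use ldap:// against the server, not the
# default ldapi:/// socket (a common cause of "Failed to enumerate nameservice").
check_uri() {  # $1 = ldap.conf path, $2 = expected server host
    line=$(grep -i '^[[:space:]]*uri[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || { echo "no uri line in $1"; return 1; }
    case "$line" in
        *ldapi://*) echo "uri still points at the local ldapi socket: $line"; return 1 ;;
        *"ldap://$2"*) return 0 ;;
        *) echo "uri does not name $2: $line"; return 1 ;;
    esac
}

# passwd, group and shadow lookups in nsswitch.conf must fall through to ldap.
check_nsswitch() {  # $1 = nsswitch.conf path
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" \
            || { echo "$db does not consult ldap in $1"; return 1; }
    done
}

# A test user that also exists in the local passwd file may be authenticating
# locally rather than via LDAP (the grep check from the howto).
check_not_local() {  # $1 = user, $2 = passwd file path
    if grep -q "^$1:" "$2"; then
        echo "$1 is defined locally in $2"; return 1
    fi
}

# Constructed sample files standing in for a half-configured Lucid client.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'base dc=tuxnetworks,dc=com\n#uri ldapi:///\nuri ldap://ldap.tuxnetworks.com/\nbind_policy soft\n' > "$tmp/good.conf"
printf 'base dc=tuxnetworks,dc=com\nuri ldapi:///\n' > "$tmp/bad.conf"
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$tmp/nsswitch.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nbrettg:x:1000:1000::/home/brettg:/bin/bash\n' > "$tmp/passwd"

check_uri "$tmp/good.conf" ldap.tuxnetworks.com && echo "good.conf: uri ok"
check_uri "$tmp/bad.conf" ldap.tuxnetworks.com || echo "bad.conf: uri needs fixing"
check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf ok"
check_not_local brettg "$tmp/passwd" || echo "remove brettg from the local passwd file"
```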

For Gnome Desktop users.

To assign users to the correct groups at login, create a new file called group.conf and place the following line in it:

vi /etc/security/group.conf

gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner


We also need to tell pam to use the group.conf settings:

vi /etc/pam.d/gdm

Add this line:

auth optional pam_group.so

Reboot your PC and you should be able to login to gnome using ldap!

47 comments:

Master David said...

Everything seems to work until getent. Even the ldap search command works. Any suggestions?

Brett said...

Check your /etc/ldap/ldap.conf

There is a line that should say:

URI ldap://ldap.example.com

Check that yours is correct. The default one looks very similar:

URI ldapi:///ldap.example.com

Note the "i" at the end of "ldap" and the three backslashes.

Other than that I can't say what the problem is. I've set up several machines now just cut and pasting from this guide and it has worked perfectly.

Is your LDAP server properly setup? Do you have other clients working on it?

Master David said...

Brett, great doc, but here are some things I had to do (took 3 weeks and 5 different web docs; yours was the most complete but I needed 4 others to correct problems).
I changed apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd ldap-utils to apt-get install libpam-ldap (libnss-ldapd) nss-updatedb libnss-db nfs-common nscd ldap-utils.
This fixed the getent passwd.

Created additional links to /etc/ldap.config /etc/pam_ldap.conf & /etc/ldap/ldap.conf

Modified the host line and removed rootbinddn in ldap.conf

But I got it working :) Thanks for the doc. BTW I'm running Redhat DS with an Ubuntu 10.04 client.

- David

Mike said...

That's great, however my family prefer KDE over Gnome. Any tips on setting up the groups for use with KDM/KDE?

Brett said...

Sorry Mike, I don't use KDE at all, no idea how it should be set up.

Dhyaan said...

Hi, great tutorial. Used the server and samba ones and they worked flawlessly.
When I try to use the client one, when I update I get the error below. Any ideas?

Failed to enumerate nameservice: Transport endpoint is not connected
passwd... nameservice unavailable.

Brett said...

Dhyaan

Your ldap.conf is not configured correctly. The uri line is easily misread, check it again.

Craig said...

Brett, thanks for this great tutorial.
I have joined 5 ubuntu lucid clients to our Lucid LDAP server and it works perfectly.
One thing: I realise that password expiration does not trigger; even when sambaPwdMustChange is 0, the lucid client can still login.
Could you please point me in the right direction?

Brett said...

Sorry Craig, I have no idea about that. I've been having trouble with passwords expiring myself. If you get an answer I'd appreciate if you posted it here!

snarf said...

Hi, very good global tutorial from what I already checked on the net.
It worked well nearly up to the end but I can't log my client (ubuntu 10.04) in against the server.
I got two errors pop up after the login screen: could not update ICEauthority file /home/myuser/.ICEauthority and then usr/lib/ligconf2-4/gconf-sanity-check-2 exited with status 256.
It appears that /home/users is not mounted (so probably the rest of the problem (nautilus can create /home...)).
Even manually: mount -t nfs IP_ldap_server:/home/users /home/users
the mount is not active. NFS problem?
Thanks for any help

snarf said...

Sorry for my previous comment, I missed the NFS share... login is now successful. My last problem is that the samba share is browseable but I can't access it (NT_STATUS_LOGON_FAILURE) when logged in with an LDAP user.
Any hints are welcome
Thanks again for your work !!

ikke said...

Here's a tip about something that took me a lot of time.
If you configure an LDAP-based address book in Thunderbird nothing will happen; it doesn't even ask for a password.
This is because Thunderbird, in my opinion, acts extremely stupid.
Only when you enter at least one character in the search box in the address book panel will Thunderbird ask for a password and the addresses start displaying.
If the search box is cleared, the list of addresses is emptied.

It took me 2 hours before I realised this.

Anonymous said...

In order to have 'getent passwd' working, I had to re-enter the URI line from /etc/ldap.conf in /etc/nslcd.conf plus '/etc/init.d/nslcd restart'. After that, 'getent passwd' worked like a charm.
I love Ubuntu for changes like that :-(

charaoui said...

I'm having the same problem as snarf. I can login on a client using my UID and PW but then as I login I get errors:

1. Could not update ICEauthority file /home/myuser/.ICEauthority and
2. usr/lib/ligconf2-4/gconf-sanity-check-2 exited with status 256..
3. Nautilus can't create ....

I noticed that this thread says that the prerequisites are to have an NFS server to export home directories... as a newbie, I'm wondering how to install an NFS server as this isn't included in the tutorial. I was also under the assumption that SAMBA (SMB) functions as an NFS server... no? Please help. Just want to be able to login using my UID and PW and have a mounted home directory on the ubuntu desktop.

Thanks!

Jonathan said...

Hi there Brett,

I have a couple of questions I wanted to ask you about this tutorial. I followed your tutorial about setting up an ldap server and that was a great tutorial very easy to understand and follow.

My questions for this tutorial are:

Add the following to /etc/fstab

'servername:/home/users /home/users nfs defaults 0 0' Could you tell me what I need to put there, as in the name of the machine that runs the ldap server, or should it be left as it is?

Thanks in advance for your help Brett

Cheers
Jonny

Brett said...

Jonathan,

You need to put the name of the server with the NFS share you want to mount.

Jonathan said...

Hi Brett,

Thanks for replying so quickly. I guessed that is what I would need to do but I was having a senior moment last night and thought I should just double check.

Thanks again, and great how to guides. I would certainly recommend these to a friend.

akshat said...

Hello Brett...

I have used your blog and put the settings as defined by you but I'm facing the following issues:

I have a problem authenticating with the LDAP Server...

It's not able to bind the user with crypt passwords, but the other password algorithms like MD5, SSHA, SHA are working fine. The problem is that I have migrated all the accounts from NIS, so all the old accounts have crypt passwords.

2nd thing is that if I am creating a new account or modifying the previous account's password to another password algorithm and logging in through SSH on the server with the username/password, after giving the passwd command it changes the password automatically to the crypt algorithm. How can I restrict it to a certain algorithm? Moreover, if the password has the crypt algorithm it is not able to change the password; it is not taking the old password and displays...

Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:

Please help me out, I'm stuck in this since the last 1 week......:(

John Rose said...

I'm tearing my hair out. I get:
administrator@Ubuntu:~$ sudo nss_updatedb ldap
Failed to enumerate nameservice: No such file or directory
passwd... nameservice unavailable.

My URI line in /etc/ldap/ldap.conf is:
URI ldap://ldap.d2c.local

I'm using Ubuntu 10.04 to connect to SME Server 7.5.1. Any ideas please?

PS there is a line
pam_password md5
in /etc/ldap.conf.
Should it have a # put in front of it?

F. Schoubben said...

Thanks for this tutorial, it helps me a lot for our school.
Would you mind if I publish a translation (in French), adapted for Belgian (Wallonia) schools? I haven't seen a license on your work, and I'd like to put it under Creative-commons By-Sa...

John Rose said...

I got Ubuntu 10.04.1 connected to SME Server with the following changes:
sudo apt-get install libpam-ldapd libnss-ldapd nss-updatedb libnss-db nfs-common nscd ldap-utils (note the d's)
For URI, use ldap://ldap.serverip (e.g. 10.1.1.5)
In popup window labelled Configuring libnss-ldapd: select (using spacebar) passwd, group & shadow
No need to edit /etc/ldap.conf (in fact, doesn't exist)
Edit /etc/ldap/ldap.conf using serverip rather than example.com
No need to edit /etc/nsswitch.conf

However, if I login to a Ubuntu user who is not set up on the LDAP server, it's allowed without any error message. Should this happen?

lex said...

Thanks for the article. There aren't many cookbook explanations using modern versions of openldap and ubuntu.

Though I'm not clear why you are installing nss-updatedb. This seems to be only used for storing local db cache copies. https://help.ubuntu.com/community/PamCcredsHowto is a good explanation of configuring it.

David Hamilton said...

Thank you! A great tutorial. After days of struggling with this, your help was exactly what I need.

Anonymous said...

Hi, I've followed this guide to set up a network with ubuntu 10.4 LTS and winxp pro sp3 clients. With xp clients it works perfectly but I've some troubles with linux clients...
First I had to add these lines in the /etc/ldap.conf:
uri ldap://@ipserver
uri ldaps://@ipserver
uri ldapi://@ipserver
otherwise the getent passwd doesn't work.
But even if the getent passwd works, the ldapsearch -x command shows me a thing like "32 results, No such object."
When I try to logon with gnome I've got this error: authentication failed.
(I'm sure my logon and password are correct.)

Adam smith said...

Hi Brett, thanks for the great tutorial, it is really good, it worked wonders for me. I just have a small concern: I cannot log in as a local user of the machine, as the root user. I want it to check /etc/passwd before going to the LDAP database, any ideas? Please, I really need this to work.

Anonymous said...

Hi, I solved the problem, and I can now logon on the console.

But with gnome I've got this error:
Could not update /home/user/.ICEauthority.
I changed the owner with chown to the user but it doesn't change anything.
I can only logon with Windows users on the ubuntu server but with ubuntu clients it works only in console mode....
It's cool but a little sad.

samylinux said...

Hi Brett,
Thanks for the wonderful document; with the help of the doc I have configured the ldap server with samba completely. Now, where do I create the user for the domain users in the PHP Ldapadmin? And also please guide me how to configure the ldap in Windows.

Charles said...

Same issue as some others:

1. Could not update ICEauthority file /home/myuser/.ICEauthority and
2. usr/lib/ligconf2-4/gconf-sanity-check-2 exited with status 256..
3. Nautilus can't create ....

My issue is that I need to not use NFS for home dirs (which I know this tutorial is based on). This is because I have a laptop that will not always be on the LDAP network, so I need to have local homes. I have found some articles on using pam_ccreds, but I'm wondering if anyone knows an easier way?

drei said...

Same here, can only login in console mode but not in gnome.
By the way, it's a very cool tutorial, thx

Akiriza Lydea said...

Hey drei and all the others with the same challenge as drei, did anyone finally figure out the solution?! I've been at this for hours and days and weeks and have not yet succeeded! Any help would be greatly appreciated!
Riza

Jonny said...

Hi all,

I have followed the guide and have managed to implement the authentication side no problems. Clients authenticate against the server but when I try to implement the home directories section of the tutorial I get several error messages and have not yet worked out how to sort this out. If anyone has any idea please help as I need to get the client and servers operational soon. I see others have had the same problem.


The errors I get are:

1. Could not update ICEauthority file /home/myuser/.ICEauthority and
2. usr/lib/ligconf2-4/gconf-sanity-check-2 exited with status 256..
3. Nautilus can't create ....


Please help anyone. I have not been able to solve this. Thanks

Brett said...

Jonny, you don't say what you are trying to do when you get those errors. It would help if you were to provide the commands you are entering and their output.

Joao Dias said...

Hey, does this tutorial also work for a setup between a Natty server and a Maverick client (mainly for the client)?

Brett said...

I don't know Joao, why don't you give it a go and let me know?

Joao Dias said...

Lol, sorry, it was my mistake not to mention why I was asking.

I followed all the steps in the tutorial, and I can't login with other users (except for those that are already in my client - the user I called "vbox").

Although I sort of can login with a user from my LDAP server, I have to "switch users" (leaving my default client user open) while I login with the "external" one. Once I login with that user, I get the same error that Jonny had yesterday (ICEAuthority) :(

I have another question:
When you mention "'servername:/home/users /home/users nfs defaults 0 0'" In the tutorial, should I leave servername as it is, or should I replace it with my own servername?

This is a bit confusing to me, because it's the first time I'm setting up this kind of network.

Jonny said...

Hi Brett,

Sorry I forgot to mention that. I am getting these errors when I login from an Ubuntu 10.04 desktop. It authenticates against the ldap server but has problems with the home directories and NFS stuff by the looks of things. It does the same with an OpenSuse 11.3 desktop client.

Any ideas?

Cheers in advance for any suggestions and help.

Jonny said...

Hi Brett,

I have tried to follow your tutorial again and I am still getting the same error messages included below.

1. Could not update ICEauthority file /home/myuser/.ICEauthority and
2. usr/lib/ligconf2-4/gconf-sanity-check-2 exited with status 256..
3. Nautilus can't create ....

I am getting these when I enter username and password to logon to the client machine. It authenticates fine but then fails due to the error messages above. I am not entering any commands when I get these, just a username and password on the client login screen.

Any help would be great as I need to get the network running soon.

Many thanks in advance for any help or hints you can give me.

Brett said...

Jonny, I have just gone through the tutorial with a brand new Natty client and it worked fine. Are you sure you followed the steps properly?

Or perhaps your server install is flaky?

P.S. While doing the tutorial again I cleaned it up and fleshed it out a bit. Maybe you could try it again.

Anonymous said...

ldapsearch -x works
getent passwd works
getent group works

My problem is, when I start the system, I can only login with local user accounts - any suggestions?

Anonymous said...

Hi Brett,

Really nice howto. Worked like a charm, took me only a few minutes to get ldap auth up and running.

But there is one thing left for me. I want to connect to our active directory and therefore I need encryption as well.

So do you have any idea how to add this on top of your configuration?

Anyway, many thanks for sharing this so far.

regards tcpdump

Anonymous said...

Hi Brett, great tutorial,
but I have some problem:
ldapsearch -x (works)
but I don't have getent passwd

Anonymous said...

ZIZOde

thx for help

cwilk said...

Everything works up to the point that I try to do the sudo nss_updatedb ldap. Get the error

Failed to enumerate nameservice: Bad file descriptor
passwd... nameservice unavailable.

Any ideas?

cwilk said...

Everything worked great up to the

sudo nss_updatedb ldap

I get the

Failed to enumerate nameservice: Bad file descriptor
passwd... nameservice unavailable.

Any ideas?

Brett said...

@CWILK

I expect you cannot ping your ldap server by name

ping ldap

If not, you can enter the details into the hosts file on the client

cwilk said...

Brett, I can ping my ldap server. Just can't get the nss_updatedb ldap to run correctly.

chetan said...

Sir, all that I followed and executed very well. I can login using the username and password on the client machine... but what about the rights?
How will I be able to give selected permission to selected users... can anyone please help me on this?