HannibalWiki

Tested on Debian-4.0, Debian-3.1 and Ubuntu-Jeos-7.10.

Install the necessary software

apt-get install libnss-ldap libpam-ldap

Add ldap to /etc/nsswitch.conf

passwd:      compat ldap
group:       compat ldap
shadow:      compat
hosts:       files dns
networks:    files
protocols:   db files
services:    db files
ethers:      db files
rpc:         db files
netgroup:    nis

Edit /etc/libnss-ldap.conf

host ldap.intra.example.com
base dc=intra,dc=example,dc=com
ldap_version 3
timelimit 30
bind_timelimit 30
pam_filter objectclass=posixAccount
pam_password md5
bind_policy soft
ssl start_tls

Edit /etc/pam_ldap.conf

host ldap.intra.example.com
base dc=intra,dc=example,dc=com
ldap_version 3
timelimit 30
bind_timelimit 30
pam_filter objectclass=posixAccount
pam_password md5
bind_policy soft
ssl start_tls

Edit /etc/pam.d/common-account

account sufficient       pam_ldap.so
account required         pam_unix.so try_first_pass

Edit /etc/pam.d/common-auth

auth sufficient       pam_ldap.so
auth required         pam_unix.so try_first_pass

Edit /etc/pam.d/common-password

password sufficient       pam_ldap.so md5
password required         pam_unix.so md5 try_first_pass

Edit /etc/pam.d/common-session

session sufficient       pam_ldap.so
session required         pam_unix.so

Edit /etc/ldap/ldap.conf

URI     ldap://ldap.intra.example.com
BASE dc=intra,dc=example,dc=com
HOST ldap.intra.example.com
TLS_CACERTDIR /etc/ldap/cacerts/
TLS_REQCERT allow
#TLS_REQCERT allow  # for a Ubuntu-desktop?

Create the directory for the public certificates of Certificate Authorities

mkdir /etc/ldap/cacerts

Now we have to convert the public CA-certificate of the Fedora Directory Server (which was created by the setupssl.sh script, see our FDS documentation for more information on this procedure) for usage with libnss/pam. The script puts the cacert.asc file in the directory /opt/fedora-ds/alias . Copy it to your client (the server or virtual server you're working on right now is a LDAP-client) and run (you might need to install the openssl package first if that isn't already available on your system):

apt-get install openssl
cp cacert.asc /etc/ldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0

At this moment PAM and NSS should be able to connect to your corporate LDAP-server. This example should list your local Unix-users and also your LDAP-users with a properly configured POSIX-account.

getent passwd

Check /etc/libnss-ldap.secret for the correct password (in case of non-anonymous bind; configured in /etc/libnss-ldap.conf in the attribute rootbinddn).

One very handy feature of the pam_ldap.so module is the possibility to create a configuration per individual service. This is done by pointing the module to a specific configuration file. For instance we want to add a customized pam filter for services like 'ssh' and 'login' that we don't want to use for other services. Of course this is just an example. It's not limited to 'pam account'!

...
account sufficient       pam_ldap.so config=/etc/pam_ldap.conf-access
...

Example filter we use for 'ssh' and 'login' (line in /etc/pam_ldap.conf-access). We use the trust-schema in LDAP to limit access to our hosts:

...
pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=xendns)
...

There seemed to be a problem with libnss-ldap on Ubuntu Dapper. We just can't get it to work properly. As a workaround we keep the TLS configuration in PAM (i.c the file /etc/pam_ldap.conf) and we comment the start_tls line in libnss-ldap (i.c. the file /etc/libnss-ldap.conf). This results in a somewhat less ideal situation, however passwords still go encrypted over the network.

Only on Ubuntu Dapper(!) edit /etc/libnss-ldap.conf

...
# ssl start_tls
...  

To prevent the startup of the X desktop during boot, add in /etc/ldap.conf:

bind_policy soft

See also: https://help.ubuntu.com/community/LDAPClientAuthentication for Ubuntu 7.10 and newer.