This is a short tutorial describing how to set up a Debian client to use an existing LDAP server for user authentication.
Right, so I assume you're using Debian sarge (aka stable) on the client machines. I'll further suppose that the LDAP server is already configured and running correctly.
On the client side, let's start with the installation of the needed packages:
apt-get install libnss-ldap libpam-ldap
The Debian Configuration screen will ask you about the following things:
- LDAP server - This is just the IP address of the LDAP server you want to use
- Distinguished name of search base - In our example, this is dc=stoop,dc=home
- LDAP version - We're using version 3.
- Database requires login? - Can be answered no in our case
- Make configuration readable/writable by owner only? - Since we do not store any security relevant info in these files, it is safe to answer no here.
The contents of /etc/pam_ldap.conf and /etc/libnss-ldap.conf can be obtained here (pam_ldap.conf) and here (libnss-ldap.conf).
Please note: I did not make too many changes to these files. In fact, all I did was to make sure that the host and the base entries in both files are pointing to my LDAP server and to the correct base DC, respectively.
Important: As far as I know, these two files must be world-readable. Don't store any passwords in them. If you can't bind to your LDAP server anonymously, use the file /etc/ldap.secret (probably a Debian thing only) to store the password and chmod it 700.
NSS & PAM configuration
You should change the first three configuration directives in /etc/nsswitch.conf according to:
passwd: compat ldap
group:  compat ldap
shadow: compat ldap
You can leave the rest as is. The lines above tell your system it should ask the LDAP server for the contents of the files /etc/passwd, /etc/group and /etc/shadow. You can test if this works by issuing, for example
getent passwd
You should get a list of all user accounts, including those from the LDAP server. If you can only see local accounts, check your configuration and, especially, check the system logs on the client.
Okay, let's care about PAM authentication. My version of the files looks as follows:
# /etc/pam.d/common-account:
account sufficient pam_ldap.so
account required   pam_unix.so try_first_pass

# /etc/pam.d/common-auth:
auth    sufficient pam_ldap.so
auth    required   pam_unix.so nullok_secure try_first_pass

# /etc/pam.d/common-password:
password sufficient pam_ldap.so
password required   pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

# /etc/pam.d/common-session:
session required   pam_ldap.so use_first_pass
session sufficient pam_unix.so
This configures PAM to ask the LDAP server first and then fall back to the plain files (/etc/shadow etc.) when the LDAP server is not available.
I did not change any of the other files in /etc/pam.d/. They all include the four files above somewhere, using @include <filename>.
IMPORTANT: Once LDAP/PAM is working, you have to make sure that you do not have the same username(s) and group(s) in /etc/passwd, /etc/shadow and /etc/group as in LDAP. Otherwise, strange behaviour may occur. One very weird, but common result is that you can log in successfully (i.e. the password authentication works), but when you try to list/see your own files (ls -l etc.), you get a
ls .: Permission denied
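The two checks this tutorial relies on (that nsswitch.conf really routes passwd, group and shadow to LDAP, and that no account is defined both locally and in LDAP) can be scripted. The following is an added example and not part of the original tutorial: it runs against constructed sample data embedded in the script, so it works offline; the check_live_system wrapper feeds it the real /etc/nsswitch.conf and the real getent output instead. A name that getent passwd lists twice is exactly the local-plus-LDAP duplicate warned about above, and the script also prints each UID it saw for that name, since a mismatch between the local and the LDAP UID is what turns a successful login into "Permission denied" on your own files.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks for an LDAP
# NSS/PAM client. Runs on the constructed sample data below; on a live box
# call check_live_system instead.

# Constructed sample of /etc/nsswitch.conf: shadow is missing the ldap source.
SAMPLE_NSSWITCH='passwd:         compat ldap
group:          compat ldap
shadow:         compat
hosts:          files dns'

# Constructed sample of `getent passwd` on a misconfigured client: "alice"
# exists in /etc/passwd (uid 1001) AND in LDAP (uid 10001).
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Local:/home/alice:/bin/bash
bob:x:10002:10000:Bob LDAP:/home/bob:/bin/bash
alice:x:10001:10000:Alice LDAP:/home/alice:/bin/bash'

# Print the names of the passwd/group/shadow databases whose nsswitch.conf
# line does not list the "ldap" source, one per line. Empty output means
# all three are LDAP-enabled. Argument: the text of nsswitch.conf.
nss_missing_ldap() {
    printf '%s\n' "$1" | awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            db = substr($1, 1, length($1) - 1)
            for (i = 2; i <= NF; i++) if ($i == "ldap") ok[db] = 1
        }
        END {
            split("passwd group shadow", want, " ")
            for (i = 1; i <= 3; i++) if (!ok[want[i]]) print want[i]
        }'
}

# Print "name uid1 uid2 ..." for every user name that occurs more than once
# in passwd-format input (the output of `getent passwd`). Two entries for one
# name means the account exists both locally and in LDAP. Argument: the
# passwd-format text.
duplicate_accounts() {
    printf '%s\n' "$1" | awk -F: '
        { count[$1]++; uids[$1] = uids[$1] " " $3 }
        END { for (n in count) if (count[n] > 1) print n uids[n] }' | sort
}

# Wrapper for a real client: read the live files instead of the samples.
check_live_system() {
    echo "databases without ldap source:"
    nss_missing_ldap "$(cat /etc/nsswitch.conf)"
    echo "accounts defined more than once (name followed by each uid):"
    duplicate_accounts "$(getent passwd)"
}

# Demo run on the constructed data.
echo "databases without ldap source:"
nss_missing_ldap "$SAMPLE_NSSWITCH"
echo "accounts defined more than once (name followed by each uid):"
duplicate_accounts "$SAMPLE_GETENT"
```

On the sample data the first check reports "shadow" and the second reports "alice 1001 10001". On a correctly configured client both checks print nothing; any duplicate it does report should be resolved by removing the local copy of the account (after confirming which UID owns the user's files) rather than by keeping both.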