This document details the steps required to make an Ubuntu or Debian machine an LDAP client for authentication purposes.
So you've got an LDAP server floating around and you'd like to have your Ubuntu or Debian client authenticate against it. It's assumed here that you already have an LDAP server and you or your admin can provide the answers to some of the questions asked upon configuration. Firstly, you'll need to open up your favourite package manager and install libpam-ldap and libnss-ldap:
$ apt-get install libpam-ldap libnss-ldap
This command will bring down all the required libraries to enable you to have your machine authenticating against the LDAP server of your dreams. Once the packages start being unpacked you'll be hit up for a few questions:
- IP address / hostname of the LDAP server. ie: ldap.my.domain
- The search base of your LDAP domain. ie: dc=my,dc=domain
- You'll be asked the version of LDAP server you're connecting to, "Version 3" ought to be safe in most cases.
- A screen titled "Configuring LIBNSS-LDAP" will appear with only the "OK" option. Select it :)
- On the next screen you'll be asked if you want to make root the DB admin. The best answer is "yes".
- Now you'll be asked whether the DB requires logging in, say "No".
- You'll be asked for the root login account for LDAP. It is often something like: cn=manager,dc=my,dc=domain
- Then you'll need to enter the LDAP password for the aforementioned LDAP account.
That will see all the packages installed and the base configurations satisfied. If your LDAP server is already populated with content then at this point you should be able to run commands such as "getent passwd <username>"; if that username exists only in LDAP (not in /etc/passwd) and you get a response, then you answered all the questions correctly. Now you need to customise PAM to make it use LDAP for authentication. You'll need to run the following command:
$ sudo vi /etc/pam.d/sudo
Once deep in the bowels of the sudo file, you need to add one line above the existing line, something like this:
auth sufficient pam_ldap.so
auth required pam_unix.so
(Note: From Ubuntu 5.10 (Breezy) and Debian 3.1 (Sarge) you no longer need to edit /etc/pam.d/sudo.) This process now gets repeated for four more files, so I'll show the vi command and then the changes required:
$ sudo vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
$ sudo vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure
$ sudo vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
$ sudo vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
Last but not least we need to edit nsswitch.conf:
$ sudo vi /etc/nsswitch.conf
and once you're in that file, run this command:
:%s/compat/ldap files/g
Tada! If you've entered in all your local configuration information correctly, you'll have a living breathing LDAP authentication client. Enjoy :)
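The following script is an added example and is not part of the original post. It checks the two properties of the edits above that matter most when the LDAP server is unreachable (at boot, or during a login): that each PAM stack still falls through to pam_unix.so because pam_ldap.so is "sufficient" rather than "required" and sits above it, and that nsswitch.conf consults "files" before "ldap" so root and other local accounts keep resolving. It runs against constructed copies of the files in a scratch directory, never against /etc, and the sample file contents, the function names and the "files ldap" ordering (rather than the article's literal "ldap files") are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Validates the PAM and
# nsswitch.conf edits described above against constructed sample files, so it
# runs offline without touching /etc.
set -u

WORK=$(mktemp -d)   # scratch directory holding the constructed sample files

# pam_stack_ok FILE TYPE
# Returns 0 when FILE has "TYPE sufficient pam_ldap.so" before
# "TYPE required pam_unix.so"; 1 otherwise. Comment and @include lines are
# skipped because their first field is not a PAM type.
pam_stack_ok() {
    awk -v t="$2" '
        $1 == t && $2 == "sufficient" && $3 == "pam_ldap.so" && !ldap { ldap = NR }
        $1 == t && $2 == "required"   && $3 == "pam_unix.so" && !unix { unix = NR }
        END { exit !(ldap && unix && ldap < unix) }
    ' "$1"
}

# nss_files_first FILE DB
# Returns 0 when the DB line (passwd, group, shadow) lists "files" before
# "ldap"; 1 when ldap is missing, listed first, or the DB line is absent.
nss_files_first() {
    awk -v db="$2" '
        $1 == (db ":") || $1 == db {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "ldap"  && !l) l = i
            }
        }
        END { exit !(seen && f && l && f < l) }
    ' "$1"
}

# enable_ldap_nss FILE
# The same substitution as the article's ":%s/compat/ldap files/g", but
# emitting "files ldap" and keeping a .bak copy (avoids sed -i for portability).
enable_ldap_nss() {
    cp "$1" "$1.bak"
    sed 's/compat/files ldap/g' "$1.bak" > "$1"
}

# --- constructed sample files (not real system files) ----------------------

# common-auth as the article shows it.
cat > "$WORK/common-auth.good" <<'EOF'
# constructed sample of /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure
EOF

# A common mistake: pam_ldap made "required", so a dead LDAP server locks
# out local accounts as well.
cat > "$WORK/common-auth.bad" <<'EOF'
auth required pam_ldap.so
auth required pam_unix.so nullok_secure
EOF

# nsswitch.conf as shipped, before the edit.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF

# The article's literal ordering, kept for comparison: ldap before files.
cat > "$WORK/nsswitch.ldap-first" <<'EOF'
passwd:         ldap files
group:          ldap files
shadow:         ldap files
EOF

enable_ldap_nss "$WORK/nsswitch.conf"

# report prints one PASS/FAIL line per check.
report() {
    for f in "$WORK/common-auth.good" "$WORK/common-auth.bad"; do
        if pam_stack_ok "$f" auth; then echo "PASS: $f"; else echo "FAIL: $f"; fi
    done
    for f in "$WORK/nsswitch.conf" "$WORK/nsswitch.ldap-first"; do
        if nss_files_first "$f" passwd; then echo "PASS: $f"; else echo "FAIL: $f"; fi
    done
}
report
```

Point the two check functions at the real /etc/pam.d/common-auth and /etc/nsswitch.conf to verify a host after following the steps above; a FAIL from pam_stack_ok means an LDAP outage would also block local logins, and a FAIL from nss_files_first means root may not resolve until the LDAP lookup times out.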
October 16, 2008 - 00:14
Thanks for the post, it was very interesting to read.
October 3, 2008 - 08:04
Password authentication for users in LDAP works fine. Now I would like to boost security and make users log in using SSH keys. Just copying the public key to ~/.ssh/authorized_keys2 won't do the job for users in LDAP and not in /etc/passwd. Anyone know how to?
Regards
Franz
June 27, 2008 - 07:41
Also, when you have a server which has ldap running on it and is set up to use the same ldap for local logins, you should use
:%s/compat/files ldap/g
in the last step. Otherwise it will have problems booting.
October 11, 2007 - 00:27
I am using Ubuntu 7.04 (Feisty Fawn) and the sudo file looks as such:
@include common-auth
@include common-account
should i edit it?
February 15, 2007 - 16:20
Hey everyone, I tried to set up authentication of my Eft installation against our LDAP, which worked fine (with some modifications). Now I have to solve two problems before being completely happy (with Ubuntu):
1. It would be nice to map some groups from LDAP to local groups. How is that possible? e.g. user: john (ldap) with groups sysadmin & staff (ldap) -> group admin (local), video (local), plugdev (local)... My first idea was to try pam_group but I was not very successful.
2. After setting up all the libnss and ldap stuff the gnome-volume-manager doesn't pmount a new device. So if I plug in a new USB stick there will appear no new icon on my desktop. I already tried to add a new group "nvram" to /etc/group but nothing changed.
I was wondering if the author of the above guide or anyone of you has had the same problems and solved them?
Thanks
Michael
November 20, 2006 - 07:25
Fantastic HOWTO: short, sweet, precise. Thanks!
October 14, 2006 - 11:10
I'm trying to get this working with Edgy Eft running under Parallels Desktop. If I enable LDAP in nsswitch.conf, it hangs during startup at 'staring kernel event monitor', with an error 'unable to contact LDAP server 192.168.0.50' (which is the correct IP address). I have been able to get a Mac to authenticate through my LDAP server by enabling it in Directory Access, so the server is working correctly.
October 28, 2006 - 19:32
I had Ubuntu 6.06 up and running with LDAP authentication but after upgrading to 6.10 the LDAP authentication doesn't work. It shows me the same message: ubuntu failed to bind ldap server xxx.xxx.xxx.xxx. Has anyone come up with any solution for this?
October 31, 2006 - 17:48
Followed the instructions above and had a similar problem... so I edited the files libnss-ldap.conf and pam_ldap.conf; identically in both files I set the proxy user with "binddn cn=search,dc=mydomain,dc=co,dc=id" and the password with "bindpw myproxyuserpassword". And it did the trick.
November 12, 2006 - 22:38
Well, I had hoped that the binddn and bindpw would do the trick, but no such luck for me. Does anyone have any other ideas?
November 13, 2006 - 14:52
Actually it is working now. I don't think that the binddn or the bindpw changed anything. I tried a couple of things and then decided to write down the error messages on the boot in preparation for submitting a question to a Debian guru friend of mine. It turns out that the error messages are really warnings. It was taking me long enough to write down the messages that I waited the 128 seconds during which it tries to connect to the LDAP server, and in the end the boot just times out the operation and goes on. So, something still needs to be tweaked to make the boot smoother, but really my human timeout was too quick. Now that I know that, I have set my biological timeout to 192 seconds.
November 14, 2006 - 06:27
I guess something in the boot scripts is trying to use the nsswitch before the network interface is configured. Therefore it can not access the ldap (especially if it is on another machine). It just gives up after 128 seconds and goes on with the boot scripts. Eventually it gets to configure the network interfaces and thereafter it works.
January 5, 2007 - 01:50
Some people have had success with "addgroup --system nvram" to remove the delay at boot time.
January 24, 2007 - 11:09
My system will not time out and continue to boot, so to repair it I'm required to boot to a rescue CD and modify nsswitch.conf and pam.d/common-... back to defaults (is this my only option to recover?). My situation seems to be the same as the "network is down at that point" comment describes... the network is not up when PAM tries to connect to the LDAP server (on another host). Is there a way to change the order of network loading to occur before PAM looks for the LDAP host?
April 3, 2007 - 02:42
Put files before ldap in the nsswitch.conf file and keep enough information in the local files (/etc/hosts, /etc/passwd etc.) to let the system come up.
August 3, 2006 - 00:37
On Ubuntu 6.06:
- If you need to make additional changes to the /etc/pam_ldap.conf file for whatever reason, make sure that you mirror those changes in the /etc/libnss-ldap.conf file.
- After making adjustments, I just used "cp /etc/pam_ldap.conf /etc/libnss-ldap.conf"
May 11, 2007 - 02:23
If these files are identical, use a symbolic link and skip synching them all the time.
June 14, 2006 - 06:52
I used the tutorial above, along with another, to make a script that is very easy to use. I posted it on my site if anyone wants to look at it: http://ameir.net/serendipity/index.php?/archives/2-LDAP-Authentication-PAMNSS-Using-Debian-or-Ubuntu-Bash-Script.html I used use_first_pass and try_first_pass in my script, and that should work around the "sudo foo" problem above.
April 24, 2006 - 17:34
I tried your description and I can see all users in the LDAP server by typing getent passwd. Great. But when I run sudo foo, I have to enter my password 4 times. Why?
June 22, 2006 - 02:33
try appending "try_first_pass" after "pam_unix.so" (no quotes)