NOTE: This was done on Debian 5 Lenny. This does not apply to Squeeze. A new guide will be released shortly.

Generally your LDAP clients connect to the LDAP server to get user details and to authenticate. A lot of people run the LDAP server and client on the same machine, which is probably your setup.
Here is how to install the necessary software and configure it so that your machine can contact the LDAP server and users can authenticate with ease.

*If both server and client are the same machine, use 127.0.0.1 for the questions below about the hostname or URI of the LDAP database.*

First get da stuff:

```
# apt-get install libnss-ldap libpam-ldap nscd
```

Here’s the answers for most (not all) of the questions, u cheater:

```
LDAP Account for root: cn=admin,dc=yourdomain,dc=com
Password: XXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=yourshit,dc=net
Root login password: XXXX
```

**NOTE**: your admin account will be asked for twice, once by libnss-ldap and once by libpam-ldap.

There are some files you should edit (some may already be populated correctly):

*/etc/libnss-ldap.conf*

```
host ldap
base dc=domain,dc=com
rootbinddn cn=admin,dc=yourdomain,dc=com
```

*/etc/libnss-ldap.secret*

```
ldapserverpassword
```

*/etc/pam_ldap.conf*

```
host ldap
base dc=yourshit,dc=net
rootbinddn cn=admin,dc=yourshit,dc=net
```

*/etc/pam_ldap.secret*

```
ldapserverpassword
```

*/etc/pam.d/common-account*

```
account sufficient pam_ldap.so    # mainly you will just add this line
account required pam_unix.so
```

If you want the user's home directory created on first login, also add:

```
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
```

*/etc/pam.d/common-auth*

```
auth sufficient pam_ldap.so    # just gonna need to add this; the following line should already be in the file
auth required pam_unix.so nullok_secure use_first_pass
```

*/etc/pam.d/common-password*

```
password sufficient pam_ldap.so    # add this; again, the following line should be there already
password required pam_unix.so nullok obscure min=4 max=8 md5
```

*/etc/pam.d/common-session*

```
session sufficient pam_ldap.so    # should just have to add this
session required pam_unix.so
session optional pam_foreground.so
```

Now it's time to edit the nsswitch file, /etc/nsswitch.conf, adding “ldap” to only these three sections:

```
passwd: files ldap
group: files ldap
shadow: files ldap
```

This dictates where the OS looks when resolving and authenticating users: first the local passwd file, then the LDAP db.

One last thing to do is to edit the ldap.conf file in /etc/ldap/ (or /etc/):
uncomment `BASE` and enter your dc values, and
add the line `bind_policy soft`.

Now just restart the nscd daemon:

```
# /etc/init.d/nscd restart
```

Your client is all set.
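Before calling it done, here is an added sanity-check script (not from the original post) that verifies the pieces above: that nsswitch.conf lists ldap for passwd, group and shadow, that `pam_ldap.so` is tried before `pam_unix.so` (with `use_first_pass` in common-auth), and that the .secret file holding the LDAP bind password is not readable by other users. The files it checks in `make_samples` are constructed copies in a temp dir, not the live /etc files; point the `check_*` functions at the real ones to check your own box.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the LDAP client
# config described above. Sample files are constructed copies in a temp dir.

# check_nsswitch FILE: passwd, group and shadow must each read "files ldap".
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^${db}:[[:space:]]+files[[:space:]]+ldap" "$1" || return 1
    done
}

# check_pam FILE TYPE: "TYPE sufficient pam_ldap.so" must come before
# "TYPE required pam_unix.so"; for auth, pam_unix.so also needs use_first_pass
# so the user is not prompted for the password a second time when LDAP fails.
check_pam() {
    f="$1"; t="$2"
    ldap=$(grep -En "^${t}[[:space:]]+sufficient[[:space:]]+pam_ldap\.so" "$f" | head -n 1 | cut -d: -f1)
    unix=$(grep -En "^${t}[[:space:]]+required[[:space:]]+pam_unix\.so" "$f" | head -n 1 | cut -d: -f1)
    [ -n "$ldap" ] && [ -n "$unix" ] || return 1
    [ "$ldap" -lt "$unix" ] || return 1
    if [ "$t" = auth ]; then
        grep -Eq "^auth[[:space:]]+required[[:space:]]+pam_unix\.so.*use_first_pass" "$f" || return 1
    fi
}

# check_secret FILE: the bind password file must be mode 600 (-rw-------),
# otherwise any local user can read the LDAP admin password.
check_secret() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# make_samples: write constructed good and bad sample files, print the dir.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$d/nsswitch.conf"
    printf 'passwd: files\ngroup: files ldap\nshadow: files ldap\n' > "$d/nsswitch.bad"
    printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so nullok_secure use_first_pass\n' > "$d/common-auth"
    printf 'auth required pam_unix.so nullok_secure\nauth sufficient pam_ldap.so\n' > "$d/common-auth.bad"
    printf 'ldapserverpassword\n' > "$d/pam_ldap.secret"
    chmod 600 "$d/pam_ldap.secret"
    echo "$d"
}

# run_checks: good samples must pass and bad ones must fail; returns 0 if so.
run_checks() {
    d=$(make_samples)
    check_nsswitch "$d/nsswitch.conf" || return 1
    check_nsswitch "$d/nsswitch.bad" && return 1
    check_pam "$d/common-auth" auth || return 1
    check_pam "$d/common-auth.bad" auth && return 1
    check_secret "$d/pam_ldap.secret" || return 1
    chmod 644 "$d/pam_ldap.secret"
    check_secret "$d/pam_ldap.secret" && return 1
    rm -rf "$d"
}
```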

Now mess around with the client. The first time you try this it may not work and throw back an error.
Try again and it should work; this was my experience with it.
This has been done on Debian Lenny in November of 2010

Mario Loria

./scriptthe.net