NOTE: This was done on Debian 5 Lenny. This does not apply to Squeeze. A new guide will be released shortly.
Generally your LDAP clients will connect to the LDAP server to get user details and authentication. A lot of people will have the LDAP server and client run on the same machine, which is probably your setup.
Here is how to install the necessary software and configure it so that your server can contact the ldap server and users can authenticate with ease.
*If both server and client are the same machine, use 127.0.0.1 for the following questions regarding the hostname or URL of the LDAP db.*
First get da stuff:
```
# apt-get install libnss-ldap libpam-ldap nscd
```
Here are the answers to most (not all) of the questions, u cheater:
```
LDAP Account for root: cn=admin,dc=yourdomain,dc=com
Password: XXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=yourshit,dc=net
Root login password: XXXX
```
**NOTE**: your admin account will be asked for twice, once from libnss and once from libpam.

There are some files you should edit (some may already be populated correctly):

*/etc/libnss-ldap.conf*
```
host ldap
base dc=yourshit
rootbinddn cn=admin,dc=yourshit,dc=net
```
*/etc/pam_ldap.secret*
```
ldapserverpassword
```
*/etc/pam.d/common-account*
```
account sufficient pam_ldap.so    # mainly you will just add this line.
account required pam_unix.so
```
If you want the user's homedir to be created on first login:
```
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
```
*/etc/pam.d/common-auth*
```
auth sufficient pam_ldap.so    # just gonna need to add this. all following lines should already be in the file
auth required pam_unix.so nullok_secure use_first_pass
```
*/etc/pam.d/common-password*
```
password sufficient pam_ldap.so    # again, the following line should be there already
password required pam_unix.so nullok obscure min=4 max=8 md5
```
*/etc/pam.d/common-session*
```
session sufficient pam_ldap.so    # should just have to add this.
session required pam_unix.so
session optional pam_foreground.so
```
Now it's time to edit /etc/nsswitch.conf, adding "ldap" to only these three sections:
```
passwd: files ldap
group: files ldap
shadow: files ldap
```
This dictates where the OS will look when resolving and authenticating users: first the local passwd file, then the LDAP db.
One last thing to do is to edit the ldap.conf file in /etc/ldap/ (or /etc):
uncomment BASE and enter your dc values
add the line "bind_policy soft"
Now just restart the nscd daemon:
```
# /etc/init.d/nscd restart
```
Your client is all set.
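Once the files above are in place, it is worth checking them mechanically before trying a login, because a missing `pam_ldap.so` line, a wrong module order, or a world-readable `pam_ldap.secret` (it holds the bind password in cleartext) all fail silently. The script below is an added example, not part of the original guide: every check takes the file to inspect as a parameter, so it can be pointed at the live `/etc` or at the constructed sample tree that `make_sample_tree` builds with made-up values (one of which is deliberately wrong). It assumes GNU coreutils `stat -c`, which Debian ships.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for an LDAP client
# configured as described in the guide. Assumes GNU coreutils (stat -c).

# Does nsswitch.conf route a database to "files ldap", with local files first?
# $1 = path to nsswitch.conf, $2 = database name (passwd, group or shadow)
nss_has_ldap() {
    awk -v db="$2" '
        $1 == (db ":") {
            f = 0; l = 0
            for (i = 2; i <= NF; i++) { if ($i == "files") f = i; if ($i == "ldap") l = i }
            ok = (f && l && f < l)
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Does a PAM stack file list pam_ldap.so for the given module type, and before
# its pam_unix.so line? PAM only consults lines whose type matches the stack
# being run, so the type is matched on the first field.
# $1 = path to the PAM file, $2 = module type (auth, account, session, password)
pam_ldap_before_unix() {
    awk -v t="$2" '
        $1 == t && $3 == "pam_ldap.so" && !seen_unix { found = 1 }
        $1 == t && $3 == "pam_unix.so" { seen_unix = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# pam_ldap.secret holds the bind password in cleartext: group and other must have
# no access at all (mode 600 or 400; on a real box it must also be owned by root).
# $1 = path to the secret file
secret_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Is "bind_policy soft" present, so lookups fail fast instead of retrying
# indefinitely when the LDAP server is unreachable?
# $1 = path to the ldap.conf being checked
ldap_conf_soft_bind() {
    grep -Eiq '^[[:space:]]*bind_policy[[:space:]]+soft[[:space:]]*$' "$1"
}

# Build a constructed sample tree (all values made up) mirroring the guide's
# settings, with one deliberate mistake: common-account lacks its pam_ldap line.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$dir/nsswitch.conf"
    printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so nullok_secure use_first_pass\n' > "$dir/common-auth"
    printf 'account required pam_unix.so\n' > "$dir/common-account"
    printf 'BASE dc=example,dc=com\nbind_policy soft\n' > "$dir/ldap.conf"
    printf 'not-a-real-password\n' > "$dir/pam_ldap.secret"
    chmod 600 "$dir/pam_ldap.secret"
    printf '%s\n' "$dir"
}

# Run every check over a tree, print PASS/FAIL per check and return the number
# of failures, so the exit status is 0 only when the client config is complete.
# $1 = directory holding nsswitch.conf, common-*, ldap.conf and pam_ldap.secret
check_tree() {
    fails=0
    report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi; }
    for db in passwd group shadow; do report nss_has_ldap "$1/nsswitch.conf" "$db"; done
    report pam_ldap_before_unix "$1/common-auth" auth
    report pam_ldap_before_unix "$1/common-account" account
    report secret_is_private "$1/pam_ldap.secret"
    report ldap_conf_soft_bind "$1/ldap.conf"
    return "$fails"
}

# Stand-alone run against the constructed tree: expect exactly one FAIL line
# (common-account) and a non-zero status. Point check_tree at /etc for a real box.
sample=$(make_sample_tree)
check_tree "$sample" || echo "$? check(s) failed (one is expected for the sample tree)"
rm -rf "$sample"
```

To check a real Lenny client, call `check_tree` with a directory that contains the files under the same names, or call the individual functions directly, e.g. `pam_ldap_before_unix /etc/pam.d/common-auth auth` and `secret_is_private /etc/pam_ldap.secret`.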
Now mess around with the client. The first time you try this it may not work and throw back an error.
Try again and it should work; this was my experience with it.
This has been done on Debian Lenny in November of 2010