Ubuntu 8.04 Hardy LDAP Client

Ubuntu 7.10 was a nightmare when it came to setting up LDAP, but 8.04 improves this process quite a bit.

We are going to set up a Hardy client on a desktop machine, which involves mounting /home over NFS and letting every desktop user do the usual desktop tasks (removable media, sound, video, scanners) by way of the relevant system groups.

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd

Answer the debconf questions; unlike Debian, the answers should actually end up in the configuration file.

Make sure to transfer over your CA certificate if you use SSL (it is the certificate the client checks the server against). I like to use /etc/ldap/ssl.

Edit /etc/ldap.conf (which both libnss-ldap and libpam-ldap read).

host 192.168.1.1
base dc=example,dc=com

#This is important! Don't use ldap:///192.168.1.1 (three slashes leave the host empty)
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data

A few things to know about these values. When uri is set it is what the libraries actually connect to; host and port are only a fallback. The URI needs two slashes and then the server name (ldap://example.com/); ldap:///192.168.1.1 has an empty host part, which is why the client never binds. rootbinddn makes the client bind as the directory admin for lookups that need it, reading the password from /etc/ldap.secret; that file must be owned by root with mode 0600, or every local user can read the admin password. ssl start_tls upgrades the plain port 389 connection to TLS, but tls_checkpeer no tells pam_ldap and nss_ldap to accept whatever certificate the server presents, so anyone who can sit between client and server can impersonate the directory and collect every password sent in a simple bind, the rootbinddn one included. Once the CA certificate named in tls_cacertfile is in place, change it to tls_checkpeer yes. Finally, pam_password crypt has the client hash new passwords with crypt(3) and write the hash into userPassword; pam_password exop instead sends the password to slapd over the TLS session and lets the server hash it with its own configured scheme, which is the better choice on OpenLDAP. The nss_initgroups_ignoreusers list keeps the local system accounts from triggering LDAP group lookups at all.

Now edit /etc/ldap/ldap.conf, the OpenLDAP client library's own file (used by ldapsearch, ldappasswd and friends):

BASE    dc=example,dc=com
URI    ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
TLS_REQCERT never

TLS_REQCERT never has the same effect here that tls_checkpeer no has in /etc/ldap.conf: TLS is started, but any certificate is accepted. With TLS_CACERT pointing at your CA certificate, use TLS_REQCERT demand instead, and check the result with ldapsearch -x -ZZ -b dc=example,dc=com (the doubled Z makes the search fail, rather than silently continue without TLS, if STARTTLS cannot be negotiated).
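The two files above both ship with certificate checking switched off. The script below is an added example, not part of the original post: it audits a pam_ldap/nss_ldap style ldap.conf (or the OpenLDAP client file) for the empty-host URI mistake and the two "accept any certificate" switches, prints a hardened copy, and checks the permissions of the /etc/ldap.secret file that rootbinddn depends on. The sample config it runs on is a constructed copy of the guide's values; the file paths are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): audit the guide's client
# config files for settings that defeat STARTTLS, print a hardened copy,
# and check /etc/ldap.secret. Sample config below is constructed.

# List weak settings in FILE, one line each, ignoring comments and blanks.
# Always returns 0 so the caller can simply count the lines it prints.
audit_ldap_conf() {
    conf_body=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true)
    flag_line 'uri[[:space:]]+ldaps?:///' \
        'empty host: three slashes put nothing between // and /, so libldap talks to localhost'
    flag_line 'tls_checkpeer[[:space:]]+no([[:space:]]|$)' \
        'pam_ldap/nss_ldap skip certificate checks; set tls_checkpeer yes'
    flag_line 'TLS_REQCERT[[:space:]]+never([[:space:]]|$)' \
        'libldap accepts any certificate; set TLS_REQCERT demand'
    return 0
}

# $1 = extended regex matched case-insensitively at line start, $2 = message.
# Prints "message <- offending line" when conf_body contains a match.
flag_line() {
    m=$(printf '%s\n' "$conf_body" | grep -Ei "^[[:space:]]*$1") || return 0
    printf '%s <- %s\n' "$2" "$m"
}

# Copy FILE to stdout with the two verification switches turned on. The CA
# file lines the guide already has (tls_cacertfile / TLS_CACERT) are what
# make verification possible, so they are left alone. Case-sensitive on
# purpose: the keywords are spelled exactly as in the guide.
harden_ldap_conf() {
    sed -e 's/^[[:space:]]*tls_checkpeer[[:space:]][[:space:]]*no[[:space:]]*$/tls_checkpeer yes/' \
        -e 's/^[[:space:]]*TLS_REQCERT[[:space:]][[:space:]]*never[[:space:]]*$/TLS_REQCERT demand/' "$1"
}

# rootbinddn makes the client bind as the directory admin with the password
# stored in /etc/ldap.secret; if that file is readable by other users, every
# local account can read the admin password. Prints one line per problem.
# Uses GNU stat, as shipped on Ubuntu.
check_secret_perms() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing $f: rootbinddn is set but there is no password file"
        return 0
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    [ "$mode" = "600" ] || echo "bad mode $mode on $f: want 0600 (chmod 600 $f)"
    [ "$owner" = "root" ] || echo "bad owner $owner on $f: want root (chown root $f)"
    return 0
}

# Demo on a constructed copy of the guide's /etc/ldap.conf.
weak=$(mktemp) && fixed=$(mktemp)
cat >"$weak" <<'EOF'
host 192.168.1.1
base dc=example,dc=com
#This is important! Don't use ldap:///192.168.1.1
uri ldap://example.com/
rootbinddn cn=admin,dc=example,dc=com
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
EOF
echo "== weak config"
audit_ldap_conf "$weak"
harden_ldap_conf "$weak" >"$fixed"
echo "== hardened config (expect no findings)"
audit_ldap_conf "$fixed"
echo "== /etc/ldap.secret"
check_secret_perms /etc/ldap.secret
rm -f "$weak" "$fixed"
```

Run it as root on the client before the first login. A hardened file will still fail to bind if the CA certificate in tls_cacertfile does not actually sign the server's certificate, which is the point: that failure is the one you want to see at setup time rather than discover later from the server's logs.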

Now the PAM stacks. Replace the corresponding lines in the four common-* files with the following.

/etc/pam.d/common-account

account    sufficient   pam_ldap.so
account    required     pam_unix.so

/etc/pam.d/common-auth

auth       sufficient   pam_ldap.so
auth       required     pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password

password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session

session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/
session    optional     pam_ldap.so

A few words on how these stacks behave. sufficient means that a success from pam_ldap ends the stack, so pam_unix is only consulted when LDAP does not know the user (local accounts such as root) or cannot be reached, and use_first_pass makes pam_unix reuse the password pam_ldap already prompted for instead of asking twice. The options on the pam_unix password line only govern local accounts; LDAP users get whatever policy slapd enforces. pam_mkhomedir creates the home directory on first login with umask 0022 unless you pass umask=0077, so with /home on NFS every new home is world-readable by default.

/etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Now we want users to be put into the right supplementary groups when they log in through gdm, so add the following to /etc/security/group.conf (the file pam_group reads; the fields are service;ttys;users;times;groups, so this line gives any user logging in through gdm the listed groups):

gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner

HAL's D-Bus policy does not pick these groups up, however, so delete the following two entries from /etc/dbus-1/system.d/hal.conf:

<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>

Be aware of what that does: those deny lines sit in the default policy, and removing them lets every local D-Bus client, not just the users the file otherwise allows, ask HAL to mount, unmount and unlock volumes. On a single-user desktop that is usually acceptable; on a shared machine it is not.

For the group.conf entry to take effect, pam_group has to run in gdm's auth stack, so add the following to /etc/pam.d/gdm:

auth optional pam_group.so

As root, run

nss_updatedb ldap

This copies the LDAP passwd and group maps into the local Berkeley DB files under /var/lib/misc that the db source in nsswitch.conf reads, which is what lets logins keep working when the directory is unreachable. Two things to check: the db source is only consulted for the maps whose nsswitch.conf line lists it (the file above uses it for protocols, services, ethers and rpc, so add db after ldap on the passwd and group lines if you want the offline fallback), and if the command fails with "Failed to enumerate nameservice: Transport endpoint is not connected" the client is not binding to the server at all; go back to the uri line in /etc/ldap.conf.

To mount /home over NFS, add the following to /etc/fstab

192.168.1.1:/home       /home   nfs defaults 0 0

With defaults this is a plain NFS mount using sec=sys, where the server believes whatever numeric UID the client presents, so uidNumber in LDAP has to be the same on every client and on the server, and any host allowed by the server's /etc/exports can read any home. At the very least add nosuid,nodev to the options, so that a setuid binary or a device node placed on the export cannot be used on the client.
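The following is an added example, not part of the original post: it finds NFS entries in an fstab that lack nosuid or nodev and prints a corrected copy. The sample fstab is constructed from the guide's line plus a root filesystem; the server address and export path are the guide's own.

```sh
#!/bin/sh
# Added example (not from the original post): flag NFS fstab entries that
# lack nosuid/nodev and print a hardened copy. Sample fstab is constructed.

# Print every uncommented nfs/nfs4 entry in FILE whose options lack nosuid
# or nodev. A setuid binary or device node sitting on the export would
# otherwise be honoured on every client that mounts it.
audit_fstab_nfs() {
    awk '$1 !~ /^#/ && $3 ~ /^nfs4?$/ &&
         (("," $4 ",") !~ /,nosuid,/ || ("," $4 ",") !~ /,nodev,/)' "$1"
}

# Copy FILE to stdout, appending nosuid,nodev to each nfs entry that lacks
# them; every other line (comments, local filesystems) is printed unchanged.
harden_fstab_nfs() {
    awk '$1 !~ /^#/ && $3 ~ /^nfs4?$/ {
             opts = "," $4 ","
             if (opts !~ /,nosuid,/) $4 = $4 ",nosuid"
             if (opts !~ /,nodev,/)  $4 = $4 ",nodev"
         }
         { print }' "$1"
}

# Demo on a constructed fstab.
sample=$(mktemp)
printf '%s\n' \
    '/dev/sda1  /      ext3  defaults  0 1' \
    '192.168.1.1:/home       /home   nfs defaults 0 0' >"$sample"
echo "== entries missing nosuid/nodev"
audit_fstab_nfs "$sample"
echo "== hardened fstab"
harden_fstab_nfs "$sample"
rm -f "$sample"
```

Note that awk rebuilds a modified line with single spaces, so the column alignment of an edited entry is lost; the content is what mount reads. nosuid and nodev close the local privilege path but do nothing about the sec=sys trust model itself; that needs Kerberos (sec=krb5), which is outside this guide.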

11 Responses to “Ubuntu 8.04 Hardy LDAP Client”

  1. Ben says:

    Nice post.
    I have a problem: users can’t change their password inside GNOME, but in the shell it works fine.
    Any help?

  2. termina says:

    My only suggestion would be to check out auth.log for when this happens; I’m guessing that it’s only using PAM instead of LDAP.

    What does your /etc/pam.d/gdm file contain?

  3. Aurelio says:

    Hi, it didn’t work for me. 🙁
    In the login screen, only the local user appears. If I log in with it, in a console, and type “id”, I receive data for that user.
    Any idea?

  4. Henke says:

    Can’t get it to work…
    I get:
    “Failed to enumerate nameservice: Transport endpoint is not connected
    passwd… nameservice unavailable.”
    When I run:
    “nss_updatedb ldap”

    What am I doing wrong? Thx.

  5. termina says:

    Important update.

    In /etc/ldap.conf, you should have something like

    uri://server.com/

    not

    uri:///192.168.1.1

    This should fix problems with the client not binding properly, and passwd failing with

    passwd: Authentication service cannot retrieve authentication info
    passwd: password unchanged

    and

    Sep 22 08:30:00 imac passwd[9022]: pam_unix(passwd:chauthtok): user “mike” does not exist in /etc/passwd
    Sep 22 08:30:00 imac passwd[9022]: pam_ldap: ldap_starttls_s: Can’t contact LDAP server

  6. deeps says:

    Can’t get it to work…
    I get:
    “Failed to enumerate nameservice: Transport endpoint is not connected
    passwd… nameservice unavailable.”
    When I run:
    “nss_updatedb ldap”

  7. The style of writing is very familiar . Have you written guest posts for other blogs?

  8. David says:

    Very good article, really helped me out… but now I have a problem… I want to take a backup of all LDAP users… and if something happened to the server, how would I restore it in Ubuntu?

  9. termina says:

    David,

    The command ‘slapcat’ as root will give you your LDAP database in LDIF format, so if you ever want to restore it you could with ldapadd.
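A worked version of the backup and restore described in the reply above, added here as an example and not the commenter's own code: it dumps the directory with slapcat into a root-only file and strips the operational attributes so the dump can also be loaded with ldapadd into a running server (slapadd, run with slapd stopped, takes the raw dump as-is). File names are assumptions and the LDIF at the bottom is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the original post or the comment above): back up
# the directory with slapcat and prepare the LDIF for restore. File names
# are assumptions; the LDIF below is a constructed sample.

# Write the LDIF to OUT with umask 077. The dump holds every userPassword
# hash, so it must not be world-readable. slapcat comes with the slapd
# package, so this only works on the server itself.
backup_directory() {
    out="$1"
    command -v slapcat >/dev/null 2>&1 || { echo "slapcat not installed (slapd package)"; return 1; }
    ( umask 077 && slapcat -l "$out" ) && echo "wrote $out"
}

# Remove the attributes slapd maintains itself: slapcat writes them, but
# ldapadd rejects them ("no user modification allowed"). Folded continuation
# lines (leading space) of a removed attribute are dropped with it.
strip_operational_attrs() {
    awk '/^(entryUUID|entryCSN|creatorsName|createTimestamp|modifiersName|modifyTimestamp|structuralObjectClass|contextCSN):/ { skip = 1; next }
         /^ / && skip { next }
         { skip = 0; print }' "$1"
}

# Number of entries (dn: lines) in an LDIF; a cheap sanity check to compare
# the dump against the live directory before and after a restore.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# Demo on a constructed two-entry dump with a folded creatorsName line.
dump=$(mktemp)
cat >"$dump" <<'EOF'
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example
structuralObjectClass: organization
entryUUID: 2d8a4f2e-3b6a-1030-9d1c-3f3c5a2b1c1d
creatorsName: cn=admin,ou=directory administrators,dc=example,dc=c
 om
createTimestamp: 20080922083000Z
entryCSN: 20080922083000.000000Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080922083000Z

dn: uid=mike,ou=people,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: mike
cn: mike
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/mike
userPassword: {SSHA}ZmFrZS1oYXNoLWZvci10aGUtZXhhbXBsZQ==
structuralObjectClass: account
entryUUID: 3a1b2c3d-4e5f-1030-9d1c-3f3c5a2b1c1d
createTimestamp: 20080922083100Z
EOF
echo "entries in dump: $(ldif_entry_count "$dump")"
echo "== restore-ready LDIF for ldapadd (slapadd can take the raw dump)"
strip_operational_attrs "$dump"
backup_directory /root/ldap-backup.ldif || true
rm -f "$dump"
```

To restore into a running server: ldapadd -x -D cn=admin,dc=example,dc=com -W -f restore.ldif with the stripped file. To rebuild from scratch: stop slapd, empty the database directory, run slapadd -l backup.ldif, and chown the resulting files to the user slapd runs as. If your slapd keeps its configuration in cn=config rather than slapd.conf, dump that separately with slapcat -n 0; the data dump does not include it.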

  10. Are you aware your web site seems really odd inside Chrome on my office personal computer, a Linux system?
