Ubuntu 7.10 was a nightmare when it came to setting up ldap, but 8.04 improves this process quite a bit.
We are going to set up a Hardy client on a desktop machine, which involves using NFS (for /home) and allowing all desktop users to do desktop tasks.
apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd
Answer the debconf questions; unlike on Debian, the answers are actually written to the configuration file.
Make sure to copy over your certificate if you use SSL. I like to keep it in /etc/ldap/ssl.
Edit /etc/ldap.conf (which both libnss and libpam use).
host 192.168.1.1
base dc=example,dc=com
# This is important! Don't use ldap:///192.168.1.1 (three slashes leaves the host empty and the client never binds)
uri ldap://example.com/
ldap_version 3
# The password for rootbinddn is read from /etc/ldap.secret, which must be owned by root with mode 600
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
# tls_checkpeer no skips verification of the server certificate; once the CA file below is in place, set it to yes
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data
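A small check for the /etc/ldap.conf above, added here as an example and not part of the original post: it greps a pam_ldap/nss_ldap style file for the three-slash uri the post warns about, for STARTTLS combined with tls_checkpeer no, and for a rootbinddn whose secret file is missing or world-readable. The optional second argument (the secret file path, defaulting to the conventional /etc/ldap.secret) and the sample configuration at the bottom are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: lint a pam_ldap/nss_ldap
# style /etc/ldap.conf for the pitfalls the post runs into. Each finding
# is printed and the return value is the number of findings (0 = clean).
# Assumes lowercase keys, one per line, as in the configuration above.

check_ldap_conf() {
    conf="$1"
    secret="${2:-/etc/ldap.secret}"   # where pam_ldap reads the rootbinddn password
    findings=0

    # The post's own warning: ldap:///host has three slashes, which leaves
    # the host empty, so the client never binds and nss_updatedb fails.
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap:///' "$conf"; then
        echo "FAIL: uri uses ldap:/// - write ldap://host/ with two slashes"
        findings=$((findings + 1))
    fi

    # STARTTLS is negotiated but the server certificate is never checked,
    # so the session is encrypted to whoever answers on port 389.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf" \
       && grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$conf"; then
        echo "WARN: tls_checkpeer no - set it to yes once tls_cacertfile holds the CA"
        findings=$((findings + 1))
    fi

    # rootbinddn means the bind password sits in the secret file, which must
    # exist and must not be readable by other users.
    if grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+' "$conf"; then
        if [ ! -f "$secret" ]; then
            echo "FAIL: rootbinddn is set but $secret does not exist"
            findings=$((findings + 1))
        elif [ -n "$(find "$secret" -perm -004)" ]; then
            echo "FAIL: $secret is world-readable; chmod 600 it"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed sample that reproduces the broken uri from the post plus
# tls_checkpeer no; expect two findings.
sample=$(mktemp)
printf '%s\n' 'base dc=example,dc=com' 'uri ldap:///192.168.1.1' \
    'ssl start_tls' 'tls_checkpeer no' > "$sample"
check_ldap_conf "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```

Run it as root against the real file with `check_ldap_conf /etc/ldap.conf` after sourcing the script; a non-zero exit status is the count of problems found.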
Now edit /etc/ldap/ldap.conf
BASE dc=example,dc=com
URI ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
# TLS_REQCERT never accepts any server certificate without checking it; use demand once TLS_CACERT is trusted
TLS_REQCERT never
/etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
/etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
Now we want to make sure users are assigned to the correct groups when they log in, so add the following to /etc/security/groups.conf
gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner
HAL does not recognize this, however, so delete the following entries from /etc/dbus-1/system.d/hal.conf
<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
We need to edit /etc/pam.d/gdm for the groups.conf file to take effect, so add the following:
auth optional pam_group.so
As root, run
nss_updatedb ldap
To mount /home over NFS, add the following to /etc/fstab
192.168.1.1:/home /home nfs defaults 0 0
Nice post.
I have a problem: users can’t change their password inside GNOME, but in the shell it works fine.
Any help?
My only suggestion would be to check out auth.log for when this happens; I’m guessing that it’s only using PAM instead of LDAP.
What does your /etc/pam.d/gdm file contain?
Hi, it didn’t work for me. 🙁
On the login screen, only the local user appears. If I log in with it and type “id” in a console, I receive data for that user.
Any idea?
Can’t get it to work…
I get:
“Failed to enumerate nameservice: Transport endpoint is not connected
passwd… nameservice unavailable.”
When I run:
“nss_updatedb ldap”
What am I doing wrong? Thx.
Important update.
In /etc/ldap.conf, you should have something like
uri://server.com/
not
uri:///192.168.1.1
This should fix problems with the client not binding properly, and passwd failing with
“Failed to enumerate nameservice: Transport endpoint is not connected
passwd… nameservice unavailable.”
when you run “nss_updatedb ldap”.
The style of writing is very familiar. Have you written guest posts for other blogs?
Nope, this is the only blog I’ve ever done. 🙂
Very good article, it really helped me out… but now I have a problem… I want to take a backup of all LDAP users, and if something happened to the server, how would I restore it in Ubuntu?
David,
The command ‘slapcat’ as root will give you your LDAP database in LDIF format, so if you ever want to restore it you could with ldapadd.
Are you aware your web site seems really odd inside Chrome on my office personal computer, a Linux system?