Ubuntu 8.04 Hardy LDAP Client

Ubuntu 7.10 was a nightmare when it came to setting up LDAP, but 8.04 improves this process quite a bit.

We are going to set up a Hardy client on a desktop machine, which involves using NFS (for /home) and allowing all desktop users to do desktop tasks.

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd

Answer the debconf questions; unlike on Debian, the answers are actually written to the configuration file.

Make sure to transfer over your CA certificate if you use SSL. I like to use /etc/ldap/ssl.

Edit /etc/ldap.conf (both libnss-ldap and libpam-ldap read it). Note that tls_checkpeer no below disables verification of the server certificate; once the CA certificate named in tls_cacertfile is in place, change it to yes so that a spoofed server cannot collect passwords.

host 192.168.1.1
base dc=example,dc=com

#This is important! Don't use ldap:///192.168.1.1
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data

Now edit /etc/ldap/ldap.conf (the OpenLDAP client library's own configuration, used by ldapsearch and friends). TLS_REQCERT never likewise skips certificate checks; set it to demand once the CA certificate is trusted.

BASE    dc=example,dc=com
URI    ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
TLS_REQCERT never

/etc/pam.d/common-account

account    sufficient   pam_ldap.so
account    required     pam_unix.so

/etc/pam.d/common-auth

auth       sufficient   pam_ldap.so
auth       required     pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password

password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session

session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/
session    optional     pam_ldap.so

/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
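Before rebooting into the new setup it is worth checking the three files edited above for the mistakes this post warns about: the three-slash uri form, a missing base, certificate verification left off, a database in nsswitch.conf without ldap, and pam_ldap.so sitting after pam_unix.so in common-auth. The script below is an added example, not part of the original post; it runs entirely on constructed sample files (the post's own ldap.conf, a hardened copy, the broken uri form, and a nsswitch.conf missing ldap on the shadow line) so it can be tried offline. The function names and the WORK directory are mine; on a real client you would pass /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/common-auth instead.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# client files the post edits. All inputs are constructed below.

# Print the first value of directive $2 in an ldap.conf-style file $1.
# pam_ldap/nss_ldap treat directive names case-insensitively; pass $2 in lower case.
conf_get() {
    awk -v key="$2" 'tolower($1) == key { print $2; exit }' "$1"
}

# Return 0 when ldap.conf $1 has a usable uri and base and verifies the server
# certificate; each blocking problem is printed as a WARN line.
check_ldap_conf() {
    f=$1
    rc=0
    uri=$(conf_get "$f" uri)
    case "$uri" in
        "")
            echo "WARN: $f has no uri line"; rc=1 ;;
        ldap:///*|ldaps:///*)
            echo "WARN: uri '$uri' has no host part (three slashes); write ldap://host/"; rc=1 ;;
        ldap://[0-9]*|ldaps://[0-9]*)
            echo "NOTE: uri '$uri' uses a bare IP; with TLS the name must match the server certificate" ;;
    esac
    [ -n "$(conf_get "$f" base)" ] || { echo "WARN: $f has no base line"; rc=1; }
    if [ "$(conf_get "$f" ssl)" = start_tls ] && [ "$(conf_get "$f" tls_checkpeer)" != yes ]; then
        echo "WARN: ssl start_tls with tls_checkpeer != yes: the server certificate is not verified"; rc=1
    fi
    return $rc
}

# Return 0 when the passwd, group and shadow lines of nsswitch.conf $1 all list ldap.
check_nsswitch() {
    f=$1
    rc=0
    for db in passwd group shadow; do
        if ! awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
                                END { exit !found }' "$f"; then
            echo "WARN: $db line in $f does not list ldap"; rc=1
        fi
    done
    return $rc
}

# Return 0 when common-auth $1 lists pam_ldap.so before pam_unix.so and pam_unix.so
# carries use_first_pass, so the password is typed once and tried against both.
check_common_auth() {
    awk '
        $1 != "auth" { next }
        /pam_ldap\.so/ { ldap_line = NR }
        /pam_unix\.so/ { unix_line = NR; if ($0 ~ /use_first_pass/) reuse = 1 }
        END { exit !(ldap_line && unix_line && ldap_line < unix_line && reuse) }
    ' "$1"
}

# Constructed sample inputs (the post's ldap.conf reproduced, plus variants).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ldap.conf.post" <<'EOF'
host 192.168.1.1
base dc=example,dc=com
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
EOF
# Same file with certificate verification switched on.
sed 's/^tls_checkpeer no$/tls_checkpeer yes/' "$WORK/ldap.conf.post" > "$WORK/ldap.conf.hardened"
# The mistaken three-slash form the post warns against.
sed 's#^uri .*#uri ldap:///192.168.1.1#' "$WORK/ldap.conf.post" > "$WORK/ldap.conf.bad"
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd: files ldap
group: files ldap
shadow: files
hosts: files dns
EOF
sed 's/^shadow: files$/shadow: files ldap/' "$WORK/nsswitch.conf" > "$WORK/nsswitch.conf.ok"
cat > "$WORK/common-auth" <<'EOF'
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so nullok_secure use_first_pass
EOF

for v in post hardened bad; do
    if check_ldap_conf "$WORK/ldap.conf.$v"; then echo "ldap.conf.$v: ok"; else echo "ldap.conf.$v: FAIL"; fi
done
if check_nsswitch "$WORK/nsswitch.conf.ok"; then echo "nsswitch.conf.ok: ok"; fi
if check_common_auth "$WORK/common-auth"; then echo "common-auth: ok"; else echo "common-auth: FAIL"; fi
```

Only the hardened copy passes: the post's own file is flagged for tls_checkpeer no, and the three-slash uri is flagged as having no host. The nsswitch check is deliberately strict about shadow, since a missing ldap there leaves password changes and expiry lookups hitting /etc/shadow only.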

Now we want to make sure users are assigned to the correct groups when they log in, so add the following to /etc/security/group.conf (the file pam_group reads)

gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner

HAL does not recognize this, however, so delete the following entries from /etc/dbus-1/system.d/hal.conf

<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>

We need to edit /etc/pam.d/gdm for the group.conf file to take effect, so add the following

auth optional pam_group.so

As root, run

nss_updatedb ldap

To mount /home over NFS, add the following to /etc/fstab

192.168.1.1:/home       /home   nfs defaults 0 0

11 thoughts on “Ubuntu 8.04 Hardy LDAP Client”

  1. My only suggestion would be to check out auth.log for when this happens; I’m guessing that it’s only using PAM instead of LDAP.

    What does your /etc/pam.d/gdm file contain?

  2. Hi, it didn't work for me. 🙁
    In the login screen, only the local user appears. If I log in with it and type "id" in a console, I receive data for that user.
    Any idea?

  3. Can’t get it to work…
    I get:
    “Failed to enumerate nameservice: Transport endpoint is not connected
    passwd… nameservice unavailable.”
    When I run:
    “nss_updatedb ldap”

    What am I doing wrong? Thx.

  4. Important update.

    In /etc/ldap.conf, you should have something like

    uri://server.com/

    not

    uri:///192.168.1.1

    This should fix problems with the client not binding properly, and passwd failing with

    passwd: Authentication service cannot retrieve authentication info
    passwd: password unchanged

    and

    Sep 22 08:30:00 imac passwd[9022]: pam_unix(passwd:chauthtok): user “mike” does not exist in /etc/passwd
    Sep 22 08:30:00 imac passwd[9022]: pam_ldap: ldap_starttls_s: Can’t contact LDAP server

  6. Very good article, really helped me out... but now I have a problem... I want to take a backup of all LDAP users, and if something happened to the server, how would I restore it in Ubuntu?
