Ubuntu 8.04 Hardy LDAP Client

Ubuntu 7.10 was a nightmare when it came to setting up ldap, but 8.04 improves this process quite a bit.

We are going to set up a Hardy client on a desktop machine, which involves using NFS (for /home) and allowing all desktop users to do desktop tasks.

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd

Answer the questions; unlike Debian they should actually be put in the configuration file.

Make sure to transfer over your certifiate if you use SSL. I like to use /etc/ldap/ssl

Edit /etc/ldap.conf (which both libnss and libpam use).

base dc=example,dc=com

#This is important! Don't use ldap:///
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data

Now edit /etc/ldap/ldap.conf

BASE    dc=example,dc=com
URI    ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem


account    sufficient   pam_ldap.so
account    required     pam_unix.so


auth       sufficient   pam_ldap.so
auth       required     pam_unix.so nullok_secure use_first_pass


password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure min=4 max=8 md5


session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/
session    optional     pam_ldap.so


passwd: files ldap
group: files ldap
shadow: files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Now we want to make sure users are assigned to the correct groups when they log in, so add the following to /etc/security/groups.conf

Hal does not recognize this, however, so delete the following entries from /etc/dbus-1/system.d/hal.conf

<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>

We need to edit /etc/pam.d/gdm for the groups.conf file to take effect, so add the following

auth optional pam_group.so

As root, run

nss_updatedb ldap

To mount /home over NFS, add the following to /etc/fstab       /home   nfs defaults 0 0

11 thoughts on “Ubuntu 8.04 Hardy LDAP Client”

  1. My only suggestion would be to check out auth.log for when this happens; I’m guessing that it’s only using PAM instead of LDAP.

    What does your /etc/pam.d/gdm file contain?

  2. Hi, it didn’t work for me. 🙁
    In login screen, only local user appears. If I login with it, in console, if I type “id “, I receive data from that user.
    Any idea?

  3. Can’t get it to work…
    I get:
    “Failed to enumerate nameservice: Transport endpoint is not connected
    passwd… nameservice unavailable.”
    When I run:
    “nss_updatedb ldap”

    What I´m I doing wrong? Thx.

  4. Important update.

    In /etc/ldap.conf, you should have something like




    This should fix problems with the client not binding properly, and passwd failing with

    passwd: Authentication service cannot retrieve authentication info
    passwd: password unchanged


    Sep 22 08:30:00 imac passwd[9022]: pam_unix(passwd:chauthtok): user “mike” does not exist in /etc/passwd
    Sep 22 08:30:00 imac passwd[9022]: pam_ldap: ldap_starttls_s: Can’t contact LDAP server

  5. Can’t get it to work…
    I get:
    “Failed to enumerate nameservice: Transport endpoint is not connected
    passwd… nameservice unavailable.”
    When I run:
    “nss_updatedb ldap”

  6. Very Good Article realy helped me out….. but now i have a problem…. i want to take backup of all ldap users… and if some thing happed to the server…how would i restore it in ubuntu…?

  7. David,

    The command ‘slapcat’ as root will give you your LDAP database in LDIF format, so if you ever want to restore it you could with ldapadd.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.