Getting user information from LDAP
The libnss-ldap package handles fetching account information from LDAP. Also make sure that nscd is installed: without it every process does its own LDAP lookups, and if the directory is unreachable those lookups stall, taking logins and parts of the boot with them.

To tell libnss-ldap where to look, edit /etc/libnss-ldap.conf. At the very least you'll need to give the host and base directives.

To tell libc to use libnss-ldap, amend the appropriate lines in /etc/nsswitch.conf so that the local files are consulted first and LDAP second:

    passwd: files ldap
    group: files ldap
    shadow: files ldap

The other databases are best left alone; we don't bother putting host information or the like in LDAP because we don't see much benefit.

The getent program is useful for testing: getent passwd <username> should now return a directory user's entry exactly as it would a local one, and getent shadow <username> (run as root) shows whether the shadow lookup works as well.
Authenticating with LDAP
The libpam-ldap package is used for authentication against LDAP. You need to configure /etc/pam_ldap.conf along the same lines as /etc/libnss-ldap.conf; the two files take the same directives, so they usually end up identical. A typical example is:
    host piper
    base dc=tardis,dc=ed,dc=ac,dc=uk
    rootbinddn cn=admin,dc=tardis,dc=ed,dc=ac,dc=uk
    ldap_version 3

    # NSS lookups need to be restricted to the appropriate parts of the tree.
    # If other lookups are added to /etc/nsswitch.conf, they need to be put
    # here too.
    nss_base_passwd ou=People,dc=tardis,dc=ed,dc=ac,dc=uk
    nss_base_group ou=Group,dc=tardis,dc=ed,dc=ac,dc=uk
    nss_base_shadow ou=People,dc=tardis,dc=ed,dc=ac,dc=uk

    # Use funky generic LDAP password changing.
    pam_password exop

Two things to be aware of with this file. rootbinddn makes the libraries bind as the directory admin, reading the password from /etc/pam_ldap.secret (and /etc/libnss-ldap.secret for the NSS side); those files must be owned by root with mode 0600, or every local user can read the admin password. Nothing in the example turns on TLS, so that password, and every shadow entry fetched, crosses the network in the clear; unless the server is on a trusted network, add ssl start_tls (with tls_cacertfile pointing at the CA certificate) to both files. pam_password exop uses the LDAP password-modify extended operation, so the server rather than the client hashes new passwords according to its own policy.
PAM needs to be told to use libpam-ldap as well as the normal Unix authentication, by editing /etc/pam.d/common-auth:

    # ** Use trick from /usr/share/doc/libpam-ldap/README.Debian
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth required pam_ldap.so use_first_pass
    auth required pam_permit.so

The control field does the work here: if pam_unix succeeds, success=1 skips the next module (pam_ldap) and lands on pam_permit, so local accounts never touch the directory; if it fails, default=ignore discards that result and pam_ldap gets the final say. nullok_secure is the Debian default and allows empty passwords from the terminals listed in /etc/securetty; drop it if you don't want that.
Note the use_first_pass option, which makes pam_ldap reuse the password already typed for pam_unix. Without it, logins will ask for a password for pam_unix, then one for pam_ldap, and so on, causing every other attempt to enter your password to fail even when you get it right. You need to set up /etc/pam.d/common-account in the same way.
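As an added example (not from the original page, nor from the libnss-ldap or libpam-ldap packages), the following POSIX shell script checks the three things the two sections above set up: that /etc/nsswitch.conf routes passwd, group and shadow through ldap and no other database does; that any pam_ldap.so auth line that follows pam_unix.so carries use_first_pass; and that the rootbinddn secret file is not readable by other users. The script name, the default paths and the function names are assumptions; file paths are passed as arguments so it can be run against copies of the configuration.

```shell
#!/bin/sh
# ldap_setup_check.sh (added example; not part of the original page or of the
# libnss-ldap / libpam-ldap packages). Sanity checks for the NSS + PAM LDAP
# setup described above. Each check prints a reason to stderr and returns 1
# on failure, 0 on success.

# check_nsswitch FILE
# passwd, group and shadow must list "ldap" as a source; no other database
# should mention ldap at all (the page keeps hosts etc. out of the directory).
check_nsswitch() {
    f="$1"; rc=0
    for db in passwd group shadow; do
        if ! sed 's/#.*//' "$f" | grep -E "^[[:space:]]*${db}:" | grep -qw ldap; then
            echo "nsswitch: database '$db' does not use ldap" >&2; rc=1
        fi
    done
    extra=$(sed 's/#.*//' "$f" \
            | grep -vE '^[[:space:]]*(passwd|group|shadow):' | grep -w ldap || true)
    if [ -n "$extra" ]; then
        echo "nsswitch: unexpected ldap source in: $extra" >&2; rc=1
    fi
    return $rc
}

# check_pam_auth FILE
# In an auth stack where pam_unix.so runs first, the pam_ldap.so line that
# follows must carry use_first_pass, or the user is prompted a second time
# and alternate attempts fail. Also fails if there is no pam_ldap auth line.
check_pam_auth() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "auth" && $0 ~ /pam_unix\.so/ { seen_unix = 1 }
        $1 == "auth" && $0 ~ /pam_ldap\.so/ {
            seen_ldap = 1
            if (seen_unix && $0 !~ /use_first_pass/) bad = 1
        }
        END {
            if (!seen_ldap) print "pam: no pam_ldap.so auth line" > "/dev/stderr"
            if (bad) print "pam: pam_ldap.so after pam_unix.so lacks use_first_pass" > "/dev/stderr"
            exit ((bad || !seen_ldap) ? 1 : 0)
        }
    ' "$1"
}

# check_secret FILE
# rootbinddn makes the libraries bind as the admin DN using the password in
# /etc/pam_ldap.secret (and /etc/libnss-ldap.secret); mode must be 0600/0400.
check_secret() {
    f="$1"
    [ -f "$f" ] || { echo "secret: $f is missing" >&2; return 1; }
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "secret: $f has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Usage: sh ldap_setup_check.sh NSSWITCH [COMMON_AUTH] [SECRET]
# Pass at least one path; the defaults (assumed Debian locations) fill the rest.
main() {
    status=0
    check_nsswitch "${1:-/etc/nsswitch.conf}"     || status=1
    check_pam_auth "${2:-/etc/pam.d/common-auth}" || status=1
    check_secret   "${3:-/etc/pam_ldap.secret}"   || status=1
    return $status
}

# Only run when invoked with arguments, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it as root after editing the three files (sh ldap_setup_check.sh /etc/nsswitch.conf /etc/pam.d/common-auth /etc/pam_ldap.secret); a zero exit status means the configuration matches what the page describes, and each failing check says which file to go back to.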