LDAP Ubuntu Client Setup

Install the client application:
sudo apt-get update
sudo apt-get -y install libnss-ldapd libpam-ldapd ldap-utils nscd
 
During the installation, some variables must be provided as follows:
  1. LDAP server URI: ldaps://LDAPSERVER:PORTNUMBER/
  2. Distinguished name should be as : “dc=kimconnect,dc=com”
  3. LDAP version to use: [default]
  4. Make local root Database admin: [default]
  5. Does the LDAP database require login? No
  6. LDAP account for root: [default or “cn=root,dc=kimconnect,dc=com”]
  7. LDAP root account password: [none or {Your-LDAP-root-password}]
Modify LDAP configs: sudo vim /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldaps://LDAPSERVER:PORTNUMBER/
base dc=kimconnect,dc=com
 
# These are manually added to enable SSL
ssl on
tls_reqcert never
tls_cacertfile /etc/ssl/certs/kimconnect.com.pem
 
Configure authentication:
sudo vim /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
 
Set Home Directory:
sudo vim /etc/pam.d/common-session
# Add this line to EOF
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Assign local group to users: run sudo vim /etc/pam.d/common-auth and edit the “primary” block
 
# this is not used currently
auth required pam_group.so use_first_pass
 
# This is used currently
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
Add Certificates: vim /etc/ldap/ldap.conf
TLS_REQCERT never
TLS_CACERT /etc/ssl/certs/kimconnect.com.pem
TLS_CRLCHECK = allo
 
Configure machine to create home directory for ldap users:
sudo vim /etc/fstab
#### FILESERVER01 HOME DIRECTORY for LDAP USERS ####
FILESERVER01:/mnt/array1/kimconnect_homes /nfs/home nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0
 
Reload LDAP:
sudo pam-auth-update
sudo /etc/init.d/nscd restart
 
Test commands:
id
id {username}
getent passwd
getent shadow
getent group
 
Note: when login using a new account, authentication will build a profile in the background. There shall be a blank page for short while, then user is redirected back to the login screen once more. A second login will successfully connect.

Leave a Reply

Your email address will not be published. Required fields are marked *