[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam ldap help - answer

While some people don't feel this is the place for help configuring
pam/nss with LDAP support, well, I've done it, and it's easy, so here it
goes.  As always, YMMV.  If you get stuck, the padl.com lists *are* the
best places for help, but there seem to be enough people trying to do this
here that this may be of use.

Installing pam-ldap and libnss-ldap on Debian is *easy*.  Install the
packages with 'apt-get install libpam-ldap libnss-ldap'.  Configure the
/etc/pam_ldap.conf and /etc/libnss-ldap.conf files as appropriate -
basically 'host', 'base', 'ldap_version', 'binddn' and 'bindpw' are the
major options (the rest worked out of the box for me).  FWIW, I recommend
setting up a seperate ldap user and ACL for access to userpassword fields,
but you can certainly test/configure using the admin/root user, if you'd

/etc/nsswitch.conf just needs the passwd: shadow: and groups: set
to 'files ldap'.

PAM configuration is a bit tricky, but my login file reads like:

auth       requisite  pam_securetty.so
auth       required   pam_nologin.so
auth       required   pam_env.so
auth       sufficient pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass
account    sufficient pam_ldap.so
account    required   pam_unix.so
session    sufficient pam_ldap.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8

man pam.conf if you don't understand how the pam configs work.  For
instance, only 'auth' is required for sudo, and 'password' is not required
for su.

Finally, note that the padl.com stuff only lets you specify *one* LDAP
server to bind, thus if it's down, you won't be able to log in, except
local users.  Some people have said they've had luck configuring the Linux
Virtual Server, so that may be an option.  I myself have been looking at
modifying the padl.com modules to support multiple servers, but have been
busy of as late.