This isn’t the gospel way, but this will get things up and running.
sudo apt-get install libnss-ldapd libpam-ldapd
Installing those packages will ask a few questions. If you aren’t sure what to put, just accept the defaults. We’ll replace the configs in the next steps anyway.
Install the SSL certificate
Install the SSL certificate for the LDAP server to a location on the local system; the nslcd.conf example below references that file via tls_cacertfile.
Open /etc/nslcd.conf in an editor and configure the following (this is a very minimal example):
uid nslcd
gid nslcd
uri ldaps://ldapserver.orgname.net
base dc=ldapsvr,dc=orgname,dc=net
ldap_version 3
timelimit 60
bind_timelimit 30
ssl on
tls_cacertfile /etc/ssl/certs/servername.pem
tls_reqcert demand
# This is handy for pointing home directories somewhere else on the system:
#map passwd homeDirectory "/home/$uid"
The nslcd.conf file on your system will be decently commented for other options.
If your LDAP server is Apple Open Directory: don’t bother with rootbinddn and the other settings needed to get password changes to work. Open Directory no longer stores passwords in LDAP (Apple uses PasswordService), so this won’t work anyway. Maybe in the future (shakes fist @ Apple).
A word about nscd
nscd will try to cache service requests. Unfortunately, it’s kind of infamously quirky for a lot of folks. I’ve had a number of experiences where lookups fail when it’s running, so I leave it disabled. If you run into problems with failed lookups or other such bizarre things, I suggest disabling it.
In any event, if it’s running and you’ve just set up your nslcd.conf, you’ll need to restart it:
This was probably already set up for you by libnss-ldapd. Just make sure it’s looking at ldap for the relevant entries: open /etc/nsswitch.conf and make it look like the following:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
aliases: ldap
netgroup: nis
Execute the following:
You should get a whole slew of users from the LDAP directory.
Additionally, execute the following:
id <your LDAP username>
You should see the appropriate LDAP info for your user – your UID and groups.
Open /etc/pam.d/common-auth and enable the ignore_authinfo_unavail option on the pam_ldap.so line:
auth [success=1 default=ignore] pam_ldap.so use_first_pass ignore_authinfo_unavail
Do the same for the password stack:
password [success=1 default=ignore] pam_ldap.so try_first_pass ignore_authinfo_unavail
This will ignore the pam_ldap module if the LDAP server is unreachable. If you don’t have this, you’ll likely be “locked out” of the system if your LDAP server is unavailable (even from a local console login). At minimum, you’ll likely have a very delayed login and session.
The above will get you up and running. There’s a lot more you can configure to have much more granular and special settings on a server, but those are outside the scope of this document.
Do note, by default, PAM will not create home directories for LDAP users. So when you login as an LDAP user that doesn’t have a home on the local machine, you’ll get a (harmless) error. This can be configured in the appropriate PAM configs.
Also note, it’s a good idea to lock SSHD down to a specific list of groups. Check for the AllowGroups directive in the sshd configuration:
AllowGroups adm admin unixadmins
In this example, I’m letting members of the local groups adm and admin log in via SSH, as well as members of my unixadmins LDAP group.
Keep in mind, if you’re setting this up on a web server that end-users use with SFTP, you’ll need to allow them as well. For example, you might add those users to an LDAP group called sftpusers and list that group in AllowGroups.
For some more info on SSH hardening, see this document.
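As an added example (this is not the original post's code, nor anything shipped by nslcd, PAM or Debian), the bash script below audits copies of the four files this write-up edits for the settings it calls out: nslcd.conf using an ldaps:// URI with ssl on, tls_reqcert demand and a CA file; nsswitch.conf consulting ldap for passwd, group and shadow; every pam_ldap.so line carrying ignore_authinfo_unavail; and sshd_config setting AllowGroups. The function names and output format are my own, and the sample files it writes to a temporary directory are constructed for the demonstration so the checks run without an LDAP server.

```shell
#!/usr/bin/env bash
# Added audit script, not part of the original write-up. Paths are parameters so
# the checks run on copies; the sample files at the bottom are constructed.
# Against a live box:
#   audit /etc/nslcd.conf /etc/nsswitch.conf /etc/pam.d/common-auth /etc/ssh/sshd_config

# Print the value of DIRECTIVE from an nslcd.conf-style FILE (first match wins).
nslcd_get() {  # usage: nslcd_get FILE DIRECTIVE
  awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 when nslcd.conf matches the post's TLS choices: an ldaps:// URI,
# "ssl on", "tls_reqcert demand" and a CA file to verify the server against.
# "tls_reqcert never" or "allow" would accept any certificate, so they fail here.
nslcd_tls_ok() {  # usage: nslcd_tls_ok FILE
  local f=$1
  case "$(nslcd_get "$f" uri)" in ldaps://*) ;; *) return 1 ;; esac
  [ "$(nslcd_get "$f" ssl)" = "on" ] || return 1
  [ "$(nslcd_get "$f" tls_reqcert)" = "demand" ] || return 1
  [ -n "$(nslcd_get "$f" tls_cacertfile)" ]
}

# Return 0 when every named database in nsswitch.conf lists ldap as a source.
nsswitch_uses_ldap() {  # usage: nsswitch_uses_ldap FILE DB...
  local f=$1 db; shift
  for db in "$@"; do
    awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                      END { exit (ok ? 0 : 1) }' "$f" || return 1
  done
}

# Print each active pam_ldap.so line lacking ignore_authinfo_unavail and return 1;
# return 0 (printing nothing) when every pam_ldap line has it. Without the option
# an unreachable LDAP server blocks local console logins too.
pam_ldap_lockout_risk() {  # usage: pam_ldap_lockout_risk FILE
  local hits
  hits=$(grep -E '^[^#]*pam_ldap\.so' "$1" | grep -v ignore_authinfo_unavail || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Print the groups named by AllowGroups (keyword is case-insensitive); return 1 if unset.
sshd_allow_groups() {  # usage: sshd_allow_groups FILE
  awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^ +/, ""); print; found = 1 }
       END { exit (found ? 0 : 1) }' "$1"
}

# Run every check, print one line per result and return 0 only if all pass.
audit() {  # usage: audit NSLCD_CONF NSSWITCH_CONF COMMON_AUTH SSHD_CONFIG
  local rc=0 allowed
  if nslcd_tls_ok "$1"; then echo "ok   nslcd.conf: ldaps + ssl on + tls_reqcert demand + CA file"
  else echo "FAIL nslcd.conf: TLS not enforced or server certificate not verified"; rc=1; fi
  if nsswitch_uses_ldap "$2" passwd group shadow; then echo "ok   nsswitch.conf: passwd/group/shadow consult ldap"
  else echo "FAIL nsswitch.conf: passwd, group or shadow does not list ldap"; rc=1; fi
  if pam_ldap_lockout_risk "$3" >/dev/null; then echo "ok   common-auth: pam_ldap tolerates an unreachable server"
  else echo "FAIL common-auth: pam_ldap line(s) lack ignore_authinfo_unavail"; rc=1; fi
  if allowed=$(sshd_allow_groups "$4"); then echo "ok   sshd_config: AllowGroups $allowed"
  else echo "FAIL sshd_config: AllowGroups unset, SSH logins are not restricted by group"; rc=1; fi
  return "$rc"
}

# Constructed samples (not from any real system): one set following the
# write-up and one weak set, so the checks can be exercised offline.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/nslcd.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://ldapserver.orgname.net
base dc=ldapsvr,dc=orgname,dc=net
ldap_version 3
ssl on
tls_cacertfile /etc/ssl/certs/servername.pem
tls_reqcert demand
EOF
printf 'uri ldap://ldapserver.orgname.net\nssl off\ntls_reqcert never\n' > "$SAMPLES/nslcd-weak.conf"
printf 'passwd: compat ldap\ngroup:  compat ldap\nshadow: compat ldap\nhosts:  files dns\n' > "$SAMPLES/nsswitch.conf"
cat > "$SAMPLES/common-auth" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass ignore_authinfo_unavail
auth requisite pam_deny.so
auth required pam_permit.so
EOF
printf 'auth [success=1 default=ignore] pam_ldap.so use_first_pass\nauth requisite pam_deny.so\n' > "$SAMPLES/common-auth-weak"
printf 'PermitRootLogin no\nAllowGroups adm admin unixadmins\n' > "$SAMPLES/sshd_config"
printf 'PermitRootLogin no\n' > "$SAMPLES/sshd_config-weak"

audit "$SAMPLES/nslcd.conf" "$SAMPLES/nsswitch.conf" "$SAMPLES/common-auth" "$SAMPLES/sshd_config"
```

The checks deliberately encode the choices made above (ldaps plus ssl on rather than start_tls, and demand rather than try), so a host that deviates from this write-up on purpose will show a FAIL line that you can read as "different from the recipe" rather than as a defect.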
ldapd vs ldap
In this document, I installed libpam-ldapd (note the trailing ‘d’). On Debian derivatives, there’s also the “classic” libpam-ldap and libnss-ldap.
From Debian’s wiki (emphasis is mine):
There are currently two packages available to configure NSS lookups through LDAP: the libnss-ldap package and the libnss-ldapd package. Which one to choose depends on the needs. In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex. Also libnss-ldap has some known issues with serving host information and lookups during boot which should be addressed in libnss-ldapd. In addition, libnss-ldap breaks setuid programs (su, sudo) when using LDAP+SSL (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579647).
I haven’t run into any issues using libnss-ldapd over libnss-ldap. In fact, it has the obvious immediate benefit of working with sudo when using LDAP+SSL (maybe this is fixed by now).