This document describes the steps needed for a basic setup in which account and group information is kept in LDAP. It does not describe how to set up an LDAP server (there are better documents for that; also look into migrationtools), only the client side.
This document is work in progress and specific to Debian.
Another place where you should be able to find more documentation is the Debian wiki.
Before you begin
You must have an LDAP server available that contains the correct information and is accessible from the client machine.
Step 1: Install packages
apt-get install nslcd libnss-ldapd libpam-ldapd nscd
Answer the installation questions, configuring the correct LDAP server (if not all of these questions are asked, don't worry; the defaults are usually fine).
- LDAP server URI: enter the URI of the LDAP server (or servers)
- LDAP server search base: enter the search base for the searches
- Name services to configure: choose group, passwd and shadow
- PAM profiles to enable: ensure that "LDAP Authentication" is selected
Step 2: test
getent passwd
should list users from LDAP
su - nobody -c 'su - USER'
where USER is an LDAP user.
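The script below is an added example, not part of this how-to or of the nss-pam-ldapd project: it checks the two client files that Step 1 writes on Debian, /etc/nsswitch.conf (which databases are served by ldap) and /etc/nslcd.conf (its uri, base and optional bindpw keys). It runs against constructed sample files so it can be tried without an LDAP server; point run_checks at the real paths to check a configured client.

```shell
#!/bin/sh
# Added example, not part of the original how-to: offline sanity checks for
# the client-side files that Step 1 writes on Debian, /etc/nsswitch.conf
# (which databases are served by "ldap") and /etc/nslcd.conf (server "uri",
# search "base" and an optional "bindpw"). Paths are arguments so the
# constructed samples below can be checked without a real LDAP server.

# check_nsswitch FILE: the passwd, group and shadow databases must all list ldap.
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" || {
            echo "nsswitch: '$db' is not served by ldap" >&2
            return 1
        }
    done
}

# check_nslcd_conf FILE: a server URI and search base must be set; if a bind
# password is stored in the file, the file must not be readable by other users.
check_nslcd_conf() {
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldap[si]?://' "$1" || {
        echo "nslcd.conf: no uri configured" >&2; return 1; }
    grep -Eq '^[[:space:]]*base[[:space:]]+[^[:space:]]' "$1" || {
        echo "nslcd.conf: no search base configured" >&2; return 1; }
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$1"; then
        case "$(ls -ld "$1")" in   # 8th character of the mode string is "others read"
            ???????r*) echo "nslcd.conf: contains bindpw but is world-readable" >&2; return 1 ;;
        esac
    fi
}

# Constructed sample files (hostnames are not real): a correct pair and two broken ones.
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$SAMPLE_DIR/nsswitch.good"
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files\n' > "$SAMPLE_DIR/nsswitch.bad"
printf 'uri ldap://ldap.example.invalid/\nbase dc=example,dc=invalid\n' > "$SAMPLE_DIR/nslcd.good"
printf 'uri ldap://ldap.example.invalid/\nbase dc=example,dc=invalid\nbindpw secret\n' > "$SAMPLE_DIR/nslcd.bad"
chmod 640 "$SAMPLE_DIR/nslcd.good"
chmod 644 "$SAMPLE_DIR/nslcd.bad"

# run_checks NSSWITCH NSLCD_CONF: returns 0 when both files pass, 1 otherwise.
run_checks() {
    check_nsswitch "$1" && check_nslcd_conf "$2"
}
```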
Miscellaneous notes
- One alternative to using an LDAP PAM module is to expose userPassword attributes through LDAP in shadow entries.
I don't consider this to be a good idea because:
- it is a lot less flexible, since it limits you to the password schemes supported by pam_unix instead of those supported by the server, and
- the authentication is done on the client instead of on the server, which exposes the hashed password to the client.