This document describes how users and groups that are defined in an LDAP server can log in to your system. Whether a user is known to the system is managed through an NSS module and the authentication is done with a PAM module.
If you are using Debian you should be able to skip these steps, install the libnss-ldapd and libpam-ldapd packages, answer the configuration questions and have it just work. See the Debian wiki for more information. Other distributors may also provide helper tools for configuring nss-pam-ldapd.
This guide covers the most common configurations but nss-pam-ldapd also supports TLS encryption, authenticating to the LDAP server using Kerberos, using Active Directory and much more. See the sample configuration, manual pages and included README for more details.
This guide assumes that you have an LDAP server set up and working and have the relevant data available in there (searchable with ldapsearch). You need the following information:
To import existing data into LDAP look into MigrationTools.
If your distribution comes with a packaged version of nss-pam-ldapd you should probably use that instead of compiling by hand. Compiling from source follows the usual procedure. You can pass --help to configure for more options.
% ./configure
% make
% make install
Create a dedicated user and group for running nslcd and configure those in /etc/nslcd.conf (uid and gid options). Also set up an init script to start nslcd at boot.
The source package includes an annotated template configuration file for the nslcd daemon. Also, an nslcd.conf(5) manual page is available that lists all the options.
At the very least the uri (the location of the LDAP server) option should be set. It is recommended to also set the base option to the LDAP search base of the server. Set the uid and gid options to the created user and group. For other options the defaults should be fine in most set-ups.
A minimal configuration would contain:
uri ldap://198.51.100.389
base dc=example,dc=com
uid nslcd
gid nslcd
After making any modifications to /etc/nslcd.conf the nslcd daemon should be (re)started.
Add ldap to at least the passwd, group and shadow maps. Whether you should also change the other maps depends on the information in your LDAP directory. You should include ldap after local lookups.
It is better to use files than compat unless you use the special +/- syntax in /etc/passwd or are also using NIS. Your /etc/nsswitch.conf will contain something like:
passwd: files ldap
group: files ldap
shadow: files ldap
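The ordering matters for more than availability: with files first, a local account (root above all) is resolved from /etc/passwd before the directory is ever asked, so a directory entry cannot shadow it, and local logins keep working when nslcd or the LDAP server is down. The script below is an added example, not part of nss-pam-ldapd; the check_nsswitch function and the two sample nsswitch.conf files are constructed here, and the check only understands the files-then-ldap layout this guide recommends (a compat setup would need a different check).

```shell
#!/bin/sh
# Added example (not from nss-pam-ldapd): verify that an nsswitch.conf
# consults "files" before "ldap" for the passwd, group and shadow maps.

# check_nsswitch FILE: exit 0 if passwd, group and shadow each list "files"
# followed later by "ldap"; otherwise report every problem on stderr, exit 1.
check_nsswitch() {
    conf="$1"
    rc=0
    for map in passwd group shadow; do
        # grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps
        # the function usable under "set -e"
        n=$(grep -Ec "^[[:space:]]*$map:" "$conf" || true)
        if [ "$n" -eq 0 ]; then
            echo "$map: no entry" >&2; rc=1; continue
        fi
        if [ "$n" -gt 1 ]; then
            echo "$map: listed $n times, keep a single entry" >&2; rc=1; continue
        fi
        # the entry with the "map:" prefix removed, leaving the source list
        line=$(grep -E "^[[:space:]]*$map:" "$conf" \
               | sed "s/^[[:space:]]*$map:[[:space:]]*//")
        files_pos=0; ldap_pos=0; i=0
        for src in $line; do
            i=$((i + 1))
            # action specifiers such as [NOTFOUND=return] fall through the case
            case "$src" in
                files) files_pos=$i ;;
                ldap)  ldap_pos=$i ;;
            esac
        done
        if [ "$ldap_pos" -eq 0 ]; then
            echo "$map: ldap is not listed" >&2; rc=1
        elif [ "$files_pos" -eq 0 ]; then
            echo "$map: files is not listed, local accounts would depend on LDAP" >&2; rc=1
        elif [ "$ldap_pos" -lt "$files_pos" ]; then
            echo "$map: ldap is consulted before files" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configurations (not copied from any real system).
GOOD_NSSWITCH=$(mktemp)
cat > "$GOOD_NSSWITCH" <<'EOF'
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF

BAD_NSSWITCH=$(mktemp)
cat > "$BAD_NSSWITCH" <<'EOF'
passwd:         ldap files
group:          files
shadow:         files ldap
EOF
trap 'rm -f "$GOOD_NSSWITCH" "$BAD_NSSWITCH"' EXIT

if check_nsswitch "$GOOD_NSSWITCH"; then echo "sample 1: ok"; fi
if check_nsswitch "$BAD_NSSWITCH"; then echo "sample 2: ok"; else echo "sample 2: needs fixing"; fi
```

Run it against /etc/nsswitch.conf after editing; the second sample shows the two mistakes the check catches, ldap placed ahead of files for passwd and ldap missing from group.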
To enable logins using both LDAP and local users (e.g. you want to keep root logins) you should edit files under /etc/pam.d (or /etc/pam.conf if your system uses that). Everywhere that pam_unix is called you should also call pam_ldap. A very basic snippet is included below.
auth     sufficient pam_unix.so
auth     sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  sufficient pam_ldap.so minimum_uid=1000
account  required   pam_permit.so
session  required   pam_unix.so
session  optional   pam_ldap.so minimum_uid=1000
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password required   pam_deny.so
There are many different ways to configure PAM and the above is only a suggestion.
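Whatever layout you choose, three properties of the snippet above are worth preserving: pam_ldap is present in every management group where pam_unix is, every pam_ldap line carries minimum_uid so that low-numbered local accounts such as root are never authenticated or authorized against the directory, and the auth and password stacks end with pam_deny so a request that satisfied neither sufficient module fails closed. The linter below is an added example, not part of nss-pam-ldapd; the check_pam function and the second sample file are constructed here, and the first sample is the snippet from this guide.

```shell
#!/bin/sh
# Added example (not from nss-pam-ldapd): lint a PAM service file for the
# properties the sample configuration above relies on.

# check_pam FILE: exit 0 if all checks pass, else report on stderr and exit 1.
check_pam() {
    conf="$1"
    rc=0
    # 1. wherever pam_unix is called, pam_ldap must be called too
    for type in auth account session password; do
        unix_n=$(grep -Ec "^[[:space:]]*$type[[:space:]].*pam_unix\.so" "$conf" || true)
        ldap_n=$(grep -Ec "^[[:space:]]*$type[[:space:]].*pam_ldap\.so" "$conf" || true)
        if [ "$unix_n" -gt 0 ] && [ "$ldap_n" -eq 0 ]; then
            echo "$type: pam_unix is used but pam_ldap is not" >&2; rc=1
        fi
    done
    # 2. every pam_ldap line must be limited to non-system accounts
    types='(auth|account|session|password)'
    ldap_all=$(grep -Ec "^[[:space:]]*$types[[:space:]].*pam_ldap\.so" "$conf" || true)
    ldap_guarded=$(grep -Ec "^[[:space:]]*$types[[:space:]].*pam_ldap\.so.*minimum_uid=[0-9]+" "$conf" || true)
    if [ "$ldap_all" -ne "$ldap_guarded" ]; then
        echo "$((ldap_all - ldap_guarded)) pam_ldap line(s) lack minimum_uid" >&2; rc=1
    fi
    # 3. the auth and password stacks must end with an explicit deny
    for type in auth password; do
        last=$(grep -E "^[[:space:]]*$type[[:space:]]" "$conf" | tail -n 1)
        case "$last" in
            *required*pam_deny.so*) ;;
            *) echo "$type: stack does not end with 'required pam_deny.so'" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Sample 1: the configuration suggested in this guide.
GOOD_PAM=$(mktemp)
cat > "$GOOD_PAM" <<'EOF'
auth     sufficient pam_unix.so
auth     sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  sufficient pam_ldap.so minimum_uid=1000
account  required   pam_permit.so
session  required   pam_unix.so
session  optional   pam_ldap.so minimum_uid=1000
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password required   pam_deny.so
EOF

# Sample 2: constructed, with three of the mistakes the linter reports.
BAD_PAM=$(mktemp)
cat > "$BAD_PAM" <<'EOF'
auth     sufficient pam_unix.so
auth     sufficient pam_ldap.so use_first_pass
account  required   pam_unix.so
session  required   pam_unix.so
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password required   pam_deny.so
EOF
trap 'rm -f "$GOOD_PAM" "$BAD_PAM"' EXIT

if check_pam "$GOOD_PAM"; then echo "sample 1: ok"; fi
if check_pam "$BAD_PAM"; then echo "sample 2: ok"; else echo "sample 2: needs fixing"; fi
```

Point it at the individual files under /etc/pam.d (or at /etc/pam.conf) that you edited; the second sample trips on the auth line without minimum_uid, the missing pam_ldap in account and session, and the auth stack that does not end in pam_deny.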
To ensure that everything is working correctly you can run getent passwd. This should return users from LDAP. As root, getent shadow should also return information from LDAP.
To test authentication log in with an LDAP user. One way to do that is to run su - USER as a normal user (where USER is an LDAP user) or su - nobody -c 'su - USER' as root.
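Seeing directory users in getent passwd is the first check; the second is that none of them collides with a local account. An LDAP entry with the same uid as a local user, or with a uid below the minimum_uid given to pam_ldap, is a sign that the directory and the local account ranges overlap and should be sorted out before anyone relies on the setup. The script below is an added example, not part of nss-pam-ldapd: the ldap_users function and the sample files are constructed here, and on a real system you would pass /etc/passwd and the saved output of getent passwd instead of the samples.

```shell
#!/bin/sh
# Added example (not from nss-pam-ldapd): compare the local passwd file with
# the merged view that "getent passwd" returns once the ldap source is active.

# ldap_users LOCAL MERGED [MIN_UID]: print the names that only exist in the
# merged view (i.e. came from LDAP) and exit 0; exit 1 if no such user is
# visible, exit 2 if any of them collides with a local uid or is below MIN_UID.
ldap_users() {
    awk -F: -v min="${3:-1000}" '
        # first file: remember local names and which local user owns each uid
        NR == FNR { local_name[$1] = 1; local_uid[$3] = $1; next }
        # second file: anything not defined locally was supplied by LDAP
        !($1 in local_name) {
            seen++
            if ($3 in local_uid) {
                printf "%s: uid %s collides with local user %s\n", $1, $3, local_uid[$3] > "/dev/stderr"
                bad++
            } else if ($3 + 0 < min) {
                printf "%s: uid %s is below minimum_uid %s\n", $1, $3, min > "/dev/stderr"
                bad++
            } else {
                print $1
            }
        }
        END {
            if (seen == 0) { print "no LDAP users visible, check nslcd and nsswitch.conf" > "/dev/stderr"; exit 1 }
            if (bad > 0) exit 2
        }' "$1" "$2"
}

# Constructed samples: a local passwd file and two "getent passwd" outputs.
LOCAL_PASSWD=$(mktemp)
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nslcd:x:110:115::/var/run/nslcd/:/usr/sbin/nologin
localadmin:x:1000:1000::/home/localadmin:/bin/bash
EOF

GOOD_GETENT=$(mktemp)
cat "$LOCAL_PASSWD" > "$GOOD_GETENT"
cat >> "$GOOD_GETENT" <<'EOF'
alice:x:2001:2001:Alice:/home/alice:/bin/bash
bob:x:2002:2002:Bob:/home/bob:/bin/bash
EOF

BAD_GETENT=$(mktemp)
cat "$GOOD_GETENT" > "$BAD_GETENT"
cat >> "$BAD_GETENT" <<'EOF'
admin2:x:0:0::/home/admin2:/bin/bash
svc:x:500:500::/home/svc:/bin/sh
EOF
trap 'rm -f "$LOCAL_PASSWD" "$GOOD_GETENT" "$BAD_GETENT"' EXIT

echo "users from LDAP (sample 1):"
ldap_users "$LOCAL_PASSWD" "$GOOD_GETENT"
echo "checking sample 2:"
ldap_users "$LOCAL_PASSWD" "$BAD_GETENT" >/dev/null || echo "sample 2: problems found"
```

The first sample lists alice and bob; the second additionally reports admin2 as colliding with root's uid 0 and svc as falling below minimum_uid 1000, which is exactly the kind of overlap that getent alone does not make visible.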
To troubleshoot problems you can run nslcd in debug mode (remember to stop nscd when debugging). Debug mode should return a lot of information about the LDAP queries that are performed and errors that may arise.
# /etc/init.d/nscd stop
# /etc/init.d/nslcd stop
# nslcd -d