I posted a similar question over on super user
I'm trying to configure Ubuntu to login to ldap. I've come across several related posts, but I'm still confused:
How does pam_ldap find ldap users? Do I have to manually create an entry in /etc/passwd for every user in ldap?
The reason I ask is because I seem to be able to authenticate against ldap as long as I have a username inside the /etc/passwd file that corresponds to uid in ldap.
For example, user1 has a local account (that I created with adduser). There is also a ldap user uid=user1,ou=people,dc=mydomain,dc=com. The local password for user1 is different than the password for the ldap with the same uid. I can login with both passwords. Also, if I comment out the pam_unix line in common-auth, it will only let me in using the password defined in ldap.
So, I'm pretty sure pam_ldap is working. But when I try to log in using a user defined in ldap (but who does NOT have an entry in /etc/passwd), auth.log shows "invalid user".
So, I must be missing a step? Is there a way to sync ldap users into /etc/passwd? Or perhaps a config option to have pam_ldap create a corresponding local account when an ldap user first attempts to login?
You should have an entry in nsswitch.conf using the ldap module for passwd. A user's passwd entry is unassociated with their authentication mechanism; it's just handy to keep them both in LDAP if that's a good solution for you.

is a good entry.

You'll also need to make sure that your /etc/ldap.conf file is properly configured, although the defaults (except the base and host of course ;)) might work just fine. And lastly, ensure that the ldap nss module is installed.

You may have to add a directive to common-password to load up pam-ldap as well. The pam ldap module should have options for user creation from ldap.

Edit: user/homedir creation actually taken care of from another module, not pam-ldap.
Debian has a very nice extensive guide here: http://wiki.debian.org/LDAP/PAM
Take a look at pam_mkhomedir's usage on that page.
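The "invalid user" symptom in the question is an NSS lookup failure, not a PAM authentication failure: PAM can only authenticate an account that getent/NSS can resolve, so the passwd (and group/shadow) databases in nsswitch.conf must list the ldap module, and home directories for LDAP-only users come from pam_mkhomedir in the session stack. The following script is an added example, not part of the answer above or of any Ubuntu package; it checks a given nsswitch.conf for ldap in those three databases and a given PAM session file for pam_mkhomedir.so. The suggested line "db: files ldap" and the file paths in the comments are this example's assumptions about a typical setup, not values from the page.

```shell
#!/bin/sh
# Added example: diagnose why an LDAP-only user shows up as "invalid user".
# Both functions take a file path so they can be run against a copy of the
# real config (e.g. /etc/nsswitch.conf, /etc/pam.d/common-session, assumed
# paths) or against a constructed test file.

# Print the sources configured for one NSS database, e.g. "files ldap".
# $1 = path to nsswitch.conf, $2 = database name (passwd, group, shadow)
nss_sources() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/#.*//' | head -n 1
}

# Return 0 if "ldap" is among the sources for the database, 1 otherwise.
nss_has_ldap() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "ldap" ] && return 0
    done
    return 1
}

# Report the three databases a login needs; returns 1 if any lacks ldap.
nss_check() {
    rc=0
    for db in passwd group shadow; do
        if nss_has_ldap "$1" "$db"; then
            echo "$db: ok ($(nss_sources "$1" "$db"))"
        else
            # "files ldap" is the usual ordering: local accounts first, then LDAP.
            echo "$db: ldap missing; suggested line: '$db: files ldap'"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if a PAM file loads pam_mkhomedir.so in the session stack.
# $1 = path to a PAM config such as common-session
pam_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' "$1"
}

# Example run against constructed files (not real system config).
if [ "${1:-}" = "--demo" ]; then
    nss_demo=$(mktemp); pam_demo=$(mktemp)
    printf 'passwd: files ldap\ngroup: files\nshadow: files ldap\n' > "$nss_demo"
    printf 'session required pam_unix.so\nsession optional pam_mkhomedir.so skel=/etc/skel umask=0022\n' > "$pam_demo"
    nss_check "$nss_demo" || echo "NSS: fix the lines above, then re-check with: getent passwd <ldap-user>"
    pam_has_mkhomedir "$pam_demo" && echo "PAM session: pam_mkhomedir present"
    rm -f "$nss_demo" "$pam_demo"
fi
```

Run it with --demo to see the report on the constructed input, or call nss_check and pam_has_mkhomedir on copies of the live files. Once nss_check passes, "getent passwd user1" is the quickest confirmation that NSS resolves the LDAP account; only after that does the common-auth pam_ldap line matter.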