Home / ubuntu / Questions / 127389
In Process
felip3
Asked: 2012-04-29 16:13:39 +0800 CST

How to configure Ubuntu as an LDAP client?

  • 772

How to configure Ubuntu 12.04 as LDAP client with PAM modules?

ldap client

5 Answers

  1. The contents of this post are based on this guide. It should work fine in 12.04.

    1. Issue the following command:

      sudo apt-get install ldap-utils libpam-ldap libnss-ldap nslcd

      Note: During the installation of the above packages a dialog will pop up and ask about some LDAP configuration. Be sure to enter the correct values for your LDAP configuration.

    2. Edit /etc/nsswitch.conf (via sudo). Append "ldap" to these lines:

      #Original file looks like this 
passwd: compat 
group : compat  
shadow: compat 

#After appending "ldap" lines look like these
passwd: compat ldap
group : compat ldap  
shadow: compat ldap

    3. Comment out the line rootbinddn, I'm not sure why we need to do that.

    4. Edit /etc/pam.d/login (via sudo) and paste:

      session required pam_mkhomedir.so skel=/etc/skel umask=0022

    5. Edit /etc/pam.d/lightdm (via sudo) and paste:

      session required pam_mkhomedir.so skel=/etc/skel umask=0022

    6. Issue this command:

      sudo update-rc.d nslcd enable

    You should be able to log in as an LDAP user after a reboot. If you don't reboot the machine, you must restart nscd with:

    /etc/init.d/nscd restart

    Likely problems and solutions:

    • Logging in as an LDAP user takes a very long time (minutes): It's very likely that nss-lap is having problems finding the user's group. Make sure that the user is in a group recognized locally, or that the user is in a group defined in LDAP. Make sure that, if the group is defined in LDAP, that it's a real POSIX group.
    • Always check the /var/log/auth.log log file. If you see "unable to contact ldap server", check whether the LDAP server is reachable and the port is open.
    • Try to ping the LDAP server by name
    • Try to check whether the LDAP port is open:
      • LDAP can listen on different ports, but can usually be found on 389 and 636
      • You can check that a port is open by using telnet:
      • telnet 389 or telnet 636
      • If you see any characters on the console then the port is open and the LDAP server should be running.
      • If you see nothing or get an error message, either the LDAP server is not running or something (such as a firewall) is preventing the connection.
    • 16

  2. To get the home directory automatically created on login, I had to put the line:

    session required pam_mkhomedir.so skel=/etc/skel umask=0022

    into /etc/pam.d/common-session instead of /etc/pam.d/login - when I just had it in the later my home directory was not created.

    • 5 
  3. sudo apt-get install ldap-utils libpam-ldap libnss-ldapd nslcd

    Use libnss-ldapd instead.

    Per bug:https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1024475

    • 2

  4. In order to have the option to type in usernames, you have to modify the lightdm configuration with the following command:

    /usr/lib/lightdm/lightdm-set-defaults -m true
    • 1

  5. Regarding typing usernames into the ligthdm greeter, as of 16.04, the lightdm-set-defaults command is gone.

    Instead, you can add the option for typing usernames to the lightdm config file. For example, create the file /etc/lightdm/lightdm.conf and add the following lines: 

    [SeatDefaults]
greeter-show-manual-login=true
    • 0