The problem is that that guide is wrong, or at least sub-optimal.
/etc/pam.d/common-auth should have:
auth sufficient pam_unix.so nullok_secure nodelay
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
That says that either pam_unix or pam_ldap is sufficient to log in, and any login failing both of those is denied. It tries local unix login first, which is extremely useful if your LDAP server is down or unreachable and you still need to log in as a local user.
It also uses 'use_first_pass' rather than 'try_first_pass'. They are very similar, except that it won't prompt for a password again if the first is wrong.
see the man pages for pam_unix and pam_ldap for more details.
BTW, adding the following to /etc/pam.d/common-session is very useful:
session required pam_limits.so
It allows you to use /etc/security/limits.conf and access.conf etc. to have very fine control over which users are allowed to log in (e.g. I limit ssh logins on my servers to members of the admins group), and also to set resource limits (memory, maxlogins, nice priority, etc.) for their login.
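To see why the ordering in that common-auth stack matters, here is a small model of how PAM walks an auth stack (sufficient stops the stack on success and is ignored on failure; required failure is remembered but later modules still run; requisite stops immediately). This is an added example, not part of the answer above and not Linux-PAM code: the per-module results are supplied by hand as a dictionary, and the password-prompt counting follows the answer's own description of use_first_pass versus try_first_pass rather than the full module semantics.

```python
"""Simplified model of PAM auth-stack evaluation, used to check the
common-auth ordering recommended above.  Constructed example: module
results are supplied by hand, nothing here talks to real PAM."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SUCCESS, AUTH_ERR, UNAVAILABLE = "success", "auth_err", "unavailable"

# The stack from the answer, verbatim.
COMMON_AUTH = """\
auth sufficient pam_unix.so nullok_secure nodelay
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""

@dataclass
class Rule:
    control: str              # required | requisite | sufficient | optional
    module: str               # e.g. pam_unix.so
    options: Tuple[str, ...] = ()

def parse_stack(text: str) -> List[Rule]:
    """Parse 'type control module [options...]' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, control, module, *opts = line.split()
        rules.append(Rule(control, module, tuple(opts)))
    return rules

def run_stack(rules: List[Rule], outcomes: Dict[str, str]) -> Tuple[bool, int, List[str]]:
    """Evaluate the stack.

    outcomes maps a module name to the result it would return for this login;
    pam_deny.so need not be listed because it always fails.
    Returns (access_granted, password_prompts, trace).
    """
    trace: List[str] = []
    prompts, have_password, required_failed, saw_required = 0, False, False, False
    for rule in rules:
        result = outcomes.get(rule.module, AUTH_ERR)
        if rule.module != "pam_deny.so":          # pam_deny never asks for anything
            reuse = have_password and (
                "use_first_pass" in rule.options or "try_first_pass" in rule.options)
            if not reuse:
                prompts += 1                      # module collects a password itself
                have_password = True
            elif "try_first_pass" in rule.options and result != SUCCESS:
                prompts += 1                      # per the answer: try_first_pass asks again
        trace.append(f"{rule.control:<10} {rule.module:<12} -> {result}")
        if rule.control == "sufficient":
            if result == SUCCESS and not required_failed:
                trace.append("sufficient module succeeded: stop, access granted")
                return True, prompts, trace
            # a failing 'sufficient' module is simply skipped
        elif rule.control in ("required", "requisite"):
            saw_required = True
            if result != SUCCESS:
                if rule.control == "requisite":
                    trace.append("requisite module failed: stop, access denied")
                    return False, prompts, trace
                required_failed = True            # keep going, but the answer is already 'no'
        elif rule.control != "optional":
            raise ValueError(f"unknown control flag {rule.control!r}")
    if required_failed or not saw_required:
        trace.append("end of stack without a grant: access denied")
        return False, prompts, trace
    return True, prompts, trace

def login(stack_text: str, outcomes: Dict[str, str]) -> Tuple[bool, int]:
    """Convenience wrapper: (granted, prompts) for one login attempt."""
    granted, prompts, _ = run_stack(parse_stack(stack_text), outcomes)
    return granted, prompts

if __name__ == "__main__":
    cases = {
        "local admin, LDAP unreachable": {"pam_unix.so": SUCCESS, "pam_ldap.so": UNAVAILABLE},
        "LDAP user, LDAP up":            {"pam_unix.so": AUTH_ERR, "pam_ldap.so": SUCCESS},
        "LDAP user, LDAP unreachable":   {"pam_unix.so": AUTH_ERR, "pam_ldap.so": UNAVAILABLE},
        "wrong password everywhere":     {"pam_unix.so": AUTH_ERR, "pam_ldap.so": AUTH_ERR},
    }
    for name, outcomes in cases.items():
        granted, prompts, trace = run_stack(parse_stack(COMMON_AUTH), outcomes)
        print(f"{name}: granted={granted} prompts={prompts}")
        for line in trace:
            print("   ", line)
```

The "local admin, LDAP unreachable" case is the one the answer is making a point about: pam_unix is consulted first, so a local account still gets in with a single password prompt when the directory is down, while an LDAP-only account is refused rather than silently accepted.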
The short answer
Use ldapmodify exactly like you would on a regular ldap entry with multi-valued attributes.
That's pretty much what I expected, but I wasn't 100% sure, due to the {N} indexing that you see when you run an ldap search for the schema.
The long answer
First, find your schema's dn. Something like cn={4}test,cn=schema,cn=config
Then write an ldif file and apply it to your directory. On Ubuntu 12.04 I applied it as root with:
ldapmodify -Q -Y EXTERNAL -H ldapi:// -f test.ldif
The part I had issues with was the ldif modify syntax, and what to do with the {N} indexes.
So, the start of your ldif file should be something like:
version: 1
dn: cn={N}test,cn=schema,cn=config
changetype: modify
To modify an objectClass:
delete: olcObjectClasses
olcObjectClasses: <old value>
-
add: olcObjectClasses
olcObjectClasses: <new value>
To modify an attribute:
delete: olcAttributeTypes
olcAttributeTypes: <old value>
-
add: olcAttributeTypes
olcAttributeTypes: <new value>
Some tips I figured out about syntax:
- Ignore the {N} indexes in your ldif file. They get fixed automatically.
- You do need the {N} in your schema's DN.
- Remember the '-' between statements.
- Don't put a new line after the '-'. ldapmodify stops at that new line, so anything after it will not be executed.
- Add new attributes before you modify the objectClass to include them.
- Eliminate all tab characters. They cause the system to produce gibberish.
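Because most of the trouble in this answer came from the LDIF itself (the {N} indexes, the '-' separators, stray tabs), here is a small generator plus a lint pass that encodes those tips. It is an added example, not part of the answer: the DN, the attribute and objectClass definitions and the OID arc 1.3.6.1.4.1.99999 are constructed placeholders, and the lint only catches the pitfalls listed above, not every way an LDIF can be malformed.

```python
"""Build and sanity-check a cn=config schema-modify LDIF.
Added example, not from the original answer; DN and schema values are
constructed placeholders.  Apply the output exactly as the answer shows:
    ldapmodify -Q -Y EXTERNAL -H ldapi:// -f test.ldif"""
import re
from typing import List, Tuple

INDEX_RE = re.compile(r"^\{\d+\}")
# Attribute types must exist before an objectClass can reference them (tip above).
ORDER = {"olcAttributeTypes": 0, "olcObjectClasses": 1}

Change = Tuple[str, str, str]   # (attribute, old value, new value)

def strip_index(value: str) -> str:
    """Remove the leading {N} that ldapsearch shows; slapd re-numbers on its own."""
    return INDEX_RE.sub("", value.strip(), count=1).strip()

def build_schema_modify(dn: str, changes: List[Change]) -> str:
    """Emit one changetype: modify record with a delete/add pair per change."""
    lines = ["version: 1", f"dn: {dn}", "changetype: modify"]
    for attr, old, new in sorted(changes, key=lambda c: ORDER.get(c[0], 9)):
        lines += [f"delete: {attr}", f"{attr}: {strip_index(old)}", "-",
                  f"add: {attr}", f"{attr}: {strip_index(new)}", "-"]
    return "\n".join(lines) + "\n"

def lint_ldif(ldif: str) -> List[str]:
    """Return the problems from the answer's tip list that are present in ldif."""
    problems: List[str] = []
    lines = ldif.splitlines()
    if "\t" in ldif:
        problems.append("tab character present; replace with spaces")
    dn_lines = [ln for ln in lines if ln.startswith("dn: ")]
    if not dn_lines:
        problems.append("missing dn: line")
    elif "cn=schema,cn=config" in dn_lines[0] and not re.search(r"cn=\{\d+\}", dn_lines[0]):
        problems.append("schema DN lacks its {N} index")
    for i, line in enumerate(lines):
        if line == "-" and i + 1 < len(lines) and lines[i + 1].strip() == "":
            problems.append(f"line {i + 2}: blank line after '-' ends the record early")
        if re.match(r"^(add|delete|replace): ", line) and i > 0 \
                and lines[i - 1] not in ("-", "changetype: modify"):
            problems.append(f"line {i + 1}: missing '-' before this mod")
        if line.startswith(("olcAttributeTypes:", "olcObjectClasses:")) \
                and INDEX_RE.match(line.split(":", 1)[1].strip()):
            problems.append(f"line {i + 1}: drop the {{N}} prefix from the value")
    return problems

# Constructed placeholder schema values (OID arc 1.3.6.1.4.1.99999 is not real).
OLD_AT = ("{0}( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'placeholder' "
          "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )")
NEW_AT = OLD_AT.replace("{0}", "").replace("placeholder", "placeholder v2")
OLD_OC = ("{0}( 1.3.6.1.4.1.99999.2.1 NAME 'exampleObject' SUP top AUXILIARY "
          "MAY ( description ) )")
NEW_OC = OLD_OC.replace("{0}", "").replace("( description )", "( description $ exampleAttr )")

if __name__ == "__main__":
    ldif = build_schema_modify("cn={4}test,cn=schema,cn=config",
                               [("olcObjectClasses", OLD_OC, NEW_OC),
                                ("olcAttributeTypes", OLD_AT, NEW_AT)])
    print(ldif)
    print("lint:", lint_ldif(ldif) or "clean")
```

Note that the generator orders the olcAttributeTypes change before the olcObjectClasses change regardless of the order you pass them in, which is the tip about adding attributes before the objectClass that references them.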
Best Answer
Can you ping/access the ldap server from the client ? What about the other way around ?
You'll also want to make sure that ports 389 (ldap) or 636 (ldapSSL) are opened. A tool like nmap (apt-get install nmap):
Will usually let you know if your ports are closed, filtered or opened.
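For the port part of that answer, here is a plain-socket check that reports the same three states nmap would (open, closed, filtered) for 389 and 636, so you can run it from the client without installing anything. It is an added example, not part of the answer; the local_listener helper only exists so the checker can be exercised against 127.0.0.1 offline.

```python
"""Reachability check for the LDAP ports named in the answer above.
Added example, not part of the answer; classifies a TCP connect the way
nmap reports open / closed / filtered.  Point it at your own LDAP server."""
import socket
from typing import Dict, Tuple

LDAP_PORTS = {389: "ldap", 636: "ldaps"}

def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and translate the outcome into an nmap-style state."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"                 # something accepted the connection
    except ConnectionRefusedError:
        return "closed"               # host reachable, nothing listening (RST came back)
    except socket.timeout:
        return "filtered"             # no reply at all: firewall or routing problem
    except socket.gaierror:
        return "unresolvable"         # DNS failure: fix name resolution first
    except OSError as exc:
        return f"unreachable ({exc.strerror})"   # e.g. no route to host
    finally:
        sock.close()

def check_ldap_ports(host: str, timeout: float = 3.0) -> Dict[str, str]:
    """State of both LDAP ports on host, keyed as '389/ldap' and '636/ldaps'."""
    return {f"{port}/{name}": check_tcp_port(host, port, timeout)
            for port, name in LDAP_PORTS.items()}

def local_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on 127.0.0.1 so the checker can be tried offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in check_ldap_ports(host).items():
        print(f"{host} {port}: {state}")
```

A "filtered" result from the client combined with "open" when run on the server itself is the usual sign of a firewall in between; "closed" on the server means slapd is not listening on that port at all.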