Ubuntu – LDAP System Authentication in Ubuntu

ldapopenldapUbuntu

I'm having a bit of an issue with system authentication against LDAP in Ubuntu.
The LDAP server is OpenLDAP on Ubuntu 10.10, and the client is Ubuntu 10.10 also. I've set up the client by following the "LDAP Authentication" steps at https://help.ubuntu.com/10.10/serverguide/C/openldap-server.html

apt-get install libnss-ldap; auth-client-config -t nss -p lac_ldap; pam-auth-update

I've done these steps on the server and been able to see LDAP users when running getent passwd. Doing the same steps on the client, getent passwd does not return any LDAP users.

Any ideas?

Best Answer

Can you ping/access the ldap server from the client ? What about the other way around ?

You'll also want to make sure that ports 389 (ldap) or 636 (ldapSSL) are opened. A tool like nmap (apt-get install nmap):

nmap <IP address> -p389 or
nmap <IP address> -p636

Will usually let you know if your ports are closed, filtered or opened.

Related Solutions

Linux – Ubuntu OS X LDAP Authentication

the problem is that that guide is wrong, or at least sub-optimal.

/etc/pam.d/common-auth should have:

auth sufficient pam_unix.so nullok_secure nodelay
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

that says that either pam_unix or pam_ldap are sufficient to login, and any login failing both of those is denied. it tries local unix login first - which is extremely useful if your LDAP server is down or unreachable and you still need to login as a local user.

it also uses 'use_first_pass' rather than 'try_first_pass'...they are very similar except that it won't prompt for a password again if the first is wrong.

see the man pages for pam_unix and pam_ldap for more details.

BTW, adding the following to /etc/pam.d/common-session is very useful:

session required pam_limits.so

it allows you to use /etc/security/limits.conf and access.conf etc to have very fine control over which users are allowed to login (e.g. i limit ssh logins on my servers to members of the admins group), and also set resource limits (memory, maxlogins, nice priority, etc) for their login.

LDAP Attribute – How to Add a New Attribute to an Existing LDAP Objectclass

The short answer

Use ldapmodify exactly like you would on a regular ldap entry with multi-valued attributes.

That's pretty much what I expected, but I wasn't 100% sure, due to the {N} indexing that you see when you run an ldap search for the schema.

The long answer

First, find your schema's dn. Something like cn={4}test,cn=schema,cn=config Then write an ldif file and apply it to your directory. On Ubuntu 12.04 I applied it as root with:

ldapmodify -Q -Y EXTERNAL -H ldapi://  -f test.ldif

The part I had issues with was the ldif modify syntax, and what to do with the {N} indexes.

So, the start of your ldif file should be something like:

version: 1

dn: cn={N}test,cn=schema,cn=config
changetype: modify

To modify an objectClass:

delete: olcObjectClasses
olcObjectClasses: <old value>
-
add: olcObjectClasses
olcObjectClasses: <new value>

To modify an attribute:

delete: olcAttributeTypes
olcAttributeTypes: <old value>
-
add: olcAttributeTypes
olcAttributeTypes: <new value>

Some tips I figured out about syntax:

Ignore the {N} indexes in your ldif file. They get fixed automatically.
You do need the {N} in your schema's DN.
Remember the '-' between statements.
Don't put a new line after the '-'. ldapmodify stops at that new line, so anything after it will not be executed.
Add new attributes before you modify the objectClass to include them.
Eliminate all tab characters. They cause the system to produce gibberish.