Hi again,
Whether the server should be an LDAP client as well depends on what you want. It can be, but it doesn't have to. Technically there's no harm either way, but remember to always have a local (non-LDAP) root user that can access the server even if LDAP breaks. And security-wise you usually wouldn't want normal users logging on to your servers.
The PAM settings as well as the /etc/ldap.conf and /etc/nsswitch.conf settings are needed on all clients that should use LDAP authentication.
The /etc/ldap/ldap.conf is needed on the server in any case.
I have no current documentation for LDAP client auth lying around here, as we use Kerberos. However, I stumbled upon an older config that you can look at. Not sure if it works with Karmic though, and it doesn't utilize cached credentials.
You'd need the package ldap-auth-client.
This is the content of the /etc/ldap.conf:
Code:
# Pre-configured values
base dc=home,dc=ro
uri ldap://ldap.home.ro
ldap_version 3
pam_password md5
# Own settings
ssl start_tls
tls_checkpeer yes
use_sasl yes
bind_policy soft
nss_base_passwd ou=users,ou=accounts,dc=home,dc=ro?one
nss_base_group ou=groups,ou=accounts,dc=home,dc=ro?one
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,saned,sync,sys,syslog,uucp,vboxadd,www-data
/etc/ldap/ldap.conf:
Code:
BASE dc=home,dc=ro
URI ldap://ldap.home.ro
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/cacert_home.pem
/etc/nsswitch.conf:
Code:
...
passwd: files ldap
group: files ldap
...
/etc/pam.d/common-auth:
Code:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account:
Code:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
/etc/pam.d/common-password:
Code:
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
/etc/pam.d/common-session:
Code:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0027
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_ck_connector.so nox11
Hope it can give you an idea at least.
Cheers,
Robert
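To see why the `[success=N default=ignore]` counts in the common-auth stack above matter (a miscounted jump either locks local users out or skips pam_deny), here is a small simulator of Linux-PAM control-flag semantics as described in pam.conf(5). It is an added example, not Robert's code or anything from the thread; the module return values are constructed and supplied by the caller rather than obtained from a real PAM run.

```python
import re

# Keyword shorthands, expanded to the bracketed form given in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# The common-auth stack from the post, embedded verbatim for the simulation.
COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

def parse_stack(text):
    """Return a list of (actions, module); actions maps a return value to an action."""
    stack = []
    for line in text.strip().splitlines():
        ctrl, module = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
        ctrl = KEYWORDS.get(ctrl, ctrl)
        stack.append((dict(kv.split("=") for kv in ctrl.strip("[]").split()), module))
    return stack

def run_stack(text, results):
    """Walk the stack and return (final status, modules actually called).
    results maps a module to the constructed value it returns; pam_permit and
    pam_deny are fixed, and any other unlisted module is treated as failing."""
    results = {"pam_permit.so": "success", "pam_deny.so": "auth_err", **results}
    status, called, i = None, [], 0
    stack = parse_stack(text)
    while i < len(stack):
        actions, module = stack[i]
        ret = results.get(module, "auth_err")
        called.append(module)
        action = actions.get(ret, actions.get("default", "bad"))  # unlisted -> default, else bad
        if action == "reset":
            status = None
        elif action != "ignore" and status in (None, "success"):
            status = ret                      # a recorded failure is never overridden
        if action == "die" or (action == "done" and status == "success"):
            break                             # die always stops; done stops only on success
        i += int(action) if action.isdigit() else 0   # N: jump over the next N modules
        i += 1
    return status or "auth_err", called       # a stack that records nothing is a failure

if __name__ == "__main__":
    print(run_stack(COMMON_AUTH, {"pam_unix.so": "success"}))
    print(run_stack(COMMON_AUTH, {"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}))
    print(run_stack(COMMON_AUTH, {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err"}))
```

Replacing `success=2` with `success=1` on the pam_unix line makes a successful local login land on pam_deny, which is exactly the lockout the advice about keeping a local root account guards against.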