
Thread: HowTo: OpenLDAP and Karmic

  1. #11
    Join Date
    Nov 2009
    Beans
    5

    Re: HowTo: OpenLDAP and Karmic

    Hey guys,

    I'm new to ldap and I am having a little trouble with this. I followed the directions in the first post and it seems like everything is working. I then set up an ldap client, installed the required packages (libpam-ldap, libnss-ldap, nss-updatedb, libnss-db), and did the necessary configurations. End result: I can't seem to log into the client with a user account. I installed ldapfinger on the client and was able to finger all the users I've set up on the server, but I still don't understand why it wouldn't allow logins. Am I missing something?

    Forgot to add that it's running Ubuntu 9.10 64bit server.

    Thanks!
    Last edited by calitaco; November 16th, 2009 at 07:36 PM.

  2. #12
    Join Date
    Dec 2008
    Location
    Milano
    Beans
    7
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: HowTo: OpenLDAP and Karmic

    From the very bottom of my very limited knowledge I think I had a similar problem: I had to change the domain in all the occurrences in the files posted above, and then I also had to change the LDAP password, changing it in the files (also the encrypted one). Can't say more, I'm really a newbie.

  3. #13
    Join Date
    Nov 2009
    Beans
    5

    Re: HowTo: OpenLDAP and Karmic

    Yes, I had to do that too to match my domain. I have a feeling I must have missed something along the way. And I thought NIS+ was bad.

  4. #14
    Join Date
    Nov 2009
    Beans
    5

    Re: HowTo: OpenLDAP and Karmic

    I've made some progress. By changing uri ldap:/// to uri ldap:// I was able to su to the user now, but I still can't log in normally on the client. Why it defaulted to the 3 slashes, I don't know. Also, when I tried to chown the user's directory to the user's login name on the server, it complains that the user doesn't exist. I shared the /home directory from the server to the client to have a common home directory for all users. Is this the correct way to do it?

    Another Question:
    Does the user's home directory get auto created during user account creation? Currently I have to manually create them. FYI, I'm using ldapadduser that came with the package ldapscripts.

    Does the ldap server need to be its own client?

    Any help is appreciated.

  5. #15
    Join Date
    Nov 2006
    Beans
    83

    Re: HowTo: OpenLDAP and Karmic

    Hey calitaco,
    well, LDAP Client Authentication is another issue really, but it works in Karmic as well.

    First, home directory creation has to be activated manually by adding this line to /etc/pam.d/common-session (quite at top of the file; depending on your setup):

    Code:
    session		required	pam_mkhomedir.so skel=/etc/skel/ umask=0027
    For the authentication issue have a look at this thread.

    Cheers,
    Robert

  6. #16
    Join Date
    Nov 2009
    Beans
    5

    Re: HowTo: OpenLDAP and Karmic

    Thanks for the response, Robert.

    The thing that confuses me is that there's no mention of what machine these settings need to be on, client or server.

    I added that line on the server and when I run ldapadduser, it created the user but not the home directory. But it did automatically create it on the client when I su to the user. Still can't log in to the client though, even after modifying the files suggested in that link you sent.

    Does the server also need to be an ldap client? Currently it isn't. I've made so many different changes that I think I might need to start from scratch again.

    Thanks,
    Pete

  7. #17
    Join Date
    Nov 2006
    Beans
    83

    Re: HowTo: OpenLDAP and Karmic

    Hi again,

    Whether the server should be an ldap client as well depends on what you want. It can be, but it doesn't have to be. Technically there's no harm either way, but remember to always have a local (non-LDAP) root user that can access the server even if LDAP breaks. And security-wise you usually wouldn't want normal users to log on to your servers.

    The pam settings as well as the /etc/ldap.conf and /etc/nsswitch.conf settings are needed on all clients that should use ldap authentication.

    The /etc/ldap/ldap.conf is needed on the server in any case.

    I have no current documentation for LDAP client auth lying around here, as we use kerberos. However I stumbled upon an older config that you can look at. Not sure if it works with karmic though, and it doesn't utilize cached credentials.

    You'd need the package ldap-auth-client.

    This is the content of the /etc/ldap.conf:

    Code:
    # Pre-configured values 
    base				dc=home,dc=ro 
    uri				ldap://ldap.home.ro 
    ldap_version			3 
    pam_password			md5 
    
    # Own settings 
    ssl				start_tls 
    tls_checkpeer			yes 
    use_sasl			yes 
    bind_policy			soft 
    nss_base_passwd			ou=users,ou=accounts,dc=home,dc=ro?one 
    nss_base_group			ou=groups,ou=accounts,dc=home,dc=ro?one	 
    nss_initgroups_ignoreusers	avahi,avahi-autoipd,backup,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,saned,sync,sys,syslog,uucp,vboxadd,www-data
    /etc/ldap/ldap.conf:

    Code:
    BASE		dc=home,dc=ro 
    URI		ldap://ldap.home.ro 
    TLS_REQCERT	demand 
    TLS_CACERT      /etc/ssl/certs/cacert_home.pem
    /etc/nsswitch.conf:

    Code:
    ...
    passwd:         files ldap
    group:          files ldap
    ...
    /etc/pam.d/common-auth:

    Code:
    auth	[success=2 default=ignore]	pam_unix.so nullok_secure 
    auth	[success=1 default=ignore]	pam_ldap.so use_first_pass 
    auth	requisite			pam_deny.so 
    auth	required			pam_permit.so
    /etc/pam.d/common-account:

    Code:
    account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so 
    account	[success=1 default=ignore]	pam_ldap.so 
    account	requisite			pam_deny.so 
    account	required			pam_permit.so
    /etc/pam.d/common-password:

    Code:
    password	[success=2 default=ignore]	pam_unix.so obscure sha512 
    password	[success=1 user_unknown=ignore default=die]	pam_ldap.so use_authtok try_first_pass 
    password	requisite			pam_deny.so 
    password	required			pam_permit.so
    /etc/pam.d/common-session:

    Code:
    session	required			pam_mkhomedir.so skel=/etc/skel/ umask=0027
    session	[default=1]			pam_permit.so 
    session	requisite			pam_deny.so 
    session	required			pam_permit.so 
    session	required			pam_unix.so 
    session	optional			pam_ldap.so 
    session	optional			pam_ck_connector.so nox11
    Hope it can give you an idea at least.

    Cheers,
    Robert
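The `[success=N default=ignore]` controls in the common-auth and common-account stacks above decide whether a user gets in when only one of pam_unix / pam_ldap knows them. This added example (not from the thread or from any Ubuntu package) is a small simulator of Linux-PAM's stack walk, run over a constructed copy of the posted common-auth file, so you can see why every combination except "both modules fail" ends in pam_permit and why the pam_deny line has to stay.

```python
import re

# Constructed copy of the /etc/pam.d/common-auth stack posted above.
COMMON_AUTH = """\
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""
KEYWORDS = {  # keyword controls written out as their Linux-PAM [...] equivalents
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
}
LINE_RE = re.compile(r"^\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)")
ALWAYS = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}  # fixed-result modules

def parse_stack(text):
    """Return [(control-map, module), ...] for one pam.d file."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                      # blank or comment line
            continue
        control, module = m.groups()
        ctl = (dict(kv.split("=", 1) for kv in control[1:-1].split())
               if control.startswith("[") else KEYWORDS[control])
        rules.append((ctl, module))
    return rules

def walk(rules, returns):
    """Simulate the stack walk. `returns` maps module -> PAM return code
    ('success' or an error such as 'auth_err'); unlisted modules fail."""
    verdict, i = None, 0               # verdict: None, 'ok' or 'bad'
    while i < len(rules):
        ctl, module = rules[i]
        ret = ALWAYS.get(module, returns.get(module, "auth_err"))
        action = ctl.get(ret, ctl["default"])
        if action.isdigit():           # success=N: skip the next N rules
            verdict = verdict or ("ok" if ret == "success" else None)
            i += int(action) + 1
            continue
        if action in ("die", "done"):  # stop the walk right here
            return "success" if action == "done" and verdict != "bad" else "fail"
        if action == "bad":
            verdict = "bad"
        elif action == "ok":
            verdict = verdict or "ok"
        i += 1                         # 'ignore' just moves on
    return "success" if verdict == "ok" else "fail"
```

Feed `walk()` a stack from which the pam_deny line has been removed and it returns success even when both pam_unix and pam_ldap fail, because the walk falls straight through to pam_permit.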

  8. #18
    Join Date
    Nov 2009
    Beans
    5

    Re: HowTo: OpenLDAP and Karmic

    Finally got it to work. I installed the client on a different machine and it worked. I must have messed something up on the old client. This is all I did on the new client.

    apt-get install libnss-ldap
    auth-client-config -t nss -p lac_ldap
    pam_auth_update

    #/etc/ldap.conf file
    base dc=removed,dc=com
    uri ldap://172.20.0.46/
    ldap_version 3
    rootbinddn cn=admin,dc=removed,dc=com
    bind_policy soft
    pam_password md5
    nss_base_passwd ou=people,dc=removed,dc=com?one
    nss_base_group ou=groups,dc=removed,dc=com?one

    #/etc/pam.d/common-session add entry
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0027

    Here's a strange thing though, every user's home directory is created with "nobody" as the owner but the group name is normal. Any ideas?
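The two /etc/ldap.conf files in this thread differ in exactly the settings a defender cares about: Robert's turns on start_tls and certificate checking, Pete's binds over plain ldap:// and puts rootbinddn (and therefore the admin password in /etc/ldap.secret) on the client. This added check is not from the thread; it parses the pam_ldap/nss_ldap "key value" format and flags those settings, using constructed, abridged copies of both configs as input.

```python
from urllib.parse import urlsplit

# Constructed, abridged copies of the two /etc/ldap.conf files posted above.
ROBERT_CONF = """\
base            dc=home,dc=ro
uri             ldap://ldap.home.ro
ldap_version    3
pam_password    md5
ssl             start_tls
tls_checkpeer   yes
bind_policy     soft
"""
PETE_CONF = """\
base dc=removed,dc=com
uri ldap://172.20.0.46/
ldap_version 3
rootbinddn cn=admin,dc=removed,dc=com
bind_policy soft
pam_password md5
"""

def parse_ldap_conf(text):
    """Parse 'key<whitespace>value' lines into a dict with lower-cased keys."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def audit(conf):
    """Return a list of findings about transport security and stored credentials."""
    findings = []
    schemes = {urlsplit(u).scheme.lower() for u in conf.get("uri", "").split()}
    ssl = conf.get("ssl", "").lower()
    encrypted = ssl in ("start_tls", "on") or "ldaps" in schemes
    if not encrypted:
        findings.append("cleartext: no 'ssl start_tls' and no ldaps:// URI; "
                        "bind passwords cross the network unencrypted")
    if encrypted and conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is not verified")
    if "rootbinddn" in conf:
        findings.append("rootbinddn set: the directory admin password must be stored "
                        "in /etc/ldap.secret on this client")
    return findings
```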

  9. #19
    Join Date
    Nov 2006
    Beans
    83

    Re: HowTo: OpenLDAP and Karmic

    Great it works now!

    Regarding the home directory owner... hmm, no idea. That's strange indeed and I haven't experienced something similar. A user's home directory should be created with the user's uid as owner and his primary group cn as group.

  10. #20
    Join Date
    Jun 2007
    Beans
    18

    Re: HowTo: OpenLDAP and Karmic

    Hi,

    I have followed the how to. When I try to login via phpldapadmin, it lets me, but the domain is still set to dc=example,dc=com, i.e. I get:

    Logged in as: cn=admin,dc=my,dc=domain,dc=org
    ---> dc=example,dc=com

    Can anyone point me to the silly mistake I must have made?

    Thanks!
