Re: pam ldap help - answer
While some people don't feel this is the place for help configuring
pam/nss with LDAP support, well, I've done it, and it's easy, so here it
goes. As always, YMMV. If you get stuck, the padl.com lists *are* the
best places for help, but there seem to be enough people trying to do this
here that this may be of use.
Installing pam-ldap and libnss-ldap on Debian is *easy*. Install the
packages with 'apt-get install libpam-ldap libnss-ldap'. Configure the
/etc/pam_ldap.conf and /etc/libnss-ldap.conf files as appropriate -
basically 'host', 'base', 'ldap_version', 'binddn' and 'bindpw' are the
major options (the rest worked out of the box for me). FWIW, I recommend
setting up a separate ldap user and ACL for access to userpassword fields,
but you can certainly test/configure using the admin/root user, if you'd
like.
/etc/nsswitch.conf just needs the passwd: shadow: and groups: set
to 'files ldap'.
PAM configuration is a bit tricky, but my login file reads like:
auth requisite pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8
man pam.conf if you don't understand how the pam configs work. For
instance, only 'auth' is required for sudo, and 'password' is not required
for su.
Finally, note that the padl.com stuff only lets you specify *one* LDAP
server to bind, thus if it's down, you won't be able to log in, except
local users. Some people have said they've had luck configuring the Linux
Virtual Server, so that may be an option. I myself have been looking at
modifying the padl.com modules to support multiple servers, but have been
busy as of late.
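Since the control flags are the part of the PAM config the post calls tricky, here is an added example (not from the original mail or from padl.com) that walks the posted 'auth' stack for /etc/pam.d/login with the Linux-PAM meaning of requisite/required/sufficient/optional. The module results are constructed stand-ins for what pam_securetty, pam_nologin, pam_env, pam_ldap and pam_unix would return in each scenario; no real PAM or LDAP is involved. It also shows the failure mode the post warns about (single LDAP server down) and what happens if pam_ldap is mistakenly marked 'required' instead of 'sufficient'.

```python
"""Simulate how Linux-PAM walks an 'auth' stack with the four simple control
flags. Added example; module outcomes below are constructed stand-ins."""

# The 'auth' lines from the posted /etc/pam.d/login, as (control, module).
LOGIN_AUTH_STACK = [
    ("requisite", "pam_securetty.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),  # nullok use_first_pass in the posted file
]

# Same stack with pam_ldap marked 'required': a common mistake that locks out
# local users whenever the single LDAP server is unreachable.
LOGIN_AUTH_STACK_LDAP_REQUIRED = [
    ("required" if m == "pam_ldap.so" else c, m) for c, m in LOGIN_AUTH_STACK
]


def run_stack(stack, results):
    """Walk a PAM stack and return (final_result, modules_consulted).

    `results` maps module name -> True (PAM_SUCCESS) or False (any failure).
    Semantics follow the documented meaning of the keywords:
      requisite  - failure ends the stack immediately with failure
      required   - failure is remembered, but the rest still runs (so the
                   caller cannot tell which required module failed)
      sufficient - success ends the stack with success, unless a required
                   module already failed; failure is simply ignored
      optional   - only decides the result if it is the only module
    """
    consulted = []
    required_failed = False
    for control, module in stack:
        ok = results.get(module, False)  # constructed stand-in outcome
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, consulted
        if control == "optional" and len(stack) == 1:
            return ok, consulted
    return (not required_failed), consulted


def ldap_user_login(ldap_up=True, stack=LOGIN_AUTH_STACK):
    """LDAP-only account on a secure tty; there is no /etc/shadow entry."""
    results = {
        "pam_securetty.so": True,
        "pam_nologin.so": True,
        "pam_env.so": True,
        "pam_ldap.so": ldap_up,   # bind succeeds only if the server is reachable
        "pam_unix.so": False,     # local lookup fails for an LDAP-only user
    }
    return run_stack(stack, results)


def local_user_login(stack=LOGIN_AUTH_STACK):
    """Local /etc/shadow account: pam_ldap fails (user absent from LDAP, or the
    server is down) but pam_unix reuses the typed password via use_first_pass."""
    results = {
        "pam_securetty.so": True,
        "pam_nologin.so": True,
        "pam_env.so": True,
        "pam_ldap.so": False,
        "pam_unix.so": True,
    }
    return run_stack(stack, results)


def root_on_insecure_tty():
    """root on a tty not listed in /etc/securetty: requisite short-circuits."""
    results = {"pam_securetty.so": False}
    return run_stack(LOGIN_AUTH_STACK, results)


if __name__ == "__main__":
    print("LDAP user, server up:   ", ldap_user_login(True))
    print("LDAP user, server down: ", ldap_user_login(False))
    print("local user, sufficient: ", local_user_login())
    print("local user, required:   ", local_user_login(LOGIN_AUTH_STACK_LDAP_REQUIRED))
    print("root, insecure tty:     ", root_on_insecure_tty())
```

Two things worth noticing in the output: with pam_ldap as 'sufficient', a successful LDAP auth never reaches pam_unix at all, while a local user still gets in when LDAP is unreachable, which is exactly why local accounts survive the single-server outage described above. Flip pam_ldap to 'required' and the same local login fails even though pam_unix succeeded, so keep pam_ldap 'sufficient' (or use a stack with failover) if you want a local root to remain usable during an LDAP outage.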