How to configure Ubuntu 12.04 as LDAP client with PAM modules?
5 Answers
The contents of this post are based on this guide. It should work fine in 12.04.
Issue the following command:
sudo apt-get install ldap-utils libpam-ldap libnss-ldap nslcd
Note: During the installation of the above packages a dialog will pop up and ask about some LDAP configuration. Be sure to enter the correct values for your LDAP configuration.
Edit /etc/nsswitch.conf (via sudo). Append "ldap" to these lines:
#Original file looks like this
passwd: compat
group : compat
shadow: compat
#After appending "ldap" the lines look like these
passwd: compat ldap
group : compat ldap
shadow: compat ldap
Comment out the rootbinddn line; I'm not sure why we need to do that.
Edit /etc/pam.d/login (via sudo) and paste:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Edit /etc/pam.d/lightdm (via sudo) and paste:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Issue this command:
sudo update-rc.d nslcd enable
You should be able to log in as an LDAP user after a reboot. If you don't reboot the machine, you must restart nscd with:
/etc/init.d/nscd restart
Likely problems and solutions:
- Logging in as an LDAP user takes a very long time (minutes): it's very likely that nss-ldap is having problems finding the user's group. Make sure that the user is in a group recognized locally, or that the user is in a group defined in LDAP. If the group is defined in LDAP, make sure that it's a real POSIX group.
- Always check the /var/log/auth.log log file. If you see "unable to contact ldap server", check whether the LDAP server is reachable and the port is open.
- Try to ping the LDAP server by name.
- Try to check whether the LDAP port is open:
  - LDAP can listen on different ports, but can usually be found on 389 and 636.
  - You can check that a port is open by using telnet:
    telnet <ldap-server> 389 or telnet <ldap-server> 636
  - If you see any characters on the console then the port is open and the LDAP server should be running.
  - If you see nothing or get an error message, either the LDAP server is not running or something (such as a firewall) is preventing the connection.
- 17,371
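Added example, not code from the answer above: the nsswitch.conf, pam_mkhomedir and rootbinddn edits from this answer written as idempotent shell functions, plus the telnet-style port check done with nc. Every helper takes the file to edit as an argument, so you can run it on a copy first and on the real /etc file with sudo once the result looks right. The sample files built in demo() are constructed for illustration; nc being installed and the rootbinddn file being /etc/ldap.conf (or /etc/pam_ldap.conf) are assumptions, not something the answer states.

```shell
#!/bin/sh
# Added example, not code from the answer above. Idempotent helpers for the
# client-side steps: nsswitch.conf, pam_mkhomedir, rootbinddn, port check.
# Every helper takes the file to edit as an argument (assumption: you pass a
# copy first, then the real /etc path with sudo once it looks right).
set -eu

# Append "ldap" to the passwd/group/shadow lines of an nsswitch.conf,
# skipping lines that already carry " ldap". Other lines (hosts, networks,
# ...) are left untouched, so running it twice is harmless.
nsswitch_add_ldap() {
    f="$1"
    awk '
        /^(passwd|group|shadow)[ \t]*:/ && $0 !~ /[ \t]ldap([ \t]|$)/ { $0 = $0 " ldap" }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Add the pam_mkhomedir session line to a PAM file if it is not there yet.
# The second answer reports /etc/pam.d/common-session is where it worked.
pam_add_mkhomedir() {
    f="$1"
    line='session required pam_mkhomedir.so skel=/etc/skel umask=0022'
    grep -q 'pam_mkhomedir\.so' "$f" || printf '%s\n' "$line" >> "$f"
}

# Comment out any active rootbinddn line in a pam_ldap/nss-ldap config
# (assumption: the file is /etc/ldap.conf or /etc/pam_ldap.conf).
comment_rootbinddn() {
    f="$1"
    sed 's/^[[:space:]]*rootbinddn/#&/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Same check as the telnet test in the answer: does the LDAP port answer?
# Returns 0 if open, 1 if closed/filtered, 2 if nc (netcat) is missing.
ldap_port_open() {
    host="$1"; port="${2:-389}"
    command -v nc >/dev/null 2>&1 || { echo "nc not installed" >&2; return 2; }
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1
}

# Dry run on constructed copies (no /etc access): shows the before/after.
demo() {
    d=$(mktemp -d)
    # constructed sample, mirrors the stock 12.04 nsswitch.conf lines
    printf 'passwd: compat\ngroup : compat\nshadow: compat\nhosts: files dns\n' > "$d/nsswitch.conf"
    nsswitch_add_ldap "$d/nsswitch.conf"
    nsswitch_add_ldap "$d/nsswitch.conf"      # second run changes nothing
    cat "$d/nsswitch.conf"
    rm -rf "$d"
}
demo
```

Once the helpers behave on the copies, apply them to the real files with sudo and restart nslcd (and nscd if it is running) before testing a login; ldap_port_open takes the server name as its first argument, so "ldap_port_open ldap.example.com 636" reproduces the telnet 636 check.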
To get the home directory automatically created on login, I had to put the line:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
into /etc/pam.d/common-session instead of /etc/pam.d/login. When I just had it in the latter my home directory was not created.
- 61
sudo apt-get install ldap-utils libpam-ldap libnss-ldapd nslcd
Use libnss-ldapd instead.
Per bug: https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1024475
- 89
Regarding typing usernames into the lightdm greeter: as of 16.04, the lightdm-set-defaults command is gone.
Instead, you can add the option for typing usernames to the lightdm config file. For example, create the file /etc/lightdm/lightdm.conf and add the following lines:
[SeatDefaults]
greeter-show-manual-login=true
- 1,294