add LDAP logins to Ubuntu 10.04

So, I have a new Ubuntu 10.04 server and need to get LDAP authentication working on it.  I have a cut-and-paste template for Ubuntu 9.x, but this is my first Ubuntu 10.04 box.  There's a document at https://help.ubuntu.com/community/LDAPClientAuthentication, but it's obsolete; the only useful hint is at the bottom.  So I run:

# apt-get install ldap-auth-client

This brings up a debconf dialog that prompts for the LDAP server URI, the search base, the protocol version, and so on.  My local root is certainly not an LDAP admin, and the directory allows anonymous binds for lookups, so I answer no when asked whether local root should be the database admin and whether the database requires a login.  Answering yes to either would store an LDAP admin password on this box, which I do not want.

It installs everything and sets up some config files.  I have config files that work on earlier versions of Ubuntu, all nicely tweaked to fit my environment, so I'll carry those settings over.

First, I install my private root CA certificate in /usr/local/etc/ssl.  This isn't the normal Ubuntu location, but it's where the CA certificate lives on every other machine I run, across multiple operating systems, and my templates all point there.

/etc/ldap/ldap.conf is the OpenLDAP client library's configuration, read by ldap-utils and anything else that links libldap.  It contains only commented-out entries.  I enter the correct values:

BASE        dc=domain,dc=com
URI         ldap://ldap1.domain.com ldap://ldap2.domain.com
TLS_CACERT  /usr/local/etc/ssl/domain.root.crt

Note that this file has no "ssl" directive: libldap ignores keywords it doesn't know, and StartTLS is requested by each client (ldapsearch's -Z), not here.  TLS_REQCERT defaults to demand, so if TLS_CACERT points at the wrong file, every StartTLS will fail rather than silently accept an unverified server.

Verify that the file is world readable, but writable only by root.  Every process that links libldap reads it, and a writable copy would let a local user point those clients at a CA of his choosing.

To check my work so far, I need an LDAP client.  I bind as the directory manager with a simple bind (-x), prompting for the password (-W), over StartTLS (-Z):

# apt-get install ldap-utils

# ldapsearch -WxZD "cn=Manager,dc=domain,dc=com"
ldap_start_tls: Connect error (-11)
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)

That's odd.  Why?  Note the order of events: StartTLS failed, and ldapsearch still went on to prompt for the Manager password.  With a single -Z a failed StartTLS is not fatal, and only the dead connection kept the bind from going out in the clear; -ZZ makes StartTLS mandatory, and is the safer habit.  It's a TLS error, so I check my TLS work: I copied the CA certificate to /usr/local/etc/ rather than /usr/local/etc/ssl, so libldap could not verify the server's certificate and, with the default TLS_REQCERT demand, refused the connection.  Move the cert, try again, and this time I get a dump of my LDAP database.
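An added example, not code from the original post: a small POSIX sh script that checks the client side of the setup above before blaming the server.  It verifies that ldap.conf and the CA file are world-readable but writable only by their owner, then probes StartTLS with an anonymous read of the root DSE so no password is sent while TLS is still being debugged.  The paths and the URI are the post's values and are assumptions for any other site.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the client side of the
# StartTLS setup before blaming the directory server. Paths and URI are the
# post's; override them in the environment for another site.
CACERT=${CACERT:-/usr/local/etc/ssl/domain.root.crt}
LDAPCONF=${LDAPCONF:-/etc/ldap/ldap.conf}
LDAPURI=${LDAPURI:-ldap://ldap1.domain.com}

# check_readonly FILE: succeed only if FILE is a regular file that is
# world-readable and writable by its owner alone. The first ten characters
# of `ls -ld` are the mode string on both GNU and BSD userlands, which
# avoids the two incompatible stat(1) dialects.
check_readonly() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing or not a regular file"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ?????w????|????????w?)        # group-write (col 6) or other-write (col 9)
            echo "$f: group- or world-writable ($mode)"; return 1 ;;
    esac
    case $mode in
        -r??r??r??) return 0 ;;       # read bit set for owner, group and other
        *) echo "$f: not world-readable ($mode)"; return 1 ;;
    esac
}

# tls_probe: anonymous, base-scope read of the root DSE over StartTLS.
# -ZZ makes a failed StartTLS fatal; the post's -Z only asks for it and
# carries on if it fails, which is why ldapsearch still prompted for the
# Manager password after "Connect error (-11)". No -D/-W here, so nothing
# secret leaves the box while TLS is still being debugged.
tls_probe() {
    LDAPTLS_CACERT=$CACERT ldapsearch -x -ZZ -H "$LDAPURI" -s base -b "" namingContexts
}

# Usage: sh ldap-tls-check.sh check
case "${1:-}" in
    check) check_readonly "$LDAPCONF" && check_readonly "$CACERT" && tls_probe ;;
esac
```

Run it as `sh ldap-tls-check.sh check`.  If the probe fails, add `-d 1` to the ldapsearch line to see which step of the TLS handshake libldap rejected.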

Then /etc/ldap.conf, the pam_ldap and libnss-ldap configuration that the system itself uses.  Note bind_policy hard: a lookup keeps retrying while the directory is unreachable, which is why the nss_initgroups_ignoreusers list at the end matters.  It keeps supplementary-group lookups for the local system accounts off LDAP, so the machine can still boot and root can still log in when the directory is down.  The pam_groupdn line is the access control: only members of that group may log in, whatever their password.

#$Id$
host ldap1.domain.com
base dc=domain,dc=com
ldap_version 3
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_lookup_policy yes
nss_base_passwd ou=people,dc=domain,dc=com
nss_base_group  ou=groups,dc=domain,dc=com
pam_groupdn cn=systems,ou=groups,dc=domain,dc=com

#for sudo
serviceSearchDescriptor: sudoers: ou=sudo,dc=domain,dc=com
sudoers_base ou=sudo,dc=domain,dc=com
sudoers_debug 2

#for TLS
ssl start_tls
tls_cacertfile /usr/local/etc/ssl/domain.root.crt

nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data

And I have to tell the name service switch to consult LDAP, in /etc/nsswitch.conf.  Keep files ahead of ldap for passwd, group and shadow: a local account (root above all) is then resolved locally and never waits on the directory.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        ldap files
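An added example, not from the original post: a POSIX sh audit of the two files above.  It flags the weak settings the post's /etc/ldap.conf avoids (no StartTLS or ldaps://, no CA file, tls_checkpeer no, no pam_groupdn) and checks that nsswitch.conf lists files before ldap for passwd, group and shadow.  The directive names are the ones pam_ldap and libnss-ldap use on this page; the default nsswitch.conf path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a pam_ldap/libnss-ldap
# /etc/ldap.conf and /etc/nsswitch.conf for the settings that decide who can
# log in and whether credentials travel in the clear.

# conf_get FILE KEY: print the value of KEY (comments skipped, key matched
# case-insensitively, first match wins). Prints nothing when unset.
conf_get() {
    awk -v k="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_ldap_conf FILE: print one line per finding, return the number found.
audit_ldap_conf() {
    f=$1; bad=0
    case "$(conf_get "$f" ssl):$(conf_get "$f" uri)" in
        start_tls:*|on:*|*:ldaps://*) ;;     # StartTLS or ldaps:// in use
        *) echo "$f: no ssl start_tls and no ldaps:// URI: passwords and directory data go in the clear"
           bad=$((bad + 1)) ;;
    esac
    if [ -z "$(conf_get "$f" tls_cacertfile)" ] && [ -z "$(conf_get "$f" tls_cacertdir)" ]; then
        echo "$f: no tls_cacertfile/tls_cacertdir: the server certificate cannot be verified"
        bad=$((bad + 1))
    fi
    case "$(conf_get "$f" tls_checkpeer)" in
        no) echo "$f: tls_checkpeer no: any certificate is accepted, so TLS does not stop a man in the middle"
            bad=$((bad + 1)) ;;
    esac
    if [ -z "$(conf_get "$f" pam_groupdn)" ]; then
        echo "$f: no pam_groupdn: every account matching pam_filter may log in"
        bad=$((bad + 1))
    fi
    return $bad
}

# audit_nsswitch FILE: passwd, group and shadow must consult files before
# ldap, so local accounts (root above all) never depend on the directory.
audit_nsswitch() {
    f=$1; bad=0
    for db in passwd group shadow; do
        srcs=$(awk -v d="$db:" '$1 == d { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$f")
        case "$srcs" in
            *"files "*"ldap "*) ;;
            *"ldap "*) echo "$f: $db: ldap is consulted before files"; bad=$((bad + 1)) ;;
            *) echo "$f: $db: ldap is not consulted at all"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# Usage: sh ldap-audit.sh /etc/ldap.conf [/etc/nsswitch.conf]
case "${1:-}" in
    "") ;;    # no arguments: define the functions only
    *) audit_ldap_conf "$1"; audit_nsswitch "${2:-/etc/nsswitch.conf}" ;;
esac
```

The exit status of each function is its finding count, so the script drops into a cron job or a configuration-management check without parsing its output.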

In theory, Ubuntu's ldap-auth-client package configures /etc/pam.d for us, through pam-auth-update.  Which is good, because I really don't like messing with PAM.  Verify this by SSHing in as a test user and watching /var/log/auth.log.  The login works, except for:

Could not chdir to home directory /home/mwltest: No such file or directory
/usr/bin/X11/xauth:  error in locking authority file /home/mwltest/.Xauthority

We need pam_mkhomedir.  It's already installed (it ships in libpam-modules); I just have to activate it in /etc/pam.d/common-session, after pam_unix.  Two caveats: umask=0022 makes every new home directory world-readable, so use umask=0077 if your users' homes should be private; and on 10.04 common-session is managed by pam-auth-update, whose header warns that edits inside the managed block are lost the next time it runs (a PAM package upgrade is enough), so either keep the line outside that block or register it as a profile under /usr/share/pam-configs.

session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session required      pam_unix.so
session required      pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional      pam_ldap.so
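An added example, not from the original post: instead of editing the managed block of common-session by hand, register pam_mkhomedir as a pam-auth-update profile so the setting survives PAM package upgrades.  The profile layout is the one pam-auth-update(8) documents; the profile file name, the priority and the tighter umask=0077 are this example's choices rather than the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Registers pam_mkhomedir as a
# pam-auth-update profile instead of hand-editing the managed block of
# /etc/pam.d/common-session, so the change survives the next PAM package
# upgrade. Profile layout follows pam-auth-update(8); the profile file name
# and the priority are this example's choices.
PROFILE_DIR=${PROFILE_DIR:-/usr/share/pam-configs}

# write_mkhomedir_profile DIR: write DIR/mkhomedir-local and print its path.
# umask=0077 keeps a new home directory private; the post's 0022 would make
# every LDAP user's home world-readable by default.
write_mkhomedir_profile() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' \
        'Name: Create home directory on first login' \
        'Default: yes' \
        'Priority: 900' \
        'Session-Type: Additional' \
        'Session:' \
        '        required    pam_mkhomedir.so umask=0077 skel=/etc/skel' \
        > "$dir/mkhomedir-local"
    echo "$dir/mkhomedir-local"
}

# profile_module FILE: the module line under "Session:", whitespace
# normalised, for a quick check of what will land in common-session.
profile_module() {
    awk '/^Session:/ { getline; $1 = $1; print; exit }' "$1"
}

# Usage: sh mkhomedir-profile.sh install
# pam-auth-update --package enables the new profile without the dialog,
# which is how package maintainer scripts invoke it.
case "${1:-}" in
    install) write_mkhomedir_profile "$PROFILE_DIR" && pam-auth-update --package ;;
esac
```

After installing the profile, check /etc/pam.d/common-session: the pam_mkhomedir line now sits inside the block pam-auth-update generates, and a later run keeps it there.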

My test user now gets his home directory, and the other admins can now log in with their LDAP accounts.  Thanks to the pam_groupdn restriction, LDAP users who are not members of the "systems" group cannot log in, even with a valid password.

Onward!

4 Replies to "add LDAP logins to Ubuntu 10.04"

  1. Hi

    I tried this, but sadly no success.
    I have 2 Ubuntu x64 servers, both configured to use LDAP, which is running on one of them.  The authentication works on both, but on the one that is not running the LDAP server I get the
    "/usr/bin/xauth: timeout in locking authority file /mnt/shares/users2/ga72vuk/.Xauthority" error,
    which messes up the X session; this doesn't happen on the LDAP server (everything works fine on that machine).
    The only clue I have is that it's due to the fact that the LDAP server machine has ga72vuk as a local user, since it was created there, and the other machine doesn't, and this affects /usr/bin/xauth somehow.
    Any idea on this matter?

  2. Sorry for such a late reply

    The server, Samba and the client are all configured with LDAP, so the user is unique.

    on the server:

    ga72vuk@MatlabSlave:~$ id ga72vuk
    uid=1001(ga72vuk) gid=1001(ga72vuk) groups=4(adm),20(dialout),24(cdrom),27(sudo),46(plugdev),108(sambashare),109(admin),121(gdm),1001(ga72vuk)
    ga72vuk@MatlabSlave:~$ ls -la
    total 144
    drwxr-xr-x 21 ga72vuk ga72vuk 4096 2011-07-02 23:00 .
    drwxrwxrwx 10 root    root    4096 2011-06-28 16:53 ..
    -rwx------  1 ga72vuk ga72vuk 4251 2011-07-02 23:00 .bash_history
    -rw-r--r--  1 ga72vuk ga72vuk  220 2010-04-19 04:15 .bash_logout
    -rw-r--r--  1 ga72vuk ga72vuk 3103 2010-04-19 04:15 .bashrc

    drwx------  2 ga72vuk ga72vuk 4096 2011-06-14 17:38 .ssh
    -rw-r--r--  1 ga72vuk ga72vuk    0 2011-06-28 10:15 .sudo_as_admin_successful
    drwx------  2 ga72vuk ga72vuk 4096 2011-06-07 18:07 .update-notifier
    -rw-------  1 ga72vuk ga72vuk  165 2011-06-29 16:36 .Xauthority

    and touch foo works

    on the client:

    ga72vuk@MatlabSlave:~$ id ga72vuk
    uid=1001(ga72vuk) gid=1001(ga72vuk) groups=4(adm),20(dialout),24(cdrom),46(plugdev),108(sambashare),109(admin),121(gdm),1001(ga72vuk)
    ga72vuk@MatlabSlave:~$ ls -la
    total 60
    drwxr-xr-x 21 ga72vuk ga72vuk    0 2011-07-02 23:00 .
    drwxrwxrwx 10 root    root       0 2011-06-28 16:53 ..
    -rwx------  1 ga72vuk ga72vuk 4251 2011-07-02 23:00 .bash_history
    -rw-r--r--  1 ga72vuk ga72vuk  220 2010-04-19 04:15 .bash_logout
    -rw-r--r--  1 ga72vuk ga72vuk 3103 2010-04-19 04:15 .bashrc

    -rw-------  1 ga72vuk ga72vuk  165 2011-06-29 16:36 .Xauthority
    ga72vuk@MatlabSlave:~$ touch foo
    touch: cannot touch `foo': Permission denied
    ga72vuk@MatlabSlave:~$ sudo touch foo
    [sudo] password for ga72vuk:
    touch: cannot touch `foo': Permission denied

    Not even sudo works.  I have tried different configurations for Samba, and yet it seems to ignore them.  I am completely out of ideas; maybe I am doing something fundamentally wrong here...

