So, I have a new Ubuntu 10.04 server, and need to get LDAP authentication working on it.  I have a cut-and-paste template for Ubuntu 9, but this is the first Ubuntu 10 box I have.  There’s a document at, but it’s obsolete.  The only useful hint is at the bottom.  So I run:

# apt-get install ldap-auth-client

This brings up a libdialog-type script and prompts me for the auth server name, the search base, and so on.  My local root is certainly not an LDAP admin, and I allow anonymous binding.

It’s installed everything, and set up some config files.  I have config files that work on earlier versions of Ubuntu, all nicely tweaked to fit my environment.

First, I install my private root CA certificate in /usr/local/etc/ssl.  This isn’t the normal Ubuntu location, but it’s where the SSL cert is on every other machine I run, across multiple operating systems.

/etc/ldap/ldap.conf contains only commented-out entries.  I enter the correct values:

BASE    dc=domain,dc=com
URI     ldap:// ldap://
ssl start_tls
tls_cacert /usr/local/etc/ssl/domain.root.crt

Verify that the file is world readable, but not writable.

To check my work so far, I must use an LDAP client.

# apt-get install ldap-utils

# ldapsearch -WxZD "cn=Manager,dc=domain,dc=com"
ldap_start_tls: Connect error (-11)
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)

That’s odd, why?  It’s an SSL error, so I check my SSL work.  I copied the SSL cert to /usr/local/etc/ rather than /usr/local/etc/ssl, so the tls_cacert path in ldap.conf points at a file that doesn’t exist.  Move the cert, try again, and this time I get a dump of my LDAP database.

Then comes /etc/ldap.conf, the file the system itself (PAM and NSS) uses:

base dc=domain,dc=com
ldap_version 3
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_lookup_policy yes
nss_base_passwd ou=people,dc=domain,dc=com
nss_base_group  ou=groups,dc=domain,dc=com
pam_groupdn cn=systems,ou=groups,dc=domain,dc=com

#for sudo
serviceSearchDescriptor: sudoers: ou=sudo,dc=domain,dc=com
sudoers_base ou=sudo,dc=domain,dc=com
sudoers_debug 2

#for TLS
ssl start_tls
tls_cacertfile /usr/local/etc/ssl/domain.root.crt

nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data

And I have to edit /etc/nsswitch.conf:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        ldap files

In theory, Ubuntu’s ldap-auth-client package configures /etc/pam.d for us.  Which is good, because I really don’t like messing with PAM.  Verify this by SSHing in as a test user, and watch /var/log/auth.log.  The login works, except for:

Could not chdir to home directory /home/mwltest: No such file or directory
/usr/bin/X11/xauth:  error in locking authority file /home/mwltest/.Xauthority

We need pam_mkhomedir.  It’s already installed, I just have to activate it in /etc/pam.d/common-session

session [default=1]           pam_permit.so
session requisite             pam_deny.so
session required              pam_permit.so
session required              pam_unix.so
session required              pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional              pam_ldap.so

My test user now gets his home directory.  Other admins can now log in with their LDAP accounts.  Thanks to the group restriction (pam_groupdn), LDAP users who are not a member of the “systems” group cannot log in.
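The post verifies each step by hand (file permissions, the TLS CA path, nsswitch entries, pam_mkhomedir). The script below is an added example, not from the post, that turns those manual checks into functions and runs them against constructed copies of the config files in a temporary directory. It assumes a Linux box with GNU stat, awk and grep; the file names under the temp directory and the placeholder CA file are inventions for the demonstration.

```shell
#!/bin/sh
# Added sanity checks for the client-side LDAP setup described in the post.
# Assumptions (not from the post): paths are passed in as arguments, GNU
# stat/awk/grep are available, and the sample files below are constructed
# here only to exercise the checks.

# The post says /etc/ldap/ldap.conf must be world readable but not writable:
# other needs the read bit, and neither group nor other may have the write bit.
check_conf_perms() {
    mode=$(stat -c %a "$1") || return 1
    mode=${mode#0}                      # a leading zero would be read as octal
    other=$(( mode % 10 ))
    group=$(( (mode / 10) % 10 ))
    [ $(( other & 4 )) -eq 4 ] && [ $(( other & 2 )) -eq 0 ] && [ $(( group & 2 )) -eq 0 ]
}

# ldap_start_tls failed with "Connect error (-11)" because the CA file was in
# the wrong place. Read tls_cacert (libldap) or tls_cacertfile (pam/nss_ldap)
# from a config file and check that the named file really exists.
check_tls_cacert() {
    cert=$(awk 'tolower($1) ~ /^tls_cacert(file)?$/ { print $2; exit }' "$1")
    [ -n "$cert" ] && [ -f "$cert" ]
}

# passwd, group and shadow must all list ldap as a source in nsswitch.conf,
# or NSS never asks the directory and LDAP users simply do not exist here.
check_nsswitch() {
    for db in passwd group shadow; do
        awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
                          END { exit found ? 0 : 1 }' "$1" || return 1
    done
}

# common-session must load pam_mkhomedir.so, otherwise the "Could not chdir to
# home directory" and .Xauthority errors from the post come back.
check_mkhomedir() {
    grep -Eq '^session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# ---- constructed sample files (stand-ins for /etc/ldap/ldap.conf etc.) ----
tmp=$(mktemp -d)
mkdir -p "$tmp/ssl"
: > "$tmp/ssl/domain.root.crt"          # empty placeholder, not a real CA cert

cat > "$tmp/ldap.conf.good" <<EOF
base dc=domain,dc=com
ssl start_tls
tls_cacertfile $tmp/ssl/domain.root.crt
EOF
chmod 644 "$tmp/ldap.conf.good"

# Reproduces the post's mistake: cert referenced one directory up; file also world writable.
cat > "$tmp/ldap.conf.bad" <<EOF
base dc=domain,dc=com
ssl start_tls
tls_cacertfile $tmp/domain.root.crt
EOF
chmod 666 "$tmp/ldap.conf.bad"

printf 'passwd:         files ldap\ngroup:          files ldap\nshadow:         files ldap\nhosts:          files dns\n' > "$tmp/nsswitch.good"
printf 'passwd:         files\ngroup:          files ldap\nshadow:         files ldap\n' > "$tmp/nsswitch.bad"

printf 'session required        pam_unix.so\nsession required        pam_mkhomedir.so umask=0022 skel=/etc/skel\nsession optional        pam_ldap.so\n' > "$tmp/session.good"
printf 'session required        pam_unix.so\nsession optional        pam_ldap.so\n' > "$tmp/session.bad"

# Run every check against the good sample files and report; the return value
# is the number of failed checks, so 0 means the configuration looks complete.
report() {
    fails=0
    for t in "check_conf_perms $tmp/ldap.conf.good" \
             "check_tls_cacert $tmp/ldap.conf.good" \
             "check_nsswitch $tmp/nsswitch.good" \
             "check_mkhomedir $tmp/session.good"; do
        if $t; then echo "PASS: $t"; else echo "FAIL: $t"; fails=$(( fails + 1 )); fi
    done
    return $fails
}

report
```

On a real box you would call the four functions with /etc/ldap/ldap.conf, /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/common-session instead of the constructed files; the bad variants above exist only to show that each check actually fails on the mistakes the post ran into.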


4 Replies to "add LDAP logins to Ubuntu 10.04"

  1. Hi

    I tried this but sadly no success.
    I have 2 Ubuntu x64 servers, both configured to use LDAP, which is running on one of them. The authentication works on both, but on the one that is not running the LDAP server I get the
    "/usr/bin/xauth: timeout in locking authority file /mnt/shares/users2/ga72vuk/.Xauthority" error
    which messes up the X session. This doesn't happen on the LDAP server (everything works fine on that machine).
    The only clue I have is that it's due to the fact that the LDAP server machine has ga72vuk as a local user, since it was created there, and the other machine doesn't, and this affects /usr/bin/xauth somehow.
    Any idea on this matter?

  2. Sorry for such a late reply.

    The server, Samba and the client are all configured with LDAP, so the user is unique.

    On the server:

    ga72vuk@MatlabSlave:~$ id ga72vuk
    uid=1001(ga72vuk) gid=1001(ga72vuk) groups=4(adm),20(dialout),24(cdrom),27(sudo),46(plugdev),108(sambashare),109(admin),121(gdm),1001(ga72vuk)
    ga72vuk@MatlabSlave:~$ ls -la
    total 144
    drwxr-xr-x 21 ga72vuk ga72vuk 4096 2011-07-02 23:00 .
    drwxrwxrwx 10 root root 4096 2011-06-28 16:53 ..
    -rwx------ 1 ga72vuk ga72vuk 4251 2011-07-02 23:00 .bash_history
    -rw-r--r-- 1 ga72vuk ga72vuk 220 2010-04-19 04:15 .bash_logout
    -rw-r--r-- 1 ga72vuk ga72vuk 3103 2010-04-19 04:15 .bashrc

    drwx------ 2 ga72vuk ga72vuk 4096 2011-06-14 17:38 .ssh
    -rw-r--r-- 1 ga72vuk ga72vuk 0 2011-06-28 10:15 .sudo_as_admin_successful
    drwx------ 2 ga72vuk ga72vuk 4096 2011-06-07 18:07 .update-notifier
    -rw------- 1 ga72vuk ga72vuk 165 2011-06-29 16:36 .Xauthority

    and touch foo works.

    On the client:

    ga72vuk@MatlabSlave:~$ id ga72vuk
    uid=1001(ga72vuk) gid=1001(ga72vuk) groups=4(adm),20(dialout),24(cdrom),46(plugdev),108(sambashare),109(admin),121(gdm),1001(ga72vuk)
    ga72vuk@MatlabSlave:~$ ls -la
    total 60
    drwxr-xr-x 21 ga72vuk ga72vuk 0 2011-07-02 23:00 .
    drwxrwxrwx 10 root root 0 2011-06-28 16:53 ..
    -rwx------ 1 ga72vuk ga72vuk 4251 2011-07-02 23:00 .bash_history
    -rw-r--r-- 1 ga72vuk ga72vuk 220 2010-04-19 04:15 .bash_logout
    -rw-r--r-- 1 ga72vuk ga72vuk 3103 2010-04-19 04:15 .bashrc

    -rw------- 1 ga72vuk ga72vuk 165 2011-06-29 16:36 .Xauthority
    ga72vuk@MatlabSlave:~$ touch foo
    touch: cannot touch `foo': Permission denied
    ga72vuk@MatlabSlave:~$ sudo touch foo
    [sudo] password for ga72vuk:
    touch: cannot touch `foo': Permission denied

    Not even sudo works. I have tried different configurations for Samba and yet it seems to ignore them. I am completely out of ideas; maybe I am doing something fundamentally wrong here…

