add LDAP logins to Ubuntu 10.04

So, I have a new Ubuntu 10.04 server, and need to get LDAP authentication working on it.  I have a cut-and-paste template for Ubuntu 9, but this is the first Ubuntu 10 box I have.  There’s a document at https://help.ubuntu.com/community/LDAPClientAuthentication, but it’s obsolete.  The only useful hint is at the bottom.  So I run:

# apt-get install ldap-auth-client

This brings up a libdialog-type script and prompts me for the auth server name, the search base, and so on.  My local root is certainly not an LDAP admin, and I allow anonymous binding.

It’s installed everything, and set up some config files.  I have config files that work on earlier versions of Ubuntu, all nicely tweaked to fit my environment.

First, I install my private root CA certificate in /usr/local/etc/ssl.  This isn’t the normal Ubuntu location, but it’s where the SSL cert is on every other machine I run, across multiple operating systems.

/etc/ldap/ldap.conf contains only commented-out entries.  I enter the correct values:

BASE    dc=domain,dc=com
URI     ldap://ldap1.domain.com ldap://ldap2.domain.com
ssl start tls
tls_cacert /usr/local/etc/ssl/domain.root.crt

Verify that the file is world readable, but not writable.

To check my work so far, I must use an LDAP client.

# apt-get install ldap-utils

# ldapsearch -WxZD “cn=Manager,dc=domain,dc=com”
ldap_start_tls: Connect error (-11)
Enter LDAP Password:
ldap_result: Can’t contact LDAP server (-1)

That’s odd, why?  It’s a SSL error, so I check my SSL work.  I copied SSL cert to /usr/local/etc/ rather than /usr/local/etc/ssl.  Move the cert, try again, and this time I get a dump of my LDAP database.

Then /etc/ldap.conf, which the system uses.

#$Id$
host ldap1.domain.com
base dc=domain,dc=com
ldap_version 3
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_lookup_policy yes
nss_base_passwd ou=people,dc=domain,dc=com
nss_base_group  ou=groups,dc=domain,dc=com
pam_groupdn cn=systems,ou=groups,dc=domain,dc=com

#for sudo
serviceSearchDescriptor: sudoers: ou=sudo,dc=domain,dc=com
sudoers_base ou=sudo,dc=domain,dc=com
sudoers_debug 2

#for TLS
ssl start_tls
tls_cacertfile /usr/local/etc/ssl/domain.root.crt

nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data

And I have to /etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        ldap files

In theory, Ubuntu’s ldap-auth-client package configures /etc/pam.d for us.  Which is good, because I really don’t like messing with PAM.  Verify this by SSHing in as a test user, and watch /var/log/auth.log  The login works, except for:

Could not chdir to home directory /home/mwltest: No such file or directory
/usr/bin/X11/xauth:  error in locking authority file /home/mwltest/.Xauthority

We need pam_mkhomedir.  It’s already installed, I just have to activate it in /etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session required        pam_mkhomedir.so        umask=0022 skel=/etc/skel
session optional                        pam_ldap.so

My test user now gets his home directory.  Other admins people can now log in with their LDAP accounts.  Thanks to the group restriction, LDAP users who are not a member of the “system” group cannot log in.

Onward!