How to add LDAP authentication to a Debian server. It assumes that an LDAP server is already running and that the LDAP tree is correctly populated with account information.
libnss-ldapd installation
The client needs the libnss-ldapd package, a fork of the historical libnss-ldap written for better efficiency.
# apt-get install libnss-ldapd
During configuration it asks for the following information:
- URI of the LDAP server; preferably given as an IP address to avoid any DNS resolution problem
- The base DN under which to search for the information
- The name services to configure: aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc, services, shadow. For LDAP authentication, group, passwd and shadow should be selected.
Setting credentials for the LDAP connection
If the connection to the LDAP server requires authentication, you can specify it in the /etc/nslcd.conf file by uncommenting and adjusting the following variables:
binddn cn=nss,dc=example,dc=com
bindpw my_password
After the modification, restart the nslcd service:
# /etc/init.d/nslcd restart
Testing
To test that it is working, we query information that is stored both locally and in the LDAP server. To get information about accounts we use the getent command followed by the name of the database we want to retrieve. For example, to retrieve the whole content of the passwd database we use the following command:
$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[...]
It should show the entries present in the local database as well as those in the LDAP directory.
We can also limit the query to a particular entry, such as the root account:
# getent passwd root
root:x:0:0:root:/root:/bin/bash
And here for the root group:
# getent group root
root:x:0:admin
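The checks a practitioner runs after the two steps above (credentials in /etc/nslcd.conf, then getent), as an added example that is not part of the original howto: it verifies that nsswitch.conf lists the ldap source for passwd, group and shadow, warns when a bindpw sits in a world-readable nslcd.conf, and lists the accounts that getent resolved from LDAP rather than from /etc/passwd. All file contents, the server address 192.0.2.10 and the user alice are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original howto: offline sanity checks for a
# libnss-ldapd/nslcd client. Every file written below is a constructed sample.
export LC_ALL=C

# nss_uses_ldap NSSWITCH_FILE DATABASE -> 0 if that database lists the ldap source
nss_uses_ldap() {
    grep -E "^[[:space:]]*$2:.*[[:space:]]ldap([[:space:]]|$)" "$1" >/dev/null
}

# bindpw_world_readable NSLCD_CONF -> 0 if a bindpw is set AND the file is
# world-readable, i.e. every local user could read the directory password
bindpw_world_readable() {
    grep -E '^[[:space:]]*bindpw[[:space:]]' "$1" >/dev/null || return 1
    [ -n "$(find "$1" -perm -004 -print)" ]
}

# ldap_only_accounts LOCAL_PASSWD GETENT_OUTPUT -> prints the user names that
# getent returned but the local passwd file lacks, i.e. those served by LDAP
ldap_only_accounts() {
    tmp=$(mktemp) || return 1
    cut -d: -f1 "$1" | sort > "$tmp"
    cut -d: -f1 "$2" | sort | comm -13 "$tmp" -
    rm -f "$tmp"
}

# --- constructed sample files standing in for /etc/nsswitch.conf, /etc/nslcd.conf,
# --- /etc/passwd and the output of "getent passwd" on a client with LDAP enabled
work=$(mktemp -d)
printf 'passwd:  files ldap\ngroup:   files ldap\nshadow:  files ldap\nhosts:   files dns\n' \
    > "$work/nsswitch.conf"
printf 'uri ldap://192.0.2.10/\nbase dc=example,dc=com\nbinddn cn=nss,dc=example,dc=com\nbindpw my_password\n' \
    > "$work/nslcd.conf"
chmod 644 "$work/nslcd.conf"   # deliberately too permissive for the demo
printf 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n' > "$work/passwd"
{ cat "$work/passwd"; printf 'alice:x:10001:10001:Alice:/home/alice:/bin/bash\n'; } > "$work/getent"

for db in passwd group shadow; do
    nss_uses_ldap "$work/nsswitch.conf" "$db" || echo "nsswitch.conf: $db does not use ldap"
done
if bindpw_world_readable "$work/nslcd.conf"; then
    echo "WARNING: bindpw in world-readable nslcd.conf (fix: chown root:nslcd, chmod 640)"
fi
echo "accounts resolved from LDAP: $(ldap_only_accounts "$work/passwd" "$work/getent")"
```

Point the three functions at the real /etc/nsswitch.conf, /etc/nslcd.conf, /etc/passwd and a saved `getent passwd` output to run the same checks on a live client.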
Home directory creation
The home directory is normally created when the user is created. LDAP users, however, may never have been created on the current system and therefore have no home directory. If you want it to be created automatically when the user logs in, in case it does not already exist, edit the /etc/pam.d/common-session file and add the following line at the end:
session required pam_mkhomedir.so skel=/etc/skel