How to configure Ubuntu as an LDAP client?

Solution 1:

The contents of this post are based on this guide. It should work fine in 12.04.

  1. Issue the following command:

    sudo apt-get install ldap-utils libpam-ldap libnss-ldap nslcd
    

    Note: During the installation of the above packages a dialog will pop up and ask about some LDAP configuration. Be sure to enter the correct values for your LDAP configuration.

  2. Edit /etc/nsswitch.conf (via sudo). Append "ldap" to these lines:

    # Original file looks like this
    passwd: compat
    group:  compat
    shadow: compat

    # After appending "ldap" the lines look like these
    passwd: compat ldap
    group:  compat ldap
    shadow: compat ldap
    
  3. Comment out the rootbinddn line; I'm not sure why we need to do that.

  4. Edit /etc/pam.d/login (via sudo) and paste:

    session required pam_mkhomedir.so skel=/etc/skel umask=0022 
    
  5. Edit /etc/pam.d/lightdm (via sudo) and paste:

    session required pam_mkhomedir.so skel=/etc/skel umask=0022 
    
  6. Issue this command:

    sudo update-rc.d nslcd enable
    

You should be able to log in as an LDAP user after a reboot. If you don't reboot the machine, you must restart nscd with:

/etc/init.d/nscd restart

Likely problems and solutions:

  • Logging in as an LDAP user takes a very long time (minutes): it's very likely that nss-ldap is having problems finding the user's group. Make sure that the user is in a group recognized locally, or that the user is in a group defined in LDAP. Make sure that, if the group is defined in LDAP, it is a real POSIX group.
  • Always check the /var/log/auth.log log file. If you see "unable to contact ldap server", check whether the LDAP server is reachable and the port is open.
  • Try to ping the LDAP server by name.
  • Try to check whether the LDAP port is open:
    • LDAP can listen on different ports, but can usually be found on 389 and 636.
    • You can check that a port is open by using telnet: telnet <ldap-server> 389 or telnet <ldap-server> 636.
    • If you see any characters on the console then the port is open and the LDAP server should be running.
    • If you see nothing or get an error message, either the LDAP server is not running or something (such as a firewall) is preventing the connection.
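As an added example (not part of the answer above), the POSIX shell script below automates two pieces of the procedure: it applies the step 2 change to nsswitch.conf idempotently, so running it twice does not produce "compat ldap ldap", and it replaces the telnet test from the troubleshooting list with an anonymous rootDSE query via ldapsearch (installed with ldap-utils in step 1), which also confirms that whatever answers on the port really speaks LDAP. The file path, host name and port are assumed to be passed as arguments; the host `ldap.example.com` in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes: the nsswitch.conf
# path and the LDAP host/port are supplied as arguments by the caller.

# Append "ldap" to the passwd, group and shadow lines of an nsswitch.conf
# file (step 2) unless it is already listed there. Safe to run repeatedly.
# Prints the number of lines it changed.
nsswitch_add_ldap() {
    file="$1"
    tmp="${file}.tmp.$$"
    changed=0
    while IFS= read -r line || [ -n "$line" ]; do
        # The database name is everything before the first colon; whitespace
        # is stripped so "group : compat" is handled like "group: compat".
        key=$(printf '%s' "${line%%:*}" | tr -d '[:space:]')
        case "$key" in
            passwd|group|shadow)
                case " $line " in
                    *" ldap "*) ;;   # ldap already a source on this line
                    *) line="$line ldap"; changed=$((changed + 1)) ;;
                esac
                ;;
        esac
        printf '%s\n' "$line"
    done < "$file" > "$tmp"
    mv "$tmp" "$file"
    echo "$changed"
}

# Probe an LDAP server: name resolution, TCP connect and an anonymous read of
# the rootDSE (namingContexts). Unlike telnet this fails if the listener is
# not an LDAP server. Returns 0 on success, non-zero otherwise.
ldap_probe() {
    host="$1"
    port="${2:-389}"
    ldapsearch -x -H "ldap://$host:$port" -o nettimeout=5 \
        -b "" -s base -LLL namingContexts >/dev/null 2>&1
}
```

Source the file and run `nsswitch_add_ldap /etc/nsswitch.conf` as root; `ldap_probe ldap.example.com 389 && echo reachable` stands in for the telnet check. Keep in mind that with a plain ldap:// URI on port 389 and no TLS, libpam-ldap sends the user's bind password in cleartext at every login; use ldaps:// (636) or StartTLS in the client configuration wherever the server supports it.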

Solution 2:

To get the home directory automatically created on login, I had to put the line:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

into /etc/pam.d/common-session instead of /etc/pam.d/login - when I just had it in the latter, my home directory was not created.

Solution 3:

sudo apt-get install ldap-utils libpam-ldap libnss-ldapd nslcd

Use libnss-ldapd instead.

Per bug: https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1024475