Purpose - make an Ubuntu install authenticate against a Leopard Server with an Open Directory Master running on it.

Details taken from [ "LDAPClientAuthentication" ]. Here's a quick how-to on how to get authenticating (partially) successfully against a Leopard and Tiger Server.

  • apt-get install libpam-ldap libnss-ldap nss-updatedb

To complete this recipe you will need:

  • host "ip for your server"
  • Open Directory Search Base - from Server Admin, Open Directory Overview
  • * LDAP Search Base: dc=blah,dc=blah,dc=blah
  • * call this "SearchBase"

I ended up just editing the /etc/ldap.conf file manually. The only lines I needed to change were:

  • host "IP ADDRESS"
  • base "SearchBase"

  • * i.e. base dc=blah,dc=blah,dc=blah

(this was noted as needing to be * base cn=users,"SearchBase" for Leopard, and will work for users, but won't find groups properly)

New for 8.04 it seems we need to also ignore the "root" user in the Open Directory. So add to your /etc/ldap.conf

  • pam_filter !(uid=root)

Thanks for figuring this out, Bart.

Then edit /etc/nsswitch.conf and change the passwd, group, and shadow lines to resemble:

  • passwd: files ldap
  • group: files ldap
  • shadow: files ldap

Have /etc/pam.d/common-account read

  • account sufficient pam_ldap.so
  • account required pam_unix.so

Have /etc/pam.d/common-auth read

  • auth sufficient pam_ldap.so
  • auth required pam_unix.so nullok_secure try_first_pass

Have /etc/pam.d/common-passwd read

  • password sufficient pam_ldap.so md5
  • password required pam_unix.so nullok obscure md5
  • password optional pam_smbpass.so nullok use_authtok try_first_pass missingok

Finally, have /etc/pam.d/common-session read

  • session sufficient pam_ldap.so
  • session required pam_unix.so

You should be good to go. Test with a command like:

  • getent passwd

You should see your local accounts followed by your Open Directory accounts. Now you can try to "su" to one of the OD users. Finally try to ssh in as one of the OD users.

OSXLDAPClientAuthentication (last edited 2009-04-07 00:38:53 by 206-80-210-142)