Foreword
After Sun had made the big announcement that they were open-sourcing and making free their Sun Java Enterprise System suite, there now exists another viable alternative to OpenLDAP.
The following guide is intended only for readers wishing to authenticate Ubuntu clients off an existing Sun Java Enterprise System Directory Server.
Users wishing to authenticate off an OpenLDAP server should use the LDAPClientAuthentication page instead.
Name Switch Server Setup
The first step is to setup nss-ldap, the LDAP-specific name switch server package. During installation, accept all the defaults:
ncampbell@naaman:~$ sudo apt-get install libnss-ldap
In order to authenticate using LDAP, /etc/nsswitch.conf will need to be edited:
ncampbell@naaman:~$ sudo vi /etc/nsswitch.conf # perform the following vi commands :1,$s/compat/files ldap/g :x!
The /etc/libnss-ldap.conf file is where all the settings are configured. For brevity, the example libnss-ldap.conf is attached and not listed in this document - libnss-ldap.conf
To test the setup of nss-ldap, perform the following command to see a listing of LDAP shadow entries:
ncampbell@naaman:~$ getent shadow
Pluggable Authentication Modules Setup
The next step requires pam-ldap, the LDAP-specific PAM package. Answer <No> to the 2 questions asked during installation:
ncampbell@naaman:~$ sudo apt-get install libpam-ldap
The configuration file provided with the libpam-ldap package is unneccesary and can be replaced by libnss-ldap.conf:
ncampbell@naaman:~$ sudo rm /etc/pam_ldap.conf ncampbell@naaman:~$ sudo ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf
To complete the configuration of the pam-ldap package, the following files in the /etc/pam.d directory need to be changed:
ncampbell@naaman:~$ cd /etc/pam.d ncampbell@naaman:/etc/pam.d$ sudo vi common-account account sufficient pam_ldap.so account required pam_unix.so ncampbell@naaman:/etc/pam.d$ sudo vi common-auth auth sufficient pam_ldap.so auth required pam_unix.so nullok_secure use_first_pass ncampbell@naaman:/etc/pam.d$ sudo vi common-password password sufficient pam_ldap.so nullok password required pam_unix.so nullok obscure min=4 max=8 md5 ncampbell@naaman:/etc/pam.d$ sudo vi common-session session sufficient pam_ldap.so session required pam_unix.so ncampbell@naaman:/etc/pam.d$ cd ~
To test the setup of the pam-ldap package, attempt to logon as an LDAP user.
Name Caching Service Daemon Setup
The final step in the LDAP client setup is to install nscd, the name service caching daemon, to prevent excess LDAP traffic:
ncampbell@naaman:~$ sudo apt-get install nscd ncampbell@naaman:~$ sudo mkdir -p /var/db/nscd /var/run/nscd ncampbell@naaman:~$ sudo /etc/init.d/nscd start
References
Making a Debian or Ubuntu Machine an LDAP Authentication Client - more suited to an OpenLDAP environment
Installing and configuring iPlanet Directory Server for Solaris9 - namely Step 4: Configure RedHat Linux LDAP Client (OpenLDAP+PADL libraries) - also a good source of information on setting up a Sun Directory Server