After Sun had made the big announcement that they were open-sourcing and making free their Sun Java Enterprise System suite, there now exists another viable alternative to OpenLDAP.

The following guide is intended only for readers wishing to authenticate Ubuntu clients off an existing Sun Java Enterprise System Directory Server.

Users wishing to authenticate off an OpenLDAP server should use the LDAPClientAuthentication page instead.

Name Switch Server Setup

The first step is to setup nss-ldap, the LDAP-specific name switch server package. During installation, accept all the defaults:

ncampbell@naaman:~$ sudo apt-get install libnss-ldap

In order to authenticate using LDAP, /etc/nsswitch.conf will need to be edited:

ncampbell@naaman:~$ sudo vi /etc/nsswitch.conf

# perform the following vi commands
:1,$s/compat/files ldap/g

The /etc/libnss-ldap.conf file is where all the settings are configured. For brevity, the example libnss-ldap.conf is attached and not listed in this document - libnss-ldap.conf

To test the setup of nss-ldap, perform the following command to see a listing of LDAP shadow entries:

ncampbell@naaman:~$ getent shadow

Pluggable Authentication Modules Setup

The next step requires pam-ldap, the LDAP-specific PAM package. Answer <No> to the 2 questions asked during installation:

ncampbell@naaman:~$ sudo apt-get install libpam-ldap

The configuration file provided with the libpam-ldap package is unneccesary and can be replaced by libnss-ldap.conf:

ncampbell@naaman:~$ sudo rm /etc/pam_ldap.conf
ncampbell@naaman:~$ sudo ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf

To complete the configuration of the pam-ldap package, the following files in the /etc/pam.d directory need to be changed:

ncampbell@naaman:~$ cd /etc/pam.d
ncampbell@naaman:/etc/pam.d$ sudo vi common-account

  account sufficient
  account required

ncampbell@naaman:/etc/pam.d$ sudo vi common-auth

  auth  sufficient
  auth  required nullok_secure use_first_pass

ncampbell@naaman:/etc/pam.d$ sudo vi common-password

  password  sufficient nullok
  password  required nullok obscure min=4 max=8 md5

ncampbell@naaman:/etc/pam.d$ sudo vi common-session

  session sufficient
  session required

ncampbell@naaman:/etc/pam.d$ cd ~

To test the setup of the pam-ldap package, attempt to logon as an LDAP user.

Name Caching Service Daemon Setup

The final step in the LDAP client setup is to install nscd, the name service caching daemon, to prevent excess LDAP traffic:

ncampbell@naaman:~$ sudo apt-get install nscd
ncampbell@naaman:~$ sudo mkdir -p /var/db/nscd /var/run/nscd
ncampbell@naaman:~$ sudo /etc/init.d/nscd start


SunLDAPClientAuthentication (last edited 2009-04-30 14:53:55 by fooka)