LDAP client config
Darryl Moore
darryl at moores.ca
Tue Apr 7 19:53:52 UTC 2009
Hi all,
I am hoping some LDAP guru out there somewhere can offer a bit of a
critique and advice so I can finish off the client configuration.
I put together the following script which I can run after a clean 8.04
or 8.10 install.
It seems to work except for two things.
1) I need to reboot first. So there is obviously some daemon running
somewhere which needs to restart. Which one?
2) After I log in with my username and password from my server I am
prompted for a second "LDAP Password". For the moment all the passwords
are the same so I just need to enter my password again. How do I change
this to remove the second password prompt?
3) Is there any way I can auto-answer the questions I am prompted with
when I run apt-get ....
A few words of advice from someone better than me would be very welcome.
thanks.
--------------------------------------------------
#!/bin/bash
SERVER=10.10.10.4
PASSWORD=mypass
apt-get install ldap-utils libnss-ldap libpam-ldap nscd nss-updatedb libnss-db nfs-kernel-server
# answer menus as follows
#LDAP server Uniform Resource Identifier: 10.10.10.4
#Distinguished name of the search base: dc=moores,dc=ca
#LDAP version to use: 3
#Make local root Database admin: YES
#Does the LDAP database require login? NO
#LDAP account for root: cn=admin,dc=moores,dc=ca
#LDAP root account password: XXXXXX
echo "
host ${SERVER}
base dc=moores,dc=ca
rootbinddn cn=admin,dc=moores,dc=ca
" > /etc/libnss-ldap.conf
# the .secret file holds the admin bind password in clear text; keep it root-only
echo "${PASSWORD}" > /etc/libnss-ldap.secret
chmod 600 /etc/libnss-ldap.secret
echo "
#host ${SERVER}
base dc=moores,dc=ca
rootbinddn cn=admin,dc=moores,dc=ca
URI ldap://${SERVER}
" >/etc/pam_ldap.conf
#needed to make these changes in /etc/ldap/ldap.conf
echo "
BASE dc=moores,dc=ca
URI ldap://${SERVER}
" >> /etc/ldap/ldap.conf
echo "
host ${SERVER}
# change ldapi:///lkjdflskdjf to ldap://SERVER
" >> /etc/ldap.conf
# double quotes so ${SERVER} expands; '|' as the sed delimiter avoids escaping the slashes
sed "s|ldapi:.*|ldap://${SERVER}|" /etc/ldap.conf > temp ; mv temp /etc/ldap.conf
echo "${PASSWORD}" > /etc/pam_ldap.secret
chmod 600 /etc/pam_ldap.secret
######################################
#
# Services which need to authenticate via LDAP are in the pam.d directory
# update each service in the form [auth] sufficient pam_ldap.so
#
#
echo "
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
" >> /etc/pam.d/common-account
echo "
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
" >> /etc/pam.d/common-auth
echo "
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
" >> /etc/pam.d/common-password
echo "
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so
" >>/etc/pam.d/common-session
echo "
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix_auth.so
account sufficient pam_ldap.so
account required pam_unix_acct.so
password required pam_ldap.so
session sufficient pam_ldap.so
session required pam_unix_session.so
auth optional pam_group.so
" >> /etc/pam.d/gdm
#################################################
#
# information which we need to access via LDAP
#
#
sed 's/passwd:.*/passwd: files ldap/' /etc/nsswitch.conf > temp ; mv temp /etc/nsswitch.conf
sed 's/group:.*/group: files ldap/' /etc/nsswitch.conf > temp ; mv temp /etc/nsswitch.conf
sed 's/shadow:.*/shadow: files ldap/' /etc/nsswitch.conf > temp ; mv temp /etc/nsswitch.conf
################################################
#
# make home directories accesable via NFS
#
#
echo "
${SERVER}:/export/home /home nfs auto 0 0
" >> /etc/fstab
mount /home
##################################################
#
# restart for GDM login
#
#
/etc/init.d/nscd restart
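For anyone reviewing a client built along the lines of the script above, here is an added example (editor's code, not part of Darryl's post) with three read-only checks that catch the mistakes this kind of setup is prone to: a world-readable rootbinddn secret file, an nsswitch.conf that still lacks the ldap source, and a PAM auth stack in which a second password-asking module (pam_unix or pam_ldap) runs without use_first_pass or try_first_pass and so asks for the password again. Every check takes a file path, so it runs against the constructed samples created below or against the real files under /etc; the sample contents are made up for the demonstration.

```bash
#!/bin/bash
# Added example (not from the original post): read-only sanity checks for an
# nss_ldap / pam_ldap client. Nothing here modifies system files.

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The rootbinddn secret files (/etc/libnss-ldap.secret, /etc/pam_ldap.secret)
# hold the directory admin password in clear text and must be mode 0600.
check_secret_perms() {
    mode=$(file_mode "$1") || return 1
    [ "$mode" = "600" ]
}

# nsswitch.conf: passwd, group and shadow must list "files" first (so local
# root still resolves when the directory is down) and "ldap" after it.
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^${db}:[[:space:]]+files([[:space:]]+[^[:space:]]+)*[[:space:]]+ldap([[:space:]]|$)" "$1" \
            || return 1
    done
}

# PAM auth stack: flag any pam_unix / pam_ldap auth line that follows another
# prompting module without use_first_pass or try_first_pass. Each such module
# asks for the password itself, which is the usual cause of a second prompt.
# @include lines are not followed; point the check at each file separately.
# Returns 0 for a clean stack, 1 when a likely double prompt was found.
check_auth_stack() {
    awk '
        /^[[:space:]]*#/ { next }
        { gsub(/\[[^]]*\]/, "ctl") }            # collapse "[success=1 default=ignore]" to one field
        $1 == "auth" && ($3 ~ /pam_unix(_auth)?\.so/ || $3 ~ /pam_ldap\.so/) {
            reuses = 0
            for (i = 4; i <= NF; i++) if ($i ~ /^(use|try)_first_pass$/) reuses = 1
            if (seen && !reuses) { print "second prompt at line " NR ": " $0; bad = 1 }
            seen = 1
        }
        END { exit bad }' "$1"
}

# Constructed sample files (not real system files) so the checks run offline.
DEMO=$(mktemp -d)
printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\nhosts: files dns\n' > "$DEMO/nsswitch.good"
printf 'passwd: compat\ngroup:  compat\nshadow: compat\n' > "$DEMO/nsswitch.bad"
# Clean stack: pam_unix reuses the password pam_ldap already collected.
printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so nullok_secure use_first_pass\n' > "$DEMO/auth.good"
# Same shape as the lines appended to the gdm service above: pam_unix_auth prompts again.
printf 'auth sufficient pam_ldap.so\nauth required pam_nologin.so\nauth required pam_env.so\nauth required pam_unix_auth.so\n' > "$DEMO/auth.bad"
printf 'mypass\n' > "$DEMO/secret";       chmod 600 "$DEMO/secret"
printf 'mypass\n' > "$DEMO/secret.loose"; chmod 644 "$DEMO/secret.loose"

# Stand-alone demo: report each sample without aborting on the failing ones.
for f in "$DEMO/nsswitch.good" "$DEMO/nsswitch.bad"; do
    if check_nsswitch "$f"; then echo "nsswitch OK:     $f"; else echo "nsswitch BAD:    $f"; fi
done
for f in "$DEMO/auth.good" "$DEMO/auth.bad"; do
    if check_auth_stack "$f"; then echo "auth stack OK:   $f"; else echo "auth stack BAD:  $f"; fi
done
for f in "$DEMO/secret" "$DEMO/secret.loose"; do
    if check_secret_perms "$f"; then echo "secret perms OK: $f"; else echo "secret perms BAD: $f"; fi
done
```

Against a live machine, call the functions on /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/pam.d/gdm, and on /etc/libnss-ldap.secret and /etc/pam_ldap.secret; the awk report names the exact stack line that will prompt a second time.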