Testing an LDAP connection
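# Trust chain first: the DC's certificate must chain to a CA the client trusts.
# On Debian-style systems do NOT append to /etc/ssl/certs/ca-certificates.crt by
# hand — update-ca-certificates regenerates that bundle and silently drops the
# entry. Install the CA PEM as /usr/local/share/ca-certificates/<name>.crt and run
# update-ca-certificates, or point TLS_CACERT in ldap.conf at the file. The CA
# cert can be exported from the DC itself (or via Apache Directory/LDAP Studio).
# Resist "fixing" a verification error with TLS_REQCERT never — that disables
# server authentication and turns the simple bind below into a credential leak.
#
# Simple bind (-x) over LDAPS as the user, searching for the user's own entry.
# -W prompts for the bind password so it never lands in argv, ps output or
# shell history.
ldapsearch -x -H 'ldaps://shared-dc-prd-2.shared.sydney.edu.au' \
  -D 'CN=pfowler,OU=People,DC=shared,DC=sydney,DC=edu,DC=au' \
  -b 'OU=People,DC=shared,DC=sydney,DC=edu,DC=au' \
  -W "(cn=pfowler)"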
Setting Up LDAP Authentication
Remember to set up Services for Unix on the AD server first, otherwise this will not work: the nss_map_* lines below rely on POSIX-style attributes (e.g. unixHomeDirectory, uid/gid numbers) being present on the AD user and group objects, and those are what the SFU schema extension provides.
/etc/ldap.conf
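# /etc/ldap.conf (nss_ldap / pam_ldap) for an AD domain with Services for Unix.
# This file has to be world-readable for NSS lookups, so bindpw is visible to
# every local user: make LDAPUser an unprivileged, read-only account, replace
# the placeholder password, and never reuse that password anywhere else.
host adserver
base DC=newioit,DC=com,DC=au
ldap_version 3
binddn CN=LDAPUser,OU=Users,DC=newioit,DC=com,DC=au
bindpw password
# 389 = domain controller LDAP; 3268 = global catalog. Keep comments on their
# own line — trailing "#" comments are not reliably stripped by the parser.
port 389
scope sub
pam_login_attribute SAMAccountName
nss_base_passwd dc=newioit,dc=com,dc=au
nss_base_shadow dc=newioit,dc=com,dc=au
nss_base_group dc=newioit,dc=com,dc=au
nss_map_objectclass posixAccount User
nss_map_attribute uniqueMember posixMember
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn sAMAccountName
# The original had "ssl no": with simple binds, every user's password and the
# bindpw crossed the network in cleartext. Upgrade the port-389 session with
# STARTTLS and verify the server certificate against the trusted CA bundle
# (the same bundle the ldapsearch test above relies on).
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# "md5" writes a client-hashed userPassword, which AD does not accept; "ad"
# performs the AD-style unicodePwd change and requires the TLS session above.
pam_password ad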
/etc/nsswitch.conf
...
# "files" before "ldap": local accounts (root included) keep resolving, and
# local logins keep working, when the directory server is unreachable.
passwd: files ldap
shadow: files ldap
group: files ldap
...
/etc/pam.d/system-auth
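# /etc/pam.d/system-auth — local (pam_unix) first, then pam_ldap (installed
# via nss_ldap). Changes from the original stack: "nullok" removed from both
# pam_unix lines, because it lets any local account with an empty password
# field log in without a password.

# auth: local password, else (for non-system uids >= 500) the LDAP bind.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

# account: pam_unix expiry checks apply to everyone; pam_ldap is consulted but
# an unknown user / unreachable server is ignored so local accounts still work.
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

# password: quality check, then local change, else LDAP change with the same
# token. "md5" is kept here for compatibility with the original; prefer
# "sha512" where the distro's pam_unix supports it.
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

# session: keyring, limits; pam_ldap skipped for cron jobs.
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_ldap.so
session required pam_unix.so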