Kerberos is still used for forced password updates at login and for password changes; this is currently not working with just nslcd. 08/09/12 - walter
nss-pam-ldapd
krb5
pam-krb5 (aur)
krb5.conf
[libdefaults]
    default_realm = ACM.CS

[realms]
    ACM.CS = {
        kdc = ad1.acm.cs
        kdc = ad2.acm.cs
        admin_server = ad.acm.cs
        default_domain = ACM.CS
    }

[domain_realm]
    .acm.cs = ACM.CS
    acm.cs = ACM.CS
To test, run:
kinit username@ACM.CS
LDAP lookups and auth use nslcd as opposed to the old nss-ldap/pam-ldap packages. Nslcd is faster and more reliable than the old libs.
Make sure nslcd.conf is readable only by root, since it holds the bind and password-change credentials (bindpw and rootpwmodpw).
nslcd.conf
uid nslcd
gid nslcd
uri ldaps://172.29.10.254/
uri ldaps://172.29.13.10/
ldap_version 3
base dc=acm,dc=cs
binddn apacheacm@acm.cs
bindpw <ask admin>
rootpwmoddn acmpwadmin@acm.cs
rootpwmodpw <ask admin>
base group ou=ACMGroups,dc=acm,dc=cs
base passwd ou=ACMUsers,dc=acm,dc=cs
base shadow ou=ACMUsers,dc=acm,dc=cs
bind_timelimit 30
timelimit 30
ssl on
# 'allow' accepts any certificate the domain controller presents; switch to
# 'demand' once the AD CA certificate is installed (tls_cacertfile)
tls_reqcert allow
# Uncomment the 'Mappings for Active Directory' section
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
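An added audit script (not part of this wiki page or of nslcd itself) that parses the nslcd.conf format shown above and flags the things to check before putting the file on a host: non-TLS uri entries, tls_reqcert set to a value that skips certificate verification, passwd/shadow filters that do not exclude computer accounts, and file ownership/mode. The embedded sample config is constructed from the listing above with placeholder passwords and two settings deliberately weakened.

```python
import stat

# Constructed sample cut down from the listing above; the second uri and the passwd filter are weakened.
SAMPLE_CONF = """\
uri ldaps://172.29.10.254/
uri ldap://172.29.13.10/
binddn apacheacm@acm.cs
bindpw <ask admin>
ssl on
tls_reqcert allow
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
"""

def parse_nslcd_conf(text):
    """nslcd.conf is one 'keyword value' per line; '#' starts a comment; keys such as uri may repeat."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries

def audit_entries(entries):
    """Return a list of findings for the settings the config above depends on."""
    findings = []
    last = dict(entries)  # for single-valued keys the last occurrence wins
    for key, value in entries:
        scope = value.split()[0] if value else ""  # e.g. 'passwd' in 'filter passwd (...)'
        if key == "uri" and value.lower().startswith("ldap://") and last.get("ssl") != "start_tls":
            findings.append(f"uri {value}: plain LDAP without start_tls, bind credentials sent in clear")
        if key == "filter" and scope in ("passwd", "shadow") and "(!(objectClass=computer))" not in value:
            findings.append(f"filter {scope}: computer accounts are not excluded")
    if last.get("tls_reqcert") in ("never", "allow", "try"):
        findings.append(f"tls_reqcert {last['tls_reqcert']}: domain controller certificate is not verified")
    return findings

def mode_findings(path, uid, mode):
    """nslcd.conf carries bindpw and rootpwmodpw, so it must be root-owned with no group/other bits."""
    findings = []
    if uid != 0:
        findings.append(f"{path}: not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: readable by others ({stat.filemode(mode)})")
    return findings

if __name__ == "__main__":
    for finding in audit_entries(parse_nslcd_conf(SAMPLE_CONF)):
        print("WARN", finding)
```

To audit a real file, feed the result of os.stat() into mode_findings and the file contents into parse_nslcd_conf.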
Edit the passwd, shadow, and group lines to read:
nsswitch.conf
passwd: compat ldap [NOTFOUND=return]
shadow: compat ldap [NOTFOUND=return]
group:  compat ldap [NOTFOUND=return]
Test
getent passwd
The LDAP user list should show up
getent group
The LDAP group list should show up
To give admins sudo, add this line to sudoers:
sudoers
%AcmLanAdmins ALL=(ALL) ALL
These files are in /etc/pam.d