https://wiki.archlinux.org/api.php?action=feedcontributions&user=Bcrescimanno&feedformat=atomArchWiki - User contributions [en]2024-03-29T07:22:46ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=LDAP_authentication&diff=307018LDAP authentication2014-03-25T23:15:06Z<p>Bcrescimanno: Updating the reference for nss-pam-ldapd to the official repo instead of AUR</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Related articles start}}<br />
{{Related|OpenLDAP}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).<br />
<br />
The guide is divided into two parts. The first part deals with how to setup an [[OpenLDAP]] server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== NSS and PAM ===<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database.<br />
<br />
PAM (which stands for Pluggable Authentication Module) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.<br />
<br />
== LDAP Server Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Set up access controls ===<br />
<br />
To make sure that no-one can read the (encrypted) passwords from the LDAP server, but a user can edit their own password, add the following to {{ic|/etc/openldap/slapd.conf}} and restart {{ic|slapd.service}} afterwards:<br />
<br />
{{hc|slapd.conf|2=<br />
access to attrs=userPassword<br />
by self write<br />
by anonymous auth<br />
by * none<br />
<br />
access to *<br />
by self write<br />
by * read<br />
}}<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a temporarily file called {{ic|base.ldif}} with the following text.<br />
{{note|If you have a different domain name then alter "example" and "org" to your needs}}<br />
<br />
{{hc|base.ldif|<nowiki><br />
# example.org<br />
dn: dc=example,dc=org<br />
dc: example<br />
o: Example Organization<br />
objectClass: dcObject<br />
objectClass: organization<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
objectClass: organizationalRole<br />
objectClass: top<br />
roleOccupant: dc=example,dc=org<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Groups, example.org<br />
dn: ou=Groups,dc=example,dc=org<br />
ou: Groups<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
</nowiki>}}<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
=== Adding users ===<br />
To manually add a user, create an {{ic|.ldif}} file like this:<br />
{{hc|user_joe.ldif|<nowiki><br />
dn: uid=johndoe,ou=People,dc=example,dc=org<br />
objectClass: top<br />
objectClass: person<br />
objectClass: organizationalPerson<br />
objectClass: inetOrgPerson<br />
objectClass: posixAccount<br />
objectClass: shadowAccount<br />
uid: johndoe<br />
cn: John Doe<br />
sn: Doe<br />
givenName: John<br />
title: Guinea Pig<br />
telephoneNumber: +0 000 000 0000<br />
mobile: +0 000 000 0000<br />
postalAddress: AddressLine1$AddressLine2$AddressLine3<br />
userPassword: {CRYPT}xxxxxxxxxx<br />
labeledURI: https://archlinux.org/<br />
loginShell: /bin/bash<br />
uidNumber: 9999<br />
gidNumber: 9999<br />
homeDirectory: /home/johndoe/<br />
description: This is an example user<br />
</nowiki>}}<br />
<br />
The {{ic|xxxxxxxxxx}} in the {{ic|userPassword}} entry should be replaced with the value in {{ic|/etc/shadow}} or use the {{ic|slappasswd}} command. Now add the user:<br />
<br />
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif<br />
<br />
{{Note|You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's [http://www.padl.com/OSS/MigrationTools.html Migration Tools].}}<br />
<br />
== Client Setup ==<br />
<br />
Install the OpenLDAP client as described in [[OpenLDAP]]. Make sure you can query the server with {{ic|ldapsearch}}.<br />
<br />
Next, [[pacman|install]] {{pkg|nss-pam-ldapd}} from the [[official repositories]].<br />
<br />
=== NSS Configuration ===<br />
NSS is a system facility which manages different sources as configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database, which stores the user accounts.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
Edit {{ic|/etc/nslcd.conf}} and change the {{ic|base}} and {{ic|uri}} lines to fit your ldap server setup.<br />
<br />
Start {{ic|nslcd.service}} using systemd.<br />
<br />
You now should see your LDAP users when running {{ic|getent passwd}} on the client.<br />
<br />
=== PAM Configuration ===<br />
The basic rule of thumb for PAM configuration is to include {{ic|pam_ldap.so}} wherever {{ic|pam_unix.so}} is included. Arch moving to {{pkg|pambase}} has helped decrease the amount of edits required. For more details about configuring pam, the [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/PAM_Configuration_Files.html RedHat Documentation] is quite good. You might also want the upstream documentation for [http://arthurdejong.org/nss-pam-ldapd nss-pam-ldapd].<br />
<br />
{{Tip|If you want to prevent UID clashes with local users on your system, you might want to include {{ic|minimum_uid&#61;10000}} or similar on the end of the {{ic|pam_ldap.so}} lines. You'll have to make sure the LDAP server returns uidNumber fields that match the restriction.}}<br />
<br />
{{Note|Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for ''auth'', ''password'', and ''account'' is ''sufficient'' lines before ''required'', but after required lines for the ''session'' section; ''optional'' can almost always go at the end. When adding your {{ic|pam_ldap.so}} lines, don't change the relative order of the other lines without good reason! Simply insert LDAP within the chain.}}<br />
<br />
First edit {{ic|/etc/pam.d/system-auth}}. This file is included in most of the other files in {{ic|pam.d}}, so changes here propagate nicely. Updates to {{pkg|pambase}} may change this file.<br />
<br />
Make {{ic|pam_ldap.so}} sufficient at the top of each section, except in the ''session'' section, where we make it optional.<br />
{{hc|/etc/pam.d/system-auth|<br />
'''auth sufficient pam_ldap.so'''<br />
auth required pam_unix.so try_first_pass nullok<br />
auth optional pam_permit.so<br />
auth required pam_env.so<br />
<br />
'''account sufficient pam_ldap.so'''<br />
account required pam_unix.so<br />
account optional pam_permit.so<br />
account required pam_time.so<br />
<br />
'''password sufficient pam_ldap.so'''<br />
password required pam_unix.so try_first_pass nullok sha512 shadow<br />
password optional pam_permit.so<br />
<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
'''session optional pam_ldap.so'''<br />
session optional pam_permit.so<br />
}}<br />
<br />
Then edit both {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} identically. The {{ic|su-l}} file is used when the user runs {{ic|su --login}}.<br />
<br />
Make {{ic|pam_ldap.so}} sufficient at the top of each section, and add {{ic|use_first_pass}} to {{ic|pam_unix}} in the ''auth'' section.<br />
{{hc|/etc/pam.d/su|<br />
#%PAM-1.0<br />
'''auth sufficient pam_ldap.so'''<br />
auth sufficient pam_rootok.so<br />
# Uncomment the following line to implicitly trust users in the "wheel" group.<br />
#auth sufficient pam_wheel.so trust use_uid<br />
# Uncomment the following line to require a user to be in the "wheel" group.<br />
#auth required pam_wheel.so use_uid<br />
auth required pam_unix.so '''use_first_pass'''<br />
'''account sufficient pam_ldap.so'''<br />
account required pam_unix.so<br />
'''session sufficient pam_ldap.so'''<br />
session required pam_unix.so<br />
}}<br />
<br />
To enable users to edit their password, edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
{{hc|/etc/pam.d/passwd|2=<br />
#%PAM-1.0<br />
'''password sufficient pam_ldap.so'''<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so sha512 shadow use_authtok<br />
password required pam_unix.so sha512 shadow nullok<br />
}}<br />
<br />
==== Create home folders at login ====<br />
<br />
If you want home folders to be created at login (eg: if you aren't using NFS to store home folders), edit {{ic|/etc/pam.d/system-login}} and add {{ic|pam_mkhomedir.so}} to the ''session'' section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, kdm, gdm, etc. You might choose to edit additional files in the same way, such as {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} to enable it for {{ic|su}} and {{ic|su --login}}. If you don't want to do this for ssh logins, edit {{ic|system-local-login}} instead of {{ic|system-login}}, etc.<br />
<br />
{{hc|/etc/pam.d/system-login|<br />
...top of file not shown...<br />
session optional pam_loginuid.so<br />
session include system-auth<br />
session optional pam_motd.so motd&#61;/etc/motd<br />
session optional pam_mail.so dir&#61;/var/spool/mail standard quiet<br />
-session optional pam_systemd.so<br />
session required pam_env.so<br />
'''session required pam_mkhomedir.so skel&#61;/etc/skel umask&#61;0022'''<br />
}}<br />
<br />
{{hc|/etc/pam.d/su-l|<br />
...top of file not shown...<br />
'''session required pam_mkhomedir.so skel&#61;/etc/skel umask&#61;0022'''<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
}}<br />
<br />
==== Enable sudo ====<br />
<br />
To enable sudo from an LDAP user, edit {{ic|/etc/pam.d/sudo}}. You'll also need to modify sudoers accordingly.<br />
{{hc|/etc/pam.d/sudo|<br />
#%PAM-1.0<br />
'''auth sufficient pam_ldap.so'''<br />
auth required pam_unix.so '''try_first_pass'''<br />
auth required pam_nologin.so<br />
}}<br />
<br />
== Resources ==<br />
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]<br />
<br />
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]<br />
<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]<br />
<br />
[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]</div>Bcrescimannohttps://wiki.archlinux.org/index.php?title=LDAP_authentication&diff=307017LDAP authentication2014-03-25T23:05:29Z<p>Bcrescimanno: Removing the section on enabling NSCD. It stated (erroneously) that NSCD would cache credentials and allow offline LDAP login.</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Related articles start}}<br />
{{Related|OpenLDAP}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).<br />
<br />
The guide is divided into two parts. The first part deals with how to setup an [[OpenLDAP]] server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== NSS and PAM ===<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database.<br />
<br />
PAM (which stands for Pluggable Authentication Module) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.<br />
<br />
== LDAP Server Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Set up access controls ===<br />
<br />
To make sure that no-one can read the (encrypted) passwords from the LDAP server, but a user can edit their own password, add the following to {{ic|/etc/openldap/slapd.conf}} and restart {{ic|slapd.service}} afterwards:<br />
<br />
{{hc|slapd.conf|2=<br />
access to attrs=userPassword<br />
by self write<br />
by anonymous auth<br />
by * none<br />
<br />
access to *<br />
by self write<br />
by * read<br />
}}<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a temporarily file called {{ic|base.ldif}} with the following text.<br />
{{note|If you have a different domain name then alter "example" and "org" to your needs}}<br />
<br />
{{hc|base.ldif|<nowiki><br />
# example.org<br />
dn: dc=example,dc=org<br />
dc: example<br />
o: Example Organization<br />
objectClass: dcObject<br />
objectClass: organization<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
objectClass: organizationalRole<br />
objectClass: top<br />
roleOccupant: dc=example,dc=org<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Groups, example.org<br />
dn: ou=Groups,dc=example,dc=org<br />
ou: Groups<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
</nowiki>}}<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
=== Adding users ===<br />
To manually add a user, create an {{ic|.ldif}} file like this:<br />
{{hc|user_joe.ldif|<nowiki><br />
dn: uid=johndoe,ou=People,dc=example,dc=org<br />
objectClass: top<br />
objectClass: person<br />
objectClass: organizationalPerson<br />
objectClass: inetOrgPerson<br />
objectClass: posixAccount<br />
objectClass: shadowAccount<br />
uid: johndoe<br />
cn: John Doe<br />
sn: Doe<br />
givenName: John<br />
title: Guinea Pig<br />
telephoneNumber: +0 000 000 0000<br />
mobile: +0 000 000 0000<br />
postalAddress: AddressLine1$AddressLine2$AddressLine3<br />
userPassword: {CRYPT}xxxxxxxxxx<br />
labeledURI: https://archlinux.org/<br />
loginShell: /bin/bash<br />
uidNumber: 9999<br />
gidNumber: 9999<br />
homeDirectory: /home/johndoe/<br />
description: This is an example user<br />
</nowiki>}}<br />
<br />
The {{ic|xxxxxxxxxx}} in the {{ic|userPassword}} entry should be replaced with the value in {{ic|/etc/shadow}} or use the {{ic|slappasswd}} command. Now add the user:<br />
<br />
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif<br />
<br />
{{Note|You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's [http://www.padl.com/OSS/MigrationTools.html Migration Tools].}}<br />
<br />
== Client Setup ==<br />
<br />
Install the OpenLDAP client as described in [[OpenLDAP]]. Make sure you can query the server with {{ic|ldapsearch}}.<br />
<br />
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[official repositories]].<br />
<br />
=== NSS Configuration ===<br />
NSS is a system facility which manages different sources as configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database, which stores the user accounts.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
Edit {{ic|/etc/nslcd.conf}} and change the {{ic|base}} and {{ic|uri}} lines to fit your ldap server setup.<br />
<br />
Start {{ic|nslcd.service}} using systemd.<br />
<br />
You now should see your LDAP users when running {{ic|getent passwd}} on the client.<br />
<br />
=== PAM Configuration ===<br />
The basic rule of thumb for PAM configuration is to include {{ic|pam_ldap.so}} wherever {{ic|pam_unix.so}} is included. Arch moving to {{pkg|pambase}} has helped decrease the amount of edits required. For more details about configuring pam, the [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/PAM_Configuration_Files.html RedHat Documentation] is quite good. You might also want the upstream documentation for [http://arthurdejong.org/nss-pam-ldapd nss-pam-ldapd].<br />
<br />
{{Tip|If you want to prevent UID clashes with local users on your system, you might want to include {{ic|minimum_uid&#61;10000}} or similar on the end of the {{ic|pam_ldap.so}} lines. You'll have to make sure the LDAP server returns uidNumber fields that match the restriction.}}<br />
<br />
{{Note|Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for ''auth'', ''password'', and ''account'' is ''sufficient'' lines before ''required'', but after required lines for the ''session'' section; ''optional'' can almost always go at the end. When adding your {{ic|pam_ldap.so}} lines, don't change the relative order of the other lines without good reason! Simply insert LDAP within the chain.}}<br />
<br />
First edit {{ic|/etc/pam.d/system-auth}}. This file is included in most of the other files in {{ic|pam.d}}, so changes here propagate nicely. Updates to {{pkg|pambase}} may change this file.<br />
<br />
Make {{ic|pam_ldap.so}} sufficient at the top of each section, except in the ''session'' section, where we make it optional.<br />
{{hc|/etc/pam.d/system-auth|<br />
'''auth sufficient pam_ldap.so'''<br />
auth required pam_unix.so try_first_pass nullok<br />
auth optional pam_permit.so<br />
auth required pam_env.so<br />
<br />
'''account sufficient pam_ldap.so'''<br />
account required pam_unix.so<br />
account optional pam_permit.so<br />
account required pam_time.so<br />
<br />
'''password sufficient pam_ldap.so'''<br />
password required pam_unix.so try_first_pass nullok sha512 shadow<br />
password optional pam_permit.so<br />
<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
'''session optional pam_ldap.so'''<br />
session optional pam_permit.so<br />
}}<br />
<br />
Then edit both {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} identically. The {{ic|su-l}} file is used when the user runs {{ic|su --login}}.<br />
<br />
Make {{ic|pam_ldap.so}} sufficient at the top of each section, and add {{ic|use_first_pass}} to {{ic|pam_unix}} in the ''auth'' section.<br />
{{hc|/etc/pam.d/su|<br />
#%PAM-1.0<br />
'''auth sufficient pam_ldap.so'''<br />
auth sufficient pam_rootok.so<br />
# Uncomment the following line to implicitly trust users in the "wheel" group.<br />
#auth sufficient pam_wheel.so trust use_uid<br />
# Uncomment the following line to require a user to be in the "wheel" group.<br />
#auth required pam_wheel.so use_uid<br />
auth required pam_unix.so '''use_first_pass'''<br />
'''account sufficient pam_ldap.so'''<br />
account required pam_unix.so<br />
'''session sufficient pam_ldap.so'''<br />
session required pam_unix.so<br />
}}<br />
<br />
To enable users to edit their password, edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
{{hc|/etc/pam.d/passwd|2=<br />
#%PAM-1.0<br />
'''password sufficient pam_ldap.so'''<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so sha512 shadow use_authtok<br />
password required pam_unix.so sha512 shadow nullok<br />
}}<br />
<br />
==== Create home folders at login ====<br />
<br />
If you want home folders to be created at login (eg: if you aren't using NFS to store home folders), edit {{ic|/etc/pam.d/system-login}} and add {{ic|pam_mkhomedir.so}} to the ''session'' section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, kdm, gdm, etc. You might choose to edit additional files in the same way, such as {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} to enable it for {{ic|su}} and {{ic|su --login}}. If you don't want to do this for ssh logins, edit {{ic|system-local-login}} instead of {{ic|system-login}}, etc.<br />
<br />
{{hc|/etc/pam.d/system-login|<br />
...top of file not shown...<br />
session optional pam_loginuid.so<br />
session include system-auth<br />
session optional pam_motd.so motd&#61;/etc/motd<br />
session optional pam_mail.so dir&#61;/var/spool/mail standard quiet<br />
-session optional pam_systemd.so<br />
session required pam_env.so<br />
'''session required pam_mkhomedir.so skel&#61;/etc/skel umask&#61;0022'''<br />
}}<br />
<br />
{{hc|/etc/pam.d/su-l|<br />
...top of file not shown...<br />
'''session required pam_mkhomedir.so skel&#61;/etc/skel umask&#61;0022'''<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
}}<br />
<br />
==== Enable sudo ====<br />
<br />
To enable sudo from an LDAP user, edit {{ic|/etc/pam.d/sudo}}. You'll also need to modify sudoers accordingly.<br />
{{hc|/etc/pam.d/sudo|<br />
#%PAM-1.0<br />
'''auth sufficient pam_ldap.so'''<br />
auth required pam_unix.so '''try_first_pass'''<br />
auth required pam_nologin.so<br />
}}<br />
<br />
== Resources ==<br />
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]<br />
<br />
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]<br />
<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]<br />
<br />
[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]</div>Bcrescimanno