pam_ldap and nss_ldap
As the final step in getting the system to authenticate users out of LDAP, we have to configure both the Pluggable Authentication Modules and the Name Service libraries to use LDAP.
Ubuntu LDAP auth-client module
To make these changes, we install the Ubuntu scripts that handle it all automatically through the auth-client-config authentication profile management system. The ldap-auth-client package is a meta-package that brings in everything needed to create an LDAP profile for use with these scripts.
$ sudo apt-get install ldap-auth-client
One of the packages brought in will run a curses dialog that edits /etc/ldap.conf. The settings we are using for our setup are:
uri: ldap://localhost/
base: dc=000,dc=com
version: 3
localroot: yes
login: no
manager: cn=rootdn,dc=corp,dc=com
password: 123456testing123456
These settings will be asked for upon installation of the ldap-auth-config meta-package, itself pulled in by ldap-auth-client.
Switching the profile
Now we switch to the managed profile that we created with the LDAP auth-client configuration dialog. That profile is among those listed by the auth-client-config program:
$ auth-client-config --list-profiles
Available profiles are:
  cracklib
  kerberos_example
  lac_ldap
  ldap_example
Not surprisingly, the ldap-auth-config LDAP profile is called lac_ldap. We can enable it for the following types of data sources:
$ auth-client-config --list-types
Available types are:
  nss
  pam-account
  pam-auth
  pam-password
  pam-session
Really, though, we just want to do it for all of them:
$ sudo auth-client-config --profile lac_ldap --all-types
These commands are just convenient ways to edit /etc/nsswitch.conf, /etc/ldap.conf and the /etc/pam.d/common* files, so you could just as easily edit those files by hand instead of using auth-client-config with ldap-auth-config.
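The files named above can be audited directly after switching profiles. This is an added example, not part of the original page or of the Ubuntu packages; it assumes the lac_ldap profile adds an ldap source for passwd and group and a pam_ldap.so line to each common-* stack. The function names, the ROOT prefix argument and the sample files are hypothetical and constructed for illustration.

```shell
# Added example (not from the original page). ROOT is a hypothetical prefix
# argument so the audit can run against a copy of /etc; "" is the live system.
strip_comments() { sed 's/#.*//' "$1" 2>/dev/null; }

make_sample_tree() {  # constructed sample files, not taken from a real host
    mkdir -p "$1/etc/pam.d"
    printf 'passwd: files ldap\ngroup: files ldap\n' > "$1/etc/nsswitch.conf"
    printf 'uri ldap://localhost/\nbase dc=example,dc=com\n' > "$1/etc/ldap.conf"
    for s in auth account password session; do
        printf '%s sufficient pam_ldap.so\n' "$s" > "$1/etc/pam.d/common-$s"
    done
}

check_ldap_profile() {
    root="${1:-}"; rc=0
    for db in passwd group; do  # NSS: both databases must list ldap as a source
        if strip_comments "$root/etc/nsswitch.conf" |
           grep -Eq "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|\$)"; then
            echo "ok    nss $db -> ldap"
        else
            echo "FAIL  nss $db has no ldap source"; rc=1
        fi
    done
    for stack in auth account password session; do  # PAM: active pam_ldap.so line
        if strip_comments "$root/etc/pam.d/common-$stack" | grep -q 'pam_ldap\.so'; then
            echo "ok    pam common-$stack -> pam_ldap.so"
        else
            echo "FAIL  pam common-$stack does not load pam_ldap.so"; rc=1
        fi
    done
    # Transport: plain ldap:// to a remote host without StartTLS exposes bind
    # passwords on the wire; loopback (as on this page), ldaps and ldapi pass.
    conf=$(strip_comments "$root/etc/ldap.conf") || conf=""
    uri=$(printf '%s\n' "$conf" | awk '$1 == "uri" { print $2; exit }')
    host=${uri#ldap://}; host=${host%%[:/]*}
    case "$uri" in
        ldaps://*|ldapi://*) echo "ok    uri $uri" ;;
        ldap://*)
            if [ "$host" = localhost ] || [ "$host" = 127.0.0.1 ] ||
               printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls'; then
                echo "ok    uri $uri"
            else
                echo "FAIL  uri $uri is cleartext LDAP to a remote host"; rc=1
            fi ;;
        *) echo "FAIL  no usable uri in ldap.conf"; rc=1 ;;
    esac
    return $rc
}
```

Run `check_ldap_profile` with no argument to audit the live system; a non-zero exit status means at least one check failed.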
Testing
Finally, we can test that our setup works through LDAP:
$ getent passwd scott
scott:x:5001:5001:Scott Mcdermott:/home/scott:/bin/bash
$ getent group corpusers
corpusers:*:5001:
And the system is now configured.