22 comments on “Set up LDAP authentication between Ubuntu 10.04 and OpenDJ 2.4.1

  1. Pingback: Notes on LDAP auth on Ubuntu by Dave Koelmeyer | Margin Notes 2.0

  2. Pingback: Ubuntu 10.04 LDAP naming service with OpenDJ « Ludo's Sketches

  3. Pingback: Ubuntu 10.04 LDAP naming service with OpenDJ » OpenDJ

  4. Hi Dave,

    How did you estimate the additional directory load using pam_ldap ? Curious if you have any figures from running this is a production environment.
    I did a little profiling on the same configuration. A sequence of ssh, edit file, chown file, exit results in 12 binds and 32 exact searches. Extrapolation is obviously tricky.


  5. Joachim,

    Is nscd running?

    The connections should stay bound. However there are always a number of searches as nscd caching isn’t perfect. We run (Old) boxes with ~900 SSL connections each and they run <10% CPU. Just have a look and make sure to index where needed (uidNumber/gidNumber/unixUser).

  6. Pingback: Sudo with OpenDJ | Margin Notes 2.0

  7. Pingback: Thunderbird 3.1 on Ubuntu 10.04 segfaults on launch with LDAP users « Dave Koelmeyer

  8. 2 questions for you, if you get a chance.

    #1 – Why use the directory admin user? Does this process need uber permissions or can you create some proxy for it?

    #2 – Why change the permission scheme to MD5? Does something require that specifically?

    Otherwise thanks! Super informative. I’m gonna try this with 11.04 here shortly (I hope).

    • On question number #1, this is simply a quick and dirty how-to, and I wouldn’t recommend any of this in a production environment, especially using the default root account to bind.

  9. Pingback: Secure LDAP authentication between OpenDJ and Ubuntu « Dave Koelmeyer

  10. hi dave,

    I have an issue that even when ldap password expires my user is able to login in his ubuntu machine because his password is picked from the cache , so the user does not change his password even after the password has expired, so is there a way i can force my user to change his password after expiration…thanks

  11. hi dave ,

    thanks for your reply, I am using opendj version 2.4.3 on centos 5.6(64 bit) and my client is ubuntu 11.04(32 bit) . On my client side I have done the same steps as you have defined in this document and on the server side I have implemedted the following password policies.
    allow-expired-password-changes -true
    allow-user-password-changes -true
    max-password-age – 12w 6d
    grace- login-count – 4
    password-expiration-warning-interval – 5d

    My main concern is that when the user password expires he should be prompted to change his password as in the case of active directory, and he should not be able to login once his password has expired without changing his password .

    In the current scenario even when the ldap rejects the authentication due to password expiration , the configuration of pam.d files and nssswitch.conf allows the password to be picked from the ubuntu cache. so can we make any changes in these files so user is forced to change his password once the password has expired.

    I am using the following packages on client side nss-updatedb for caching name service directories locally (passwd and group) , libnss-db to enable NSS to read cached name services (passwd and group) . I am using these services so my user can login even when he is offline but I dont want him to login once his password has expired.

    thanks once again.

  12. Pingback: PAM, LDAPS, and Policykit weirdness in Ubuntu 10.04 x86 « Dave Koelmeyer

  13. Pingback: LDAP secondary group memberships with OpenDJ and Ubuntu 12.04 « Dave Koelmeyer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s