(Updated to remove the changes to the default password storage scheme in OpenDJ.)
The following guide describes how to quickly set up a test environment for authenticating Ubuntu client LDAP logins to a directory server. This is an insecure setup, intended only for learning more about LDAP authentication.
I am using VirtualBox to virtualise my test Ubuntu 10.04 client, although you may of course use a physical machine. The LDAP server is ForgeRock’s OpenDJ v2.4.1, running on OpenIndiana oi_147 x86. OpenDJ is chosen for its brilliantly easy-to-use Java-based installation and management utilities, coupled with the fact it’s developed by ex-Sun Microsystems talent, and, perhaps best of all, Oracle has nothing to do with it.
This guide assumes prior basic familiarity with installing OpenDJ, and installing VirtualBox guest VMs. Let’s get started.
Install and configure OpenDJ 2.4.1 on the host system
Download OpenDJ 2.4.1 from http://forgerock.com/downloads-opendj.html, and install it via the Java quick start utility. Simply use the default settings as follows:
Next, let’s run the OpenDJ control-panel GUI utility and create a test People OU under our base DN:
Add a test user account to the People OU: fill out the First Name, Last Name, Common Name, User ID, and User Password fields, then save changes:
Now, edit the test account’s Object Class, and add the posixAccount auxiliary object class to it. Fill out the gidNumber, homeDirectory and uidNumber fields as follows:
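The control panel hides what the test account actually looks like in the directory. The following shell script is an added example, not part of the original post or of OpenDJ: it writes the LDIF equivalent of the account created above (person plus the posixAccount auxiliary class under ou=People,dc=example,dc=com) and checks that every attribute posixAccount requires (uid, cn, uidNumber, gidNumber, homeDirectory per RFC 2307) is present, since a missing one is the usual reason an LDAP user resolves in the directory but cannot log in. The user name, numeric ids and home directory are constructed values; the userPassword line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): LDIF for a posixAccount test
# user plus a pre-import check. All names and numbers are constructed.

# make_posix_user_ldif UID UIDNUMBER GIDNUMBER FIRST LAST HOMEDIR
# Prints one LDIF entry under the People OU used in the post.
make_posix_user_ldif() {
    uid="$1"; uidnum="$2"; gidnum="$3"; first="$4"; last="$5"; home="$6"
    cat <<EOF
dn: uid=${uid},ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ${uid}
cn: ${first} ${last}
sn: ${last}
givenName: ${first}
uidNumber: ${uidnum}
gidNumber: ${gidnum}
homeDirectory: ${home}
userPassword: CHANGE-ME-PLACEHOLDER
EOF
}

# check_posix_ldif FILE
# Returns 0 when the entry carries every MUST attribute of posixAccount,
# sets the object class, and uses a uidNumber outside the range Ubuntu
# reserves for local system accounts (below 1000). Problems are printed.
check_posix_ldif() {
    file="$1"; rc=0
    for attr in uid cn uidNumber gidNumber homeDirectory; do
        if ! grep -q "^${attr}: " "$file"; then
            echo "missing required attribute: ${attr}"; rc=1
        fi
    done
    if ! grep -q '^objectClass: posixAccount$' "$file"; then
        echo "posixAccount object class not set"; rc=1
    fi
    uidnum=$(sed -n 's/^uidNumber: //p' "$file")
    case "$uidnum" in
        ''|*[!0-9]*) echo "uidNumber missing or not numeric"; rc=1 ;;
        *) if [ "$uidnum" -lt 1000 ]; then
               echo "uidNumber ${uidnum} collides with local system accounts (<1000)"; rc=1
           fi ;;
    esac
    return $rc
}
```

On the OpenDJ host the generated file can be loaded with the bundled ldapmodify tool; running check_posix_ldif first catches the case where the GUI save went through without the posixAccount fields.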
OpenDJ is now configured. Let’s set up our Ubuntu client.
Install and configure a fresh Ubuntu 10.04 x86 virtual machine
Create a new Ubuntu 10.04 x86 VM. The default NAT networking mode for the VM works fine. For the administrative account created during OS installation, pick a username that won’t exist in OpenDJ (e.g. “pcadmin” or something).
Once Ubuntu has been installed, run a full software update. Following this, install the VirtualBox guest additions, then restart the VM.
Install libnss-ldap and dependencies
Log in with the administrative account created during installation, then use Synaptic Package Manager to install the libnss-ldap package. Its dependencies will also be downloaded and installed automatically:
During installation of the packages, you will be prompted for the location of your LDAP server: point at the IP address of the host system using the ldap:// format. Other settings may be left at their defaults as illustrated in the following, but be sure to change the search base to dc=example,dc=com, and the LDAP root account to cn=Directory Manager:
Manually edit the PAM LDAP configuration file
After installation of libnss-ldap and its dependencies, manually edit /etc/ldap.conf and comment out this line:
If you are using a non-default port for LDAP connectivity (e.g. port 1389), then append this as part of the LDAP server address entry in /etc/ldap.conf. Look for the uncommented uri entry with the address of your LDAP server, then append the port number to it. In my case, this looks like:
# Another way to specify your LDAP server is to provide an uri
uri ldap://192.168.51.2:1389
I encountered authentication problems when attempting to set an alternate port number at the following section in /etc/ldap.conf, so leave this as-is (i.e. commented out):
# The port.
# Optional: default is 389.
#port 389
Edit PAM service configuration files
Change directory to /etc/pam.d, and edit the files common-account, common-auth, common-password and common-session, commenting out or removing the existing entries and replacing them with the following entries respectively:
common-account:
account sufficient pam_ldap.so
account required pam_unix.so

common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

common-password:
password sufficient pam_ldap.so nullok
password required pam_unix.so nullok obscure min=4 max=8 md5

common-session:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
session optional pam_ldap.so
Manually edit the name service switch file
Next, change the passwd, group, and shadow entries in /etc/nsswitch.conf from this:
passwd: compat
group: compat
shadow: compat

to this:

passwd: files ldap
group: files ldap
shadow: files ldap
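Before rebooting it is worth checking the three client-side edits (the uri and port in /etc/ldap.conf, the pam_ldap.so lines in /etc/pam.d/common-*, and the nsswitch.conf databases) with something more mechanical than eyeballing. The script below is an added example, not part of the original post or of the libnss-ldap package. Each function takes the file to inspect as an argument, so it runs against the real files on the VM or against copies; the sample contents in the usage note are constructed. It also reports when the configured transport is plain ldap:// without start_tls, which is exactly the insecure arrangement the post describes for a lab and the first thing to change outside one. The PAM check only understands keyword control fields (sufficient, required, optional), not the bracketed form.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the client-side
# LDAP login configuration. Functions take a file path; nothing is modified.

# ldap_server_uri FILE
# Prints the active (uncommented) uri value from an ldap.conf-style file.
ldap_server_uri() {
    sed -n 's/^uri[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# ldap_server_port FILE
# Prints the port the client will use: the one in the uri if present,
# otherwise 636 for ldaps:// and 389 for ldap:// (IPv6 literals not handled).
ldap_server_port() {
    uri=$(ldap_server_uri "$1")
    hostport=${uri#*://}
    hostport=${hostport%%/*}
    case "$hostport" in
        *:*) echo "${hostport##*:}" ;;
        *)   case "$uri" in ldaps://*) echo 636 ;; *) echo 389 ;; esac ;;
    esac
}

# ldap_transport_is_plain FILE
# Returns 0 when bind credentials would travel over unencrypted ldap://
# with no 'ssl start_tls' directive, 1 when ldaps:// or start_tls is set.
ldap_transport_is_plain() {
    case "$(ldap_server_uri "$1")" in
        ldaps://*) return 1 ;;
    esac
    if grep -q '^ssl[[:space:]]\{1,\}start_tls' "$1"; then
        return 1
    fi
    return 0
}

# nsswitch_uses_ldap FILE
# Returns 0 when passwd, group and shadow all read "files ldap".
nsswitch_uses_ldap() {
    for db in passwd group shadow; do
        grep -q "^${db}:[[:space:]]*files[[:space:]]\{1,\}ldap" "$1" || return 1
    done
    return 0
}

# pam_file_uses_ldap FILE TYPE
# Returns 0 when FILE has an active "TYPE <control> pam_ldap.so" line,
# e.g. pam_file_uses_ldap /etc/pam.d/common-auth auth
pam_file_uses_ldap() {
    grep -q "^$2[[:space:]]\{1,\}[a-z]\{1,\}[[:space:]]\{1,\}pam_ldap\.so" "$1"
}
```

On the VM, after these pass and before rebooting, `getent passwd <testuser>` should return the LDAP entry; if it does not, the problem is in NSS or the uri, not in PAM.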
Finally, reboot the VM. Ubuntu is now configured.
Test LDAP logins to the Ubuntu VM
After rebooting Ubuntu, you should now be able to log in using the test LDAP account you created. A home directory and GNOME environment will be created automatically on login.