Re: LDAP authentication against Active Directory in Sarge

[Carlos Rodrigues <carlos.efr@mail.telepac.pt>]

Rene Tapia wrote:
> Besides ldap.conf, you also need to configure pam:

I haven't got to configuring pam yet, but just ldap.conf+nsswitch.conf 
should work just to get uset information, either using something like 
"finger user" or "getent passwd".

LDAP user information without pam_ldap is useful, for instance, if I'm 
going to do authentication through Kerberos or just need the user 
information to be able to use Samba in an Active Directory domain 
without using winbind (to maintain uid/gid consistency through Samba and 
NFS).

But thanks anyway, I also wasn't sure how to configure pam_ldap, 
although I'm not there yet.

Carlos Rodrigues



> apt-get install libpam-ldap -y
> apt-get install libnss-ldap -y
> apt-get install libpam-cracklib -y
>
> Note: libpam-cracklib is not required for LDAP (it
> just enforces strong passwords)
>
> The following config files work, but you can change
> them to suit your needs:
>
> /etc/pam.d/common-auth:
> auth	sufficient	pam_ldap.so
> auth	required	pam_unix.so use_first_pass
>
> /etc/pam.d/common-account:
> account	sufficient	pam_ldap.so
> account	required	pam_unix.so
>
> /etc/pam.d/common-password:
> password   required   pam_cracklib.so retry=3 minlen=6
> difok=3
> password   sufficient pam_ldap.so use_authtok
> try_first_pass
> password   required   pam_unix.so use_authtok
> try_first_pass md5
>
> Also, if you intend to change user passwords with
> passwd via libpam-ldap, you will need to patch
> pam_ldap.so:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=284104
>
> Good luck!