Usage of PAM-LDAP

Posted By: pmietlicki

Published to Work on Mar 26, 2017



pam-ldap lets your Linux users authenticate against your LDAP server. It is generally a good idea to avoid shared generic accounts, for which it is hard to control what happens and to trace what individual users do. Another use case is hosting a git repository and letting users connect with their LDAP account.

Solution for the dummies

Use an all-inclusive package like YuNoHost or Univention.


First verify that your server can reach the LDAP server. For example, if your LDAP port is 389 (usually 636 for LDAP over SSL/TLS), try:

telnet 389

The information below comes from the Debian wiki and the Ubuntu wiki.

 apt-get install libnss-ldapd libpam-ldap 

Inside /etc/nslcd.conf :

uri ldap://
base ou=domain,ou=sub,o=other,c=fr
filter passwd (&(title=TEC))
filter group (objectClass=groupOfUniqueNames)
ldap_version 3

Another filter, based on group membership via the isMemberOf attribute (Sun/Oracle Directory Server, for example):

 filter passwd (isMemberOf=cn=DSI,ou=Groups,ou=domain,ou=sub,o=other,c=fr) 

Inside /etc/nsswitch.conf :

 passwd:         files ldap
 group:          files ldap
 shadow:         files ldap

 hosts:          files dns ldap
 networks:       files ldap

 protocols:      db files
 services:       db files
 ethers:         db files
 rpc:            db files

 netgroup:       nis

Note that the filters only restrict which LDAP entries are visible through NSS. They are not mandatory here because, with this configuration, you still have to create the local account (useradd pmietlicki, for example); only the authentication itself is delegated to the LDAP server. Leave that local account without a password: useradd does not set one, so the entry stays locked in /etc/shadow and the LDAP password is the only way in.

The lines below must replace the existing ones (libpam-ldap provides the pam_ldap.so module; the lines already present in the Debian files use pam_unix.so):

Inside /etc/pam.d/common-account :

account sufficient 
account required

In /etc/pam.d/common-auth :

auth sufficient 
auth required nullok_secure use_first_pass

In /etc/pam.d/common-password (md5 on the pam_unix line is a legacy hash; current Debian and Ubuntu releases default to sha512 or yescrypt, and nullok allows an empty password to be set, so both are worth revisiting):

password sufficient 
password required nullok obscure min=4 max=8 md5

Add the users you want to grant access to your server (the local login name must match the uid attribute of the LDAP entry):

 useradd pmietlicki

Restart services :

/etc/init.d/nscd restart
/etc/init.d/nslcd restart 

If you have problems, you can debug it with:

/etc/init.d/nscd stop 
/etc/init.d/nslcd stop 
nslcd -d 

Check that the system is working by listing the users it now sees:

 getent passwd 

Running nslcd -d in the foreground, as above, shows the nslcd logs and the LDAP requests it issues. You can also run the same lookup directly with ldapsearch, using the base DN from /etc/nslcd.conf:

 ldapsearch -h -b ou=domain,ou=sub,o=other,c=fr -x uid=pmietlicki 
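The connectivity check, the useradd requirement and the getent/ldapsearch verification above can be combined into one script. The following is an added example, not code from the original post or from the Debian/Ubuntu wiki pages it cites. The host name ldap.example.org, the ou=People container in the constructed sample LDIF and the CHECK_LDAP_USER variable are assumptions; the base DN and the user name pmietlicki come from the post. ldap-utils (ldapsearch) is needed only for the live run.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a pam-ldap setup.
# Assumptions: ldap.example.org is a placeholder for your directory server; the
# base DN and the user name pmietlicki are taken from the post.

LDAP_HOST="${LDAP_HOST:-ldap.example.org}"   # assumption: your directory server
LDAP_PORT="${LDAP_PORT:-389}"                # 636 for LDAPS
BASE_DN="ou=domain,ou=sub,o=other,c=fr"      # same base as /etc/nslcd.conf

# Replaces the bare "telnet <host> 389" check: open a TCP socket with bash's
# /dev/tcp (works even when telnet is not installed); exit 0 = port reachable.
ldap_port_open() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Print the first value of attribute $1 from LDIF read on stdin. LDAP attribute
# names are case-insensitive, so compare lower-cased. Base64 ("::") values are
# not decoded; uid and uidNumber are plain ASCII in practice.
ldif_attr() {
  want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  awk -v want="$want" 'tolower($1) == (want ":") { print $2; exit }'
}

# check_account PASSWD_LINE LDIF
# The post requires the local login name to equal the LDAP uid. Returns 0 when
# they match, 1 when they differ, 2 when LDAP has no entry at all. Also warns
# when uidNumber differs: with "passwd: files ldap" the local entry wins, so
# file ownership follows the local number, not the directory's.
check_account() {
  local_name="${1%%:*}"
  local_uidnum="$(printf '%s' "$1" | cut -d: -f3)"
  ldap_uid="$(printf '%s\n' "$2" | ldif_attr uid)"
  ldap_uidnum="$(printf '%s\n' "$2" | ldif_attr uidNumber)"
  if [ -z "$ldap_uid" ]; then
    echo "no LDAP entry for $local_name under $BASE_DN" >&2
    return 2
  fi
  if [ "$ldap_uid" != "$local_name" ]; then
    echo "local login $local_name does not match LDAP uid $ldap_uid" >&2
    return 1
  fi
  if [ -n "$ldap_uidnum" ] && [ "$ldap_uidnum" != "$local_uidnum" ]; then
    echo "warning: local uidNumber $local_uidnum differs from LDAP uidNumber $ldap_uidnum (files wins)" >&2
  fi
  return 0
}

# Live run against the real server, e.g.:  CHECK_LDAP_USER=pmietlicki sh check-ldap-user.sh
check_ldap_user() {
  user="$1"
  ldap_port_open "$LDAP_HOST" "$LDAP_PORT" || { echo "cannot reach $LDAP_HOST:$LDAP_PORT" >&2; return 1; }
  passwd_line="$(getent passwd "$user")" || { echo "no local account: run useradd $user" >&2; return 1; }
  ldif="$(ldapsearch -x -LLL -H "ldap://$LDAP_HOST:$LDAP_PORT" -b "$BASE_DN" "(uid=$user)" uid uidNumber)"
  check_account "$passwd_line" "$ldif"
}

if [ -n "${CHECK_LDAP_USER:-}" ]; then
  check_ldap_user "$CHECK_LDAP_USER"
fi
```

A non-zero result from check_account before you restart nscd/nslcd saves a round of PAM debugging: a login name that differs from the LDAP uid is the most common reason pam_ldap binds as the wrong DN, and a uidNumber mismatch is silent because NSS consults files first.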

We can also enable automatic creation of the home directory on first login by modifying common-session; you will find details on the Ubuntu wiki.
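The four common-* stacks written out in full, as an added example that is not from the original post or from the wiki pages it cites. It assumes the standard pairing of pam_ldap.so (from libpam-ldap, which reads its own uri and base from /etc/pam_ldap.conf) with pam_unix.so, replaces the legacy md5 hash with sha512 and drops nullok, and adds the pam_mkhomedir line for the home-directory creation mentioned above; umask=0077 is an assumption chosen so new home directories are private. Note that pam-auth-update rewrites these files, so on current releases it is simpler to enable libpam-ldap's profile through pam-auth-update than to edit them by hand.

```text
# /etc/pam.d/common-auth
# pam_ldap first: if the LDAP bind succeeds the stack ends here. If it fails,
# pam_unix re-uses the typed password (use_first_pass) against /etc/shadow;
# an account created with useradd has no password, so LDAP is the only way in.
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so nullok_secure use_first_pass

# /etc/pam.d/common-account
account sufficient  pam_ldap.so
account required    pam_unix.so

# /etc/pam.d/common-password
# sha512 instead of the legacy md5; no nullok, so an empty password cannot be set.
password sufficient pam_ldap.so
password required   pam_unix.so obscure sha512

# /etc/pam.d/common-session
session required    pam_unix.so
session optional    pam_ldap.so
# create the home directory on first login (assumption: umask 0077 for private homes)
session optional    pam_mkhomedir.so skel=/etc/skel umask=0077
```

Test a change with a second root shell left open: a mistake in common-auth locks every login, including yours, until it is reverted.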

Tags: Authentication, LDAP, PAM