Recently there was a request to see whether a university could migrate completely to Ubuntu. One of their requirements was that their Windows logins were managed through Active Directory. I knew that LDAP is an alternative, so I wanted to try it before committing to anything.
I decided to make my home Debian desktop the server and my Ubuntu laptop the client. The following are the rough steps I needed to follow to get LDAP authentication working on Ubuntu. There is already good enough documentation, but I still had to look at multiple sites, and bits and pieces of information from various sites helped me.
Preparing the server (my Debian system):
1) Install slapd and migrationtools.
2) Run dpkg-reconfigure slapd and choose the options.
3) Then make changes in migrate_common.ph.
4) ou=People and ou=Group are not added by the migration scripts and hence have to be created manually and added.
5) Run migrate_passwd.pl and migrate_group.pl and add the result to LDAP.
Here, when I was following the Debian Wiki page, I was told to use the migrate_all_online.pl script, which always failed for me for one reason or another. Having spent considerable time just trying to get past that script, thanks to this post, http://www.debuntu.org/how-to-set-up-a-ldap-server-and-its-clients/ , I realized that I actually didn't need to migrate all accounts to LDAP and just had to use migrate_passwd.pl and migrate_group.pl.
One important thing to remember is that I had the same usernames and passwords for my users on my desktop and laptop, i.e. on the server and the client. If you don't, then you may have to create custom LDIF files containing all the user data and then use ldapadd to add them to the LDAP directory.
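For the two manual pieces above, the ou=People/ou=Group containers the migration scripts do not create and the hand-written LDIF for users that do not exist on the server, here is an added shell example (not code from the original post). It generates the LDIF with plain printf so the exact attribute layout is visible, counts the entries before anything is loaded, and prints the ldapadd command to run. The base DN dc=viggy,dc=loc is taken from the post; the user "alice", her uid/gid and the password hash are constructed placeholders.

```shell
#!/bin/sh
# Added example: build LDIF for the containers and one POSIX user/group
# that ldapadd can load. Base DN from the post; user data is constructed.

BASE_DN="dc=viggy,dc=loc"

# ou=People and ou=Group containers, which migrate_*.pl leave out.
ou_ldif() {
  printf 'dn: ou=People,%s\nobjectClass: organizationalUnit\nou: People\n\n' "$BASE_DN"
  printf 'dn: ou=Group,%s\nobjectClass: organizationalUnit\nou: Group\n\n' "$BASE_DN"
}

# user_ldif NAME UIDNUMBER GIDNUMBER CRYPT_HASH
# The hash would normally be copied from /etc/shadow on the source system;
# the caller below passes a constructed placeholder.
user_ldif() {
  name=$1; uidnum=$2; gidnum=$3; hash=$4
  printf 'dn: uid=%s,ou=People,%s\n' "$name" "$BASE_DN"
  printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
  printf 'uid: %s\ncn: %s\nsn: %s\n' "$name" "$name" "$name"
  printf 'uidNumber: %s\ngidNumber: %s\n' "$uidnum" "$gidnum"
  printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n' "$name"
  printf 'userPassword: {CRYPT}%s\n\n' "$hash"
}

# group_ldif NAME GIDNUMBER
group_ldif() {
  name=$1; gidnum=$2
  printf 'dn: cn=%s,ou=Group,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n\n' \
    "$name" "$BASE_DN" "$name" "$gidnum"
}

# Number of entries (dn: lines) in an LDIF stream; a quick check before ldapadd.
count_entries() { grep -c '^dn: '; }

main() {
  out=$(mktemp)
  {
    ou_ldif
    group_ldif alice 2001
    user_ldif alice 2001 2001 '$6$constructed$placeholderhash'   # constructed hash
  } > "$out"
  echo "Wrote $(count_entries < "$out") entries to $out"
  # Loading is left to the admin; -x = simple bind, -W prompts for the admin password.
  echo "Load with: ldapadd -x -D \"cn=admin,$BASE_DN\" -W -f $out"
}
main
```

Load the containers before the users, since each user DN sits under ou=People; the generated file already lists them in that order.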
Verify with ldapsearch:
ldapsearch -D "cn=admin,dc=viggy,dc=loc" -W -b "dc=viggy,dc=loc" "uid=root"
The base DN must be given with the -b switch.
On the client side:
1) Install ldap-auth-client and nscd, as per https://help.ubuntu.com/community/LDAPClientAuthentication
2) Add my_mkhomedir and my_groups in /usr/share/pam-configs, and also make changes in /etc/security/group.conf.
3) Finally, edit /etc/nsswitch.conf to make it use ldap first and then files/compat. If you want the system to rely only on LDAP, remove the existing option and leave only ldap.
It should look like this:
passwd: ldap compat
group: ldap compat
shadow: ldap compat
Now restart the nscd service: /etc/init.d/nscd restart
4) To check whether LDAP authentication is working, just try a sudo as a user and check /var/log/auth.log to see whether it mentions connecting to the LDAP server.
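As an added check for steps 3 and 4 (example code, not from the original post): the first function confirms that passwd, group and shadow in nsswitch.conf actually list ldap, since a missed line there means that database silently keeps coming from local files; the second pair looks at auth.log the way the post suggests, but also separates "mentions LDAP" from "could not reach the LDAP server", because a pam_ldap bind error is still a mention. The nsswitch.conf contents and the auth.log excerpt below are constructed so the script runs offline; on a real client, point the functions at /etc/nsswitch.conf and /var/log/auth.log.

```shell
#!/bin/sh
# Added example: offline sanity checks for the client-side steps.
# Sample config and log content below are constructed.

# nsswitch_uses_ldap FILE DB: succeed if the "DB:" line in FILE lists ldap as a source.
nsswitch_uses_ldap() {
  grep -Eq "^[[:space:]]*$2:([[:space:]]+[^[:space:]]+)*[[:space:]]+ldap([[:space:]]|$)" "$1"
}

# missing_ldap_dbs FILE: print the databases among passwd/group/shadow that do
# not consult ldap; succeed only when none are missing.
missing_ldap_dbs() {
  missing=""
  for db in passwd group shadow; do
    nsswitch_uses_ldap "$1" "$db" || missing="$missing $db"
  done
  missing=${missing# }
  [ -z "$missing" ] && return 0
  echo "$missing"
  return 1
}

# ldap_mentions FILE: how many auth.log lines mention LDAP at all.
ldap_mentions() { grep -ic 'ldap' "$1" || true; }

# ldap_contact_failures FILE: how many lines show pam_ldap failing to reach the
# server; a nonzero count means authentication fell through to local files.
ldap_contact_failures() { grep -c "Can't contact LDAP server" "$1" || true; }

tmp=$(mktemp -d)
# Constructed nsswitch.conf matching the post's recommended layout.
cat > "$tmp/nsswitch.good" <<'EOF'
passwd: ldap compat
group:  ldap compat
shadow: ldap compat
hosts:  files dns
EOF
# Constructed nsswitch.conf where shadow was forgotten.
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd: ldap compat
group:  ldap compat
shadow: compat
EOF
# Constructed auth.log excerpt: a sudo attempt while slapd was unreachable.
cat > "$tmp/auth.log" <<'EOF'
Mar  3 10:12:01 laptop sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Mar  3 10:12:01 laptop sudo: pam_unix(sudo:auth): authentication failure; logname=viggy uid=1000 euid=0 tty=/dev/pts/0 ruser=viggy rhost=  user=viggy
Mar  3 10:12:03 laptop sudo:    viggy : TTY=pts/0 ; PWD=/home/viggy ; USER=root ; COMMAND=/bin/ls
Mar  3 10:12:03 laptop sudo: pam_unix(sudo:session): session opened for user root by viggy(uid=0)
EOF

report() {
  for f in "$tmp/nsswitch.good" "$tmp/nsswitch.bad"; do
    if m=$(missing_ldap_dbs "$f"); then
      echo "$f: passwd, group and shadow all consult ldap"
    else
      echo "$f: no ldap source for: $m"
    fi
  done
  echo "auth.log lines mentioning LDAP: $(ldap_mentions "$tmp/auth.log")"
  echo "of which server-unreachable errors: $(ldap_contact_failures "$tmp/auth.log")"
}
report
```

If the mention count is nonzero but every mention is a contact failure, the client is configured to talk to slapd yet the server is not answering, which is a different problem from a wrong nsswitch.conf.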
ToDo:
1) I have not yet understood how to add logging to slapd in the new cn=config configuration.
2) Need to work out how to get all the data out of Active Directory and migrate it to LDAP.