Using the LDAP plugin available for PAM, it’s possible to do LDAP authentication without joining the domain. Note however that this requires installing Identity Management for Unix on your domain controllers. See this tutorial for more information.
Before we proceed, it’s a good idea to take a snapshot. I’ll wait for you to do that.
Okay, let’s install the required packages:
apt-get install libnss-ldapd libpam-ldapd
Now edit /etc/nslcd.conf. This assumes the user you created for binding to AD is named “ldap”.
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://teamN.isucdc.com

# The search base that will be used for all queries.
base dc=teamN,dc=isucdc,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn ldap@teamN.isucdc.com
bindpw <password>

# The DN used for password modifications by root.
# Leave this blank unless you want to allow password changes from your debian systems
# If so, you will need to place the password in /etc/ldap.secret - be sure it is only readable by root
#rootpwmoddn cn=admin,dc=example,dc=com

# The search scope.
scope sub

# Mappings for Active Directory
# This is the important bit; these fields match up with the fields added by Directory Services for UNIX
pagesize 1000
#referrals no
filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
# If you wish to override the shell given by LDAP, uncomment the next line
#map passwd loginShell "/bin/bash"
filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
#map group gid member

# SSL options
tls_reqcert never
#ssl start_tls
#ssl on
#tls_cacertfile /etc/ssl/ca.pem
After you edit this file, restart nslcd and nscd:
service nslcd restart
service nscd restart
Now edit /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns ldap
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Make sure LDAP authentication is enabled by running
pam-auth-update
In /etc/pam.d/common-session, add the following at the bottom of the file. This will make home directories for users that have never logged in before. Be careful – mis-editing PAM configuration could permanently lock you out of your system! Take a snapshot before proceeding.
# make home directories
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
This umask will prevent users from reading each other's home directories. If you'd prefer to be more open, use umask=0022 instead.
You can test this out by restarting sshd (service ssh restart) or by rebooting. If you managed to accidentally completely lock yourself out, revert to that snapshot you took earlier.
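Before you restart sshd, it is worth sanity-checking the three files this tutorial edits. The script below is an added example, not part of the tutorial: it flags the settings most likely to bite you later, namely an nslcd.conf that holds bindpw but is world-readable, an ldap:// URI with no STARTTLS, tls_reqcert never (the server certificate is never verified, so the bind password and user passwords are exposed to anyone who can sit between the host and the DC), NSS databases that do not list ldap, and a pam_mkhomedir line without umask=0077. It assumes the Debian paths used above (/etc/nslcd.conf, /etc/nsswitch.conf, /etc/pam.d/common-session) and a GNU or BSD stat(1); the function names are my own.

```shell
#!/bin/sh
# audit_ldap_auth.sh - sanity-check the nslcd / NSS / PAM setup from the tutorial.
# Added example, not part of the tutorial. Assumes Debian-style paths and a
# GNU or BSD stat(1). Each audit_* function prints one line per finding and
# returns 0 (clean) or 1 (findings).

# Octal permission bits of a file, e.g. "640".
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Lines that nslcd/NSS/PAM actually parse: drop blank lines and whole-line comments.
active_lines() {
  grep -Ev '^[[:space:]]*(#|$)' "$1"
}

audit_nslcd_conf() {
  f=$1; rc=0
  # bindpw is the credential of the AD bind account: the file must not be world-readable.
  if active_lines "$f" | grep -Eq '^[[:space:]]*bindpw[[:space:]]'; then
    mode=$(file_mode "$f")
    last=$(printf '%s' "$mode" | tail -c 1)     # last octal digit = permissions for "other"
    case $last in
      [4567]) echo "$f: holds bindpw but is world-readable (mode $mode); use 0640 root:nslcd"; rc=1 ;;
    esac
  fi
  # Plain ldap:// without STARTTLS sends the bind password and every user's
  # password across the wire in cleartext.
  if active_lines "$f" | grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' \
     && ! active_lines "$f" | grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)'; then
    echo "$f: ldap:// without 'ssl start_tls'; credentials cross the network unencrypted"; rc=1
  fi
  # tls_reqcert never accepts any certificate, so the DC is never authenticated to the client.
  if active_lines "$f" | grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+never'; then
    echo "$f: tls_reqcert never disables certificate validation; use 'tls_reqcert demand' with tls_cacertfile"; rc=1
  fi
  return $rc
}

audit_nsswitch() {
  f=$1; rc=0
  # Without ldap in these three databases, AD users resolve to nothing and logins fail.
  for db in passwd group shadow; do
    if ! active_lines "$f" | grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)"; then
      echo "$f: '$db' database does not consult ldap"; rc=1
    fi
  done
  return $rc
}

audit_common_session() {
  f=$1; rc=0
  line=$(active_lines "$f" | grep -E '^session.*pam_mkhomedir\.so' || true)
  if [ -z "$line" ]; then
    echo "$f: no pam_mkhomedir line; home directories are not created on first login"; rc=1
  else
    case $line in
      *umask=0077*|*umask=077*) ;;   # the tutorial's private-home setting
      *) echo "$f: pam_mkhomedir without umask=0077; new home directories are readable by other users"; rc=1 ;;
    esac
  fi
  return $rc
}

# Audit all three files under a given /etc root (defaults to /etc).
audit_host() {
  etc=${1:-/etc}; status=0
  audit_nslcd_conf "$etc/nslcd.conf" || status=1
  audit_nsswitch "$etc/nsswitch.conf" || status=1
  audit_common_session "$etc/pam.d/common-session" || status=1
  if [ "$status" -eq 0 ]; then echo "no findings"; fi
  return $status
}

# On a real host, audit the live files; skipped where nslcd.conf is not present.
if [ -r /etc/nslcd.conf ]; then
  audit_host /etc || echo "review the findings above before restarting sshd"
fi
```

Run it as root with `sh audit_ldap_auth.sh`. Against the sample nslcd.conf above it reports the ldap:// and tls_reqcert never findings; the fix is the commented-out `ssl start_tls` and `tls_cacertfile` lines with `tls_reqcert demand`, so the DC's certificate is actually checked. A cheaper functional test than restarting sshd is `getent passwd <aduser>` and `id <aduser>`: if nslcd and nsswitch.conf are right they print the mapped passwd entry and groups, and neither command can lock you out.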