ldap-auth
LDAP client authentication notes, on Ubuntu 18.04
TODO: add note about how Kerberos is preferred.
```
sudo apt update
sudo apt-get install -y ldap-utils libpam-ldap libnss-ldap nslcd
```
Or, if buggy (see https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1024475), use:
```
sudo apt-get install -y ldap-utils libpam-ldap libnss-ldapd nslcd
```
==========
During package install, answer the prompts like this:
LDAP servers:
ldap://192.168.2.3/ ldap://192.168.3.4:389/
Search base / base DN:
OU=Accounts,DC=example,DC=com
Used LDAP version 3 (offered 2 and 3). - MAY NEED TO REVISIT
Make local root DB admin? NO - needs root credentials on the box
DB require login? NO for now
NSLCD config (same answers):
LDAP servers:
ldap://192.168.2.3/ ldap://192.168.3.4:389/
Search base / base DN:
OU=Accounts,DC=example,DC=com
============
Config files:
sudo nano /etc/nsswitch.conf
Add "ldap" to the end of the passwd, group, and shadow lines.
They'll now look something like:
```
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat ldap
```
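A quick check that the edit above landed on all three databases. This is an added example, not part of the original notes: the `check_nss_ldap` function and the two sample nsswitch files it runs against are constructed here (the real file to check is /etc/nsswitch.conf), and it looks only for the literal source name `ldap` on the last uncommented `passwd:`, `group:` and `shadow:` lines.

```shell
#!/bin/bash
# Added example (not from the original notes): verify that an nsswitch.conf
# lists "ldap" as a source for passwd, group and shadow.

# check_nss_ldap FILE -> prints which databases lack ldap; returns 0 only if all three have it.
check_nss_ldap() {
    file="$1"
    missing=""
    for db in passwd group shadow; do
        # Last uncommented "<db>:" line wins; drop the "db:" prefix and normalise tabs.
        sources=$(grep -E "^[[:space:]]*${db}:" "$file" | tail -n 1 | cut -d: -f2- | tr '\t' ' ')
        case " $sources " in
            *" ldap "*) ;;                         # ldap present for this database
            *) missing="$missing $db" ;;           # ldap missing, remember the database
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing ldap source on:$missing"
        return 1
    fi
    echo "ldap configured for passwd, group and shadow"
    return 0
}

# Constructed sample files (assumption: not copied from any real host).
good=$(mktemp)
bad=$(mktemp)
cat > "$good" <<'EOF'
passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap
EOF
cat > "$bad" <<'EOF'
# ldap was only appended to passwd
passwd:         compat systemd ldap
group:          compat systemd
shadow:         compat
EOF

# Usage on a real system: check_nss_ldap /etc/nsswitch.conf
check_nss_ldap "$good"
check_nss_ldap "$bad"
rm -f "$good" "$bad"
```

The order of sources matters for behaviour, not for this check: `compat` first means local accounts in /etc/passwd and /etc/shadow are still resolved before the directory is consulted.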
# THIS PART NOT WORKING WITH HOMEDIR CREATION
Open /etc/pam.d/login (trying common-auth instead of login).
Go to the bottom and paste:
```
# LDAP configs
session required pam_mkhomedir.so skel=/etc/skel umask=0022
```
# skipping lightdm on servers
# Need bind DN:
sudo nano /etc/nslcd.conf
Add the bind DN like this:
binddn cn=annonymous,dc=example,dc=net
bindpw secret
Do exactly the same in /etc/ldap.conf.
Then, still in /etc/nslcd.conf, add the following lines:
```
pam_login_attribute sAMAccountName
displayName
```
# Restart services
```
sudo update-rc.d nslcd enable
sudo /etc/init.d/nscd restart
```
Should work now, but reboot to be safe.
THIS WORKED for local auth, assuming the user is created. You can run `su [username]`
and become that user after LDAP is queried with the password.
A few notes:
* Look into local password handling - should just disable this? or cache them?
* Need to write a script to create users, or do that on request
* SSH key handling
* Look into the default mappings below
* In particular, pamfilter to query who can log in
* Look into setting `timelimit 30 and bind_timelimit 30` lower so system is responsive with no dc connectivity
* Test network breakage
* UID assign
* Test local pw changes
* LDAPS
* Group delegation
* host restrictions
* https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps
* change config `sudo dpkg-reconfigure ldap-auth-config`
* Research SSH login vs SU login
```
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
# pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
```
Debugging steps (from the Stack Overflow post https://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client)
Likely problems and solutions:
* Logging in as an LDAP user takes a very long time (minutes): it's very likely that nss-ldap is having problems finding the user's group. Make sure that the user is in a group recognized locally, or in a group defined in LDAP. If the group is defined in LDAP, make sure it's a real POSIX group.
* Always check the /var/log/auth.log log file. If you see "unable to contact ldap server", check whether the LDAP server is reachable and the port is open:
  * Try to ping the LDAP server by name.
  * Check whether the LDAP port is open. LDAP can listen on different ports, but is usually found on 389 and 636. You can check that a port is open with telnet:
    telnet <ldap-server> 389 or telnet <ldap-server> 636
  * If you see any characters on the console, the port is open and the LDAP server should be running.
  * If you see nothing or get an error message, either the LDAP server is not running or something (such as a firewall) is preventing the connection.
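The same debugging steps as a script, so they can be rerun after every config change. This is an added example and not part of the original notes or the Ask Ubuntu answer: the function names, the use of bash's `/dev/tcp` in place of telnet, and the auth.log sample (constructed here, using the page's "unable to contact ldap server" wording) are all assumptions. It checks the two LDAP ports, confirms that NSS resolves a user and, separately, the user's primary group (the group lookup is what the slow-login symptom above points at), and counts contact failures in a log file.

```shell
#!/bin/bash
# Added example (not from the original notes): LDAP client diagnostics mirroring
# the debugging steps above. Assumptions: bash with /dev/tcp, coreutils timeout,
# glibc getent. Hostnames, ports and the log sample are placeholders.

# port_open HOST PORT -> 0 if a TCP connection succeeds within 3 seconds.
# Replaces "telnet HOST PORT" so it works without telnet or nc installed.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# ldap_ports HOST -> reports 389 (LDAP) and 636 (LDAPS); returns the number of closed ports.
ldap_ports() {
    closed=0
    for p in 389 636; do
        if port_open "$1" "$p"; then
            echo "$1:$p open"
        else
            echo "$1:$p closed or filtered"
            closed=$((closed + 1))
        fi
    done
    return "$closed"
}

# lookup_user NAME -> 0 if NSS resolves the user AND its primary group,
# 1 if the user is unknown, 2 if the user resolves but the group does not
# (the classic cause of the minutes-long login described above).
lookup_user() {
    entry=$(getent passwd "$1") || { echo "$1: not found via NSS"; return 1; }
    uid=$(echo "$entry" | cut -d: -f3)
    gid=$(echo "$entry" | cut -d: -f4)
    if getent group "$gid" >/dev/null; then
        echo "$1: uid $uid, gid $gid resolves"
        return 0
    fi
    echo "$1: gid $gid does not resolve (check it is a POSIX group / nss mappings)"
    return 2
}

# count_ldap_errors FILE -> prints how many lines report an unreachable LDAP server.
count_ldap_errors() {
    grep -c -i 'unable to contact ldap server' "$1"
}

# Constructed auth.log sample (not captured from a real machine).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jan 10 09:00:01 host sshd[901]: pam_ldap: unable to contact ldap server ldap://192.168.2.3/
Jan 10 09:00:02 host sshd[901]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 09:00:05 host login[950]: nss_ldap: unable to contact ldap server ldap://192.168.3.4:389/
EOF

# Usage: ./ldap-diag.sh <ldap-server> [username]
# With no arguments only the constructed log sample is scanned.
if [ $# -ge 1 ]; then
    ldap_ports "$1"
    lookup_user "${2:-$USER}"
    echo "contact failures in /var/log/auth.log: $(count_ldap_errors /var/log/auth.log 2>/dev/null || echo 0)"
fi
echo "contact failures in sample log: $(count_ldap_errors "$sample_log")"
```

Run it as root if /var/log/auth.log is not world-readable. A user that resolves with `lookup_user` but cannot `su` points at the PAM side (bind DN, pam_login_attribute) rather than NSS; a user that fails `lookup_user` while the ports are open points at the search base or the nss_map_attribute lines above.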