LDAP Guide
From Buici
While the LDAP protocol itself is simple, configuring systems to use LDAP for authentication can be difficult, confusing, and ultimately so frustrating that you are willing to use NIS again.
After spending some time with the current state of LDAP on Debian GNU/Linux, I've prepared these notes and links to help me remember how the pieces fit together. There are many excellent resources on the web for understanding and configuring LDAP. Links to some I found useful are here as well.
Resources
[1] Concise overview of LDAP.
[2] Torsten Landschoff's (nearly comprehensive) LDAP for Debian.
[3] Dated instructions for using OpenLDAP on Debian.
| Package | Version | Description | Debian Release |
|---|---|---|---|
| GQ | 1.0.0 | Very nice GTK LDAP editor | etch |
| Luma | 2.3 | QT LDAP editor with plugins. Sometimes flaky. Password entry dialog shows password strength. | etch |
NSS
/etc/nsswitch.conf is modified to add LDAP as a resource for records available in the LDAP database.
```
passwd: ldap compat
group:  ldap compat
shadow: ldap compat
```
There are some subtleties to this. Putting ldap before compat (or files, if you prefer) means that NSS queries the LDAP directory before the local files; the first source that returns a match wins, so a user who exists in both places is resolved from LDAP and the record in /etc/passwd is ignored. ldap could appear afterward as well:
```
passwd: compat ldap
group:  compat ldap
shadow: compat ldap
```
With this order local users take precedence: the files are consulted first and LDAP only for names or IDs that are not found locally. Keeping the local files first is the safer default. Otherwise anyone who can write a passwd entry into the directory (for example one named root with uid 0) can shadow a local account, and every lookup of a local user has to wait for the LDAP server to answer, or to time out when it is unreachable.
But that isn't the whole story. /etc/nsswitch.conf only controls the C library's name-service lookups (getpwnam(3), getgrnam(3), getspnam(3) and friends, which the getent(1) command exercises), that is, the mapping from a user or group name to a uid, gid, home directory and shell. Verifying a password is a separate step: on Debian almost every service that authenticates users does so through PAM, configured under /etc/pam.d/, and PAM has its own LDAP module with its own settings. Listing ldap in nsswitch.conf therefore does not by itself let LDAP users log in, and PAM can be pointed at LDAP even if nsswitch.conf is not configured as above (though the system then has no account to map the authenticated user to).
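Because the ordering above decides whether a directory entry can override a local account, it is worth checking it mechanically rather than by eye. The script below is an added example written for this page, not code from the Buici wiki or from any Debian package: it parses an nsswitch.conf (the real format, `database: source source ...`, with comments and `[action=...]` tokens ignored) and reports, for passwd, group and shadow, whether ldap is consulted before files/compat. The function names and the two sample files it builds are my own construction; it needs only sed and awk.

```shell
# Added example, not from the Buici page: audit the lookup order in an
# nsswitch.conf to see whether LDAP entries can override local accounts.
# Function names and the sample files in demo() are constructed for this
# example; the format parsed is the real one (database: source source ...).

# Print the sources configured for database $2 in file $1, one per line.
# Comments are stripped and [action=...] tokens are skipped, so only
# source names such as files, compat, ldap, dns come out.
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }'
}

# Succeed (exit 0) when ldap is listed before files or compat for database $2
# in file $1: with that order the directory is queried first and a matching
# entry there wins over the local file. Fail when a local source comes first
# or ldap is not used at all.
ldap_before_local() {
    nss_sources "$1" "$2" | awk '
        $1 == "ldap" && !seen_local { found = 1 }
        $1 == "files" || $1 == "compat" { seen_local = 1 }
        END { exit found ? 0 : 1 }'
}

# Report the effective precedence for the three account databases in file $1.
audit_nsswitch() {
    for db in passwd group shadow; do
        if ldap_before_local "$1" "$db"; then
            echo "$db: ldap before local files (directory entries override local accounts)"
        else
            echo "$db: local files before ldap (or ldap not used)"
        fi
    done
}

# Demonstration on two constructed files that mirror the two orders discussed above.
demo() {
    d=$(mktemp -d)
    printf 'passwd: ldap compat\ngroup:  ldap compat\nshadow: ldap compat\n' > "$d/ldap-first"
    printf 'passwd: compat ldap\ngroup:  compat ldap\nshadow: compat ldap\n' > "$d/local-first"
    for f in ldap-first local-first; do
        echo "== $f =="
        audit_nsswitch "$d/$f"
    done
    rm -rf "$d"
}

demo
```

On a real host run `audit_nsswitch /etc/nsswitch.conf`. To see which source actually answered for a given account, compare `getent passwd root` with `grep '^root:' /etc/passwd`; if the two differ, the entry came from the directory.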

