LDAP Client

From Maze's wiki
Jump to: navigation, search


apt-get install libnss-ldap
  • LDAP server Uniform Resource Identifier: <ldap://ipaddress>
  • Distinguished name of the search base: <dc=example,dc=com>
  • LDAP version to use: <3>
  • LDAP account for root: <cn=admin,dc=example,dc=com>
  • Make local root Database admin. <Yes>
  • Does the LDAP database require login? <No>
  • LDAP account for root: <cn=admin,dc=example,dc=com>

Change these lines in /etc/nsswitch.conf

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

PAM >= 1.0.1-6


  • enable LDAP

PAM <= 1.0.1-6

Replace /etc/pam.d/common-account with:

account         sufficient      pam_unix.so 
account         sufficient      pam_ldap.so 
account         required        pam_deny.so

Replace /etc/pam.d/common-auth with:

auth    required        pam_env.so 
auth    sufficient      pam_unix.so likeauth nullok 
auth    sufficient      pam_ldap.so use_first_pass 
auth    required        pam_deny.so

Replace /etc/pam.d/common-password with:

password        sufficient      pam_unix.so nullok md5 shadow use_authtok 
password        sufficient      pam_ldap.so use_first_pass 
password        required        pam_deny.so

Replace /etc/pam.d/common-session with:

session         required        pam_limits.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         required        pam_unix.so
session         optional        pam_ldap.so


Reboot the system in order to activate the new PAM configuration.


Windows XP/2000 clients are ready to be joined to the domain. Only for Windows 7 and Vista clients a couple of changes are mandatory:

  • start secpol.msc
  • Change Local Policies -> Security Options -> Network Security: LAN Manager authentication level to "Send LM & NTLM - use NTLMv2 session security if negotiated"

Also the registry needs some edits:

  • Start regedit
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\servic es\LanmanWorkstation\Parameters
  • Add DWORD: DomainCompatibilityMode and set it to 1
  • Add DWORD: DNSNameResolutionRequired and set it to 0