LDAP based user login


In this exercise you'll modify your system's Pluggable Authentication Modules (PAM) configuration. You may easily get locked out due to an unintended misconfiguration. Stick to the following procedures to avoid this type of mishap:

  1. Beforehand, create a backup /root/pam.tgz of your working PAM configuration, which consists of /etc/pam.conf and the files below /etc/pam.d:

    cd /etc
    tar zcf /root/pam.tgz pam.conf pam.d

    Check that the resulting archive contains something like:

    root@sdi12b:~# tar ztf /root/pam.tgz 
  2. Always keep an independent (emergency) shell open when tinkering with PAM. In case you are no longer able to log in (e.g. using ssh), this shell allows for restoring your working configuration:

    cd /etc
    mv pam.d pam.d.orig        # Save your current (not working) PAM
    mv pam.conf pam.conf.orig  # configuration for later inspection.
    tar zxf /root/pam.tgz      # Restore your working PAM configuration

    After this try to log in again.

  3. Prior to rebooting (and thus losing your emergency login shell), always try logging in to test your system's accessibility.

Configure your second VM (the one without the LDAP server) to allow for user login based purely on LDAP.

  • Activation of OS level LDAP user and group support is outlined in Configuring LDAP Authentication.

  • Follow the «newer» PAM Setup with libpam-ldapd approach rather than using the older libpam-ldap package.

  • If your LDAP server features a user with e.g. uid=ldaptest, this should allow for viewing its metadata on the client side:

    $ id ldaptest
    uid=1001(ldaptest) gid=1001(ldaptest) groups=1001(ldaptest)

    A message id: ‘ldaptest’: no such user indicates that your LDAP setup does not yet work.


    • /etc/nsswitch.conf should contain:

      passwd:         files ldap
      group:          files ldap
      shadow:         files ldap

      What does this mean?

    • Shut down your nscd daemon. Why?

    • Your Secure Shell daemon configuration /etc/ssh/sshd_config should (in any case) contain the line:

      PasswordAuthentication no

    • After changing your configuration a reboot might be required.

    • On your LDAP server side: enable an appropriate logging level for debugging connection attempts. You may want to select conns, config and stats.

  • Create the required user home directory manually and change its owner and group accordingly.


LDAP user information (uid, common name, numerical id, group information, ...) will reside on your LDAP server rather than locally in /etc/passwd, /etc/group and /etc/shadow.
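The following script is an added example and not part of the original exercise: a pre-reboot sanity check that verifies the items above (PAM backup, nsswitch.conf, sshd_config, nscd, id resolution, home directory) before you give up your emergency shell. The script name check.sh is assumed; ldaptest is the page's example account and the file paths are the ones named above.

```sh
#!/bin/sh
# Added example (not part of the original exercise): pre-reboot sanity check for the
# LDAP client set-up above. Each check is a function reading a file or stdin, so it
# can be exercised on constructed data; "sh check.sh --run" checks the real system.

# Succeed when every NSS database listed in $2 names "ldap" as a source in file $1.
nss_has_ldap() {
    for db in $2; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap"'([[:space:]]|$)' "$1" || return 1
    done
}

# Succeed when sshd_config $1 carries an uncommented "PasswordAuthentication no".
sshd_pw_auth_disabled() {
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$1"
}

# Succeed when a "tar ztf" listing on stdin contains both pam.conf and pam.d/ (step 1).
pam_backup_ok() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q '^pam\.conf$' &&
        printf '%s\n' "$listing" | grep -q '^pam\.d/'
}

# Succeed when "id" output on stdin resolves user $1 to a numeric uid, i.e. reads
# "uid=1001(ldaptest) ..." rather than "id: 'ldaptest': no such user".
id_resolves() {
    grep -Eq "^uid=[0-9]+\($1\)"
}

# Run all checks against the live system; print every finding, return 1 if any failed.
run_checks() {
    rc=0
    nss_has_ldap /etc/nsswitch.conf "passwd group shadow" ||
        { echo "nsswitch.conf: passwd, group and shadow must list ldap"; rc=1; }
    sshd_pw_auth_disabled /etc/ssh/sshd_config ||
        { echo "sshd_config: PasswordAuthentication no is missing"; rc=1; }
    tar ztf /root/pam.tgz 2>/dev/null | pam_backup_ok ||
        { echo "/root/pam.tgz: PAM backup missing or incomplete, do not reboot"; rc=1; }
    id ldaptest 2>/dev/null | id_resolves ldaptest ||
        { echo "id ldaptest: user not resolved, NSS/LDAP does not work yet"; rc=1; }
    home=$(getent passwd ldaptest 2>/dev/null | cut -d: -f6)
    [ -n "$home" ] && [ -d "$home" ] ||
        { echo "home directory for ldaptest missing: create it and chown it"; rc=1; }
    ! pgrep -x nscd >/dev/null 2>&1 ||
        { echo "nscd is running: stop it while testing, its cache hides NSS changes"; rc=1; }
    return $rc
}
case "${1:-}" in --run) run_checks ;; esac
```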