I was recently asked by a colleague, and now also a client, to look over the [LDAP]{tag/ldap} configuration on his Ubuntu boxen. He was having
issues with the root account. The problem turned out to be that the Ubuntu box was trying to get the root authentication from LDAP.
It successfully found an LDAP account on the OSX LDAP server, but was unable to log in since that account is disabled. The solution
was to filter out the root account from the LDAP reply using the pam_filter directive in /etc/ldap.conf. Jay was also kind enough
to document his setup for others that are trying to accomplish a similar task.
Posts for: #Ldap
ldap account management
Ok, so in [last episode]{ldap-upgrade-to-2.3.23-brakage} we looked at how my Debian/testing upgrade of slapd killed my slapd install because I was using two incompatible schemas.
Now, I will show you how to limit what accounts are accessible to the pam_ldap module on each host.
stupid ldap
For some very stupid reason I decided to upgrade my fileserver, which happens to run my ldap database as well.
Setting up slapd (2.3.23-1) ...
Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.2.26-5... done.
Moving old database directories to /var/backups:
Backup path /var/backups/dc=jukie-2.2.26-5.ldapdb exists. Giving up...
dpkg: error processing slapd (--configure):
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)
Frig!
ldap on debian
I've started writing a debian authentication from ldap tutorial. Here is the unfinished text:
I've seen a much more ass kicking one on Planet Debian recently from Edd Dumbill. Here is a link: LDAP authentication (part 1).
Wasted some time this week converting my server to LDAP directories and renumbering UIDs/GIDs to the “Debian numbering ranges” from the RedHat ranges that I have lived with for 7 years – I have a lot of data to migrate over to the new IDs… data is intact.
LDAP is so ugly after you used SQL, and is a bitch to set up, but after a few hours I managed to get it working with PAM and NSS. I will have to document my steps because I had to read ~10 documents on the web to finally get things working – the Debian packages do not do all the work for you in this case.