At home I have a SmartOS hypervisor running a few services on a few VMs. I want to use an LDAP server as the source of user account information, so on each VM I issue the following (obviously filling in the correct details in the angle brackets). You will probably want to point the passwd and shadow search descriptors at the OU containing the users you wish to grant login access to your servers:
ldapclient -v manual \
  -a defaultServerList=<LDAP server address> \
  -a authenticationMethod=simple \
  -a credentialLevel=proxy \
  -a "proxydn=<DN of bind user>" \
  -a "proxypassword=<password of bind user>" \
  -a domainname=<domain name> \
  -a defaultSearchBase=<base DN> \
  -a defaultSearchScope=sub \
  -a "serviceSearchDescriptor=group:<DN of groups OU>" \
  -a "serviceSearchDescriptor=shadow:<DN of users OU>" \
  -a "serviceSearchDescriptor=passwd:<DN of users OU>"

e.g.

ldapclient -v manual \
  -a defaultServerList=192.168.0.389 \
  -a bindTimeLimit=5 \
  -a authenticationMethod=simple \
  -a credentialLevel=proxy \
  -a proxydn=uid=admin,ou=system \
  -a "proxypassword=G0d1m@Du11@rd" \
  -a domainname=example.com \
  -a defaultSearchBase=dc=example,dc=com \
  -a defaultSearchScope=sub \
  -a serviceSearchDescriptor=group:ou=groups,dc=example,dc=com \
  -a serviceSearchDescriptor=shadow:ou=users,dc=example,dc=com \
  -a serviceSearchDescriptor=passwd:ou=users,dc=example,dc=com
You’ll probably want to edit /etc/nsswitch.conf after successfully configuring the system with ldapclient, because the nsswitch.conf it installs looks hosts up first in /etc/hosts and then by LDAP query. I don’t store host information in LDAP, so I usually change the line:
hosts: files ldap
to
hosts: files dns
In /etc/pam.conf, change any instance of:
login auth required pam_unix_auth.so.1
to
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
and
other auth required pam_unix_auth.so.1
to
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
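Because a mistake in pam.conf can lock you out of the VM, it helps to apply the login/other rewrite above to a copy of the file and verify it before rebooting. The script below is an added example, not part of the original post: it rewrites the two pam_unix_auth lines into the binding + pam_ldap pair, checks the result, and reports the hosts sources from nsswitch.conf, using only sh and awk on a constructed sample pam.conf.

```shell
#!/bin/sh
# Dry-run helper for the pam.conf and nsswitch.conf edits described in the
# post. Assumes the single-file Solaris/illumos pam.conf layout
# (service type control module [options]); the sample below is constructed.

# Writes a constructed pam.conf fragment (not a real system file) to $1.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_auth.so.1
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_unix_auth.so.1
EOF
}

# Rewrites every "login/other auth required pam_unix_auth.so.1" line in $1
# into the binding + pam_ldap pair; the rewritten file goes to stdout, so
# the live file is untouched until you copy the result over it yourself.
convert_pam_conf() {
    awk '($1 == "login" || $1 == "other") && $2 == "auth" &&
         $3 == "required" && $4 == "pam_unix_auth.so.1" {
            print $1 "\tauth binding\tpam_unix_auth.so.1 server_policy"
            print $1 "\tauth required\tpam_ldap.so.1"
            next }
         { print }' "$1"
}

# Exit 0 if service $2 in pam.conf $1 has pam_unix_auth as "binding" with
# server_policy and a "required pam_ldap.so.1" line directly after it.
pam_service_uses_ldap() {
    awk -v svc="$2" '
        $1 == svc && $2 == "auth" && $3 == "binding" &&
        $4 == "pam_unix_auth.so.1" && $5 == "server_policy" { prev = 1; next }
        $1 == svc && $2 == "auth" && $3 == "required" &&
        $4 == "pam_ldap.so.1" && prev { ok = 1 }
        { prev = 0 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Prints the lookup sources on the hosts line of nsswitch.conf $1,
# e.g. "files dns" once the post's edit has been made.
hosts_sources() {
    awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Typical use on a VM:
#   convert_pam_conf /etc/pam.conf > /tmp/pam.conf.new
#   pam_service_uses_ldap /tmp/pam.conf.new login && echo "login ok"
#   hosts_sources /etc/nsswitch.conf
```

After a real run, `ldapclient list` prints the stored profile so you can confirm the search descriptors took effect. Note that `authenticationMethod=simple` sends the proxy bind password unencrypted to the server; `tls:simple` is the equivalent over TLS if your directory offers it.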
That’s it! Finally, reboot your system.