I’ll just start with that I think that Solus is a fantastic Linux-based desktop operating system. My preference is Solus with Gnome, but it is also available with the homegrown Budgie desktop or Mate.
My user accounts are all entries in a directory server, but Solus doesn’t at the moment have the ability to pull in accounts from one (although I have submitted a package request to facilitate this).
Enter nss-pam-ldapd from Arthur de Jong. There are other implementations, but I had problems compiling them and I don’t have the nous to fix them.
This guide makes the presumption that you already have a directory server with user accounts set up beforehand. Right, let’s go!
Firstly, let’s install some prerequisites.
# Install the development software
sudo eopkg it -c system.devel

# Install OpenLDAP and LDAP development files
sudo eopkg it openldap openldap-devel
Now get the latest tarball from https://arthurdejong.org/nss-pam-ldapd/downloads and extract it into a temporary location; I use ~/tmp.
As of writing, version 0.9.8 is current.
# Extract the software and enter the build directory
tar zxvf nss-pam-ldapd-0.9.8.tar.gz -C ~/tmp/ && cd ~/tmp/nss-pam-ldapd-0.9.8
Building is fairly simple; just make sure that you pass the --prefix parameter to the configure script. Strangely, the default prefix for configure is /.
# Build the software and install with sudo
./configure --prefix=/usr && make
sudo make install
Modify /etc/nslcd.conf to suit your directory. The salient settings are uid, gid, uri and base.
If your directory requires a log-in, also set binddn and bindpw. Since bindpw is stored in clear text, keep the file readable only by root.
Create the service account that nslcd will drop privileges to (it must match the uid setting in /etc/nslcd.conf):
sudo useradd --system nslcd
Modify your /etc/nsswitch.conf so that the passwd, group, and shadow lines look something like this:
passwd: files ldap
group: files ldap
shadow: files ldap
To test LDAP connectivity between nslcd and our LDAP server, open two terminals and start nslcd in debug mode in one of them.
# Start nslcd in debug mode
sudo /usr/sbin/nslcd -d
We can now see if we can pull user and group information from our directory.
# Use getent to test if we can access LDAP accounts
getent passwd

# Use getent to test if we can access LDAP groups
getent group
If successful, you should see your LDAP users and groups alongside the local ones; you can then stop the nslcd daemon by issuing a ^C in your first terminal.
Now let’s make things a little more permanent. Solus uses systemd, so we now need to create a service unit file. Paste the following into /etc/systemd/system/nslcd.service.
[Unit]
Description=nss-pam-ldapd
After=network.target

[Service]
ExecStart=/usr/sbin/nslcd
Type=forking
PIDFile=/var/run/nslcd/nslcd.pid

[Install]
WantedBy=multi-user.target
Tell systemd that there is a new service file.
# Reload systemd
sudo systemctl daemon-reload
You should now be able to enable, disable, start, stop and restart the nslcd service, so let’s enable and start it.
# Enable and start nslcd
sudo systemctl enable nslcd.service
sudo systemctl start nslcd.service
Debug by issuing:
# Check the journal for nslcd messages
sudo journalctl -u nslcd.service
Now for the fucking ugly part where I usually lock myself out of my system. If you are running Solus in a virtual machine, I suggest snapshotting it or creating a backup first.
Open /etc/pam.d/system-auth in a text editor and make sure that it looks similar to the following. Note that my LDAP accounts have UIDs of 10000 and above, which is why minimum_uid is set to 10000: pam_ldap only handles accounts at or above that UID, and local accounts below it are left to pam_unix.
# Begin /etc/pam.d/system-auth
auth sufficient pam_unix.so
auth sufficient pam_ldap.so minimum_uid=10000 use_first_pass
auth required pam_deny.so
# End /etc/pam.d/system-auth
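Before editing system-auth it is worth checking that the two halves of the setup agree with each other: nsswitch.conf must list ldap after files for passwd, group and shadow, every local account must stay below minimum_uid (otherwise it is handed to pam_ldap, which cannot authenticate it), and every directory account must sit at or above minimum_uid (otherwise pam_ldap skips it and it falls through to pam_deny). The script below is an added example, not part of the original post; it assumes the minimum_uid=10000 boundary used above and runs against constructed sample data embedded in the script, so on a real machine you would feed it /etc/nsswitch.conf, /etc/passwd and the entries that getent passwd returns beyond the local file.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks to run before
# touching /etc/pam.d/system-auth. Sample inputs are constructed inline.

# Must match the minimum_uid= argument given to pam_ldap.so (assumed 10000,
# the value used in the post).
MIN_LDAP_UID=10000

# Constructed sample of /etc/nsswitch.conf after the edit described above.
SAMPLE_NSSWITCH='passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns'

# Constructed sample of the local /etc/passwd (accounts pam_unix handles).
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed sample of the extra entries nslcd returned via "getent passwd"
# (accounts pam_ldap handles). "svc" is deliberately below the boundary.
SAMPLE_LDAP='bob:x:10001:10001:Bob:/home/bob:/bin/bash
carol:x:10002:10002:Carol:/home/carol:/bin/bash
svc:x:999:999:Service:/nonexistent:/sbin/nologin'

# check_nsswitch DB CONTENT: succeeds if the DB line reads "DB: files ldap".
# "files" must come first so local accounts still resolve when nslcd is down.
check_nsswitch() {
    printf '%s\n' "$2" | grep -Eq "^$1:[[:space:]]+files[[:space:]]+ldap"'([[:space:]]|$)'
}

# names_with_uid_ge CONTENT MIN: user names from passwd-format lines whose uid >= MIN.
names_with_uid_ge() {
    printf '%s\n' "$1" | awk -F: -v min="$2" '$3 >= min { print $1 }'
}

# names_with_uid_lt CONTENT MIN: user names from passwd-format lines whose uid < MIN.
names_with_uid_lt() {
    printf '%s\n' "$1" | awk -F: -v min="$2" '$3 < min { print $1 }'
}

# preflight NSSWITCH LOCAL LDAP: runs every check, prints each finding and
# returns 0 only when it is safe to proceed with the PAM edit.
preflight() {
    ok=0
    for db in passwd group shadow; do
        check_nsswitch "$db" "$1" || { echo "nsswitch: '$db' does not list 'files ldap'"; ok=1; }
    done
    # A local account at or above the boundary is handed to pam_ldap, which
    # cannot authenticate it: lock-out risk.
    for u in $(names_with_uid_ge "$2" "$MIN_LDAP_UID"); do
        echo "local account '$u' has uid >= $MIN_LDAP_UID"; ok=1
    done
    # A directory account below the boundary is skipped by pam_ldap and falls
    # through to pam_deny, so it can never log in.
    for u in $(names_with_uid_lt "$3" "$MIN_LDAP_UID"); do
        echo "LDAP account '$u' has uid < $MIN_LDAP_UID"; ok=1
    done
    return $ok
}

preflight "$SAMPLE_NSSWITCH" "$SAMPLE_LOCAL" "$SAMPLE_LDAP" \
    || echo "preflight failed: fix the findings above before editing PAM"
```

With the sample data the script reports the svc account sitting below the boundary and exits non-zero; once every finding is clear it is reasonable to move on to the PAM change, still with a root shell kept open in another terminal.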
If you could pull user and group information with getent, then we can test authentication by running the following.
# Test LDAP authentication by sudoing to root and
# running login, then test authentication with a
# user account from your directory
sudo su
login
I successfully logged in with a network account but received a warning about not having a home directory. We will fix this now with the help of the pam_mkhomedir.so PAM module.
Open /etc/pam.d/system-session and make sure that it looks similar to the following.
# Begin /etc/pam.d/system-session
session required pam_unix.so
session required pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_loginuid.so
session optional pam_limits.so
# End /etc/pam.d/system-session
Now when you repeat the LDAP authentication test, a home directory will be created automatically for the user on first login.