Solus OS

Configure LDAP Authentication on Solus 3

I'll start by saying that I think Solus is a fantastic Linux-based desktop operating system. My preference is Solus with Gnome, but it is also available with the homegrown Budgie desktop or Mate.

My user accounts are all entries in a directory server but Solus doesn’t at the moment have the ability to pull in accounts from one (although I have submitted a package request to facilitate this).

Enter nss-pam-ldapd from Arthur de Jong. There are other implementations but I had problems compiling them and I don’t have the nous to fix them.

This guide assumes that you already have a directory server with user accounts set up beforehand. Right, let's go!

Firstly, let's install some prerequisites.

# Install the development software
sudo eopkg it -c system.devel
# Install OpenLDAP and LDAP development files
sudo eopkg it openldap openldap-devel

Now get the latest tarball from and extract it into a temporary location; I use ~/tmp.
As of writing, version 0.9.8 is current.

# Extract the software and enter the build directory
tar zxvf nss-pam-ldapd-0.9.8.tar.gz -C ~/tmp/ && cd ~/tmp/nss-pam-ldapd-0.9.8

Building is fairly simple; just make sure that you pass the --prefix parameter to the configure script. Strangely, the default prefix for configure is /.

# Build the software and install with sudo
./configure --prefix=/usr && make
sudo make install

Modify /etc/nslcd.conf to suit your directory. The salient keys are uid, gid, uri and base.

If your directory requires a bind before searching, set binddn and bindpw as well.
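Because nslcd.conf holds the bind password in the clear and names the server the daemon will trust, it is worth checking before nslcd is started. The following is an added example, not code from the original post: a small POSIX sh checker for the keys named above, assuming the "key value" layout of nslcd.conf(5) and GNU stat's -c %a option for reading the file mode.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check an nslcd.conf
# before nslcd is started. Assumes the "key value" layout of nslcd.conf(5)
# and GNU stat's -c %a option for the file mode.

# Print the value of a key (last occurrence wins; comments and blanks ignored).
nslcd_get() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Exit 0 if the file looks safe to use; otherwise report each problem, exit 1.
check_nslcd_conf() {
    conf="$1"; rc=0
    # The keys the post calls out must all be present.
    for key in uid gid uri base; do
        if [ -z "$(nslcd_get "$conf" "$key")" ]; then
            echo "missing required key: $key"; rc=1
        fi
    done
    # Credentials must not cross the wire in the clear.
    uri="$(nslcd_get "$conf" uri)"
    case "$uri" in
        ldaps://*|ldapi://*) ;;   # TLS from the start, or a local socket
        *) [ "$(nslcd_get "$conf" ssl)" = "start_tls" ] || {
               echo "uri '$uri' is cleartext and 'ssl start_tls' is not set"; rc=1; } ;;
    esac
    # A relaxed tls_reqcert lets any server impersonate the directory.
    case "$(nslcd_get "$conf" tls_reqcert)" in
        never|allow) echo "tls_reqcert disables server certificate checking"; rc=1 ;;
    esac
    # bindpw is stored in the clear, so the file must be readable by root only.
    if [ -n "$(nslcd_get "$conf" bindpw)" ]; then
        mode="$(stat -c %a "$conf")"
        case "$mode" in
            600|400) ;;
            *) echo "bindpw present but file mode is $mode (want 0600)"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Stand-alone use: sh check-nslcd.sh /etc/nslcd.conf
if [ "$#" -gt 0 ]; then
    check_nslcd_conf "$1"
fi
```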

Create the service account for nslcd

sudo useradd --system nslcd

Modify your /etc/nsswitch.conf so that the passwd, group, and shadow lines look something like this:

passwd:  files ldap
group:   files ldap
shadow:  files ldap

To test LDAP connectivity between nslcd and our LDAP server, open a couple of terminals and start nslcd in debug mode in one of them.

# Start nslcd in debug mode
sudo /usr/sbin/nslcd -d

We can now see if we can pull user and group information from our directory.

# Use getent to test if we can access LDAP accounts
getent passwd

# Use getent to test if we can access LDAP groups
getent group

If this succeeds you should see your LDAP users and groups alongside the local ones; you can then stop the nslcd daemon with ^C in the first terminal.

Now let's make things a little more permanent. Solus uses systemd, so we need to create a service unit file. Paste the following into /etc/systemd/system/nslcd.service.




Tell systemd that there is a new service file.

# Reload systemd
sudo systemctl daemon-reload

You should now be able to enable, disable, start, stop and restart the nslcd service, so let's enable and start it.

# Enable and start nslcd
sudo systemctl enable nslcd.service
sudo systemctl start nslcd.service

If something goes wrong, check the journal:

# Check journal for nslcd message
sudo journalctl -u nslcd.service

Now for the fucking ugly part, where I usually lock myself out of my system. If you are running Solus in a virtual machine I suggest taking a snapshot or a backup first, and in any case keep a root shell open in another terminal while you edit PAM so that a mistake does not lock you out.

Open /etc/pam.d/system-auth in a text editor and make sure that it looks similar to the following. Note that my LDAP accounts have uids of 10000 and above, which is why minimum_uid=10000 is set: local accounts below that uid are never tried against the directory.

# Begin /etc/pam.d/system-auth

auth    sufficient
auth    sufficient minimum_uid=10000 use_first_pass
auth    required

# End /etc/pam.d/system-auth

If you could pull user and group information with getent, we can now test authentication by running the following.

# Test LDAP authentication by sudoing to root and
# running login, then test authentication with a
# user account from your directory
sudo su

I successfully logged in with a network account but received a warning about not having a home directory. We will fix this now with the help of the PAM module.

Open /etc/pam.d/system-session and make sure that it looks similar to the following.

# Begin /etc/pam.d/system-session

session   required
session   required
session   required skel=/etc/skel/ umask=0022
session   optional
session   optional

# End /etc/pam.d/system-session

Now when you repeat the LDAP authentication test a home directory will be automatically created for you.