Steps for getting LDAP authentication working on Debian

This entry was posted on Wednesday, 3 June, 2009.


Sources: – a very helpful and knowledgeable guy



Goal: get all Linux users authenticating against our Active Directory implementation, which is running on Windows 2003 R2.


On the Active Directory Server:

From Add/Remove Programs -> Add/Remove Windows Components -> Active Directory Services, install Identity Management for UNIX and reboot.


Create a user which we’re going to use to bind. I have called mine adlookup, which sits in our Service Accounts OU.

CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com


It is very important that the password doesn’t have any special characters in it; I had to change the domain policy to set it, as apparently there can only be one password policy per domain.

In Active Directory Users/Computers either create a new group or choose an existing group for your users, right click and choose properties.

Add your users

Choose Unix Attributes and select the correct NIS domain.


Now select a user, right click on them and select properties

Choose Unix Attributes

Select the NIS domain, Home Directory, shell and primary group name


Linux Client:

apt-get install ldap-utils openssl libpam-ldap libnss-ldap nscd

Edit /etc/ldap/ldap.conf to look like this:


BASE    OU=OU,dc=DOMAIN,dc=com


URI     ldap://IPOFADBOX:389



ldapsearch -x -W -D "cn=AD Lookup,OU=Service Accounts,dc=DOMAIN,dc=com" -LLL "(sAMAccountName=adlookup)"

Enter the bind password when prompted and it should return the correct details; if it does then you’re brilliant 🙂

Now backup the existing file

mv /etc/libnss-ldap.conf /etc/libnss-ldap.old

nano -w /etc/libnss-ldap.conf

make it look like this:

host IPOFADSERVER #Important: it must be the IP and not the DNS name

ldap_version 3

binddn CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com

bindpw PASSWD #nospecialcharacters

scope sub

timelimit 30

nss_map_objectclass posixAccount User

nss_map_objectclass shadowAccount User

nss_map_attribute uid msSFU30Name

nss_map_attribute uniqueMember msSFU30PosixMember

nss_map_attribute userPassword msSFU30Password

nss_map_attribute homeDirectory unixHomeDirectory

nss_map_objectclass posixGroup Group

pam_login_attribute msSFU30Name

pam_filter objectclass=User

pam_password ad

base OU=YOUROU,dc=DOMAIN,dc=com # make sure you limit this to only what is required as I had strange errors

rootbinddn CN=ADMINUSER,CN=Users,DC=DOMAIN,DC=com #What user should root join as to enable passwd change etc

pam_groupdn CN=WHATGROUPAREUSERSIN,CN=Users,DC=DOMAIN,DC=com #what group must users be in to enable login

The contents of libnss-ldap.conf and pam_ldap.conf are identical in my setup so just link them together to save any additional work:

mv /etc/pam_ldap.conf /etc/pam_ldap.old && ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf

nano -w /etc/libnss-ldap.secret # enter your admin password

ln -s /etc/libnss-ldap.secret /etc/pam_ldap.secret #same passwords

chmod 600 /etc/libnss-ldap.secret # make sure this is readable only by its owner (root)
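The two things most likely to go wrong in the files above are a bind password with characters the post warns against and a secret file that is readable by more than root. The following is an added example, not code from the original post: a small set of POSIX sh functions that check both offline. It assumes the "key value" layout shown above for libnss-ldap.conf; the sample files it builds at the end are constructed, with the post's own placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: offline hygiene checks for the
# libnss-ldap.conf and secret files set up above. Assumptions: the conf uses
# the "key value" layout shown in the post; the sample files are constructed.

# bindpw_is_plain PASSWORD -> 0 if it is non-empty and contains only letters
# and digits (the post's "no special characters" rule), 1 otherwise
bindpw_is_plain() {
    case "$1" in
        '')             return 1 ;;
        *[!A-Za-z0-9]*) return 1 ;;
        *)              return 0 ;;
    esac
}

# conf_value FILE KEY -> prints the first value of KEY, with any trailing
# "# comment" stripped (note: this also means a '#' inside a value is cut off)
conf_value() {
    sed -e 's/[[:space:]]*#.*$//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# secret_mode_ok FILE -> 0 if the file exists and is mode 0600 (-rw-------);
# uses ls -l rather than stat so it works on any ls
secret_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_nss_ldap_conf CONF SECRET -> 0 when bindpw is plain and the secret
# file is 0600; prints the reason on stderr otherwise
check_nss_ldap_conf() {
    pw=$(conf_value "$1" bindpw)
    bindpw_is_plain "$pw" || { echo "$1: bindpw is empty or has special characters" >&2; return 1; }
    secret_mode_ok "$2"   || { echo "$2: must be mode 0600" >&2; return 1; }
    return 0
}

# Constructed sample run using the post's placeholders
demo=$(mktemp -d)
cat > "$demo/libnss-ldap.conf" <<'EOF'
host IPOFADSERVER
binddn CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com
bindpw Secret123 #nospecialcharacters (constructed placeholder)
EOF
printf 'Secret123\n' > "$demo/libnss-ldap.secret"
chmod 600 "$demo/libnss-ldap.secret"
check_nss_ldap_conf "$demo/libnss-ldap.conf" "$demo/libnss-ldap.secret" && echo "libnss-ldap.conf: ok"
```

Run it against the real files with `check_nss_ldap_conf /etc/libnss-ldap.conf /etc/libnss-ldap.secret` once they are in place; because pam_ldap.conf and pam_ldap.secret are symlinks to the same files in this setup, one check covers both.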

Edit your /etc/nscd.conf file and change the following parameters:

I have chosen an arbitrary size of 500MB, but I found that there were some crazy assertion errors coming in if I left the defaults, such as this openldap-2.4.11/libraries/liblber/sockbuf.c one. I think it must be to do with the size of the cache in nscd but am not sure. I also got an error about “invalid persistent database” when this was set too large.

max-db-size             passwd          524288000
max-db-size             group           524288000
max-db-size             services        524288000

Now you have to tell the name service switch (which PAM relies on to find users) where to look them up, so make your /etc/nsswitch.conf look like the below. It is very important to get the order right: compat must come first and then ldap. I found that my machine wouldn’t boot if it was trying to do the ldap first.

#passwd:         compat

#group:          compat

#shadow:         compat

passwd:         compat ldap

group:          compat ldap

shadow:         compat


You must now make nsswitch readable by all so:

chmod 644 /etc/nsswitch.conf

Now you can test this is working by doing:

getent passwd USER.NAME # this must be a username you have enabled up there ^
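Since the ordering in nsswitch.conf is the one thing the post says can stop the machine booting, it is worth checking before a reboot. The following is an added example, not code from the original post: POSIX sh functions that parse an nsswitch.conf and confirm it matches the layout above (passwd and group read compat before ldap, shadow stays on compat alone). The sample file at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: offline check that an
# nsswitch.conf follows the layout above. The sample file is constructed.

# nss_sources FILE DB -> prints the source list for database DB (for example
# "compat ldap" for passwd), comments stripped; prints nothing if DB is absent
nss_sources() {
    sed -e 's/#.*$//' "$1" | awk -v db="$2:" '$1 == db { $1 = ""; print; exit }'
}

# nss_order_ok FILE DB -> 0 if the first source is compat (or files) and ldap
# is listed somewhere after it, 1 otherwise
nss_order_ok() {
    set -- $(nss_sources "$1" "$2")
    [ "$#" -ge 2 ] || return 1
    case "$1" in
        compat|files) ;;
        *) return 1 ;;
    esac
    shift
    for src in "$@"; do
        [ "$src" = ldap ] && return 0
    done
    return 1
}

# nss_shadow_local_only FILE -> 0 if the shadow database never consults ldap
nss_shadow_local_only() {
    for src in $(nss_sources "$1" shadow); do
        [ "$src" = ldap ] && return 1
    done
    return 0
}

# check_nsswitch FILE -> 0 when all three databases match the post's layout;
# prints the first mismatch on stderr
check_nsswitch() {
    nss_order_ok "$1" passwd   || { echo "passwd: compat must come before ldap" >&2; return 1; }
    nss_order_ok "$1" group    || { echo "group: compat must come before ldap" >&2; return 1; }
    nss_shadow_local_only "$1" || { echo "shadow: should stay on compat" >&2; return 1; }
    return 0
}

# Constructed sample run: the three lines from the post plus a hosts line
demo=$(mktemp -d)
printf 'passwd:         compat ldap\ngroup:          compat ldap\nshadow:         compat\nhosts:          files dns\n' > "$demo/nsswitch.conf"
check_nsswitch "$demo/nsswitch.conf" && echo "nsswitch.conf: ok"
```

Once `check_nsswitch /etc/nsswitch.conf` passes, the `getent passwd USER.NAME` test above is the live confirmation that ldap is actually being consulted.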

/etc/pam.d Common Files


Debian has a series of files in /etc/pam.d whose names begin with common-, which are included by the other files in that directory for specific services. We can tell PAM to use LDAP for all of these services by modifying these common files.


Edit /etc/pam.d/common-password, comment out and replace:

password required nullok obscure min=4 max=8 md5


password required retry=3 minlen=6 difok=3

password required use_authtok nullok md5


# try password files first, then ldap. enforce use of very strong passwords.

password required min=disabled,16,12,8,6 max=256

password sufficient use_authtok md5

password sufficient use_first_pass use_authtok md5

password required

Read the pam_passwdqc man page for more about parameters you can give to it.


Edit /etc/pam.d/common-auth, comment out:

auth required nullok_secure

replace with:

# try password file first, then ldap

auth sufficient

auth sufficient use_first_pass

auth required

In /etc/pam.d/common-account, comment out:

account required

replace with:

# try password file first, then ldap

account sufficient

account sufficient

account required

Add this line to /etc/pam.d/common-session:

session required skel=/etc/skel/ umask=0022
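The auth and account stacks above all follow one shape: sufficient lines (local password file first, then ldap reusing the password already typed) and a final required line as the explicit fallback. The following is an added example, not code from the original post: POSIX sh functions that audit a common-* file for that shape. The module names in its constructed sample (pam_unix.so, pam_ldap.so, pam_deny.so) are assumptions of mine, since the post's own lines above lost their module names in extraction.

```shell
#!/bin/sh
# Added example, not from the original post: audit a /etc/pam.d/common-* file
# for the stack shape used above. Module names in the constructed sample
# (pam_unix.so, pam_ldap.so, pam_deny.so) are assumed.

# pam_rules FILE TYPE -> prints "control module [args]" for each rule of TYPE
# (auth, account, password or session); comments and blank lines are dropped.
# Bracketed controls such as [success=1 default=ignore] are printed verbatim
# and are not treated as "required" by the checks below.
pam_rules() {
    sed -e 's/#.*$//' "$1" | awk -v t="$2" 'NF >= 3 && $1 == t { $1 = ""; sub(/^ /, ""); print }'
}

# pam_fails_closed FILE TYPE -> 0 if the last rule of TYPE is required or
# requisite, i.e. the stack does not end on a sufficient line
pam_fails_closed() {
    last=$(pam_rules "$1" "$2" | awk '{ c = $1 } END { print c }')
    case "$last" in
        required|requisite) return 0 ;;
        *)                  return 1 ;;
    esac
}

# pam_reuses_password FILE TYPE -> 0 if every sufficient rule after the first
# carries use_first_pass, so the user types the password once and the later
# module retries it instead of prompting again
pam_reuses_password() {
    pam_rules "$1" "$2" | awk '
        $1 == "sufficient" { n++; if (n > 1 && $0 !~ /use_first_pass/) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# check_pam_common FILE TYPE -> runs both checks, reason on stderr on failure
check_pam_common() {
    pam_fails_closed "$1" "$2"    || { echo "$1: last $2 rule must be required" >&2; return 1; }
    pam_reuses_password "$1" "$2" || { echo "$1: later sufficient $2 rules need use_first_pass" >&2; return 1; }
    return 0
}

# Constructed sample run: the common-auth stack from the post, with assumed
# module names filled in
demo=$(mktemp -d)
cat > "$demo/common-auth" <<'EOF'
# try password file first, then ldap
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
EOF
check_pam_common "$demo/common-auth" auth && echo "common-auth: ok"
```

Run `check_pam_common /etc/pam.d/common-auth auth` and `check_pam_common /etc/pam.d/common-account account` after editing; a stack that ends on a sufficient line, or a second sufficient line without use_first_pass, is reported before you lock yourself out testing a login.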

This should now be it; I haven’t quite got automatic sudo working yet, or auto-mounting of the home dir from an NFS source, but that is the next step 🙂



The password you bind with must not have special characters.

In nscd.conf you must have a decent-sized cache.

Your Unix attributes must be correct.

Check that your getent passwd is working and that your ldapsearch is working.