08.08
As some of you may know, configuring LDAP on Ubuntu Lucid can be a bit of a pain in the ass, especially getting it consistent throughout your infrastructure. So here’s a way to configure LDAP relatively easily via Debconf preseeding.
First install debconf (it’s likely already installed, but double-check this):
# apt-get install debconf
Then put the following lines into debconf-ldap-preseed.txt so we can feed it to debconf later (obviously you need to adapt this configuration file to your own situation):
ldap-auth-config ldap-auth-config/binddn string cn=proxyuser,dc=yourdomain,dc=com
ldap-auth-config ldap-auth-config/bindpw password
ldap-auth-config ldap-auth-config/dblogin boolean false
ldap-auth-config ldap-auth-config/dbrootlogin boolean true
ldap-auth-config ldap-auth-config/ldapns/base-dn string dc=yourdomain,dc=com
ldap-auth-config ldap-auth-config/ldapns/ldap-server string ldap://10.10.10.10/
ldap-auth-config ldap-auth-config/ldapns/ldap_version select 3
ldap-auth-config ldap-auth-config/move-to-debconf boolean true
ldap-auth-config ldap-auth-config/override boolean true
ldap-auth-config ldap-auth-config/pam_password select crypt
ldap-auth-config ldap-auth-config/rootbinddn string cn=manager,dc=yourdomain,dc=com
ldap-auth-config ldap-auth-config/rootbindpw password
libnss-ldap libnss-ldap/binddn string cn=proxyuser,dc=yourdomain,dc=com
libnss-ldap libnss-ldap/bindpw password
libnss-ldap libnss-ldap/confperm boolean false
libnss-ldap libnss-ldap/dblogin boolean false
libnss-ldap libnss-ldap/dbrootlogin boolean true
libnss-ldap libnss-ldap/nsswitch note
libnss-ldap libnss-ldap/override boolean true
libnss-ldap libnss-ldap/rootbinddn string cn=manager,dc=yourdomain,dc=com
libnss-ldap libnss-ldap/rootbindpw password
libnss-ldap shared/ldapns/base-dn string dc=yourdomain,dc=com
libnss-ldap shared/ldapns/ldap-server string ldap://10.10.10.10/
libnss-ldap shared/ldapns/ldap_version select 3
libpam-ldap libpam-ldap/binddn string cn=proxyuser,dc=yourdomain,dc=com
libpam-ldap libpam-ldap/bindpw password
libpam-ldap libpam-ldap/dblogin boolean false
libpam-ldap libpam-ldap/dbrootlogin boolean false
libpam-ldap libpam-ldap/override boolean true
libpam-ldap libpam-ldap/pam_password select crypt
libpam-ldap libpam-ldap/rootbinddn string cn=manager,dc=yourdomain,dc=com
libpam-ldap libpam-ldap/rootbindpw password
libpam-ldap shared/ldapns/base-dn string dc=yourdomain,dc=com
libpam-ldap shared/ldapns/ldap-server string ldap://10.10.10.10/
libpam-ldap shared/ldapns/ldap_version select 3
libpam-runtime libpam-runtime/profiles multiselect unix, ldap
Now we feed the above file to debconf:
# cat debconf-ldap-preseed.txt | debconf-set-selections
And finally we need to switch nss to include LDAP lookups:
# auth-client-config -p lac_ldap -t nss
Optionally make sure homedirs are created on login:
# echo -e 'session required\t\t\tpam_mkhomedir.so' >> /etc/pam.d/common-session
One of the other advantages is that this may also benefit future upgrades: since all the settings are preseeded through debconf, it’s less likely a future update/upgrade will break your setup. This is purely speculative since I haven’t done any actual upgrades yet.
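A lint pass for debconf-ldap-preseed.txt before it is fed to debconf-set-selections, as an added example that is not part of the original post: it checks that the connection settings agree across the three packages, that no password question was left blank, that the server URI is not plain ldap://, and that the password-bearing file is not readable by group or other. The function name check_ldap_preseed, the finding labels and the choice of which keys must match are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): lint a debconf preseed file
# for ldap-auth-config / libnss-ldap / libpam-ldap before loading it.
# Prints one finding per line; returns 1 if anything was found.
check_ldap_preseed() {
    file=$1; status=0
    # The file holds bindpw/rootbindpw: group and other need no access.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "PERMS $file is accessible to group or other"
        status=1
    fi
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {   # line format: owner question type [value ...]
        owner = $1; n = split($2, part, "/"); key = part[n]; value = ""
        for (i = 4; i <= NF; i++) value = value (i > 4 ? " " : "") $i
        # Assumption: these connection settings should agree in every package
        if (key ~ /^(binddn|rootbinddn|base-dn|ldap-server|ldap_version)$/) {
            if (!(key in seen)) { seen[key] = value; who[key] = owner }
            else if (seen[key] != value) {
                printf "MISMATCH %s: %s=\"%s\" vs %s=\"%s\"\n",
                       key, who[key], seen[key], owner, value
                bad = 1
            }
        }
        if ($3 == "password" && value == "") { print "EMPTY " $2; bad = 1 }
        # ldap:// is unencrypted unless StartTLS is configured separately
        if (key == "ldap-server" && value ~ /^ldap:\/\//) {
            print "CLEARTEXT " owner " " value; bad = 1
        }
    }
    END { exit bad + 0 }' "$file" || status=1
    return $status
}

# Constructed sample: one server typo, one blank password, file left at 0644.
sample=$(mktemp)
cat > "$sample" <<'EOF'
libnss-ldap shared/ldapns/ldap-server string ldap://10.10.10.10/
libpam-ldap shared/ldapns/ldap-server string ldap://10.10.10.11/
libpam-ldap libpam-ldap/bindpw password
libpam-ldap libpam-ldap/binddn string cn=proxyuser,dc=yourdomain,dc=com
EOF
chmod 644 "$sample"
check_ldap_preseed "$sample" || true
rm -f "$sample"
```

Run it against debconf-ldap-preseed.txt after a chmod 600 and before the debconf-set-selections step.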
