LDAP Authentication PAM/NSS Using Debian or Ubuntu Bash Script v2

02 09 2006
Okay, so the old script wasn't that great (well I don't think so), mainly because of how I dealt with nsswitch.conf. I had the old script download it from the internet. Sure, it worked for me when I made the script, but that method can lead to many problems, especially when servers go down (which did happen). With the help of God I discovered sed. It's like find/replace, but even better. It has features dripping out of places I'd rather not see. Well anyways, the script is below. I also added a function to see if you were root or not. When I ran the old script on DreamLinux as root, it made new files in the pam.d directory, but they were all empty! The new method hit the spot right. Let me know if it works for you or not ;-)

CODE:
#! /bin/bash

# This script will install an LDAP authentication client for
# Debian-based systems.  It relies on apt-get for package
# installation.  If you are using Ubuntu or Mepis, make sure
# you have the 'universe' repository enabled.  The packages we
# need are in there.
#
# Suppose the script's filename is ldapconf.sh
# If you are running it as a sudo user, type:
# chmod +x ldapconf.sh && sudo ./ldapconf.sh
#
# If you are root, run it as:
# chmod +x ldapconf.sh && ./ldapconf.sh
#
# Feel free to modify and distribute this file freely, so long
# as you leave the author's name and URL intact.
#
# © Ameir Abdeldayem
# http://www.ameir.net
# Last modified: September 1, 2006
#---------------------------------------------------------------#


# timestamp used to name the backup copy of every file this script touches
DATE=`date +'%m-%d-%Y-%T'`

# check if root, else run as sudo user: prints "sudo " when we are not root,
# so "$(root) command" runs the command with the privileges it needs
function root
{
if [ $(whoami) = "root" ]
then
  echo -n
else
  echo -n "sudo "
fi
}

$(root) apt-get install libpam-ldap libnss-ldap ldap-utils nscd

# The configuration lines are written with "| $(root) tee -a file": a plain
# ">> file" redirection would be opened by the unprivileged shell rather than
# by sudo, and fail with "Permission denied" when the script is run as a
# normal user.
echo "Backing up and modifying files in pam.d/ ..."
$(root) mv /etc/pam.d/common-account /etc/pam.d/common-account.$DATE.bak
echo "account sufficient      pam_ldap.so" | $(root) tee -a /etc/pam.d/common-account > /dev/null
echo "account required        pam_unix.so try_first_pass" | $(root) tee -a /etc/pam.d/common-account > /dev/null

$(root) mv /etc/pam.d/common-auth /etc/pam.d/common-auth.$DATE.bak
echo "auth    sufficient      pam_ldap.so" | $(root) tee -a /etc/pam.d/common-auth > /dev/null
echo "auth    required        pam_unix.so try_first_pass" | $(root) tee -a /etc/pam.d/common-auth > /dev/null

$(root) mv /etc/pam.d/common-password /etc/pam.d/common-password.$DATE.bak
echo "password        sufficient      pam_ldap.so" | $(root) tee -a /etc/pam.d/common-password > /dev/null
echo "password      required   pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass" \
  | $(root) tee -a /etc/pam.d/common-password > /dev/null

# changes in common-session shouldn't be needed, but if so uncomment and (re)run
# $(root) mv /etc/pam.d/common-session /etc/pam.d/common-session.$DATE.bak
# echo "session       sufficient      pam_ldap.so" | $(root) tee -a /etc/pam.d/common-session > /dev/null
# echo "session       required        pam_unix.so" | $(root) tee -a /etc/pam.d/common-session > /dev/null

# two backups: one timestamped, and one with a fixed name that sed reads below
$(root) cp /etc/nsswitch.conf /etc/nsswitch.conf.$DATE.bak
$(root) cp /etc/nsswitch.conf /etc/nsswitch.conf.bak

# every "compat" entry (passwd, group and shadow on a stock Debian install)
# becomes "ldap files", so LDAP is consulted first and the local files second
echo "Editing your nsswitch.conf file..."
sed -e 's/compat/ldap files/g' /etc/nsswitch.conf.bak | $(root) tee /etc/nsswitch.conf > /dev/null

echo -e "Finished installing packages and modifying configuration files! \n"

echo -e "NOTES:\nYou may need to restart your computer before changes take effect."
echo "You can restart your computer by typing '$(root)reboot' in this very same window."
echo "If you are trying to login as a user that is local AND in LDAP and are getting\
 permission errors, type (write this down) '$(root)nscd --invalidate=passwd' in a terminal."

Download ldapconf.sh
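As an added example (not the author's ldapconf.sh), the shell functions below turn the nsswitch.conf sed step into an idempotent rewrite and add two checks worth running after the script: that passwd, group and shadow still list "files" beside "ldap", and that each PAM stack keeps its "required pam_unix.so" line after the "sufficient pam_ldap.so" one, so local accounts keep working when pam_ldap cannot bind to the server (the symptom reported in the comments). The function names are hypothetical and the input files are constructed.

```shell
#!/bin/bash
# Added example, not the original ldapconf.sh; the function names are hypothetical.

# enable_ldap_nss <nsswitch.conf>
# Idempotent form of the script's  sed -e 's/compat/ldap files/g'  step: on the
# passwd, group and shadow lines "compat" becomes "ldap files" exactly as in the
# script, a line without "compat" gets "ldap" prepended, and a line that already
# lists ldap is left alone, so running it twice never duplicates entries.
enable_ldap_nss() {
    awk '
        $1 ~ /^(passwd|group|shadow):$/ {
            has_ldap = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") has_ldap = 1
            if (!has_ldap) {
                if ($0 ~ /compat/) {
                    gsub(/compat/, "ldap files")
                } else {
                    rest = $0
                    sub(/^[^:]*:[ \t]*/, "", rest)
                    $0 = $1 " ldap " rest
                }
            }
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# nss_has_local_fallback <nsswitch.conf>
# Succeeds only if passwd, group and shadow each list both ldap and files, so
# root and other local accounts still resolve while the LDAP server is unreachable.
nss_has_local_fallback() {
    local db
    for db in passwd group shadow; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)"  "$1" || return 1
        grep -Eq "^$db:.*[[:space:]]files([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# pam_keeps_local_auth <pam.d file>
# Succeeds if a required/requisite pam_unix.so line follows the sufficient
# pam_ldap.so line (the stack the script writes), so a local password is still
# tried when pam_ldap cannot bind to the server.
pam_keeps_local_auth() {
    awk '
        $1 !~ /^#/ && $2 == "sufficient" && $3 == "pam_ldap.so" { seen_ldap = 1 }
        $1 !~ /^#/ && $2 ~ /^(required|requisite)$/ && $3 == "pam_unix.so" && seen_ldap { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}
```

Run the two checks against /etc/nsswitch.conf and /etc/pam.d/common-auth after the script finishes; a non-zero exit means the machine would lose local logins if the LDAP server went away.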


Trackbacks


03 09 2006
LDAP Authentication PAM/NSS Using Debian or Ubuntu Bash Script
UPDATE: There is a new version of this script here. I had server issues which caused me to lose my database, so this script and howto will be put back up as soon as I can. Stay updated. EDIT: Here's the script. I'll comment sometime soon. CODE
Weblog: The Geek Spot
Tracked: Sep 03, 02:53

Comments

05 08 2007
#1 Diwa

I'm using Feisty and all is configured using this script, but there is an error saying it cannot bind to the LDAP server.

Is there any conf I miss to configure?

Thanks
07 08 2007
#1.1 Ameir Abdeldayem

I actually haven't tested this script against Feisty yet, but was actually planning on using it on some Feisty installs soon. Once I try this out, I'll definitely update you. In the meantime, you may want to try connecting to your LDAP server via commandline and making sure the script is given the same LDAP server info.
23 10 2007
#2 Pete

Same problem as above in Gutsy Gibbon: "failed to bind to LDAP server ldap://1.1.1.1", etc. The IP is correct, so is the base DN. It appears that the binding is trying to occur before the network service has even started, as I can't ping my machine when this error message occurs. Any ideas? Thanks! I was wanting to use Gutsy Gibbon at work, but I need to get this authentication going. Any help greatly appreciated.
