LDAP has been around for over a decade, and yet it is still considered a newer technology. Many modern vendors have added LDAP authentication. This document is a brief generic howto for configuring linux to use LDAP. This will be a fairly detailed recipe as most of my docs are.
Linux Name Services
Name Server Switch is the engine that really enables Linux to harness LDAP. In linux you have two different ldap.conf files that the modules and services use to configure their ldap communications ‘/etc/ldap.conf’ and ‘/etc/openldap/ldap.com’. The first gives the dn’s for passwd, group and sudoers. You can also specify the server and communication protocol. One really cool bonus is that you get to enable the host_acl based of users with this config file
nss_map_attribute uniqueMember member
pam_password_prohibit_message Please visit http://enterprise.company.com/password_policy.html.
#This options is VERY helpful for debugging sudo ldap extension
PAM is an authentication and accounting module that allows Linux services to use different methods for authenticating users (MySQL, LDAP, NIS, etc..). Their are two different pam config versions. You should look up the version your gnu/linux vedor uses for exact details on ldap setup, for SuSE you modify “/etc/security/pam_unix2.conf” to include the following. This system makes it so you don’t have to modify every pam service to use ldap, you just let them all use the standard unix2 module which then handles the ldap lookup.
Edit your ‘/etc/nsswitch.conf’ place the word ldap before files for the passwd and group name service. You can also add it to sudoers if you want to store your sudo configs in ldap also
sudoers: files ldap
passwd_compat: files ldap
shadow_compat: files ldap
group_compat: files ldap