Automatically create missing home directories for LDAP accounts using OpenLDAP and PAM
I thought it was a great idea to use OpenLDAP on Linux for centralized authentication. However, after the LDAP system was set up, users could authenticate, but because they had no home directory the error message 'Could not chdir to home directory' appeared. As I didn't want to create the home directories for every user manually, and after browsing the web and piecing together the missing information I required, I thought it would be useful to write this little doc.
First check that the file pam_ldap.so is present. It should be in the directory /lib/security. If you don't have it, you can download it from
http://rpmfind.net/linux/rpm2html/search.php?query=pam_ldap.so
or go to
http://rpm.pbone.net
and search for pam_ldap.so for your distribution.
You also require the file pam_ldap.conf, which should be located in the /etc directory. If it is not present, just create it. The file should look something like this:

$ cat /etc/pam_ldap.conf
# The name of your ldap server.
host ldap.example.com
# The name of your search base.
base dc=example,dc=com
# The version of ldap protocol to use.
ldap_version 2

Now edit the file sshd in /etc/pam.d. Add the lines in bold (the account entry for pam_ldap.so and the session entry for pam_mkhomedir.so) so that sshd looks like this:

$ cat /etc/pam.d/sshd
#%PAM-1.0
auth     required   /lib/security/pam_unix2.so   # set_secrpc
auth     required   /lib/security/pam_nologin.so
auth     required   /lib/security/pam_env.so
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix2.so
account  required   /lib/security/pam_nologin.so
password required   /lib/security/pam_pwcheck.so
password required   /lib/security/pam_unix2.so use_first_pass use_authtok
session  required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required   /lib/security/pam_unix2.so none   # trace or debug
session  required   /lib/security/pam_limits.so

If you have LDAP users logging on locally to your system, add the same lines in bold (the account entry for pam_ldap.so and the session entry for pam_mkhomedir.so) to the file /etc/pam.d/login:

$ cat /etc/pam.d/login
#%PAM-1.0
auth     requisite  /lib/security/pam_unix2.so nullok   #set_secrpc
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
#auth    required   /lib/security/pam_homecheck.so
auth     required   /lib/security/pam_env.so
auth     required   /lib/security/pam_mail.so
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix2.so
password required   /lib/security/pam_pwcheck.so nullok
password required   /lib/security/pam_unix2.so nullok use_first_pass use_authtok
session  required   /lib/security/pam_unix2.so none   # debug or trace
session  required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required   /lib/security/pam_limits.so

The next time an LDAP user logs onto the system, the system will create the home directory for that user if it doesn't already exist.
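As an added check, not part of the original doc: the following POSIX shell script verifies that a PAM service file carries the account entry for pam_ldap.so and the session entry for pam_mkhomedir.so, and prints the mkhomedir options, since the umask= value decides the mode of the home directories it creates (umask=0022 yields mode 0755). It runs against two constructed sample files standing in for /etc/pam.d/sshd; point pam_check_file at the real file on your system.

```shell
#!/bin/sh
# Added example, not from the original doc: check a PAM service file for the
# two entries this doc adds and report the pam_mkhomedir options.
# Print the first active (non-comment) line of FILE with type TYPE naming MODULE.
pam_entry() {            # usage: pam_entry FILE TYPE MODULE-PATTERN
    grep -v '^[[:space:]]*#' "$1" | grep -E "^[[:space:]]*$2[[:space:]].*$3" | head -n 1
}
# Print the umask= value from the pam_mkhomedir session line (empty if absent).
pam_mkhomedir_umask() {
    pam_entry "$1" session 'pam_mkhomedir\.so' | sed -n 's/.*umask=\([0-7]*\).*/\1/p'
}
# Return 0 if both required entries are present and active, 1 otherwise.
pam_check_file() {
    rc=0
    if [ -n "$(pam_entry "$1" account 'pam_ldap\.so')" ]; then
        echo "ok:      account entry for pam_ldap.so in $1"
    else
        echo "MISSING: account entry for pam_ldap.so in $1"; rc=1
    fi
    mk=$(pam_entry "$1" session 'pam_mkhomedir\.so')
    if [ -n "$mk" ]; then
        echo "ok:      session entry for pam_mkhomedir.so in $1"
        echo "         options:$(printf '%s\n' "$mk" | sed 's/.*pam_mkhomedir\.so//')"
    else
        echo "MISSING: session entry for pam_mkhomedir.so in $1"; rc=1
    fi
    return $rc
}
# Constructed sample files (stand-ins for /etc/pam.d/sshd) so this runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd.good" <<'EOF'
#%PAM-1.0
auth     required   /lib/security/pam_unix2.so
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix2.so
session  required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required   /lib/security/pam_unix2.so none
EOF
cat > "$SAMPLE_DIR/sshd.bad" <<'EOF'
#%PAM-1.0
account  required   /lib/security/pam_unix2.so
#session required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required   /lib/security/pam_unix2.so none
EOF

pam_check_file "$SAMPLE_DIR/sshd.good"
pam_check_file "$SAMPLE_DIR/sshd.bad" || echo "sshd.bad would leave LDAP users without a home directory"
```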
sinkomai at pcgossip dot com