Originally published at ScummBlog. You can comment here or there.
I am here, people, to save you from LDAP. Unless you have to use it, in which case you are already lost. Like me. But here are some pro tips to make connecting clients a bit easier!
1) TLS in Ubuntu is seriously broken. Like, terribly broken. GnuTLS looks like it’s to blame, and from the bugs that I’ve looked at nobody wants to actually acknowledge that the problem belongs to them. So you’d think that would nix using LDAP over a secure connection, right? Wrong! You can use stunnel to create an SSL-encrypted listener on port 636 (LDAP’s secure port) and have it dump the incoming connection to 389 (the un-encrypted local listening port). This lets your clients use LDAPS:// properly. Don’t ask me why this works, but I’m damned glad it does. (The short version: stunnel terminates the TLS session itself, using OpenSSL, and hands slapd a plain LDAP stream, so slapd’s own GnuTLS-based TLS never gets involved. That plaintext hop between stunnel and slapd is only acceptable because it stays on the box, so keep port 389 bound to 127.0.0.1 rather than every interface, e.g. via SLAPD_SERVICES in /etc/default/slapd.)
2) Just apt-get installing libnss-ldap on a client doesn’t bring in everything you’ll need for proper LDAP logins. nss_ldap only resolves names and UIDs; the password check at login is done by pam_ldap, so make sure libpam-ldap is installed too. You’ll also want libpam-modules (for pam_mkhomedir.so) and nscd (Name Service Cache Daemon), otherwise you’ll run into lovely “I have no name!” issues on login (that prompt is bash failing to map your UID back to a username through NSS).
3) Some handy things you’ll want to check in /etc/ldap.conf: make sure the port is 636, ssl is on and tls_checkpeer is no. Be aware that tls_checkpeer no switches off verification of the server’s certificate, so the client will happily talk TLS to anything that answers on 636; it gets you past certificate trouble, but once logins work, point tls_cacertfile at the CA that signed the stunnel certificate and set tls_checkpeer back to yes.
4) Make a local recovery account with a *really* secure password, and *DON’T* disable local login in PAM (keep pam_unix.so in the auth stack alongside pam_ldap.so), otherwise you are SOL if LDAP ever breaks.
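As an added example (not code from the original post), here is a small POSIX shell script that pulls tips 1, 3 and 4 together: it emits the stunnel wrapper config for 636 to 389, audits an nss_ldap/pam_ldap-style /etc/ldap.conf for the settings above and flags the certificate-check-off case, and prints the PAM ordering that keeps a local recovery login working when LDAP is down. The file paths (stunnel config, server cert, CA file), the example.com hostname and the function names are placeholders chosen for this example, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: stunnel4 and slapd are
# installed, slapd listens in plaintext on 127.0.0.1:389 only, and a server
# cert+key PEM lives at /etc/ssl/private/ldap.pem (hypothetical path).

# Tip 1: stunnel config that terminates TLS on 636 and forwards the decrypted
# stream to the plaintext LDAP listener on loopback.
stunnel_ldaps_conf() {
    cat <<'EOF'
; /etc/stunnel/ldaps.conf (hypothetical path)
cert = /etc/ssl/private/ldap.pem
pid  = /var/run/stunnel4/ldaps.pid
[ldaps]
accept  = 636
connect = 127.0.0.1:389
EOF
}

# Tip 3, as the post describes it: TLS on, but server certificate not checked.
ldap_conf_weak() {
    cat <<'EOF'
# /etc/ldap.conf (constructed sample)
base dc=example,dc=com
host ldap.example.com
port 636
ssl on
tls_checkpeer no
EOF
}

# Tip 3, hardened: verify the server certificate against a known CA.
ldap_conf_hardened() {
    cat <<'EOF'
# /etc/ldap.conf (constructed sample)
base dc=example,dc=com
host ldap.example.com
port 636
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
EOF
}

# Audit an ldap.conf: last value wins, comment lines ('#...') never match $1.
# Returns 0 when port/ssl are right and peer checking is not switched off.
ldap_conf_audit() {
    f="$1"
    port=$(awk 'tolower($1)=="port"{v=$2} END{print v}' "$f")
    ssl=$(awk 'tolower($1)=="ssl"{v=tolower($2)} END{print v}' "$f")
    check=$(awk 'tolower($1)=="tls_checkpeer"{v=tolower($2)} END{print v}' "$f")
    rc=0
    [ "$port" = "636" ] || { echo "port is '${port:-unset}', expected 636"; rc=1; }
    [ "$ssl" = "on" ]   || { echo "ssl is '${ssl:-unset}', expected on"; rc=1; }
    if [ "$check" = "no" ]; then
        echo "WARNING: tls_checkpeer no: server certificate is not verified, a MITM can impersonate the LDAP server"
        rc=1
    fi
    return $rc
}

# Tip 4 (and the pam_mkhomedir part of tip 2): local accounts are checked
# first, so the recovery user still gets in when LDAP is unreachable; LDAP
# users fall through to pam_ldap with the password already entered.
pam_common_auth() {
    cat <<'EOF'
# /etc/pam.d/common-auth (constructed sample)
auth    sufficient  pam_unix.so nullok_secure
auth    required    pam_ldap.so use_first_pass
# /etc/pam.d/common-session (constructed sample)
session required    pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}

# Usage: sh ldap-tips.sh /etc/ldap.conf   (audits the client's config)
if [ "$#" -eq 1 ]; then
    ldap_conf_audit "$1"
fi
```

The audit deliberately treats tls_checkpeer no as a failure: it is the one setting in the post that trades away security rather than just working around a bug, and it is easy to forget once logins start working.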
So there you go, somewhat painless LDAP authentication! The TLS thing alone resulted in a tonne of swearing yesterday, before I found the myriad of bugs filed against it.