Wednesday, April 25, 2007

pam_ccreds howto

This document is largely inspired by this link. The configuration contains a few flaws however and is not working for Ubuntu Edgy.
  1. First we need to install nss-updatedb:

    sudo apt-get install nss-updatedb

  2. Make sure to update /etc/nsswitch.conf:

    passwd: compat ldap [NOTFOUND=return] db
    group: compat ldap [NOTFOUND=return] db
    shadow: compat ldap

  3. Populate the cache by issuing:

    sudo nss_updatedb ldap

  4. Make sure nss-ldap doesn't search for the LDAP forever. Update /etc/libnss-ldap.conf:

    bind_policy hard
    nss_reconnect_tries 1
    nss_reconnect_sleeptime 1
    nss_reconnect_maxsleeptime 8
    nss_reconnect_maxconntries 2

  5. Check if this worked by unplugging the network and typing the following command:

    getent passwd

    Be warned, this might take some time.
  6. Now, install libnss-db and libpam-ccreds:

    sudo apt-get install libnss-db libpam-ccreds

  7. Update /etc/pam.d/common-auth:

    auth sufficient pam_unix.so
    auth [authinfo_unavail=ignore success=1 default=die] pam_ldap.so use_first_pass
    auth [default=done] pam_ccreds.so action=validate use_first_pass
    auth [default=done] pam_ccreds.so action=store use_first_pass
    auth [default=done] pam_ccreds.so action=update use_first_pass

  8. Update /etc/pam.d/common-account:

    account sufficient pam_unix.so nullok_secure
    account sufficient pam_ldap.so
    account required pam_permit.so

  9. Finally you must login while connected to the LDAP server once to make libpam-ccreds store your password. After that you will be able to login while not connected to the ldap server as usual.


Done ;)

4 comments:

Marek Wojtaszek said...

Have you got working this with Debian Etch or Ubunto 8.04? Because can solve my problem ;/

kennywest said...

This will definitely work on Ubuntu 8.04. It will probably work on Debian Etch as well. Try it.

World of Warcraft Gold Guides said...

good post :)

Aydin Doyak said...

Really good post. I can get working LDAP caching on Debian 8.1 with your blog post.

Thank you!