This page goes through the steps needed to use the local LDAP slave for authentication on the same server. It assumes that the server is registered and that a working LDAP slave is running on it.
First install the required packages. These use nslcd as their backend:
sudo apt-get install libnss-ldapd libpam-ldapd
Installing libpam-ldapd automatically updates the /etc/pam.d/common-(auth|account|password) files, so no manual PAM changes are needed.
Next configure nslcd with the local LDAP information:
/etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://<hostname from /etc/puavo/hostname>.<puavo domain from /etc/puavo/domain>/
# The search base that will be used for all queries.
base group ou=Groups,<ldap base from /etc/puavo/ldap/base>
base passwd ou=People,<ldap base from /etc/puavo/ldap/base>
# Filter out all adm- users from LDAP as they all should be organisation owners that
# are synced to extrausers
filter passwd (!(uid=adm-*))
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn <bind dn from /etc/puavo/ldap/dn>
bindpw <password from /etc/puavo/ldap/password>
# SSL options
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/puavo/certs/rootca.pem
map passwd homeDirectory "/home/$uid"
map passwd gecos displayName
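The placeholders in the template above all come from files under /etc/puavo/. The following script, added here as an example and not part of Puavo itself, renders nslcd.conf from those files so the values are never copied by hand, and installs it with the restrictive permissions the file needs because it carries bindpw. The /etc/puavo layout (hostname, domain, ldap/base, ldap/dn, ldap/password, certs/rootca.pem) is the one named on this page; the values in the demo at the bottom are constructed and written to a scratch directory, so nothing on the real system is touched.

```shell
#!/bin/sh
# Added example (not Puavo project code): render /etc/nslcd.conf from the
# settings stored under /etc/puavo/ and install it with safe permissions.
set -eu

# read_setting DIR NAME: print the first line of DIR/NAME with surrounding
# whitespace stripped; fail if the file is missing or empty.
read_setting() {
    dir=$1; name=$2
    if [ ! -s "$dir/$name" ]; then
        echo "missing or empty: $dir/$name" >&2
        return 1
    fi
    head -n 1 "$dir/$name" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# render_nslcd_conf PUAVO_DIR: write the nslcd.conf body to stdout.
# The directives mirror the template on this page; only the bracketed
# placeholders are substituted.
render_nslcd_conf() {
    puavo=$1
    host=$(read_setting "$puavo" hostname)
    domain=$(read_setting "$puavo" domain)
    base=$(read_setting "$puavo" ldap/base)
    binddn=$(read_setting "$puavo" ldap/dn)
    bindpw=$(read_setting "$puavo" ldap/password)
    cat <<EOF
# /etc/nslcd.conf - generated from $puavo, do not edit by hand
uid nslcd
gid nslcd
uri ldap://$host.$domain/
base group ou=Groups,$base
base passwd ou=People,$base
# adm- users are organisation owners synced to extrausers, not served via LDAP
filter passwd (!(uid=adm-*))
ldap_version 3
binddn $binddn
bindpw $bindpw
ssl start_tls
tls_reqcert demand
tls_cacertfile $puavo/certs/rootca.pem
map passwd homeDirectory "/home/\$uid"
map passwd gecos displayName
EOF
}

# install_nslcd_conf PUAVO_DIR TARGET: write the rendered file atomically,
# readable only by root and the nslcd group (mode 0640) because it holds the
# bind password.  The chgrp is best-effort so the demo runs on any machine.
install_nslcd_conf() {
    puavo=$1; target=$2
    tmp=$(mktemp "$target.XXXXXX")
    render_nslcd_conf "$puavo" > "$tmp"
    chmod 0640 "$tmp"
    if getent group nslcd >/dev/null 2>&1; then
        chgrp nslcd "$tmp" 2>/dev/null || echo "warning: could not chgrp $tmp to nslcd" >&2
    fi
    mv "$tmp" "$target"
}

# Demo with constructed values in a scratch directory.  On a real server:
#   install_nslcd_conf /etc/puavo /etc/nslcd.conf
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/puavo/ldap" "$demo_dir/puavo/certs"
echo "boot01" > "$demo_dir/puavo/hostname"
echo "example.puavo.net" > "$demo_dir/puavo/domain"
echo "dc=edu,dc=example,dc=fi" > "$demo_dir/puavo/ldap/base"
echo "uid=boot01,ou=Hosts,dc=edu,dc=example,dc=fi" > "$demo_dir/puavo/ldap/dn"
echo "constructed-demo-secret" > "$demo_dir/puavo/ldap/password"
install_nslcd_conf "$demo_dir/puavo" "$demo_dir/nslcd.conf"
cat "$demo_dir/nslcd.conf"
```

Writing to a temporary file and renaming it into place means nslcd never sees a half-written configuration, and the mode is set before the file appears under its final name.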
nscd caches entries for too long by default, which delays the point at which changes made in Puavo become visible on the servers. Shorten the time-to-live values:
/etc/nscd.conf
enable-cache passwd yes
positive-time-to-live passwd 60
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 60
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
Alternatively, disable nscd caching entirely by setting enable-cache to no for both the passwd and group databases.
Restart both nslcd and nscd after changing either file:
sudo /etc/init.d/nscd restart
sudo /etc/init.d/nslcd restart
To make NSS lookups (and therefore getent) consult LDAP for users and groups:
/etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
After this, getent should list the LDAP users and groups alongside the local ones:
getent passwd
getent group
If this works, try logging in to the server as an LDAP user.
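Before trying an interactive login it is worth confirming that the nsswitch.conf change took effect and that the nslcd.conf filter and map directives actually shape what NSS returns. The checks below are an added example, not part of the original page: nss_uses_ldap inspects an nsswitch.conf file, and check_passwd_entries reads passwd(5)-style lines (the output of getent -s ldap passwd, which restricts the lookup to the ldap source) and reports any adm- account that slipped past the filter or any home directory that does not follow the "/home/$uid" mapping. The sample lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not Puavo project code): post-configuration checks for the
# nsswitch.conf and nslcd.conf settings described on this page.
set -eu

# nss_uses_ldap FILE DB: succeed if the "DB:" line in an nsswitch.conf
# lists the ldap source (e.g. "passwd: compat ldap").
nss_uses_ldap() {
    file=$1; db=$2
    awk -v db="$db" '
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# check_passwd_entries: read passwd-format lines on stdin, print one line per
# violation and fail if any were found.  Two rules, matching nslcd.conf:
#   - no uid may start with "adm-" (filter passwd (!(uid=adm-*)))
#   - the home directory must be /home/<uid> (map passwd homeDirectory)
check_passwd_entries() {
    awk -F: '
        $1 ~ /^adm-/          { print "adm- user returned by LDAP: " $1; bad = 1 }
        $6 != ("/home/" $1)   { print "unexpected home for " $1 ": " $6; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Demo on constructed data.  On a real server run:
#   nss_uses_ldap /etc/nsswitch.conf passwd && getent -s ldap passwd | check_passwd_entries
demo=$(mktemp -d)
printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat\n' > "$demo/nsswitch.conf"
nss_uses_ldap "$demo/nsswitch.conf" passwd && echo "passwd: ldap source enabled"
nss_uses_ldap "$demo/nsswitch.conf" shadow || echo "shadow: local only (as configured)"

# Constructed getent output: one correct LDAP user, one leaked adm- user and
# one user whose home directory does not follow the mapping.
printf '%s\n' \
  'teacher1:x:10001:10001:Teacher One:/home/teacher1:/bin/bash' \
  'adm-owner:x:10002:10002:Org Owner:/home/adm-owner:/bin/bash' \
  'pupil7:x:10003:10003:Pupil Seven:/home/users/pupil7:/bin/bash' \
  | check_passwd_entries || echo "checks failed (expected for the demo data)"
```

If check_passwd_entries reports an adm- account, the filter line in nslcd.conf is either missing or nslcd has not been restarted since it was added; a wrong home directory points at the map passwd homeDirectory line.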