[Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)

steve steve at steve-ss.com
Mon Aug 26 16:40:29 MDT 2013


On Tue, 2013-08-27 at 00:12 +0200, Marc Muehlfeld wrote:
> Am 25.08.2013 09:27, schrieb Bruno Vane:
> > I have some Ubuntu LTS servers running openssh server authenticating to
> > external openldap. I installed a new Ubuntu LTS server with Samba4 to
> > create a domain and is working very well. I managed to make a pfsense
> > firewall authenticate users in this Samba4 ldap. How to make openssh in
> > Ubuntu authenticate users in Samba4 ldap?
> 
> 
> As the "Winbind, sshd and nslcd"-HowTo I am currently working on is 
> getting longer and longer, I decided to split it into the three parts, 
> so it won't get too confusing. Also then I can publish the already 
> finished and validated nslcd part. And here it is:
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
> 
> 
> @Bruno: This HowTo should contain all the short information I already 
> gave you here on the list in a more detailed depth.
> 
> 
> @All: Feel free to give comments. Or let me know if something is 
> missing/wrong.
> 
> 
> Regards,
> Marc

Hi
1. Nested groups work fine with nslcd. Please use the latest version:
man nslcd.conf(5)

2. We really should encourage users away from plain text passwords
stored in files. nslcd works fine with sasl binds. The devs have worked
hard to give us Kerberos out of the box. I think we should use it:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

3. nslcd is already AD aware and this is not winbind so let's keep it
simple. The following lines are not required / produce errors / slow down
lookups.
filter  passwd  (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID
filter  group   (&(objectClass=group)(gidNumber=*))
map     group   uniqueMember       member
Again, it is important to use the latest version.

Just my €0.02
Thank you for taking the time to document this.
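As an added example (not code from the thread, from nslcd, or from the Samba wiki HowTo), the script below audits an nslcd.conf for the two points raised in the reply above: a plaintext bind password kept in the file (bindpw / simple bind instead of a SASL GSSAPI bind), and the AD-specific filter and map lines the post says an AD-aware nslcd no longer needs. The two configurations it checks are constructed for the example; the host name, base DN, realm and credential-cache path in them are assumptions, not values from the thread.

```python
"""Audit an nslcd.conf for a plaintext bind password and for AD-specific
filter/map lines that recent, AD-aware nslcd versions do not need.
Example code written for this thread; not part of nslcd or Samba."""

# Lines the post lists as unnecessary with an AD-aware nslcd, stored as
# (keyword, first argument, remaining arguments) so that differences in
# column alignment do not affect matching.
REDUNDANT_AD_LINES = {
    ("filter", "passwd", "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))"),
    ("filter", "group", "(&(objectClass=group)(gidNumber=*))"),
    ("map", "passwd", "gecos displayName"),
    ("map", "passwd", "gidNumber primaryGroupID"),
    ("map", "group", "uniqueMember member"),
}

# Constructed example: simple bind with the password stored in the file,
# plus the filter/map lines the post says to drop.
WEAK_CONF = """\
uri ldap://dc1.example.com
base dc=example,dc=com
binddn cn=nslcd,cn=Users,dc=example,dc=com
bindpw Secret123
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
"""

# Constructed example: SASL/GSSAPI bind using a Kerberos ticket cache, so
# no password lives in nslcd.conf (paths and realm are assumptions).
HARDENED_CONF = """\
uri ldap://dc1.example.com
base dc=example,dc=com
sasl_mech GSSAPI
sasl_realm EXAMPLE.COM
krb5_ccname FILE:/var/run/nslcd/nslcd.tkt
"""


def parse_nslcd_conf(text):
    """Yield (keyword, [args]) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit_nslcd_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    seen = {}
    for keyword, args in parse_nslcd_conf(text):
        seen.setdefault(keyword, []).append(args)
        if keyword in ("filter", "map") and args:
            key = (keyword, args[0].lower(), " ".join(args[1:]))
            if key in REDUNDANT_AD_LINES:
                findings.append(
                    "redundant with AD-aware nslcd: %s %s" % (keyword, " ".join(args)))
    if "bindpw" in seen:
        findings.append("bindpw: plaintext bind password stored in nslcd.conf")
    if "binddn" in seen and "sasl_mech" not in seen:
        findings.append("binddn without sasl_mech: simple bind instead of SASL/GSSAPI")
    if "sasl_mech" in seen:
        mechs = [a[0].upper() for a in seen["sasl_mech"] if a]
        if "GSSAPI" in mechs and "krb5_ccname" not in seen:
            findings.append(
                "sasl_mech GSSAPI without krb5_ccname: check that the nslcd "
                "user has a usable Kerberos ticket cache")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s config:" % name)
        for finding in audit_nslcd_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against a real /etc/nslcd.conf by reading the file into audit_nslcd_conf(); the redundant-line check matches the exact filter strings from the post, so locally edited variants of those filters are reported only if they are identical.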
