LDAP Client Setup
This HowTo provides the steps needed to get your user to authenticate against an existing LDAP database. It will allow any existing LDAP user to log in to the Raspberry Pi without any need to create the user locally. My primary use for this is to provide an easy mechanism for the user to access his / her network shares.
What is LDAP
LDAP is one method by which a user can authenticate against a central record. Often this is done for the purposes of accessing user-specific data shares or services.
Recent changes to the LDAP client packages have greatly simplified the installation and set-up of LDAP. You can use a Raspberry Pi as the LDAP server, and an excellent example of how to do this can be found
The following information is required to access your LDAP server.
- LDAP host name or IP address, example 192.168.0.123
- base DN, example dc=MYWORKGROUP,dc=local
sudo apt-get update
sudo apt-get install libpam-ldapd libnss-ldapd
This will install the packages and dependencies needed.
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database ldap-utils libbind9-80 libdns88 libgeoip1 libisc84 libisccc80 libisccfg82 liblwres80 nscd nslcd
Suggested packages:
  geoip-bin kstart
The following NEW packages will be installed:
  bind9-host geoip-database ldap-utils libbind9-80 libdns88 libgeoip1 libisc84 libisccc80 libisccfg82 liblwres80 libnss-ldapd libpam-ldapd nscd nslcd
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,534 kB of archives.
After this operation, 9,221 kB of additional disk space will be used.
Do you want to continue [Y/n]?
Approve the installation and wait. Once the packages are installed, they will spawn the LDAP client configuration wizard, which asks for the LDAP address and base DN.
Lastly, the wizard will ask for the services which you wish to access. These depend on your LDAP configuration, but it's not unreasonable to select everything.
When logging in with a user that does not already exist on the RPi, it is necessary to create a folder in /home for the user. To have this done automatically at login, add the line
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
to the file /etc/pam.d/common-session, using the following.
sudo nano /etc/pam.d/common-session
Add session required pam_mkhomedir.so umask=0022 skel=/etc/skel to the end of the file, so that it ends as follows:
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
session optional pam_ck_connector.so nox11
# end of pam-auth-update config
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Type the following command to show the last 5 users on the Pi. Your LDAP users should be at the end of the list.
sudo getent passwd | tail -n 5
lightdm:x:106:109:Light Display Manager:/var/lib/lightdm:/bin/false
nslcd:x:107:110:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
raspberrypi:x:1000000:1000000:temporary pi user:/home/raspberrypi:
jack:x:1000001:1000000:jack:/home/jack:
jill:x:1000002:1000000:jill:/home/jill:
Here I have 3 LDAP users 'raspberrypi', 'jack' & 'jill'.
ldapsearch -H ldap://<LDAP Server>/ -b dc=WORKGROUP,dc=local -x '(objectclass=*)'
This should report the properties of the database, starting with
# extended LDIF
#
# LDAPv3
# base <dc=WORKGROUP,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
To test, log in with an LDAP user using "su - <LDAPUSER>".
pi@raspberrypi ~ $ sudo su - jack
Creating directory '/home/jack'.
jack@raspberrypi ~ $
With LDAP configured, it should now be possible to log in to the Pi as any LDAP user, and the Pi will authenticate that user against the LDAP server. This can be via the normal login prompt or via SSH if you have enabled it on the Pi.
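The values used in this HowTo are a plain ldap:// address and umask=0022, so login passwords can reach the LDAP server unencrypted and new home directories are readable by other local users. The script below is an added example, not part of the original HowTo: it checks an nslcd.conf-style file and a common-session file for those two settings. The function names and sample files are constructed for illustration, and /etc/nslcd.conf is assumed to be where nslcd keeps its configuration.

```shell
#!/bin/sh
# Added example (not from the original HowTo): audit the two files this setup touches.

# Report if LDAP binds (and so login passwords) would cross the network unencrypted,
# or if TLS certificate checking has been explicitly weakened.
audit_nslcd() {
    uri=$(awk '$1 == "uri" { print $2; exit }' "$1")
    ssl=$(awk '$1 == "ssl" { print $2; exit }' "$1")
    reqcert=$(awk '$1 == "tls_reqcert" { print $2; exit }' "$1")
    case "$uri" in
        ldaps://*) ;;
        ldap://*) [ "$ssl" = "start_tls" ] || echo "CLEARTEXT: $uri without 'ssl start_tls'" ;;
        *) echo "NOURI: no ldap:// or ldaps:// uri line found" ;;
    esac
    case "$reqcert" in
        never|allow) echo "NOVERIFY: tls_reqcert $reqcert accepts an invalid server certificate" ;;
    esac
}

# Report if pam_mkhomedir is absent, or creates homes that other users can read.
audit_mkhomedir() {
    line=$(grep -E '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1" | tail -n 1)
    [ -n "$line" ] || { echo "MISSING: no pam_mkhomedir session line"; return 0; }
    mask=$(printf '%s\n' "$line" | sed -n 's/.*umask=\([0-7]*\).*/\1/p')
    mask=${mask:-0022}    # pam_mkhomedir's default when umask= is not given
    case "$mask" in
        *[0-3]) echo "OTHER-READABLE: umask=$mask leaves new home directories readable by other users" ;;
    esac
}

# Constructed sample files mirroring the values used on this page.
demo=$(mktemp -d)
cat > "$demo/nslcd.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldap://192.168.0.123/
base dc=MYWORKGROUP,dc=local
EOF
cat > "$demo/common-session" <<'EOF'
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
audit_nslcd "$demo/nslcd.conf"
audit_mkhomedir "$demo/common-session"
rm -rf "$demo"
```

To check a real system, call audit_nslcd /etc/nslcd.conf and audit_mkhomedir /etc/pam.d/common-session as root; no output means neither issue was found. Switching to an ldaps:// address or adding ssl start_tls, and using umask=0077, clears both findings.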
Automatically mount network shares for the LDAP user: Accessing_Network_Shares#Autofs_for_LDAP