pam_ccreds howto

This document is largely inspired by this link. The configuration contains a few flaws however and is not working for Ubuntu Edgy.
  1. First we need to install nss-updatedb:

    sudo apt-get install nss-updatedb

  2. Make sure to update /etc/nsswitch.conf:

    passwd:         compat ldap [NOTFOUND=return] db
    group:          compat ldap [NOTFOUND=return] db
    shadow:         compat ldap

  3. Populate the cache by issuing:

    sudo nss_updatedb ldap

  4. Make sure nss-ldap doesn't search for the LDAP forever. Update /etc/libnss-ldap.conf:

    bind_policy hard
    nss_reconnect_tries 1
    nss_reconnect_sleeptime 1
    nss_reconnect_maxsleeptime 8
    nss_reconnect_maxconntries 2

  5. Check if this worked by unplugging the network and typing the following command:

    getent passwd

    Be warned, this might take some time.
  6. Now, install libnss-db and libpam-ccreds:

    sudo apt-get install libnss-db libpam-ccreds

  7. Update /etc/pam.d/common-auth:

    auth sufficient pam_unix.so
    auth [authinfo_unavail=ignore success=1 default=die] pam_ldap.so use_first_pass
    auth [default=done] pam_ccreds.so action=validate use_first_pass
    auth [default=done] pam_ccreds.so action=store use_first_pass
    auth [default=done] pam_ccreds.so action=update use_first_pass

  8. Update /etc/pam.d/common-account:

    account sufficient pam_unix.so nullok_secure
    account sufficient pam_ldap.so
    account required pam_permit.so

  9. Finally you must login while connected to the LDAP server once to make libpam-ccreds store your password. After that you will be able to login while not connected to the ldap server as usual.


Done ;)

Comments

Anonymous said…
Have you got working this with Debian Etch or Ubunto 8.04? Because can solve my problem ;/
1:50 PM
Kenneth Westelinck said…
This will definitely work on Ubuntu 8.04. It will probably work on Debian Etch as well. Try it.
7:49 PM
Unknown said…
Really good post. I can get working LDAP caching on Debian 8.1 with your blog post.

Thank you!
4:53 PM
Anonymous said…
You saved me on Debian Stretch -- thank you!
11:54 PM
Post a Comment

Popular posts from this blog

Remove copy protection from PDF documents

This is probably illegal, so use it at your own risk. Some PDFs on the internet have a copy protection to make sure you cannot copy-paste any content from the PDF into a document you're writing. To circumvent this protection there are several tools available on the internet. I haven't tried any of them, because they're not free ;) There is however a procedure that will enable you to circumvent the copy protection using free tools. The trick is to convert the PDF to a PS (PostScript) document first and then convert it back into a PDF. So, download Ghostview en Ghostscript from: http://www.cs.wisc.edu/~ghost/ . Next, open your PDF in Ghostview. Next, from the "File" menu, select "Convert" (a dialog will pop up) Press "Ok" Fill in the name of the "converted" file. Press "Save" Tada, you can now copy content from your newly created PDF ;)
Read more

The story of the Cobalt Qube

Image
The other week, a friendly colleague of mine brought me a small present. He gave me one of his Cobalt Qube s (for free!) which was collecting dust at his home. He was certain that I could give it a better use. I think I can still remember the days these things hit the market (somewhere in the late 90's). This was a home / office server appliance way before the people of Microsoft thought up their Windows Home Server . It was running some modified version of Linux RedHat, featuring a web interface for all administrative tasks. It also had 2 network cards, so you could easily turn it into a gateway / firewall. The RedHat version running on the Qube was known to be notoriously insecure. It was also running an older 2.0.x kernel which was outdated, even at that time. The Qube 2700 and Qube 2 were both equipped with a MIPS processor. Later models had an i386 architecture. Mine was a Qube 2. Getting the serial connection to work The Qube does not have any VGA adapter, so if you want to s...
Read more

The end of vinyl records

Vinyl records have been there for ages. My dad still has a couple of old records but he has no turntable anymore to play them. This is because _I_ claimed his turntable a long time ago, which he thought had become old fashioned. I started buying vinyl records about 12 years ago. I remember saving all my pocket money and buying the latest records with it, instead of visiting pubs with friends. I remember everyone thinking vinyl records belonged to the past and MP3's and CD's were taking over. In fact, this was not true. DJ's playing at parties and clubs never stopped buying records and from my experience, about 80% of their music came from plain old vinyl and a tiny 20% from other media like CD's or MP3's. The reasoning behind this is simple, if you wanted something new, something not popular (yet), you bought it on vinyl. If it became popular, some record company would probably be so kind to put it on some CD and sell it. But then again, ages, if not decades ( :) ) ...
Read more