PAM Authentication with LDAP

These are instructions for Gentoo, but they should work on any distro.
Modify /etc/pam.d/system-auth

auth            required        pam_env.so 
auth            sufficient      pam_unix.so try_first_pass likeauth nullok 
auth            optional        pam_permit.so
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so


account         required        pam_ldap.so
account         required        pam_unix.so 
account         optional        pam_permit.so
 
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password        sufficient      pam_unix.so try_first_pass use_authtok nullok md5 shadow
password        optional        pam_permit.so
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        required        pam_deny.so


password      sufficient      pam_unix.so try_first_pass use_authtok nullok md5 shadow
password      required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
password      sufficient      pam_ldap.so use_authtok use_first_pass
password      required        pam_deny.so


session         required        pam_limits.so 
session         required        pam_env.so 
session         required        pam_unix.so 
session         optional        pam_ldap.so
session         optional        pam_permit.so
session         optional        pam_mkhomedir.so skel=/etc/skel umask=0022  


Now that PAM knows how to authenticate against LDAP, we have to configure the global client file, /etc/ldap.conf:

bind_policy soft
bind_timelimit 2
ldap_version 3
nss_base_group ou=myorg,dc=example,dc=com
nss_base_hosts ou=myorg,dc=example,dc=com
nss_base_passwd ou=myorg,dc=example,dc=com
nss_base_shadow ou=myorg,dc=example,dc=com
pam_filter objectclass=posixAccount
pam_login_attribute uid
#pam_member_attribute gid
pam_password md5
#pam_password exop
scope sub
timelimit 2
uri ldap://ldaphost.example.com/


Modify /etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
hosts:          files dns ldap

# LDAP is nominally authoritative for the following maps.
services:   ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
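Before declaring the setup done, it is worth checking the system-auth stack for the properties it relies on: the auth stack must fail closed (end in required pam_deny.so), the pam_ldap.so auth line must reuse the password already typed (use_first_pass), and pam_unix.so should not hash with md5 (the sha512 variant listed in the alternate password stanza is the better choice). The script below is an added example, not part of the original page; the function names are hypothetical and the embedded sample stack is constructed from the lines above.

```shell
#!/bin/sh
# Added check for a PAM service file such as /etc/pam.d/system-auth.
# Assumes the simple keyword control syntax used above (required/sufficient/
# optional); bracketed controls like [success=1 default=ignore] are not parsed.
# Comment lines (leading '#') are ignored, as PAM itself ignores them.

# Print "control module" of the last active line of type $2 in file $1.
pam_last_module() {
    awk -v t="$2" '$0 !~ /^[ \t]*#/ && $1 == t { ctl = $2; mod = $3 }
                   END { print ctl, mod }' "$1"
}
# Exit 0 if the auth stack ends with "required pam_deny.so" (fail closed).
pam_auth_fails_closed() {
    [ "$(pam_last_module "$1" auth)" = "required pam_deny.so" ]
}
# Exit 0 if every active pam_ldap.so auth line reuses the already-typed password.
pam_ldap_uses_first_pass() {
    awk '$0 !~ /^[ \t]*#/ && $1 == "auth" && $3 == "pam_ldap.so" &&
         $0 !~ /(use|try)_first_pass/ { bad++ } END { exit (bad ? 1 : 0) }' "$1"
}
# Exit 0 if no active password-type pam_unix.so line selects the md5 option.
pam_unix_not_md5() {
    ! grep -Eq '^[[:space:]]*password[[:space:]].*pam_unix\.so.*[[:space:]]md5([[:space:]]|$)' "$1"
}
# Run all three checks on file $1; report findings, return 1 if any failed.
pam_check() {
    rc=0
    pam_auth_fails_closed "$1"    || { echo "auth stack does not end in 'required pam_deny.so'"; rc=1; }
    pam_ldap_uses_first_pass "$1" || { echo "pam_ldap.so auth line lacks use_first_pass"; rc=1; }
    pam_unix_not_md5 "$1"         || { echo "pam_unix.so password line uses md5; prefer sha512"; rc=1; }
    return $rc
}

# Constructed sample for a stand-alone run: the auth and password stacks above.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
auth      required    pam_env.so
auth      sufficient  pam_unix.so try_first_pass likeauth nullok
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so
password  sufficient  pam_unix.so try_first_pass use_authtok nullok md5 shadow
password  sufficient  pam_ldap.so use_authtok use_first_pass
password  required    pam_deny.so
EOF
if pam_check "$SAMPLE"; then echo "system-auth: clean"; else echo "system-auth: see findings above"; fi
```

Run it as `pam_check /etc/pam.d/system-auth` on the real file; the sample run reports only the md5 finding.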


And be happy!!