Welcome to FreeSoftwareServers Confluence Wiki

Note: This has been tested on Ubuntu 10-12, but RSA lookup fails, and SSH BREAKS with AuthUser. I usually just install and comment out AuthUser so if we upgrade, we can just uncomment those lines and be off to the races. As it stands, I am not going to attempt to get RSA SSH on Ubuntu >14, we should just upgrade.

Setup on Client :

sudo su
apt-get update
apt-get install -y libpam-ldap nscd ldap-utils python-pip python-ldap libsasl2-dev python-dev libldap2-dev libssl-dev libnss-ldapd

Install Steps (debconf prompts) :

The packages prompt for the following, in this order. The values are this wiki's lab setup: replace 192.168.1.255 with your LDAP server's address or hostname (on a /24 the .255 address is the broadcast address, so treat it as a placeholder).

libnss-ldapd (nslcd, NSS lookups)

LDAP server URI: ldap://192.168.1.255 (NOT ldapi://, that is the local Unix-socket transport; ldap:// is the network one)

LDAP server search base: dc=freesoftwareservers,dc=com

Name services to configure: {group,passwd,shadow} (These options may not all show, manually edit /etc/nsswitch.conf if so, see below)

libpam-ldap (ldap-auth-config, PAM authentication)

LDAP server URI: ldap://192.168.1.255

Distinguished name of the search base: dc=freesoftwareservers,dc=com

LDAP version to use: 3

Make local root Database admin: YES

Does the LDAP database require login? NO

LDAP account for root: cn=admin,dc=freesoftwareservers,dc=com

LDAP root account password: PASSWORD

Answering YES above stores that admin password on the client in /etc/ldap.secret (mode 0600, root only); check the mode stays that way. With a plain ldap:// URI the password also crosses the network unencrypted on every root bind, so use a dedicated read-only bind account and ldaps:// anywhere outside a lab.
# pam_ldap waits for a token pam_unix never hands over for an LDAP-only user, so drop use_authtok
# or passwd for LDAP users fails with "Authentication token manipulation error"
sed -i -r 's/(.*)(use_authtok)(.*)/\1\3/g' /etc/pam.d/common-password
# create home directories on first login of an LDAP user (only added if not already present)
grep 'pam_mkhomedir.so' /etc/pam.d/common-session > /dev/null || {
    cat >> /etc/pam.d/common-session <<EOF
session required    pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
}
# tls_reqcert never disables server certificate checking; it is harmless here only because ldap://
# uses no TLS at all, which means every bind (admin password included) is sent in clear. Outside a lab
# use ldaps:// with tls_reqcert demand. The timeouts stop logins hanging when the server is unreachable,
# and ALLLOCAL keeps local accounts (root, system users) out of LDAP group lookups.
# (printf is used instead of echo "...\n" so it behaves the same under dash and bash)
printf '%s\n' 'tls_reqcert never' 'nss_initgroups_ignoreusers ALLLOCAL' 'bind_timelimit 3' 'timelimit 3' >> /etc/nslcd.conf
service nslcd restart
# edit /etc/nsswitch.conf (sudo nano /etc/nsswitch.conf) so the three lines read:
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
# check: getent passwd <ldap-user> must now return the LDAP entry
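The nslcd.conf above is a lab configuration: no TLS and no certificate checking. The script below is an added example, not from this wiki or from nss-pam-ldapd, that renders the hardened equivalent (ldaps:// for encrypted binds, tls_reqcert demand so the server certificate is verified, the file written 0600 because it carries the bind password) and lints an existing nslcd.conf for the weak settings. The base DN and admin DN are the wiki's; the server name ldap.freesoftwareservers.com, the CA bundle path and the output paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki or nss-pam-ldapd): render a hardened
# nslcd.conf beside the lab settings above and lint an existing file for them.
# The base DN and admin DN are the wiki's; the server name, CA bundle path and
# output paths are assumptions of this example.

# Print a hardened nslcd.conf: ldaps:// so binds are encrypted, and
# tls_reqcert demand so the server certificate is verified against a CA file.
# $1 URI, $2 base DN, $3 bind DN, $4 bind password, $5 CA bundle
render_nslcd_conf() {
    cat <<EOF
uid nslcd
gid nslcd
uri $1
base $2
ldap_version 3
binddn $3
bindpw $4
tls_reqcert demand
tls_cacertfile $5
# Local accounts never need LDAP for supplementary groups; keeps root usable
# when the server is down (same setting as the wiki).
nss_initgroups_ignoreusers ALLLOCAL
# Fail fast instead of hanging every login while the server is unreachable.
bind_timelimit 3
timelimit 3
EOF
}

# Write the rendered file with mode 0600: it holds the bind password.
# $1 destination, remaining arguments as for render_nslcd_conf
install_nslcd_conf() {
    dest=$1; shift
    ( umask 077; render_nslcd_conf "$@" > "$dest" ) && chmod 0600 "$dest"
}

# Report each weak setting in an existing nslcd.conf; return 1 if any found.
lint_nslcd_conf() {
    f=$1; rc=0
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$f"; then
        echo "WEAK: plain ldap:// URI, every bind (and its password) crosses the wire in clear"; rc=1
    fi
    if grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)' "$f"; then
        echo "WEAK: tls_reqcert never/allow, server certificate is not verified"; rc=1
    fi
    # group/other permission bits are characters 5-10 of the ls -l mode field
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f" && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "WEAK: bindpw present but $f is readable by group or others"; rc=1
    fi
    return $rc
}

# usage: <script> lint [file]   or   <script> install <dest> <uri> <base> <binddn> <bindpw> <cafile>
case ${1:-} in
    lint) lint_nslcd_conf "${2:-/etc/nslcd.conf}" ;;
    install) shift; install_nslcd_conf "$@" ;;
esac
```

Run it with `lint` against the file produced by the steps above and it reports all three findings (plain ldap://, tls_reqcert never, and a readable bindpw if the file is not 0600); `install` writes the hardened version, after which `service nslcd restart` and `getent passwd <ldap-user>` confirm lookups still work over TLS. If the lookup fails after switching to ldaps://, the CA bundle does not contain the issuer of the server certificate; do not fix that by going back to tls_reqcert never.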

Enable SSH RSA Key Lookup :

# AuthorizedKeysCommand exists only in OpenSSH 6.2 and later (Ubuntu 14.04 ships 6.6, 12.04 ships 5.9). On an older
# sshd the directive is a "Bad configuration option" and the restart leaves sshd down, so run sshd -t first.
# sshd also ignores the command unless it is root-owned and writable only by root ("Unsafe AuthorizedKeysCommand"
# in auth.log). ssh-ldap-pubkey reads the server and base DN from /etc/ldap.conf, written by the libpam-ldap prompts above.
pip install ssh-ldap-pubkey
printf '%s\n' 'AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper' 'AuthorizedKeysCommandUser nobody' >> /etc/ssh/sshd_config
sshd -t && service ssh restart
# check from a session you are still logged in to: the user's keys from LDAP should be listed, then test a fresh ssh login
ssh-ldap-pubkey list <ldap-user>

Restrict to group ServerAdmins : EDIT OR ADD LOCAL USER eg: localadmin

# access.conf rules are "permission : users/groups : origins". This one denies every account except root, the local user
# localadmin and members of the groups admin, wheel and ServerAdmins from every origin except LOCAL (the console), so an
# LDAP user outside ServerAdmins is refused at SSH even though NSS resolves the account. Keep localadmin as a break-glass
# account for when LDAP is down. common-auth is regenerated by pam-auth-update, so re-check the pam_access line after
# package upgrades. Refused attempts show in /var/log/auth.log as "pam_access(sshd:auth): access denied for user ...".
sudo sh -c 'echo "auth    required    pam_access.so" >> /etc/pam.d/common-auth'
sudo sh -c 'echo "- : ALL EXCEPT root localadmin (admin) (wheel) (ServerAdmins): ALL EXCEPT LOCAL" >> /etc/security/access.conf'

Grant Group ServerAdmins Sudo Access :

# sudo resolves %ServerAdmins through NSS, so `getent group ServerAdmins` must list the members before this rule works.
# A drop-in under /etc/sudoers.d checked with `visudo -cf <file>` is safer than editing the main sudoers file by hand.
sudo visudo
# Members of the LDAP group ServerAdmins may run sudo
%ServerAdmins ALL=(root) ALL
# restart the lookup daemon and nscd so cached (pre-LDAP) group memberships are dropped
service nslcd restart
/etc/init.d/nscd restart
# verify: `id <ldap-user>` lists ServerAdmins and `sudo -l -U <ldap-user>` shows (root) ALL
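The three steps above (sshd key lookup, pam_access, sudo) each append to a live system file and then restart a service, which is where a typo or an unsupported directive locks you out. The script below is an added example, not the wiki's own commands, that applies the same changes idempotently with the checks a practitioner wants first: the wrapper's ownership and mode (what sshd itself demands), `sshd -t` on a copy of sshd_config before the real one is replaced, and `visudo -cf` on a sudoers.d drop-in before it is installed. The wrapper path, group name and access.conf rule are the wiki's; the SSHD, VISUDO and WRAPPER_OWNER variables and the drop-in file name are this example's assumptions (pointing SSHD or VISUDO at a path that does not exist skips that validator, which is how a dry run against copies of the files works on a machine without sshd or sudo).

```shell
#!/bin/sh
# Added example (not from the wiki): apply the SSH key lookup, pam_access and
# sudo steps idempotently, with pre-flight checks so a bad edit cannot lock
# you out. WRAPPER, ADMIN_GROUP and the access.conf rule are the wiki's values;
# SSHD, VISUDO, WRAPPER_OWNER and the sudoers.d file name are this example's
# assumptions (override them for a dry run against copies of the files).
WRAPPER=${WRAPPER:-/usr/local/bin/ssh-ldap-pubkey-wrapper}
ADMIN_GROUP=${ADMIN_GROUP:-ServerAdmins}
SSHD=${SSHD:-/usr/sbin/sshd}
VISUDO=${VISUDO:-/usr/sbin/visudo}

# Append a line to a file only if an identical line is not already there.
ensure_line() {
    grep -qxF -e "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# sshd ignores an AuthorizedKeysCommand that is not an absolute path owned by
# root and writable only by root ("Unsafe AuthorizedKeysCommand" in auth.log),
# so check that first. $2 overrides the expected owner uid (root = 0) for tests.
check_keys_command() {
    want=${2:-${WRAPPER_OWNER:-0}}
    case $1 in /*) ;; *) echo "not an absolute path: $1"; return 1 ;; esac
    [ -f "$1" ] && [ -x "$1" ] || { echo "missing or not executable: $1"; return 1; }
    perms=$(ls -ldn "$1" | awk '{print $1}')   # e.g. -rwxr-xr-x
    owner=$(ls -ldn "$1" | awk '{print $3}')   # numeric uid
    [ "$owner" = "$want" ] || { echo "not owned by uid $want: $1"; return 1; }
    # character 6 is the group write bit, character 9 the world write bit
    [ "$(printf '%s\n' "$perms" | cut -c6)" != w ] || { echo "group-writable: $1"; return 1; }
    [ "$(printf '%s\n' "$perms" | cut -c9)" != w ] || { echo "world-writable: $1"; return 1; }
}

# Add the two directives to a copy of sshd_config, validate it with sshd -t
# (OpenSSH before 6.2, e.g. Ubuntu 12.04's 5.9, rejects them as a "Bad
# configuration option"), and only then replace the real file.
configure_sshd_keys_command() {
    cfg=${1:-/etc/ssh/sshd_config}
    check_keys_command "$WRAPPER" || return 1
    tmp=$(mktemp) && cp "$cfg" "$tmp" || return 1
    ensure_line "$tmp" "AuthorizedKeysCommand $WRAPPER"
    ensure_line "$tmp" "AuthorizedKeysCommandUser nobody"
    if [ -x "$SSHD" ] && ! "$SSHD" -t -f "$tmp"; then
        echo "sshd rejected the new config; leaving $cfg untouched"; rm -f "$tmp"; return 1
    fi
    cp "$tmp" "$cfg" && rm -f "$tmp"
}

# pam_access: the wiki's rule, deny every origin except LOCAL to everyone but
# root, localadmin and the admin groups. $1 access.conf, $2 common-auth.
configure_pam_access() {
    ensure_line "${1:-/etc/security/access.conf}" \
        "- : ALL EXCEPT root localadmin (admin) (wheel) ($ADMIN_GROUP): ALL EXCEPT LOCAL"
    ensure_line "${2:-/etc/pam.d/common-auth}" "auth    required    pam_access.so"
}

# sudo: write a 0440 drop-in under sudoers.d after visudo -cf has checked it,
# instead of editing the main sudoers file by hand. $1 = sudoers.d directory.
configure_sudo() {
    dir=${1:-/etc/sudoers.d}
    tmp=$(mktemp) || return 1
    printf '# Members of the LDAP group %s may run sudo\n%%%s ALL=(root) ALL\n' \
        "$ADMIN_GROUP" "$ADMIN_GROUP" > "$tmp"
    if [ -x "$VISUDO" ] && ! "$VISUDO" -cf "$tmp" >/dev/null; then
        echo "visudo rejected the drop-in"; rm -f "$tmp"; return 1
    fi
    install -m 0440 "$tmp" "$dir/ldap-$ADMIN_GROUP" && rm -f "$tmp"
}

# Read-only verification for one LDAP user: NSS lookup, group membership,
# the keys sshd will accept, and the sudo rule as sudo itself resolves it.
check_user() {
    getent passwd "$1" && id "$1" && getent group "$ADMIN_GROUP" \
        && ssh-ldap-pubkey list "$1" && sudo -l -U "$1"
}

# usage: <script> apply   or   <script> check <ldap-user>
case ${1:-} in
    apply) configure_sshd_keys_command && configure_pam_access && configure_sudo ;;
    check) check_user "${2:?usage: $0 check <ldap-user>}" ;;
esac
```

Run `apply` as root once nslcd is answering (`getent group ServerAdmins` lists members), then `service ssh restart` and `check <ldap-user>` from a session you are still logged in to. Because every change is guarded by an exact-line match, running `apply` twice leaves the files unchanged, which is what you want from a script that ends up in a provisioning tool.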