This works with Ubuntu 10.04 clients using an OSX Snow Leopard OpenLDAP server. It should work with other variants, but I had such a terrible time finding documentation for ubuntu and osx, that I decided to post this.
Step one: Make sure root has a password, if you screw this up and root doesn’t have a password, you won’t be able to su -.
Now install the packages you need for the Ubuntu client:
apt-get install nss-updatedb ldap-utils libpam-ldap libnss-ldap nscd nslcd sudo-ldap
Next, edit /etc/nsswitch.conf and change
passwd: compat group: compat
passwd: files ldap group: files ldap
Now restart the nscd service and nslcd
When you install the packages above, it will prompt you for your directory info. I skipped that config and edited manually. /etc/ldap.conf should look like this:
host 184.108.40.206 base dc=example,dc=com ldap_version 3 #pam_filter !(uid=root) pam_password crypt
Now make sure your nslcd.conf is correct:
# /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) # for details. # The user and group nslcd should run as. uid nslcd gid nslcd # The location at which the LDAP server(s) should be reachable. uri ldap://220.127.116.11/ # The search base that will be used for all queries. base dc=example,dc=com # The LDAP protocol version to use. ldap_version 3 # The DN to bind with for normal lookups. #binddn cn=annonymous,dc=example,dc=net #bindpw secret # SSL options ssl off #tls_reqcert never # The search scope. scope sub
That should do it. If your LDAP admin group is “admin”, users in that group should have sudo based on the default sudoers.