I have a Zimbra email server which contains an LDAP server housing all my users and their passwords. I would like to enable single sign-on for my Linux machines. The only account details I'll be using from LDAP are the username and password.
The last time I did this, I did it the hard way and modified files in /etc/pam.d by hand. Using the authconfig command is much more convenient.
The following has been tested on Fedora 9.
First, run authconfig. This will configure pam.d/* and make some changes to /etc/ldap.conf and /etc/openldap/*.
The Zimbra LDAP server requires a privileged bind to LDAP before comparing the passwords. I didn't see how to specify this with authconfig, but it is easy to do by hand.
In my case, the hostname (ldap.domain.com) does not match the CN in the certificate (mail.domain.com). It's not the most secure fix, but this can be worked around with the tls_checkpeer option.
And finally, add the LDAP password to /etc/ldap.secret
That password may be obtained like this:
Create users on the local system with the same username as found in Zimbra and logins just work.
As configured above, the password from /etc/shadow will continue to work if one exists.
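The steps above leave a handful of settings whose state decides whether the client is actually safe: the privileged bind DN, where the bind password ends up, the permissions on /etc/ldap.secret, whether TLS is on at all, and the tls_checkpeer workaround (with it set to `no` the client stops verifying the server certificate and will hand the bind password and every user password to whatever answers on the LDAP port). The script below is an added example, not part of the original post and not Zimbra's or authconfig's own code: it audits a pam_ldap/nss_ldap style ldap.conf and the secret file for exactly those points. It assumes the privileged bind is configured with `rootbinddn` and the password in /etc/ldap.secret (the usual pam_ldap layout), and it uses the Zimbra admin DN `uid=zimbra,cn=admins,cn=zimbra` and the host names from the post only inside a constructed sample config; run it against the real files as `audit_ldap_client /etc/ldap.conf /etc/ldap.secret`.

```shell
#!/bin/sh
# Added example (not from the original post): audit the pam_ldap client settings
# described above. File locations are parameters so the same check runs against a
# constructed sample (demo at the bottom) or the real /etc/ldap.conf.

# get_opt FILE KEY -> print the value of KEY (first match, comments ignored)
get_opt() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_ldap_client CONF SECRET -> print findings, return the number of findings
audit_ldap_client() {
    conf="$1"; secret="$2"; findings=0

    # 1. A privileged bind DN must be configured; Zimbra rejects anonymous compares.
    if [ -z "$(get_opt "$conf" rootbinddn)" ] && [ -z "$(get_opt "$conf" binddn)" ]; then
        echo "FINDING: no rootbinddn/binddn in $conf"; findings=$((findings + 1))
    fi

    # 2. The bind password belongs in the root-only secret file, not in the
    #    world-readable ldap.conf.
    if [ -n "$(get_opt "$conf" bindpw)" ]; then
        echo "FINDING: bindpw stored in $conf (world-readable)"; findings=$((findings + 1))
    fi

    # 3. The secret file must exist and be readable by root only.
    if [ ! -s "$secret" ]; then
        echo "FINDING: $secret missing or empty"; findings=$((findings + 1))
    else
        mode=$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret")
        case "$mode" in
            600|400) ;;
            *) echo "FINDING: $secret has mode $mode, expected 600"; findings=$((findings + 1)) ;;
        esac
    fi

    # 4. TLS must be on, otherwise the bind password and user passwords cross the
    #    wire in clear; and tls_checkpeer no means any certificate is accepted.
    ssl=$(get_opt "$conf" ssl)
    case "$ssl" in
        start_tls|on|yes) ;;
        *) echo "FINDING: ssl is '$ssl', expected start_tls"; findings=$((findings + 1)) ;;
    esac
    if [ "$(get_opt "$conf" tls_checkpeer)" = "no" ]; then
        echo "FINDING: tls_checkpeer no, server certificate is not verified"; findings=$((findings + 1))
    fi

    return "$findings"
}

# --- demo on a constructed sample (hypothetical values, not a real deployment) ---
tmp=$(mktemp -d)
cat > "$tmp/ldap.conf" <<'EOF'
uri ldap://ldap.domain.com
base dc=domain,dc=com
ssl start_tls
tls_checkpeer no
rootbinddn uid=zimbra,cn=admins,cn=zimbra
EOF
printf 'constructed-example-password\n' > "$tmp/ldap.secret"
chmod 644 "$tmp/ldap.secret"
if audit_ldap_client "$tmp/ldap.conf" "$tmp/ldap.secret"; then
    echo "no findings"
else
    echo "findings: $?"
fi
rm -rf "$tmp"
```

The sample deliberately reproduces the two weak points the post mentions, tls_checkpeer turned off and a secret file that was created without fixing its mode, so the demo reports two findings. If you must keep tls_checkpeer off because the certificate CN does not match the host name, the cleaner fix is to point the client at the name the certificate was issued for (mail.domain.com in the post) or to reissue the certificate with both names, and then turn peer checking back on.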