The PAM configuration for eDirectory is similar to the PAM LDAP configuration. The only difference is that the base and binddn values contain O=Edir_tree_name.
A sample configuration is shown below.
[root@localhost ~]# vi /etc/nslcd.conf
# nslcd settings for resolving users and groups from eDirectory over LDAP.
# NOTE(review): this file holds the bind password (bindpw), so it should not be
# readable by unprivileged users; check its owner and mode after editing.

# Account and group the nslcd daemon runs as.
uid nslcd
gid ldap
# NOTE(review): ldap:// is the cleartext scheme and no "ssl start_tls" line is
# present in this sample, so the bind password and lookup results appear to
# cross the network unencrypted. Prefer ldaps:// or StartTLS with certificate
# verification before using this outside a lab.
uri ldap://192.168.1.10:390
# Search base and bind DN; both carry the eDirectory organization (O=<tree name>).
base CN=PAM-DC-NDS,O=sagar-edir
binddn cn=pam-euser1,O=sagar-edir
# Sample value only: replace with the bind account's own password and never
# reuse the string shown here. The bind account should be limited to the
# read-only lookups nslcd needs.
bindpw Dlp123@1
# Search the whole subtree below the base for the group and hosts maps.
scope group sub
scope hosts sub
# Request results in pages of 1000 entries.
pagesize 1000
# Do not follow LDAP referrals returned by the server.
referrals off
# NOTE(review): (objectClass=*) matches every object under the base, so the
# passwd map is not restricted to user entries; presumably acceptable for a
# sample, but a filter on the user object class would narrow which entries can
# surface as accounts. Confirm against the directory layout.
filter passwd (&(objectClass=*))
#filter shadow (&(objectClass=*))
#filter group (objectClass=*)
#map group uniqueMember member
# TLS options are left commented out in this sample.
# NOTE(review): if TLS is turned on, do not enable "tls_reqcert never" as
# written below; it disables server-certificate verification. Point
# tls_cacertdir at the trusted CA directory and use "tls_reqcert demand".
#tls_cacertdir /etc/openldap/cacerts
#tls_reqcert never
# Give up on a bind or a search after 3 seconds.
bind_timelimit 3
timelimit 3
# Default search scope for maps without their own scope line.
scope sub
[root@localhost ~]#vi /etc/pam_ldap.conf
# pam_ldap settings for authenticating logins against eDirectory.
# NOTE(review): pam_ldap authenticates by binding to the directory as the
# user, so over a plain ldap:// URI with no StartTLS configured the login
# password would be sent in cleartext. Prefer ldaps:// or "ssl start_tls"
# with certificate checking enabled.
uri ldap://192.168.1.10:390
# Search base and bind DN; both carry the eDirectory organization (O=<tree name>).
base CN=PAM-DC-NDS,O=sagar-edir
binddn cn=pam-euser1,o=sagar-edir
# Masked placeholder: supply the bind account's password here and keep the
# account restricted to read-only lookups.
bindpw *****
# Use the NDS (eDirectory) style of password change.
pam_password nds
# Read the password from authPassword where userPassword would be used.
nss_map_attribute userPassword authPassword
# Only entries matching this filter are considered for login.
pam_filter objectclass=user
# Search the whole subtree below the base.
scope sub
# The next two lines repeat settings already given above.
pam_password nds
nss_map_attribute userPassword authPassword
## additional options to try
# Attribute matched against the login name.
pam_login_attribute uid
# NOTE(review): pam_member_attribute is used for group-membership checks; no
# pam_groupdn is set in this sample, so it presumably has no effect here.
# Confirm before relying on it for access control.
pam_member_attribute gid
# Schema mappings from the names the NSS/PAM side expects to the names used in
# this directory.
nss_map_attribute uniqueMember member
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
[root@localhost ~]#vi /etc/openldap/ldap.conf
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# Client defaults for the OpenLDAP tools and libraries.
# NOTE(review): the URI uses the cleartext ldap:// scheme; the CA directory
# below only matters once a TLS connection (ldaps:// or StartTLS) is used.
uri ldap://192.168.1.10:390
base O=sagar-edir
# Directory of CA certificates trusted for verifying the LDAP server.
# NOTE(review): keep certificate verification on (do not set TLS_REQCERT to
# never) so that a server presenting an untrusted certificate is rejected.
TLS_CACERTDIR /etc/openldap/cacerts
A uidNumber must be defined for each user and a gidNumber for each group in order for Security Analytics to work.
By default, users and groups in eDirectory do not have uid and gid numbers. It is necessary to extend the AD schema to add these attributes.
More information on PAM/LDAP/start_tls authentication via Novell eDirectory for Linux can be found here.