Connecting UNIX/Linux Systems to the GWDG's User Account Management


To use our OpenLDAP service you have to install the so called PAM (pluggable authentication modules) modules and NSS (name service switch). NSS enables your operating system to use name resolution from different data sources. This is true for computer names, group names and user names. PAM and NSS are available for Linux and FreeBSD systems. In the following we describe the connection to our LDAP server. Because SuSE Linux and Ubuntu are widespread in Göttingen, we mainly refer to these Linux distributions. Mac OS X also works with OpenLDAP. Please contact for further information.

Requiered Software Packages

On SuSE Linux systems you can use the rpm command to check if the three necessary software packages are installed:

> rpm -qa | grep ldap    

On Ubuntu systems, the following software packages are necessary:


On FreeBSD systems, you can use the pkg info command:

> pkg info | grep ldap    

In the examples above a “>” at the beginning on a line symbolizes a shell command prompt. The mentioned version numbers are not so important.

OpenLDAP Configuration

On OpenLDAP Linux clients, all the necessary configuration files are stored in the directory /etc/openldap respectively /usr/local/etc/openldap on FreeBSD clients. The central configuration file is ldap.conf which ponits to the GWDG's OpenLDAP server. Here is an example:

BASE        xxxxxxx                # beginning of a search path in the LDAP directory
URI         ldaps://
binddn      xxxxxxx                # user with search privileges
bindpw      xxxxxxx                # corresponding password
TLS_CACERT  /etc/openldap/ldap-ca.pem 
ssl         on   

Please contact for BASE, binddn and bindpw entries.

To use ssl, you have to install a CA certificate from a trustcenter. You can find this file on our server Simply copy the file /etc/openldap/ldap-ca.pem to the same directory where your ldap.conf file is located. This file is also available on our server It is located in /var/openldap/cert/ldap-ca.pem.

Make sure that ldap.conf and ldap-ca.pem are both readable for every user.

PAM Configuration

PAM configuration is an important thing during the setup process of an OpenLDAP client. You have to configurate each service (e.g. ssh, sftp) that allows a user login seperately if necessary. On Linux and FreeBSD systems, you have to edit all configuration files in the directory /etc/pam.d/ for your relevant services. It is important to include the pam_ldap entries in the configuration files. Otherwise OpenLDAP authentifications would not work for these services.

On FreeBSD systems one of these configuration files are system (to make login and su work) and sshd (for ssh logins). Here is an example of the /etc/pam.d/sshd configuration file:

# PAM configuration for the "sshd" service
# auth
auth            required          no_warn
auth            sufficient             no_warn no_fake_prompts
auth            requisite       no_warn allow_local
auth            sufficient             no_warn try_first_pass
auth            required             no_warn try_first_pass
# account
account         sufficient
account         sufficient
account         required
# session
#session        sufficient              
session         required
# password
password        required             no_warn try_first_pass

E.g. for OpenLDAP console logins on Ubuntu systems, you have to enter the service specific entries in /etc/pam.d/common-password and /etc/pam.d/common-auth. Here is an example of a common-password configuration file:

# /etc/pam.d/common-password - password-related modules common to all services
password	[success=2 default=ignore] obscure sha512
password	[success=1 user_unknown=ignore default=die] use_authtok try_first_pass
password	requisite
password	required
password	optional 

and here an example of an common-auth configuration:

# /etc/pam.d/common-auth - authentication settings common to all services
auth	[success=2 default=ignore] nullok_secure
auth	[success=1 default=ignore] use_first_pass
auth	requisite
auth	required

On FreeBSD and Linux systems, the pam_ldap module uses its own configuration file ldap.conf. You can link them to your OpenLDAP configuration file.

On Linux systems enter:

> ln -fsv /etc/openldap/ldap.conf /etc/ldap.conf  

And on a FreeBSD machine:

> ln -fsv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf 

NSS Configuration

You have to change two lines in the file /etc/nsswitch.conf to get access to the OpenLDAP data:

group: files ldap 
passwd: files ldap 

On FreeBSD machines, you have to link the file /usr/local/etc/nss_ldap.conf to /usr/local/etc/openldap/ldap.conf.
You can check if your NSS configuration is working with the id command and your GWDG account (e.g. gast00).

> id gast00
uid=6722(gast00) gid=5070(GGST) groups=5070(GGST)

If it does not work, you get an error message like that:

id: gast00: no such user 

Other Measures

In the GWDG LDAP directory /usr/users/USERNAME/ is defined as your user home directory. In certain circumstances, you have to link your home directory (e.g. /home/otto) to /usr/users/onormal for a successful login. Enter:

> mkdir /usr/users
> ln -s /home/otto /usr/users/onormal

Afterwards the user otto can use /usr/users/onormal/ as his home directory.


If you have any problems or questions regarding OpenLDAP, please contact

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies