LDAP Notes

LDAP has been on my list of "things to play with" for a long time, and now that I've finally gotten around to it, I've documented it here for others to follow. Enjoy!


  • base dn: dc=nerdcircus,dc=org
  • minimal anonymous access, no information leaks. (see LDAPServerACLs)
  • All traffic SSL encrypted
  • All communication done over ldaps://, or with StartTLS (so it's all encrypted)
  • LDAP Replica established for redundancy (replication also SSL encrypted)
  • Clients configured to use both master and replica ldap servers (for redundancy)
  • LDAP user ids begin at 1000
  • LDAP group ids begin at 1000
    • pam/nss binds anonymous
    • Configuring PAM to allow LDAP users to log in
    • Configuring PAM to restrict to a group of LDAP users
    • Configuring PAM-enabled services, like ssh

The Process

Unless otherwise noted, all content is copyright Marc Dougherty and is subject to a Creative Commons license.