First, I added all public SSH keys to the altSecurityIdentities attribute in AD. Probably not what it's for but it's there and it works!
Second, I added a script to /etc/ssh which fetches the public keys for a particular user:
```sh
#!/bin/sh
# Look up the AD account by sAMAccountName (sshd passes the login name as $1)
# and print its altSecurityIdentities values. The sed script unfolds LDIF
# continuation lines (they start with a space) and strips the attribute name,
# so what comes out is in authorized_keys format. Bind credentials redacted.
ldapsearch '(&(objectClass=user)(sAMAccountName='"$1"'))' \
    -H ldap://ad.urbanlogiq.com:3268 -D '***' -w '***' \
    'altSecurityIdentities' \
  | sed -n '/^ /{H;d};/altSecurityIdentities:/x;$g;s/\n *//g;s/altSecurityIdentities: //gp'
```
... which was referenced by the /etc/ssh/sshd_config file:
```
[... snip ...]
AuthorizedKeysCommand /etc/ssh/ldap_keys.sh
AuthorizedKeysCommandUser nobody
[... snip ...]
```
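As an added example (not the post's own script), here is a more defensive version of the same lookup in POSIX sh: it unfolds the LDIF continuation lines that the sed one-liner above handles, keeps only values that look like OpenSSH public keys (altSecurityIdentities commonly also holds X509 and Kerberos name mappings, which must not reach sshd), and checks the username before it is spliced into an LDAP filter. The LDIF is a constructed sample standing in for real ldapsearch output, and the function and variable names are mine.

```sh
#!/bin/sh
# Added example, not the post's script. Constructed sample of what
# ldapsearch prints for a user: long values are folded onto continuation
# lines that start with a single space, and altSecurityIdentities may also
# hold non-SSH mappings (e.g. X509) that must not reach sshd.
SAMPLE_LDIF='dn: CN=alice,OU=Users,DC=example,DC=com
altSecurityIdentities: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly
 ForIllustration alice@laptop
altSecurityIdentities: X509:<I>DC=com,DC=example<S>CN=alice
altSecurityIdentities: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexample bob@desk
sAMAccountName: alice

# search result
search: 2
result: 0 Success'

# Only accept a plain account name before it is spliced into an LDAP filter;
# sshd passes the login name as $1 to the AuthorizedKeysCommand.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Unfold LDIF on stdin: a line beginning with a space continues the previous
# line (the leading space itself is not part of the value).
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { print "" }'
}

# Emit altSecurityIdentities values that look like OpenSSH public keys
# (key type, base64 blob, optional comment); everything else is dropped.
extract_ssh_keys() {
    unfold_ldif \
      | sed -n 's/^altSecurityIdentities: //p' \
      | grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# Stand-alone demo on the constructed sample. In a real AuthorizedKeysCommand
# the left side of the pipe would be:
#   valid_username "$1" && ldapsearch ... '(sAMAccountName='"$1"')' ...
printf '%s\n' "$SAMPLE_LDIF" | extract_ssh_keys
```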
Then, I installed the libpam-ldapd package (note the trailing d!). The nslcd daemon was configured like so:
```
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ad.myhouse.inthemiddleofthestreet.com:3268

# The search base that will be used for all queries.
base ***

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn ***
bindpw ***

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
scope sub

# Mappings for Active Directory
# This is the important bit; these fields match up with the fields added by Directory Services for UNIX
pagesize 1000
#referrals no
filter passwd (&(objectClass=person))
map passwd uid sAMAccountName
map passwd homeDirectory "/home/$sAMAccountName"
map passwd loginShell "/bin/bash"
map passwd gecos displayName
map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
# If you wish to override the shell given by LDAP, uncomment the next line
#map passwd loginShell "/bin/bash"
filter shadow (&(objectClass=person))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
#map group gid member
```
Note the attribute map above: the uidNumber and gidNumber maps are needed, otherwise things will break when nslcd tries to find your user in the default SimpleDirectory schema. Next, nsswitch.conf needs to be updated to use ldap:
```
[... snip ...]
passwd: compat ldap
group: compat ldap
shadow: compat ldap
[... snip ...]
```
And, lastly, /etc/pam.d/common-session needs to be augmented so that PAM creates the home directory on first login. Just add this line at the end:

```
session required pam_mkhomedir.so skel=/etc/skel umask=0022
```
And that's what I did! I still need to sort out sudo functionality. Maybe that'll be a future update.