
I've finally got LDAP auth working on Ubuntu 18.04; however, it only works if I first create the local user account (e.g. john.smith).

If I don't create the account first, it fails to bind to the LDAP server (AD).

Interestingly, it finds the user (auth.log shows the OU); however, it then tries to bind with cn=john smith (missing the period in the middle).

Can I have PAM automatically create the local account and assign it to a local Unix group?

Any help or pointers appreciated. Tim

1 Answer


Usually, implementing central user management for Linux/Unix consists of two parts:

  • PAM (what you already did) for user password authentication
  • NSS (name service switch) config for integrating the remote user management (e.g. LDAP) to provide passwd and group maps

Normally you would use a local NSS/PAM service like sssd or nss-pam-ldapd (aka nslcd), but not add any local users.

PAM is configured in /etc/pam.d and NSS is configured in /etc/nsswitch.conf.
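A quick way to see whether the NSS half of the answer above is in place is to check which sources the passwd and group maps in /etc/nsswitch.conf point at: if only local sources (compat, files) are listed, LDAP users will not resolve until a local account exists, which matches the symptom in the question. The script below is an added example, not part of the answer; it parses constructed nsswitch.conf samples (one without and one with a remote source) rather than the real file, and the sss source it looks for is what sssd registers (nss-pam-ldapd registers ldap instead).

```shell
#!/bin/sh
# Added example: report whether each NSS map in an nsswitch.conf-style
# configuration includes a remote source (sss for sssd, ldap for nslcd).
# Both inputs below are constructed samples, not copied from any host.

# Sample 1: a stock Ubuntu layout with only local sources.
SAMPLE_NSSWITCH='passwd:         compat systemd
group:          compat systemd
shadow:         compat
hosts:          files dns'

# Sample 2: the same file after adding sssd as a source for the user maps.
SAMPLE_NSSWITCH_FIXED='passwd:         compat systemd sss
group:          compat systemd sss
shadow:         compat sss
hosts:          files dns'

# nss_sources MAP CONTENT
# Prints the sources configured for MAP (e.g. "compat systemd sss").
nss_sources() {
    printf '%s\n' "$2" | awk -v map="$1" '
        $1 == (map ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_has_remote MAP CONTENT
# Exit status 0 if MAP lists a remote source (sss or ldap), 1 otherwise.
nss_has_remote() {
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in
            sss|ldap) return 0 ;;
        esac
    done
    return 1
}

# nss_report CONTENT
# Prints one line per user-related map saying whether it is remote-backed.
nss_report() {
    for map in passwd group shadow; do
        if nss_has_remote "$map" "$1"; then
            printf '%-7s remote source present (%s)\n' "$map" "$(nss_sources "$map" "$1")"
        else
            printf '%-7s local sources only   (%s)\n' "$map" "$(nss_sources "$map" "$1")"
        fi
    done
}

echo "--- before (constructed sample) ---"
nss_report "$SAMPLE_NSSWITCH"
echo "--- after adding sss (constructed sample) ---"
nss_report "$SAMPLE_NSSWITCH_FIXED"

# On a real host you would run:  nss_report "$(cat /etc/nsswitch.conf)"
# and then confirm resolution without a local account with:
#   getent passwd john.smith
# If getent prints nothing, PAM has no user to authenticate, regardless of
# how the LDAP bind itself is configured.
```

The check deliberately stops at NSS: once `getent passwd` returns the LDAP user, the PAM stack in /etc/pam.d can authenticate against the directory, and a home directory can be created on first login by pam_mkhomedir, which is the usual replacement for pre-creating accounts by hand.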