The ldap.conf File--Configure LDAP Daemon (slapd)
For the LDAP module to know how LDAP authentication is to be performed, client LDAP processes must refer to an ldap.conf file. In this case, the ingvalidpam program is the only client process that references the ldap.conf file, therefore, the ldap.conf file needs to be configured on the server side only. Client machines do not need to configure ldap.conf.
By default, ldap.conf resides in the /etc directory, but you can override the path and file name of ldap.conf with the LDAPCONF environment variable.
By default, the PAM LDAP module searches the slapd database for object classes of posixAccount. A Distinguished Name for a posixAccount user might look like this:
uid=johnDoe,ou=people,dc=myDomain,dc=com
In ldap.conf, you define a BASE attribute of:
ou=people,dc=myHost,dc=com
This shorthand allows you to define only "johnDoe" as the user name in netutil instead of the entire Distinguished Name.
The only other attribute required is the HOST, which is defined as the FQDN (fully qualified domain name) of the server as defined by TCP/IP. Therefore, your ldap.conf file would look like this:
HOST myHost.myDomain.com
BASE ou=people,dc=myDomain,dc=com
Note: PAM expects ldap.conf to reside in /etc, and ignores the LDAPCONF variable. So if your ldap.conf directory resides elsewhere, set up a symbolic link:
ln -s /etc/openldap/ldap.conf /etc/ldap.conf