
Setting Up OpenLDAP for Linux Authentication

NSS-LDAP

Begin by installing the shared library code that the name service needs in order to use LDAP.

  apt-get install libnss-ldap

Next, open the /etc/nsswitch.conf file, and tell the name service subsystem to use LDAP to obtain user information.

  passwd:    files ldap
  group:     files ldap
  shadow:    files ldap		

Note that we do not eliminate the use of flat files, since some users and groups (e.g. root) will remain local. If your machines do not use flat files at all and your LDAP server goes down, not even root will be able to log in.

Finally, you need to tell the name service subsystem how to talk to your LDAP server. This is done in the file /etc/libnss-ldap.conf.

  uri ldap://localhost
  base dc=example, dc=org


The uri directive specifies the domain name (or IP address) of your LDAP server. Although this example lists only one server, you can specify several, in which case they will be tried in failover order. The base directive specifies the root DN at which searches should start. For additional information on these and other configuration directives, see man libnss-ldap.conf.

nss-ldap expects accounts to be objects with the following attributes: uid, uidNumber, gidNumber, homeDirectory, and loginShell. These attributes are allowed by the objectClass posixAccount.

There is a simple way to verify that your name service subsystem is using your LDAP server as instructed. Assign a file to be owned by a user that exists only in the LDAP database, not in /etc/passwd. If an ls -l correctly shows the username, then the name service subsystem is consulting the LDAP database; if it just shows the user number, something is wrong. For example, if the user john, with user number 1001, exists only in LDAP, we can try

  # touch /tmp/test
  # chown 1001 /tmp/test 
  # ls -l /tmp/test
  -rw-r-----     1 john     users         0 Jan  1 12:00 test

to determine whether the name service is using LDAP.
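The chown/ls -l test above needs root and a scratch file. The following added example (not part of the original post) performs the same check from the shell without either, using getent, which resolves names through the same nsswitch.conf stack as ls. The optional second argument of nss_source is a passwd file to compare against and is an assumption of this script, not anything the post configures.

```shell
#!/bin/sh
# Added example: classify where the name service resolves a user from.
# Assumes the "passwd: files ldap" line from /etc/nsswitch.conf above, so a
# user that getent finds but the local passwd file lacks must come from LDAP.

# nss_source USER [PASSWD_FILE]
#   prints "files"   when USER is in the local passwd file (default /etc/passwd)
#          "ldap"    when getent resolves USER but the local file does not have it
#          "missing" when the name service cannot resolve USER at all
nss_source() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    if grep -q "^${user}:" "$passwd_file" 2>/dev/null; then
        echo files
    elif getent passwd "$user" >/dev/null 2>&1; then
        echo ldap
    else
        echo missing
    fi
}

# nss_uid_name UID
#   prints the name the name service maps UID to, or UID itself when nothing
#   resolves it, which is exactly what ls -l shows as a bare number
nss_uid_name() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    printf '%s\n' "${name:-$1}"
}

# Usage, mirroring the post's example of john with uid 1001:
#   nss_source john        -> "ldap" once libnss-ldap is working, "missing" if not
#   nss_uid_name 1001      -> "john" when NSS consults LDAP, "1001" when it does not
```

When nss_source reports "missing" for a user you know exists in the directory, the usual culprits are the uri or base directive in /etc/libnss-ldap.conf, or the nsswitch.conf lines not having been saved.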

PAM-LDAP

Next we'll do the authentication piece. First get the right libraries.

  # apt-get also works 
  sudo aptitude install libpam-ldap

Now check the configuration file for pam-ldap by looking at /etc/pam_ldap.conf.

  uri ldap://localhost/
  base dc=example,dc=org
  pam_password exop

uri and base work just as they do in /etc/libnss-ldap.conf. pam_password exop tells pam to let the LDAP server hash the password (via the password-modify extended operation). Otherwise pam would hash the password itself and the LDAP server wouldn't be able to authenticate against it.

pam assumes accounts have uid and userPassword. So long as you are using posixAccount these fields will be there.

Every service which uses pam has its very own configuration file. These files live under /etc/pam.d/. With Debian I didn't have to change a thing.

We'll need to add entries for password matching (aka auth), account verification (account), and password updating (password). With Debian I only changed four files.

/etc/pam.d/common-account

  account sufficient      pam_unix.so
  account required        pam_ldap.so

/etc/pam.d/common-auth

  auth    sufficient      pam_ldap.so
  auth    required        pam_unix.so nullok_secure

/etc/pam.d/common-password

  password   sufficient   pam_ldap.so
  password   required   pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session

  session sufficient      pam_unix.so
  session required        pam_ldap.so

I did not need to modify /etc/pam.d/login, but for reference mine looks like this after grepping out the comments and whitespace:

  auth       requisite  pam_securetty.so
  auth       requisite  pam_nologin.so
  session       required   pam_env.so readenv=1
  @include common-auth
  auth       optional   pam_group.so
  @include common-account
  @include common-session
  session    required   pam_limits.so
  session    optional   pam_lastlog.so
  session    optional   pam_motd.so
  session    optional   pam_mail.so standard
  @include common-password
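Because every service file pulls the common-* files in through @include lines, the easiest way to confirm that pam_ldap.so really ends up in all four stacks of a given service is to flatten the includes the way the grep-stripped listing above does and then look for the module. The script below is an added example, not something from the original post or from Debian; it assumes a PAMDIR variable (defaulting to /etc/pam.d) and the classic one-word control keywords (required, sufficient, optional, requisite) used on this page, not the bracketed [success=1 default=ignore] syntax.

```shell
#!/bin/sh
# Added example: expand @include lines in a PAM service file and report which
# stack types (auth, account, password, session) consult pam_ldap.so.
# PAMDIR is an assumption of this script; point it at a copy to inspect safely.

PAMDIR=${PAMDIR:-/etc/pam.d}

# pam_flatten SERVICE
#   prints the effective stack for SERVICE: comments and blank lines dropped,
#   every "@include NAME" replaced by the flattened contents of $PAMDIR/NAME
pam_flatten() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$PAMDIR/$1" | while read -r first rest; do
        if [ "$first" = "@include" ]; then
            pam_flatten "$rest"
        else
            printf '%s %s\n' "$first" "$rest"
        fi
    done
}

# pam_has_module SERVICE TYPE MODULE
#   succeeds (exit 0) when the flattened stack of SERVICE contains a TYPE line
#   whose module (third field) is MODULE, e.g. pam_has_module login auth pam_ldap.so
pam_has_module() {
    pam_flatten "$1" | awk -v t="$2" -v m="$3" '
        $1 == t && $3 == m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# pam_ldap_coverage SERVICE
#   one line per stack type: "ldap" when pam_ldap.so is consulted for that type,
#   "local-only" when only pam_unix.so and friends are, which is the check you
#   want after editing the four common-* files
pam_ldap_coverage() {
    for t in auth account password session; do
        if pam_has_module "$1" "$t" pam_ldap.so; then
            printf '%s: ldap\n' "$t"
        else
            printf '%s: local-only\n' "$t"
        fi
    done
}

# Usage: pam_ldap_coverage login
# With the common-* files shown above, all four lines should read "ldap".
```

A service whose coverage shows "local-only" for account or session is one where LDAP users can authenticate but will have no session set up, or where account expiry held in the directory is never consulted, so it is worth running this over every file under /etc/pam.d rather than only login.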