Setting Up OpenLDAP for Linux Authentication
NSS-LDAP
Begin by installing the shared library code necessary for the name service to use ldap.
apt-get install libnss-ldap
Next, open the /etc/nsswitch.conf file, and tell the name service subsystem to use LDAP to obtain user information.
passwd: files ldap
group:  files ldap
shadow: files ldap
Note that we do not eliminate the use of flat files, since some users and groups (e.g. root) will remain local. If your machines do not use flat files at all and your LDAP server goes down, not even root will be able to log in.
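The ordering in those three lines is the point of the warning above: files must come first and must not be dropped. Here is an added check (example code, not from the original article) that parses an nsswitch.conf and reports, for passwd, group and shadow, whether files is present, whether ldap is present, and whether ldap was accidentally put ahead of files. The sample configuration inside the script is constructed; on a real host feed it /etc/nsswitch.conf as shown in the last comment.

```shell
#!/bin/sh
# Added example (not from the original article): check that nsswitch.conf keeps
# "files" ahead of "ldap" for passwd, group and shadow, so that local accounts
# such as root still resolve when the LDAP server is unreachable.

# Constructed sample of the lines the article adds to /etc/nsswitch.conf.
SAMPLE_NSSWITCH='passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns'

# nss_db_sources DB CONFIG_TEXT -> prints DB's source list, e.g. "files ldap"
nss_db_sources() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | sed 's/#.*//' | head -n 1
}

# nss_check_db DB CONFIG_TEXT -> prints one of
#   ok | no-entry | files-missing | ldap-missing | ldap-first
# and returns 0 only for "ok".
nss_check_db() {
    sources=$(nss_db_sources "$1" "$2")
    if [ -z "$sources" ]; then echo no-entry; return 1; fi
    files_pos=0; ldap_pos=0; i=0
    for src in $sources; do
        i=$((i + 1))
        if [ "$src" = files ] && [ "$files_pos" -eq 0 ]; then files_pos=$i; fi
        if [ "$src" = ldap ]  && [ "$ldap_pos" -eq 0 ];  then ldap_pos=$i;  fi
    done
    if [ "$files_pos" -eq 0 ]; then echo files-missing; return 1; fi
    if [ "$ldap_pos" -eq 0 ];  then echo ldap-missing;  return 1; fi
    if [ "$ldap_pos" -lt "$files_pos" ]; then echo ldap-first; return 1; fi
    echo ok
}

# nss_check_all CONFIG_TEXT -> reports passwd, group and shadow; returns 0 if all ok
nss_check_all() {
    rc=0
    for db in passwd group shadow; do
        status=$(nss_check_db "$db" "$1" || true)
        echo "$db: $status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Check the constructed sample; on a real host run:
#   nss_check_all "$(cat /etc/nsswitch.conf)"
nss_check_all "$SAMPLE_NSSWITCH"
```

A non-zero exit from nss_check_all means at least one database would either stop consulting local accounts or would wait on the LDAP server before falling back to them.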
Finally, you need to tell the name service subsystem how to talk to your LDAP server. This is done in the file /etc/libnss-ldap.conf.
uri ldap://localhost
base dc=example, dc=org
The uri directive specifies the domain name (or IP address) of your LDAP server. You can list several URIs on that line, separated by spaces, in which case they are tried in failover fashion. The base directive specifies the root DN at which searches should start. For additional information on these and other configuration directives, see man libnss-ldap.conf.
nss-ldap expects accounts to be objects with the following attributes: uid, uidNumber, gidNumber, homeDirectory, and loginShell. These attributes are allowed by the objectClass posixAccount.
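As an added example (not from the original article), here is what such an account looks like in LDIF for the user john (uid 1001) used later on this page, together with a small check that lists which of the attributes nss-ldap needs are missing from an entry. The base DN follows the article; the gidNumber, home directory, shell, structural object class and the placeholder password hash are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a constructed LDIF entry for
# the user "john" (uid 1001) with the attributes nss-ldap requires, and a
# check that reports which required attributes an entry is missing.
# gidNumber, homeDirectory, loginShell and the password value are assumptions.

NSS_REQUIRED_ATTRS="uid uidNumber gidNumber homeDirectory loginShell"

# Constructed entry: "account" is the structural class, posixAccount adds the
# POSIX attributes and shadowAccount the password-ageing ones.
JOHN_LDIF='dn: uid=john,ou=People,dc=example,dc=org
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: john
uid: john
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
userPassword: {SSHA}placeholder-hash-replace-before-use'

# ldif_has_attr ATTR LDIF_TEXT -> 0 if the attribute is present with a value
ldif_has_attr() {
    printf '%s\n' "$2" | grep -qi "^$1:[[:space:]]*[^[:space:]]"
}

# ldif_missing_attrs LDIF_TEXT -> prints the required attrs that are absent, one per line
ldif_missing_attrs() {
    for attr in $NSS_REQUIRED_ATTRS; do
        ldif_has_attr "$attr" "$1" || echo "$attr"
    done
}

# ldif_check_entry LDIF_TEXT -> 0 if nothing is missing, else 1
ldif_check_entry() {
    missing=$(ldif_missing_attrs "$1")
    if [ -n "$missing" ]; then
        echo "missing: $(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    echo "all nss-ldap attributes present"
}

ldif_check_entry "$JOHN_LDIF"
# To load the entry into a running OpenLDAP (the admin DN is an assumption):
#   printf '%s\n' "$JOHN_LDIF" | ldapadd -x -D cn=admin,dc=example,dc=org -W
```

An entry that passes this check will show up in getent passwd once nss-ldap is configured; one that fails it is typically the reason a user resolves to a bare number in ls -l.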
There is a simple way to verify that your name service subsystem is using your LDAP server as instructed. Assign a file to be owned by a user that exists only in the LDAP database, not in /etc/passwd. If an ls -l correctly shows the username, then the name service subsystem is consulting the LDAP database; if it just shows the user number, something is wrong. For example, if the user john, with user number 1001, exists only in LDAP, we can try
# touch /tmp/test
# chown 1001 /tmp/test
# ls -l /tmp/test
-rw-r----- 1 john users 0 Jan 1 12:00 test
to determine whether the name service is using LDAP.
PAM-LDAP
Next we'll do the authentication piece. First get the right libraries.
# apt-get also works
sudo aptitude install libpam-ldap
Now check the configuration file for pam-ldap, /etc/pam_ldap.conf:
uri ldap://localhost/
base dc=example,dc=org
pam_password exop
uri and base work just like they do in /etc/libnss-ldap.conf. pam_password exop tells pam_ldap to change passwords with the LDAP Password Modify extended operation, so the server hashes the new password itself. Otherwise pam would hash the password before sending it, and the LDAP server would no longer be able to authenticate the user against it.
pam_ldap assumes accounts have uid and userPassword. So long as you are using posixAccount these attributes will be there.
Every service which uses PAM has its very own configuration file. These files live under /etc/pam.d/. On Debian they include shared common-* files, so I didn't have to change any of the per-service files themselves.
We'll need entries for password matching (aka auth), account verification (account), password updating (password) and session setup (session). On Debian I only changed four files:
/etc/pam.d/common-account
account sufficient pam_unix.so
account required pam_ldap.so
/etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure
/etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
/etc/pam.d/common-session
session sufficient pam_unix.so
session required pam_ldap.so
I did not need to modify /etc/pam.d/login, but for reference mine looks like this after grepping out the comments and whitespace:
auth requisite pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
@include common-auth
auth optional pam_group.so
@include common-account
@include common-session
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-password
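The order of sufficient and required lines in the common-* files and in the login file above decides what happens when the LDAP server is down or refuses a user. The following evaluator is an added example (not from the original article) that applies the Linux-PAM rules for required, requisite, sufficient and optional to the article's own stacks, given a set of hypothetical module outcomes. It is a simplified model: @include lines are not expanded (the login stack below inlines common-auth), modules without a listed outcome count as "ignore", and the bracketed [value=action] syntax is not handled.

```shell
#!/bin/sh
# Added example (not from the original article): a small evaluator for the
# PAM control flags required, requisite, sufficient and optional, applied to
# the stacks shown on this page. Module outcomes are passed as "module=ok|fail";
# modules with no listed outcome are treated as "ignore" (no effect on the
# result). @include lines are skipped rather than expanded.

# The article's common-auth stack, copied here as a constructed string.
COMMON_AUTH='auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure'

# The article's common-account stack.
COMMON_ACCOUNT='account sufficient pam_unix.so
account required pam_ldap.so'

# The auth lines of the article's /etc/pam.d/login with common-auth inlined.
LOGIN_AUTH='auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure
auth optional pam_group.so'

# module_result MODULE RESULTS -> ok | fail | ignore
module_result() {
    for pair in $2; do
        case $pair in
            "$1"=*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    echo ignore
}

# pam_stack_eval STACK_TEXT RESULTS -> prints success | failure
pam_stack_eval() {
    failed=0; outcome=""
    while read -r type control module args; do
        [ -n "$module" ] || continue                  # blank line or @include
        case $type in "#"*) continue ;; esac          # comment line
        result=$(module_result "$module" "$2")
        case $control:$result in
            required:fail)  failed=1 ;;                 # remember, but keep going
            requisite:fail) outcome=failure; break ;;   # stop at once
            sufficient:ok)  if [ "$failed" -eq 0 ]; then outcome=success; break; fi ;;
            # sufficient:fail and optional:* do not affect the result
        esac
    done <<EOF
$1
EOF
    if [ -z "$outcome" ]; then
        if [ "$failed" -eq 0 ]; then outcome=success; else outcome=failure; fi
    fi
    echo "$outcome"
}

# Walk through the cases that matter for a host whose LDAP server may be down.
for results in "pam_ldap.so=ok pam_unix.so=fail" \
               "pam_ldap.so=fail pam_unix.so=ok" \
               "pam_ldap.so=fail pam_unix.so=fail"; do
    echo "common-auth    [$results] -> $(pam_stack_eval "$COMMON_AUTH" "$results")"
    echo "common-account [$results] -> $(pam_stack_eval "$COMMON_ACCOUNT" "$results")"
done
echo "login, securetty refusing the tty -> $(pam_stack_eval "$LOGIN_AUTH" "pam_securetty.so=fail pam_ldap.so=ok")"
```

The second case is the one the nsswitch warning earlier on the page is about: with pam_ldap failing (server unreachable) and pam_unix succeeding, the required pam_unix line still lets a local account such as root in. The last case shows why the login file puts pam_securetty as requisite ahead of everything else: a requisite failure ends the stack before pam_ldap is even asked.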