Ldap Authentication for Linux

    LDAP is a directory server technology that allows information such as usernames and passwords for an entire site to be stored on a central server. This whitepaper describes how to set up a Linux workstation to use an LDAP server for user information and


    Before proceeding, you will need a working LDAP server which can provide you with user information. If you need to set one up, consult our OpenLDAP whitepaper for instructions.

    User information consists of such data as mappings between user id numbers and usernames (used, for example, by ls -l), or home directory locations (used, for example, by cd ~). Lookups of such information are handled by the name service subsystem, configured in the file /etc/nsswitch.conf. Authentication (password checking), on the other hand, is handled by the PAM (pluggable authentication module) subsystem, configured in the /etc/pam.d/ directory. While these two subsystems can (in fact must) be configured separately, you will likely want both to use LDAP.


    Begin by installing the shared library code necessary for the name service to use LDAP.

    # apt-get install libnss-ldap

    Next, open the /etc/nsswitch.conf file, and tell the name service subsystem to use LDAP to obtain user information.


    passwd: files ldap

    group: files ldap

    shadow: files ldap

    Note that we do not eliminate the use of flat files, since some users and groups (e.g. root) will remain local. If your machines do not use flat files at all and your LDAP server goes down, not even root will be able to log in.

    Finally, you need to tell the name service subsystem how to talk to your LDAP server. This is done in the file /etc/libnss-ldap.conf.


    uri ldap://ldap.example.com/ ldap://ldap-backup.example.com/

    base dc=example, dc=org

    The uri directive specifies the domain name (or IP address) of your LDAP server. As our example illustrates, you can specify multiple LDAP servers, in which case they will be employed in failover fashion. The base directive specifies the root DN at which searches should start. For additional information on these and other configuration directives, see man libnss-ldap.conf.

    nss-ldap expects accounts to be objects with the following attributes: uid, uidNumber, gidNumber, homeDirectory, and loginShell. These attributes are allowed by the objectClass posixAccount.

    There is a simple way to verify that your name service subsystem is using your LDAP server as instructed. Assign a file to be owned by a user that exists only in the LDAP database, not in /etc/passwd. If an ls -l correctly shows the username, then the name service subsystem is consulting the LDAP database; if it just shows the user number, something is wrong. For example, if the user john, with user number 1001, exists only in LDAP, we can try

    # touch /tmp/test

    # chown 1001 /tmp/test

    # ls -l /tmp/test

    -rw-r----- 1 john users 0 Jan 1 12:00 test

    to determine whether the name service is using LDAP.


    Next we configure the PAM subsystem to use LDAP for passwords. Begin by installing the necessary PAM module.

    # apt-get install libpam-ldap

    The configuration file for the pam_ldap.so module is /etc/pam_ldap.conf.

    uri ldaps://ldap.example.com/

    base dc=example,dc=com

    pam_password exop

    The uri and base directives work the same way they do for /etc/libnss-ldap.conf and /etc/ldap/ldap.conf. Notice that we have used ldaps to ensure that connections over which passwords are exchanged are encrypted. The directive "pam_password exop" tells pam-ldap to change passwords in a way that allows OpenLDAP to apply the hashing algorithm specified in /etc/ldap/slapd.conf, instead of attempting to hash locally and write the result directly into the database.

    pam-ldap assumes accounts to be objects with the following attributes: uid and userPassword. These attributes are allowed by the objectClass posixAccount.

    We are now ready to configure individual services to use the LDAP server for password checking. Each service that uses PAM for authentication has its own configuration file /etc/pam.d/service. To configure a service to use LDAP for password checking, you must modify its PAM configuration file.

    To avoid an in-depth explanation of PAM, we will content ourselves with a few examples.

    Consider first the login program, which handles logins from the text console. A typical PAM stack which checks passwords both in /etc/passwd and in the LDAP database:



    auth required pam_nologin.so

    auth sufficient pam_ldap.so

    auth sufficient pam_unix.so shadow use_first_pass

    auth required pam_deny.so

    After successful password authentication using the auth stack, login checks for the existence of an account using the account stack, so it is necessary to reference pam-ldap there, too.


    account sufficient pam_unix.so

    account sufficient pam_ldap.so

    account required pam_deny.so

    Other login-like programs include xdm and gdm (for graphical logins), ssh (for remote logins), su (for switching programs), and xlock and xscreensaver (for locked screens). Each has its own file in /etc/pam.d/.

    Some applications not only authenticate passwords, but can also be used to change them. The prototypical example is of course passwd, the standard password-changing utility. Such programs can be configured to use LDAP by modifying their password stack.


    password required pam_cracklib.so

    password sufficient pam_ldap.so

    password sufficient pam_unix.so

    password required pam_deny.so

    One convenient application of pam-ldap is to set up "black box" servers that can authenticate users for a particular service without those users having an account on the machine at all. Services such as netatalk, (Cyrus) imap, and (Postfix) smtp use PAM. By configuring their PAM stacks to use LDAP, while leaving LDAP out of the PAM stacks of services such as login and ssh, you can easily create a "black box" server.
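    As an added example (not from the whitepaper), the POSIX shell functions below check the three settings the sections above call out: "files" listed before "ldap" in /etc/nsswitch.conf, an ldaps:// uri in /etc/pam_ldap.conf, and a closing "required pam_deny.so" in every PAM stack that references pam_ldap.so. The sample files, their contents and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the whitepaper: three small checks for the
# settings the text warns about. All input files below are constructed samples.

# nsswitch.conf: passwd, group and shadow must list "files" before "ldap",
# so root and other local accounts still resolve when the LDAP server is down.
check_nsswitch() {
    for db in passwd group shadow; do
        case "$(grep "^$db:" "$1" | head -n 1)" in
            *files*ldap*) ;;
            *) echo "bad:$db"; return 1 ;;
        esac
    done
    echo ok
}

# pam_ldap.conf: the uri over which passwords are exchanged must be ldaps://
check_pam_ldap_uri() {
    case "$(awk '$1 == "uri" { print $2 }' "$1")" in
        ldaps://*) echo ok ;;
        *) echo "plaintext"; return 1 ;;
    esac
}

# /etc/pam.d/<service>: a stack ($2 = auth, account or password) that uses
# pam_ldap.so must still end with "required pam_deny.so", as in the stacks above.
check_pam_stack() {
    grep -q "^$2[[:space:]].*pam_ldap\.so" "$1" || { echo "no-ldap"; return 1; }
    last=$(grep "^$2[[:space:]]" "$1" | tail -n 1 | tr -s '\t ' ' ')
    case "$last" in
        "$2 required pam_deny.so"*) echo ok ;;
        *) echo "open"; return 1 ;;
    esac
}

# Constructed sample files; shadow lacks "files" and the auth stack lacks pam_deny.so.
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: ldap\n' > "$SAMPLE_DIR/nsswitch.conf"
printf 'uri ldaps://ldap.example.com/\nbase dc=example,dc=com\n' > "$SAMPLE_DIR/pam_ldap.conf"
printf 'auth\trequired pam_nologin.so\nauth\tsufficient pam_ldap.so\n' > "$SAMPLE_DIR/login"
printf 'auth\tsufficient pam_unix.so use_first_pass\n' >> "$SAMPLE_DIR/login"
printf 'account\tsufficient pam_unix.so\naccount\tsufficient pam_ldap.so\n' >> "$SAMPLE_DIR/login"
printf 'account\trequired pam_deny.so\n' >> "$SAMPLE_DIR/login"

echo "nsswitch: $(check_nsswitch "$SAMPLE_DIR/nsswitch.conf")"    # nsswitch: bad:shadow
echo "pam_ldap uri: $(check_pam_ldap_uri "$SAMPLE_DIR/pam_ldap.conf")"  # pam_ldap uri: ok
echo "login auth: $(check_pam_stack "$SAMPLE_DIR/login" auth)"     # login auth: open
echo "login account: $(check_pam_stack "$SAMPLE_DIR/login" account)"  # login account: ok
```

Point the functions at the real /etc/nsswitch.conf, /etc/pam_ldap.conf and /etc/pam.d/login on a workstation to run the same checks against its live configuration.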


    To keep your computers from pounding your LDAP server every time a command such as ls -l /home is issued on a computer in your organization, it is a good idea to configure your workstations to cache some user data. As long as the data in the cache is sufficiently fresh, the workstations use it instead of asking your LDAP server again. The name service caching daemon (nscd) accomplishes exactly this task.

    To install nscd on Debian, just

    # apt-get install nscd

    The configuration file for nscd is /etc/nscd.conf.


    enable-cache passwd yes

    positive-time-to-live passwd 600

    negative-time-to-live passwd 20

    suggested-size passwd 211

    check-files passwd yes

