https://wiki.archlinux.org/api.php?action=feedcontributions&user=Alexk&feedformat=atomArchWiki - User contributions [en]2024-03-29T08:30:00ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=LDAP_authentication&diff=240624LDAP authentication2012-12-16T19:11:40Z<p>Alexk: removed pam conf and udev troubleshooting parts</p>
<hr />
<div>[[Category:Security]]<br />
{{Merge|OpenLDAP Authentication}}<br />
{{Poor writing}}<br />
<br />
== HOWTO - LDAP Authentication in Arch Linux ==<br />
<br />
=== Overview ===<br />
<br />
What you need to install, configure and know to get LDAP (RFC 2251, i.e. LDAPv3) authentication working on Arch.<br />
<br />
Steps:<br />
<br />
# Install OpenLDAP<br />
# Design LDAP Directory<br />
# Configure and Fill OpenLDAP<br />
# Configure NSS<br />
# Configure PAM<br />
<br />
==== References ====<br />
<br />
http://aqua.subnet.at/~max/ldap/<br />
<br />
==== For the newbies ====<br />
<br />
If you are totally new to these concepts, here is a good, easy-to-understand introduction that will get you started even if everything about LDAP is new to you.<br />
<br />
http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html<br />
<br />
=== Install OpenLDAP ===<br />
See the [[OpenLDAP]] article<br />
<br />
=== Design LDAP Directory ===<br />
<br />
This all depends on what organization your network/computer is modeling.<br />
<br />
Here is my initial layout in LDIF format. Note that LDIF keeps trailing whitespace as part of a value, so a stray space after a value such as ''dc: tklogic'' makes it differ from the ''dc=tklogic'' in the DN.<pre><br />
dn: dc=tklogic,dc=net<br />
dc: tklogic<br />
description: The techknowlogic.net Network<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: techknowlogic.net<br />
<br />
dn: ou=People,dc=tklogic,dc=net<br />
ou: People<br />
objectClass: organizationalUnit<br />
<br />
dn: ou=Groups,dc=tklogic,dc=net<br />
ou: Groups<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
dn: cn=tklusers,ou=Groups,dc=tklogic,dc=net<br />
gidNumber: 2000<br />
objectClass: posixGroup<br />
objectClass: top<br />
cn: tklusers<br />
<br />
dn: ou=Roles,dc=tklogic,dc=net<br />
ou: Roles<br />
description: Org Unit for holding a basic set of ACL Roles.<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
dn: cn=ldap-reader,ou=Roles,dc=tklogic,dc=net<br />
userPassword: {CRYPT}xxxxxxxxxxxxx<br />
objectClass: organizationalRole<br />
objectClass: simpleSecurityObject<br />
cn: ldap-reader<br />
description: LDAP reader user for any unrestricted reads (i.e. for NSS)<br />
<br />
dn: cn=ldap-manager,ou=Roles,dc=tklogic,dc=net<br />
userPassword: {CRYPT}xxxxxxxxxxxxx<br />
objectClass: organizationalRole<br />
objectClass: simpleSecurityObject<br />
cn: ldap-manager<br />
description: LDAP manager user for any unrestricted read/writes (i.e. root-like)<br />
</pre><br />
<br />
Now for each user: <pre><br />
dn: uid=user,ou=People,dc=tklogic,dc=net<br />
objectClass: top<br />
objectClass: person<br />
objectClass: organizationalPerson<br />
objectClass: inetOrgPerson<br />
objectClass: posixAccount<br />
objectClass: shadowAccount<br />
uid: user<br />
cn: Test User<br />
sn: User<br />
givenName: Test<br />
title: Guinea Pig<br />
telephoneNumber: +0 000 000 0000<br />
mobile: +0 000 000 0000<br />
postalAddress: AddressLine1$AddressLine2$AddressLine3<br />
userPassword: {CRYPT}xxxxxxxxxx<br />
labeledURI: http://test.tklogic.net/<br />
loginShell: /bin/bash<br />
uidNumber: 10000<br />
gidNumber: 2000<br />
homeDirectory: /users/test/<br />
description: A Test User for the ArchWiki LDAP-Authentication HOWTO<br />
</pre><br />
<br />
=== Configure and Fill OpenLDAP ===<br />
<br />
'''Client Side'''<br />
<br />
''/etc/openldap/ldap.conf''<br />
BASE dc=yourdomain,dc=com<br />
URI ldap://yourdomain.com<br />
<br />
''/etc/pam_ldap.conf and /etc/nss_ldap.conf''<br />
<br />
If there is an actual difference between these files, please let me know. <br />
<br />
>> There's not. In Gentoo we use only one /etc/ldap.conf file, so I made hard links of these two; using only one file, it works. I wonder why Arch has them separated. Does anybody know?<br />
<br />
>>> Actually I have moved /etc/nss_ldap.conf to /etc/ldap.conf. /etc/openldap/ldap.conf and /etc/nss_ldap.conf are only symlinks to /etc/ldap.conf. Works fine for me.<br />
<br />
host yourdomain.com<br />
base dc=yourdomain,dc=com<br />
uri ldap://yourdomain.com/<br />
ldap_version 3<br />
rootbinddn cn=Manager,dc=yourdomain,dc=com<br />
scope sub<br />
timelimit 5<br />
bind_timelimit 5<br />
nss_reconnect_tries 2<br />
pam_login_attribute uid<br />
pam_member_attribute gid<br />
pam_password exop<br />
nss_base_passwd ou=People,dc=yourdomain,dc=com<br />
nss_base_shadow ou=People,dc=yourdomain,dc=com<br />
<br />
Only one ''pam_password'' line takes effect, so do not list both ''md5'' and ''exop''. ''exop'' changes passwords through the LDAP Password Modify extended operation, so the server hashes the new password with its own ''password-hash'' setting; ''md5'' would make the client compute and store an unsalted MD5 hash itself. Binds over plain ''ldap://'' send the password in clear text: on anything but a loopback connection use an ''ldaps://'' URI, or add ''ssl start_tls'' together with ''tls_cacertfile'' pointing at the CA certificate that signed the server certificate.<br />
<br />
''/etc/ldap.secret''<br />
plaintextpassword<br />
<br />
This file holds the ''rootbinddn'' password in clear text, so it must be owned by root and have mode 600 (''chmod 600 /etc/ldap.secret''); ''rootbinddn'' is only used by processes running as root. Keep in mind that this hands the directory manager's credentials to every root process on every client. For NSS lookups a read-only bind identity such as the ''ldap-reader'' role defined above, configured with ''binddn'' and ''bindpw'', is the least-privilege choice; reserve the manager DN for hosts that really need to write to the directory. Since ''/etc/nss_ldap.conf'' is read by every process doing NSS lookups, a ''bindpw'' placed there is readable by all local users and must therefore only grant read access.<br />
<br />
<br />
'''Server Side'''<br />
<br />
''/etc/openldap/slapd.conf''<br />
include /etc/openldap/schema/core.schema<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/courier.schema<br />
password-hash {SSHA}<br />
pidfile /var/run/slapd.pid<br />
argsfile /var/run/slapd.args<br />
database bdb<br />
suffix "dc=yourdomain,dc=com"<br />
rootdn "cn=Manager,dc=yourdomain,dc=com"<br />
rootpw {SSHA}hash-generated-by-slappasswd<br />
directory /var/lib/openldap/openldap-data<br />
index objectClass eq<br />
index uid eq<br />
<br />
Generate the ''rootpw'' value with ''slappasswd -h {SSHA} -s passwordstring'' and paste its output; never put the clear-text password in this file. ''password-hash'' is the scheme slapd applies to passwords set through the Password Modify extended operation (''pam_password exop'' on the client): ''{SSHA}'' stores a salted SHA-1 digest, whereas ''{MD5}'' is unsalted, so identical passwords hash to identical values and one precomputed table cracks all of them. Only add ''allow bind_v2'' if you have clients that cannot speak LDAPv3; it re-enables the obsolete LDAPv2 bind.<br />
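To see what the ''password-hash'' setting actually stores, here is an added example (not code from the ArchWiki page or from OpenLDAP) that reproduces the ''{SSHA}'' and ''{MD5}'' layouts ''slappasswd'' uses (scheme tag, then base64 of the digest, with the 4-byte salt appended for ''{SSHA}'') and verifies a clear-text password against them the way slapd does on a simple bind. The helper ''identical_for_same_password'' is this example's own name for the check that exposes the weakness of unsalted schemes.<br />
<br />
```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # digest length; {SSHA} values are base64(sha1(password + salt) + salt)


def ssha_hash(password, salt=None):
    """Produce a userPassword/rootpw value in the {SSHA} scheme, laid out as
    slappasswd -h {SSHA} emits it: a 4-byte random salt appended to the digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password):
    """The unsalted {MD5} scheme: the same password gives the same value on every entry."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify(stored, password):
    """Check a clear-text password against a {SSHA}, {SHA} or {MD5} value the way
    slapd does on a simple bind; comparisons are constant-time."""
    scheme, _, encoded = stored.partition("}")
    raw = base64.b64decode(encoded)
    pw = password.encode("utf-8")
    if scheme == "{SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "{SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "{MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError(f"unsupported password scheme in {stored!r}")


def identical_for_same_password(hash_fn, password):
    """True if two entries with the same password would store the same value,
    i.e. the scheme is unsalted and one precomputed table cracks all of them."""
    return hash_fn(password) == hash_fn(password)


if __name__ == "__main__":
    print(md5_hash("password"))          # always the same value
    print(ssha_hash("password"))         # different on every call thanks to the salt
    print(verify(ssha_hash("password"), "password"))
```
<br />
Two ''{SSHA}'' values for the same password differ only in their salt, and ''verify'' extracts that salt from the stored value, which is exactly what lets slapd check a bind without keeping the clear-text password anywhere.<br />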
<br />
=== Configure NSS ===<br />
<br />
Two copies of the NSS configuration are kept: a files-only one that is in place while the system boots (''/etc/nsswitch.file'', copied over ''/etc/nsswitch.conf'' by ''rc.sysinit'' below) and the LDAP-enabled one (''/etc/nsswitch.ldap''). ''shadow'' needs a line too, since ''nss_base_shadow'' above expects shadow lookups to reach the directory.<br />
<br />
''/etc/nsswitch.file''<br />
passwd: files<br />
group: files<br />
shadow: files<br />
hosts: files dns<br />
services: files<br />
networks: files<br />
protocols: files<br />
rpc: files<br />
ethers: files<br />
netmasks: files<br />
bootparams: files<br />
publickey: files<br />
automount: files<br />
aliases: files<br />
sendmailvars: files<br />
netgroup: files<br />
<br />
''/etc/nsswitch.ldap''<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
hosts: dns ldap<br />
services: ldap [NOTFOUND=return] files<br />
networks: ldap [NOTFOUND=return] files<br />
protocols: ldap [NOTFOUND=return] files<br />
rpc: ldap [NOTFOUND=return] files<br />
ethers: ldap [NOTFOUND=return] files<br />
netmasks: files<br />
bootparams: files<br />
publickey: files<br />
automount: files<br />
sendmailvars: files<br />
netgroup: ldap [NOTFOUND=return] files<br />
<br />
Keep ''files'' before ''ldap'' for ''passwd'', ''group'' and ''shadow'' so that root and the other local accounts keep working when the LDAP server is unreachable. ''[NOTFOUND=return]'' means that a reachable server which simply has no matching entry ends the lookup, so ''/etc/services'', ''/etc/protocols'' and so on are only consulted when the server is down; use it only for databases you actually populate in LDAP, and plain ''files ldap'' otherwise.<br />
<br />
''/etc/rc.sysinit'' (legacy initscripts boot only)<br />
<br />
'''Be sure to modify this file before you reboot or your machine will hang on "Starting UDev Daemon"'''. The hang happens because udev resolves the user and group names in its rules through NSS, and with ''ldap'' in ''nsswitch.conf'' each lookup blocks until the LDAP server, which is not reachable yet because the network is not up, times out.<br />
<br />
Add this before UDev starts<br />
cp /etc/nsswitch.file /etc/nsswitch.conf<br />
<br />
And this after UDev is started<br />
cp /etc/nsswitch.ldap /etc/nsswitch.conf<br />
<br />
Hopefully there will be a fix later.<br />
<br />
udev / ldap boot update -><br />
please see: https://wiki.archlinux.org/index.php/Udev-ldap_workaround<br />
<br />
'''Alternative Fix'''<br />
<br />
If you do not need LDAP for host name resolution, let ''/etc/nsswitch.conf'' read<br />
hosts: files dns<br />
instead; this avoids the need to modify ''/etc/rc.sysinit'' and the hang on boot.</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=240619OpenLDAP Authentication2012-12-16T17:37:05Z<p>Alexk: /* Client Setup */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or remote (e.g. in a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the most famous one being Samba, which uses it when emulating a domain controller) and basically holds the user data.<br />
The closest real-life analogue is a telephone directory. Another general description of an LDAP server is that it is a database (which it basically is, although not a relational one) that is optimised for reading and searching the data rather than for writing them.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether the OpenLDAP server is local or remote.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|files}}-type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism Linux (and most *nixes) uses to extend its authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
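Before running ldapadd it pays to check the LDIF for the mistakes that slapd either does not catch or only reports as a terse error, and that otherwise surface later as a mysterious login failure: a missing mandatory attribute for one of the object classes, a user whose gidNumber matches no posixGroup, two accounts sharing a uidNumber, or a value with trailing whitespace (LDIF keeps it, so ''dc: tklogic'' followed by a space is a different value from ''tklogic''). The checker below is an added example, not code from the ArchWiki page or from OpenLDAP; it covers both the layout in the LDAP authentication article above and base.ldif here. Its MUST table lists the mandatory attributes of the core, inetOrgPerson and RFC 2307 classes as this example assumes them, and the sample LDIF is constructed for the demonstration.<br />
<br />
```python
# Mandatory attributes (MUST) per object class as this example assumes them from
# the core, cosine/inetorgperson and nis (RFC 2307) schemas; extend as needed.
MUST = {
    "dcObject": {"dc"},
    "organization": {"o"},
    "organizationalUnit": {"ou"},
    "person": {"cn", "sn"},
    "inetOrgPerson": {"cn", "sn"},  # inherited from person
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "shadowAccount": {"uid"},
    "posixGroup": {"cn", "gidNumber"},
}


def parse_ldif(text):
    """Minimal LDIF (RFC 2849) parser: blank-line separated entries, '#' comments,
    continuation lines starting with one space, 'attr: value'. Attribute names are
    lower-cased; trailing whitespace is kept because LDIF treats it as value."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.lower(), []).append(value.lstrip(" "))
    if current:
        entries.append(current)
    return entries


def check_ldif(text):
    """Return human-readable problems found in the LDIF (empty list if clean)."""
    entries = parse_ldif(text)
    problems, seen_uids, group_gids = [], {}, set()
    for e in entries:
        if "posixGroup" in e.get("objectclass", []):
            group_gids.update(e.get("gidnumber", []))
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        classes = e.get("objectclass", [])
        for oc in classes:
            for must in MUST.get(oc, ()):
                if must.lower() not in e:
                    problems.append(f"{dn}: objectClass {oc} requires attribute {must}")
        # the RDN value must also be present as a value of the entry itself
        rdn_attr, _, rdn_val = dn.split(",")[0].partition("=")
        if rdn_val not in e.get(rdn_attr.lower(), []):
            problems.append(f"{dn}: RDN value {rdn_val!r} is not a value of {rdn_attr}")
        for attr, values in e.items():
            for v in values:
                if v != v.rstrip():
                    problems.append(f"{dn}: trailing whitespace in {attr}: {v!r}")
        if "posixAccount" in classes:
            for n in e.get("uidnumber", []):
                if n in seen_uids:
                    problems.append(f"{dn}: uidNumber {n} already used by {seen_uids[n]}")
                seen_uids[n] = dn
            for g in e.get("gidnumber", []):
                if g not in group_gids:
                    problems.append(f"{dn}: gidNumber {g} matches no posixGroup in this LDIF")
    return problems


# Constructed sample modelled on the layouts above; it deliberately carries a
# trailing space after 'tklogic', a duplicate uidNumber and an unknown gidNumber.
SAMPLE_LDIF = """\
dn: dc=tklogic,dc=net
dc: tklogic\x20
objectClass: dcObject

dn: cn=tklusers,ou=Groups,dc=tklogic,dc=net
cn: tklusers
gidNumber: 2000
objectClass: posixGroup

dn: uid=user,ou=People,dc=tklogic,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user
cn: Test User
sn: User
uidNumber: 10000
gidNumber: 2000
homeDirectory: /users/test

dn: uid=bob,ou=People,dc=tklogic,dc=net
objectClass: posixAccount
uid: bob
cn: Bob
uidNumber: 10000
gidNumber: 3000
homeDirectory: /users/bob
"""
```
<br />
Run ''check_ldif'' on the file you are about to feed to ldapadd; on the sample it reports the RDN/attribute mismatch and the trailing space on the first entry, and the duplicate uidNumber and the orphan gidNumber on the last one.<br />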
<br />
<br />
== Client Setup ==<br />
<br />
[[pacman|Install]] {{Pkg|openldap}} from the [[official repositories]]. This is needed regardless of whether you run openldap on your machine or over the network.<br />
<br />
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[Arch User Repository]].<br />
<br />
Alternatively, the older {{pkg|nss_ldap}} and {{pkg|pam_ldap}} modules are available from the [[Official Repositories|official repositories]]. The PAM stacks below reference {{ic|pam_ldap.so}}, which both nss-pam-ldapd and pam_ldap provide.<br />
<br />
=== OpenLDAP ===<br />
Before you begin setting up PAM and NSS for LDAP authentication, first check that the LDAP server is reachable. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URI and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side ldap utilities read some general settings from this file.<br />
{{Warning| If the server uses a self-signed certificate, the client cannot validate it against the system CA bundle and TLS connections will fail. Do not silence this with {{ic|TLS_REQCERT allow}} (or {{ic|never}}) on anything but a throw-away test setup: it disables certificate verification, so anyone on the network path can impersonate the server and collect the bind passwords. Instead copy the server certificate (or the CA that signed it) to the client, point {{ic|TLS_CACERT}} at it (for example {{ic|TLS_CACERT /etc/openldap/certs/ca.crt}}) and keep the default {{ic|TLS_REQCERT demand}}.<br />
}}<br />
<br />
=== NSS Configuration ===<br />
NSS is a system facility which manages different sources for configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|files}}-type source for the {{ic|passwd}} database, which by default stores the user accounts. nss_ldap (or nslcd from nss-pam-ldapd) is a plugin which allows NSS to use an OpenLDAP server as a source for these databases.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
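The two nsswitch files on this page and in the LDAP authentication article (the LDAP-enabled {{ic|/etc/nsswitch.ldap}} with its {{ic|hosts: dns ldap}} and {{ic|[NOTFOUND=return]}} lines, and the three-line {{ic|passwd}}/{{ic|group}}/{{ic|shadow}} configuration here) are easy to get subtly wrong, and the consequences range from root being unable to log in while the LDAP server is down to the boot hang described there. The checker below is an added example, not code from the ArchWiki page or from glibc; it parses nsswitch.conf syntax and flags those cases. The two sample configurations are constructed for the demonstration.<br />
<br />
```python
import re

# Databases that must consult LDAP for directory accounts to resolve at all
REQUIRED_LDAP_DBS = ("passwd", "group", "shadow")
NOTFOUND_RETURN = re.compile(r"\[notfound=return\]")


def parse_nsswitch(text):
    """Parse nsswitch.conf text into {database: [tokens]}. Tokens are either
    sources (files, ldap, dns, ...) or bracketed action specifications such as
    [NOTFOUND=return]; comments are stripped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        dbs[db.strip()] = rest.split()
    return dbs


def check_nsswitch(text):
    """Return the problems worth fixing before rebooting with this file in place."""
    dbs = parse_nsswitch(text)
    problems = []
    for db in REQUIRED_LDAP_DBS:
        tokens = dbs.get(db, [])
        sources = [t for t in tokens if not t.startswith("[")]
        if "ldap" not in sources:
            problems.append(f"{db}: no ldap source, directory accounts will not resolve")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            problems.append(f"{db}: put files before ldap so local accounts (root!) work while LDAP is down")
    if "ldap" in dbs.get("hosts", []):
        problems.append("hosts: ldap source makes early-boot name lookups (udev) block "
                        "until the LDAP server is reachable; use 'files dns' unless hosts really live in LDAP")
    for db, tokens in dbs.items():
        for i, tok in enumerate(tokens):
            later_sources = [t for t in tokens[i + 1:] if not t.startswith("[")]
            if NOTFOUND_RETURN.fullmatch(tok.lower()) and later_sources:
                problems.append(f"{db}: [NOTFOUND=return] stops the lookup when the LDAP entry is missing, "
                                f"so {' '.join(later_sources)} is only consulted when the server is unreachable")
    return problems


# Constructed sample in the shape of the nsswitch.ldap file from the LDAP
# authentication article: hosts via LDAP, NOTFOUND=return, and no shadow line.
NSSWITCH_BOOT_HANG = """\
passwd: files ldap
group: files ldap
hosts: dns ldap
services: ldap [NOTFOUND=return] files
protocols: files
"""

# Constructed sample in the shape recommended on this page.
NSSWITCH_OK = """\
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
"""

if __name__ == "__main__":
    for p in check_nsswitch(NSSWITCH_BOOT_HANG):
        print(p)
```
<br />
Feed it the text of the file you intend to install (for example {{ic|open("/etc/nsswitch.conf").read()}}); an empty list means none of the known pitfalls is present.<br />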
<br />
==== Name Service Cache Daemon ====<br />
nscd is a daemon that caches NSS lookups, so that not every passwd or group query has to travel to the LDAP server.<br />
<br />
{{Important| It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries}}<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
==== NSLCD ====<br />
<br />
With nss-pam-ldapd the NSS and PAM modules do not talk to the LDAP server themselves; they pass requests over a local socket to the {{ic|nslcd}} daemon, which is configured in {{ic|/etc/nslcd.conf}} (server {{ic|uri}}, search {{ic|base}} and, if anonymous reads are not allowed, a read-only {{ic|binddn}}/{{ic|bindpw}}) and started with {{bc|systemctl start nslcd}}. Because that file may hold a bind password, it must not be world-readable.<br />
<br />
=== PAM Configuration ===<br />
<br />
Edit {{ic|/etc/pam.d/login}}. In these stacks {{ic|pam_ldap.so}} is marked {{ic|sufficient}}: a successful LDAP bind ends the stack at once, so every module meant to restrict access ({{ic|pam_securetty}}, {{ic|pam_nologin}}, {{ic|pam_access}}, {{ic|pam_time}}) must be listed before it, otherwise LDAP users are never checked against it. {{ic|nullok}}, which lets a local account with an empty password field in without a password, is not used:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth required pam_env.so<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so try_first_pass<br />
account required pam_access.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}. Local passwords are hashed with {{ic|sha512}} rather than the weak {{ic|md5}}, and {{ic|nullok}} is again left out:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow sha512<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}. The modules that deny access ({{ic|pam_securetty}}, {{ic|pam_nologin}}, {{ic|pam_time}}) come before the {{ic|sufficient}} {{ic|pam_ldap.so}} line, otherwise an LDAP user who binds successfully skips them. {{ic|pam_unix.so}} handles the session phase; the old {{ic|pam_unix_session.so}} name is no longer shipped by Linux-PAM:<br />
<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so try_first_pass<br />
account required pam_time.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
session required pam_limits.so<br />
<br />
edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
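Whether a restriction is enforced for LDAP users depends entirely on where it sits relative to the {{ic|sufficient}} {{ic|pam_ldap.so}} line, and the control-flag rules in pam.d(5) are easy to misread. The small simulator below is an added example (not code from the ArchWiki page or from Linux-PAM): it implements the {{ic|required}}/{{ic|requisite}}/{{ic|sufficient}}/{{ic|optional}} decision rules and runs two orderings of an sshd {{ic|auth}} stack and a login {{ic|account}} stack through a few scenarios. The module results in the scenarios are constructed for the demonstration, not real PAM calls. With {{ic|pam_ldap.so}} listed first, an LDAP user gets through sshd while {{ic|/etc/nologin}} is in place and is never checked by {{ic|pam_access}}; with the restricting modules moved ahead of it, both denials hold.<br />
<br />
```python
# Linux-PAM control flags as described in pam.d(5), reduced to the decision
# logic: which module ends the stack early, and what the final result is.
SUCCESS, FAIL = "success", "fail"


def run_stack(stack, results):
    """Walk a PAM stack given as (control, module) pairs.

    results maps module name -> True (PAM_SUCCESS) or False (any error); modules
    not listed are assumed to succeed. Returns (outcome, deciding_module), where
    deciding_module is the module whose result ended the stack early, or None if
    every module was evaluated."""
    required_failed = False
    for control, module in stack:
        ok = results.get(module, True)
        if control == "requisite" and not ok:
            return FAIL, module                   # fail immediately
        if control == "required" and not ok:
            required_failed = True                # remembered, but the stack continues
        if control == "sufficient" and ok and not required_failed:
            return SUCCESS, module                # short-circuit: later modules never run
        # 'optional' results and failures of 'sufficient' modules do not count
    return (FAIL if required_failed else SUCCESS), None


# sshd 'auth' stack with pam_ldap.so listed first (the risky ordering).
SSHD_AUTH_LDAP_FIRST = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_securetty.so"),
    ("required", "pam_unix.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_env.so"),
]

# The same modules with the restricting ones ahead of pam_ldap.so.
SSHD_AUTH_RESTRICT_FIRST = [
    ("required", "pam_securetty.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# login 'account' stack in both orderings.
LOGIN_ACCOUNT_LDAP_FIRST = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_access.so"),
    ("required", "pam_unix.so"),
]
LOGIN_ACCOUNT_ACCESS_FIRST = [
    ("required", "pam_access.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Constructed scenarios (module outcomes, not real PAM calls).
# /etc/nologin exists; an LDAP-only user presents the right password:
NOLOGIN_LDAP_USER = {"pam_nologin.so": False, "pam_ldap.so": True, "pam_unix.so": False}
# an ordinary LDAP user, nothing blocking:
NORMAL_LDAP_USER = {"pam_ldap.so": True, "pam_unix.so": False}
# a local user with a correct password; pam_ldap does not know the user:
LOCAL_USER = {"pam_ldap.so": False, "pam_unix.so": True}
# an LDAP user that /etc/security/access.conf denies:
DENIED_BY_ACCESS_CONF = {"pam_access.so": False, "pam_ldap.so": True, "pam_unix.so": False}


def compare(stack_a, stack_b, scenario):
    """Outcome of one scenario under two stack orderings."""
    return run_stack(stack_a, scenario)[0], run_stack(stack_b, scenario)[0]


if __name__ == "__main__":
    print("sshd auth, nologin in place:", compare(SSHD_AUTH_LDAP_FIRST, SSHD_AUTH_RESTRICT_FIRST, NOLOGIN_LDAP_USER))
    print("login account, access.conf denies:", compare(LOGIN_ACCOUNT_LDAP_FIRST, LOGIN_ACCOUNT_ACCESS_FIRST, DENIED_BY_ACCESS_CONF))
```
<br />
The reordered stacks still let ordinary LDAP users and local users in; what changes is that a {{ic|required}} failure recorded before {{ic|pam_ldap.so}} prevents the {{ic|sufficient}} short-circuit, so the stack runs to the end and fails.<br />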
<br />
== Resources ==<br />
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd package]<br />
<br />
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]<br />
<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]<br />
<br />
[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=240617OpenLDAP Authentication2012-12-16T17:22:07Z<p>Alexk: /* Client Setup */</p>
Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=240616OpenLDAP Authentication2012-12-16T17:20:59Z<p>Alexk: /* PAM_LDAP */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Archlinux installation to authenticate against an OpenLDAP server.The openldap backend can be either local (installed on the same computer) or network (i.e in a lab environment where central authentication is desired).<br />
The guide will be divided in two parts. The first part deals with how to setup OpenLDAP locally and the second with how to setup the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticated against an already excisting LDAP server then you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest analogue to real life, would be the telephone directory. Another generalised explanation of what an LDAP server does is that it is a database (which it basically is, but it is not relational) which is optimised for accessing the data and not reading them.<br />
<br />
Commands relate to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of o local or network OpenLDAP install.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Module) is a machanism Linux (and most *nixes) uses to extend it's authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}} {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
[[pacman|Install]] {{Pkg|openldap}} from the [[official repositories]]. This is needed regardless of whether you run openldap on your machine or over the network.<br />
<br />
Next, [[pacman|install]] {{AUR|nas-pam-ldapd}} from the [[Arch User Repository]].<br />
<br />
There is the {{pkg|nss_ldap}} and {{pkg|[pam_ldap}} from the [[Official Repositories|official repositories]] <br />
<br />
<br />
=== OpenLDAP ===<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} in order to avoid writing the everytime. All client-side ldap utilities use this file to read some general variables.<br />
{{Warning| If you created a self-signed certificate above you need to also add the following line or you will not be able connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS Configuration ===<br />
NSS is a system facility which manages different sources as configuration databases. For example {{ic|/etc/passwd}} is i {{ic|file}}-type source for the {{ic|passwd}} which by default stores the user accounts. nss_ldap is a plugin which allow NSS to see an OpenLDAP server as a source for these databases.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
==== Name Service Cache Daemon ====<br />
NSCD is a daemon that NSS runs that is responsible for caching lookups and queries for network backends.<br />
<br />
{{Important| It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries}}<br />
<br />
READ THIS FIRST: [[https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]]<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
==== NSLCD ====<br />
<br />
=== PAM_LDAP ===<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
== Resources ==<br />
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]<br />
<br />
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]<br />
<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]<br />
<br />
[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=239298OpenLDAP Authentication2012-12-07T07:42:53Z<p>Alexk: /* Resources */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. in a lab environment where central authentication is desired).<br />
The guide is divided into two parts. The first deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue is a telephone directory. Another generalised explanation is that an LDAP server is a database (which it basically is, although not a relational one) that is optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether your OpenLDAP install is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Module) is a mechanism Linux (and most *nixes) uses to extend its authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
[[pacman|Install]] {{Pkg|openldap}} from the [[official repositories]]. This is needed regardless of whether you run openldap on your machine or over the network.<br />
<br />
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[Arch User Repository]].<br />
<br />
Alternatively, the {{pkg|nss_ldap}} and {{pkg|pam_ldap}} packages are available from the [[Official Repositories|official repositories]].<br />
<br />
<br />
=== OpenLDAP ===<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} so you do not have to type them every time. All client-side ldap utilities read their general settings from this file.<br />
{{Warning| If you created a self-signed certificate above, you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS Configuration ===<br />
NSS is a system facility which manages different sources for configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}}-type source for the {{ic|passwd}} database, which by default stores the user accounts. nss_ldap is a plugin which allows NSS to use an OpenLDAP server as a source for these databases.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
==== Name Service Cache Daemon ====<br />
NSCD is a daemon that NSS runs that is responsible for caching lookups and queries for network backends.<br />
<br />
{{Important| It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries}}<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
==== NSLCD ====<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
== Resources ==<br />
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]<br />
<br />
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]<br />
<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]<br />
<br />
[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=239296OpenLDAP Authentication2012-12-07T07:41:47Z<p>Alexk: /* NSS_LDAP */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. in a lab environment where central authentication is desired).<br />
The guide is divided into two parts. The first deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue is a telephone directory. Another generalised explanation is that an LDAP server is a database (which it basically is, although not a relational one) that is optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether your OpenLDAP install is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Module) is a mechanism Linux (and most *nixes) uses to extend its authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
[[pacman|Install]] {{Pkg|openldap}} from the [[official repositories]]. This is needed regardless of whether you run openldap on your machine or over the network.<br />
<br />
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[Arch User Repository]].<br />
<br />
Alternatively, the {{pkg|nss_ldap}} and {{pkg|pam_ldap}} packages are available from the [[Official Repositories|official repositories]].<br />
<br />
<br />
=== OpenLDAP ===<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} so you do not have to type them every time. All client-side ldap utilities read their general settings from this file.<br />
{{Warning| If you created a self-signed certificate above, you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS Configuration ===<br />
NSS is a system facility which manages different sources for configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}}-type source for the {{ic|passwd}} database, which by default stores the user accounts. nss_ldap is a plugin which allows NSS to use an OpenLDAP server as a source for these databases.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
==== Name Service Cache Daemon ====<br />
NSCD is a daemon that NSS runs that is responsible for caching lookups and queries for network backends.<br />
<br />
{{Important| It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries}}<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
==== NSLCD ====<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
== Resources ==<br />
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]<br />
<br />
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]<br />
<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=239268OpenLDAP Authentication2012-12-07T00:30:49Z<p>Alexk: /* Client Setup */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. in a lab environment where central authentication is desired).<br />
The guide is divided into two parts. The first deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue is a telephone directory. Another generalised explanation is that an LDAP server is a database (which it basically is, although not a relational one) that is optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether your OpenLDAP install is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Module) is a mechanism Linux (and most *nixes) uses to extend its authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
[[pacman|Install]] {{Pkg|openldap}} from the [[official repositories]]. This is needed regardless of whether you run openldap on your machine or over the network.<br />
<br />
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[Arch User Repository]].<br />
<br />
Alternatively, the {{pkg|nss_ldap}} and {{pkg|pam_ldap}} packages are available from the [[Official Repositories|official repositories]].<br />
<br />
<br />
=== OpenLDAP ===<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} so you do not have to type them every time. All client-side ldap utilities read their general settings from this file.<br />
{{Warning| If you created a self-signed certificate above, you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS_LDAP ===<br />
NSS is a system facility which manages different sources for configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}}-type source for the {{ic|passwd}} database, which by default stores the user accounts. nss_ldap is a plugin which allows NSS to use an OpenLDAP server as a source for these databases.<br />
<br />
The {{ic|/etc/nss_ldap.conf}} file configures the ldap backend for NSS. Edit the file and change the values according to your setup:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on <br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Next, edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
==== Name Service Cache Daemon ====<br />
NSCD is a daemon that NSS runs that is responsible for caching lookups and queries for network backends.<br />
<br />
{{Important| It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries}}<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
==== NSLCD ====<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
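The client-side files edited above ({{ic|nsswitch.conf}}, {{ic|pam_ldap.conf}}/{{ic|nss_ldap.conf}} and the pam.d stacks) each have a setting that is convenient for a lab but weak in production: {{ic|tls_checkpeer no}}, two contradicting {{ic|ssl}} directives next to {{ic|port 636}}, {{ic|nullok}}, and stacks where {{ic|pam_ldap.so}} has no local {{ic|pam_unix.so}} fallback. The following Python audit is an added example, not part of this wiki page or of any package; its sample inputs are constructed from the snippets above, with the documentation address 192.0.2.10 standing in for the {{ic|<SERVER_IP>}} placeholder.<br />

```python
"""Audit nsswitch.conf, pam_ldap.conf and a pam.d stack for weak or inconsistent
settings. Added example; the sample inputs are constructed from the wiki snippets."""

# Constructed sample inputs modelled on the page's examples (192.0.2.10 is a
# documentation address standing in for the placeholder <SERVER_IP>).
NSSWITCH = """\
passwd: files ldap
group: files ldap
shadow: files ldap
"""

PAM_LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
ssl start_tls
ssl on
# This is only needed if you're using a self-signed certificate.
tls_checkpeer no
"""

PAM_LOGIN = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok try_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
password sufficient pam_ldap.so
password required pam_permit.so
"""


def _tokens(text):
    """Yield the whitespace-split tokens of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def audit_nsswitch(text):
    """passwd, group and shadow should consult 'files' before 'ldap', so that
    local accounts (root above all) still resolve when the server is down."""
    findings = []
    sources = {t[0].rstrip(":"): t[1:] for t in _tokens(text)}
    for db in ("passwd", "group", "shadow"):
        srcs = sources.get(db, [])
        if "ldap" not in srcs:
            findings.append(f"nsswitch: {db} does not consult ldap")
        elif "files" not in srcs or srcs.index("files") > srcs.index("ldap"):
            findings.append(f"nsswitch: {db} consults ldap before local files")
    return findings


def audit_ldap_conf(text):
    """Flag TLS settings that disable verification or contradict each other."""
    findings = []
    conf = {}
    for t in _tokens(text):
        conf.setdefault(t[0], []).append(" ".join(t[1:]))
    if conf.get("tls_checkpeer", ["yes"])[-1].lower() == "no":
        findings.append("ldap.conf: tls_checkpeer no leaves the server certificate unverified")
    ssl = conf.get("ssl", [])
    if len(set(ssl)) > 1:
        findings.append(f"ldap.conf: conflicting ssl directives {ssl}")
    if "start_tls" in ssl and conf.get("port", ["389"])[-1] == "636":
        findings.append("ldap.conf: start_tls is negotiated on the plain LDAP port, not on ldaps port 636")
    return findings


def audit_pam_stack(text):
    """Check control flags and ordering of one pam.d service file."""
    findings = []
    rules = [t for t in _tokens(text) if len(t) >= 3]
    for i, (kind, control, module, *args) in enumerate(rules):
        if "nullok" in args:
            findings.append(f"pam {kind}: {module} nullok accepts empty passwords")
        if module == "pam_permit.so" and control in ("required", "sufficient"):
            findings.append(f"pam {kind}: pam_permit.so makes the stack succeed unconditionally")
        if module == "pam_ldap.so" and control == "sufficient":
            # A later required/requisite pam_unix.so keeps local logins working when LDAP is down.
            fallback = [r for r in rules[i + 1:]
                        if r[0] == kind and r[2] == "pam_unix.so"
                        and r[1] in ("required", "requisite")]
            if not fallback:
                findings.append(f"pam {kind}: no required pam_unix.so fallback after pam_ldap.so")
    return findings


def run_audit():
    """Run all three audits over the constructed samples."""
    return audit_nsswitch(NSSWITCH) + audit_ldap_conf(PAM_LDAP_CONF) + audit_pam_stack(PAM_LOGIN)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Point the three functions at the real files under {{ic|/etc}} to check a live client; an empty list means none of the audited weaknesses were found.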
<br />
== Resources ==<br />
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]<br />
<br />
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]<br />
<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=239181OpenLDAP Authentication2012-12-06T05:59:06Z<p>Alexk: /* Resources */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Archlinux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or reached over the network (i.e. in a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be a telephone directory. Put another way, an LDAP server is a database (which it basically is, though not a relational one) that is optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether you run a local or a network OpenLDAP install.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism Linux (and most *nixes) uses to extend its authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
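ldapadd sends the records in file order, and slapd rejects a record whose parent entry does not exist yet, so a mis-typed or mis-ordered DN in base.ldif only shows up as "no such object" after a round trip to the server. The following is an added example (not code from the wiki page or from OpenLDAP) that parses an LDIF file offline and checks that every record has an objectClass and a parent defined earlier in the file; the embedded LDIF is a constructed copy of the base.ldif above.<br />

```python
"""Check a base LDIF file before feeding it to ldapadd.

Added example for this page (not the wiki's or OpenLDAP's own code).
ldapadd sends entries in file order, and slapd refuses an entry whose
parent does not exist yet, so a DN typo or a mis-ordered record shows up
as "no such object" only after a round trip to the server. This parser
catches both offline. BASE_LDIF is a constructed copy of the page's file.
"""

BASE_LDIF = """\
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
"""


def parse_ldif(text):
    """Return [(dn, {attribute: [values]})] in file order.

    Handles '#' comments, blank-line record separators and LDIF line
    folding (a continuation line starts with one space). A base64 value
    ('attr:: ...') is kept undecoded; the tree check only needs DNs.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join folded continuation line
        else:
            unfolded.append(raw)

    entries = []
    current = None
    for line in unfolded + [""]:             # sentinel closes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        if value.startswith(":"):            # 'attr:: base64' form
            value = value[1:]
        value = value.strip()
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def parent_dn(dn):
    """Drop the leftmost RDN: 'ou=People,dc=example,dc=org' -> 'dc=example,dc=org'.

    Escaped commas inside RDN values are not handled; the page's DNs have none.
    """
    return dn.partition(",")[2].strip()


def check_tree(entries):
    """Return a list of problems; an empty list means ldapadd can load the file.

    The first record is taken as the suffix. Every later record must be the
    child of a DN that appeared earlier, and every record needs an objectClass.
    """
    problems = []
    seen = set()
    for index, (dn, attrs) in enumerate(entries):
        if not any(name.lower() == "objectclass" for name in attrs):
            problems.append(f"{dn}: no objectClass")
        if index > 0 and parent_dn(dn) not in seen:
            problems.append(f"{dn}: parent {parent_dn(dn)!r} not defined before it")
        seen.add(dn)
    return problems


if __name__ == "__main__":
    for problem in check_tree(parse_ldif(BASE_LDIF)) or ["base.ldif looks consistent"]:
        print(problem)
```

Run it against the file you are about to pass to ldapadd; a clean result means the records are ordered parent-first and each one carries an objectClass, which is what the server will insist on.<br />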
<br />
<br />
== Client Setup ==<br />
<br />
[[pacman|Install]] {{Pkg|openldap}} from the [[official repositories]]. This is needed regardless of whether you run openldap on your machine or over the network.<br />
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[Arch User Repository]].<br />
Alternatively, there are the {{pkg|nss_ldap}} and {{pkg|pam_ldap}} packages in the [[Official Repositories|official repositories]].<br />
<br />
<br />
=== OpenLDAP ===<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side ldap utilities read some general variables from this file.<br />
{{Warning| If you created a self-signed certificate above you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS_LDAP ===<br />
NSS is a system facility which manages different sources as configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}}-type source for the {{ic|passwd}} database, which by default stores the user accounts. nss_ldap is a plugin which allows NSS to see an OpenLDAP server as a source for these databases.<br />
<br />
The {{ic|/etc/nss_ldap.conf}} file configures the ldap backend for NSS. Edit the file and change the values according to your setup:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on <br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Next, edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
==== Name Service Cache Daemon ====<br />
NSCD is a daemon that NSS runs that is responsible for caching lookups and queries for network backends.<br />
<br />
{{Important| It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries}}<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
==== NSLCD ====<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
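The {{ic|nss_ldap.conf}} and {{ic|pam_ldap.conf}} files above, and the {{ic|TLS_REQCERT allow}} line suggested for {{ic|ldap.conf}}, carry the settings that decide whether the client actually verifies the server it sends bind passwords to: {{ic|tls_checkpeer no}} and {{ic|TLS_REQCERT allow}} both accept any certificate, and {{ic|ssl start_tls}} together with {{ic|ssl on}} and {{ic|port 636}} mixes two TLS modes that are alternatives. The following is an added example (not code from the wiki page, PADL or OpenLDAP) that parses these key-value files and reports such settings, with the page's configuration beside a hardened one; the sample files are constructed, with a documentation address in place of {{ic|<SERVER_IP>}} and the page's self-signed {{ic|slapdcert.pem}} assumed as the trust anchor.<br />

```python
"""Audit the TLS settings of a PADL-style nss_ldap.conf / pam_ldap.conf and of
OpenLDAP's client ldap.conf.

Added example for this page (not the wiki's, PADL's or OpenLDAP's own code).
It checks documented directive semantics:
  - 'ssl on' speaks LDAPS on port 636; 'ssl start_tls' upgrades a plain LDAP
    connection on port 389 with STARTTLS. They are alternatives, not a pair.
  - 'tls_checkpeer no' (pam_ldap/nss_ldap) and 'TLS_REQCERT allow' or
    'never' (ldap.conf) make the client accept any server certificate, so
    the encrypted channel no longer proves which server answered.
Both sample configs are constructed; the first mirrors the page's file with
a documentation address (192.0.2.10) in place of <SERVER_IP>.
"""

PAGE_PAM_LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
pam_login_attribute uid
pam_template_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_shadow ou=People,dc=example,dc=org?one
nss_base_group ou=Group,dc=example,dc=org?one
ssl start_tls
ssl on
# This is only needed if you're using a self-signed certificate.
tls_checkpeer no
"""

# Hardened counterpart: one TLS mode, peer verification on, and the page's
# self-signed slapdcert.pem pinned as the trust anchor (assumed path).
HARDENED_PAM_LDAP_CONF = """\
host ldap.example.org
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
pam_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_group ou=Group,dc=example,dc=org?one
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/ssl/slapdcert.pem
"""


def parse_directives(text):
    """Return [(key, value)] in file order, keys lower-cased, comments dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives


def audit_pam_ldap(text):
    """Return findings for a nss_ldap.conf / pam_ldap.conf; empty means clean."""
    values = {}
    for key, value in parse_directives(text):
        values.setdefault(key, []).append(value.lower())
    findings = []
    ssl_modes = values.get("ssl", [])
    port = values.get("port", ["389"])[-1]
    if len(ssl_modes) > 1:
        findings.append("ssl is set more than once (%s); keep a single mode" % ", ".join(ssl_modes))
    if "start_tls" in ssl_modes and port == "636":
        findings.append("ssl start_tls expects the plain LDAP port (389); 636 is the ldaps port that goes with 'ssl on'")
    if not ssl_modes:
        findings.append("no ssl directive: bind passwords cross the network in cleartext")
    if values.get("tls_checkpeer", [""])[-1] == "no":
        findings.append("tls_checkpeer no disables server certificate verification; set it to yes "
                        "and point tls_cacertfile at the CA or self-signed certificate")
    return findings


def audit_ldap_conf(text):
    """Return findings for /etc/openldap/ldap.conf (the OpenLDAP client library)."""
    findings = []
    for key, value in parse_directives(text):
        if key == "tls_reqcert" and value.lower() in ("never", "allow"):
            findings.append("TLS_REQCERT %s accepts a missing or bad server certificate; keep the "
                            "default 'demand' and set TLS_CACERT to the CA or self-signed certificate" % value)
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_PAM_LDAP_CONF), ("hardened", HARDENED_PAM_LDAP_CONF)):
        print(name, audit_pam_ldap(text) or ["clean"])
```

The hardened file keeps the self-signed certificate working without giving up verification: instead of telling the client to ignore certificate errors, it hands the client the server's own certificate as the trust anchor, so a different certificate presented by someone in the path is still rejected. The same applies to {{ic|ldap.conf}}: {{ic|TLS_CACERT}} pointing at the certificate with the default {{ic|TLS_REQCERT demand}} replaces {{ic|TLS_REQCERT allow}}.<br />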
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
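The stacks above depend on the order of their control flags as much as on the modules themselves. What follows is an added example (not code from the wiki page or from Linux-PAM) that replays the page's {{ic|sshd}} and {{ic|login}} auth stacks under the control-flag rules of pam.conf(5) and reports which modules were actually consulted; the per-module results are a constructed input, since no real PAM module runs here.<br />

```python
"""Simulate how Linux-PAM walks an auth stack, to show why module order matters.

Added example for this page (not the wiki's or Linux-PAM's own code). It
models the four simple control flags from pam.conf(5):
  requisite  - failure ends the stack immediately with failure
  required   - failure is remembered, but the remaining modules still run
  sufficient - success ends the stack immediately with success, unless a
               required module failed earlier; failure is ignored
  optional   - only counted when nothing else has decided the outcome
Bracketed "[success=... default=...]" actions are not modelled.
"""

# Constructed copies of the two auth stacks shown on the page.
SSHD_PAM = """\
auth sufficient pam_ldap.so
auth required pam_securetty.so #Disable remote root
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
auth required pam_env.so
account sufficient pam_ldap.so
account required pam_unix.so
"""

LOGIN_PAM = """\
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
"""


def parse_pam_stack(text, facility):
    """Return [(control, module, args)] for one facility (auth, account, ...)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        stack.append((fields[1].lower(), fields[2], fields[3:]))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack; outcomes maps module name -> True (success) / False.

    Returns (final_result, modules_actually_consulted).
    """
    impression = None   # None: undecided, True: would succeed, False: a required module failed
    consulted = []
    for control, module, _args in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control == "requisite":
            if not ok:
                return False, consulted
            if impression is None:
                impression = True
        elif control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True, consulted
        elif control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError("unsupported control flag: " + control)
    return impression is True, consulted


# Constructed scenario: an LDAP user with a correct password while
# /etc/nologin exists (pam_nologin fails) and the user has no local password.
LDAP_USER_NOLOGIN = {"pam_ldap.so": True, "pam_securetty.so": True, "pam_unix.so": False,
                     "pam_nologin.so": False, "pam_env.so": True}

if __name__ == "__main__":
    for name, text in (("sshd", SSHD_PAM), ("login", LOGIN_PAM)):
        result, consulted = run_stack(parse_pam_stack(text, "auth"), LDAP_USER_NOLOGIN)
        print(name, "->", "success" if result else "failure", "after", consulted)
```

In the page's {{ic|sshd}} stack a successful {{ic|pam_ldap}} bind is {{ic|sufficient}} and listed first, so for an LDAP user the stack returns success before {{ic|pam_securetty}}, {{ic|pam_unix}} or {{ic|pam_nologin}} run; the {{ic|login}} stack gives the opposite answer for the same inputs because {{ic|pam_securetty}} and {{ic|pam_nologin}} are {{ic|requisite}} and come first. Any check placed after a {{ic|sufficient}} line is only guaranteed to run for users that line does not accept.<br />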
<br />
== Resources ==<br />
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd package]<br />
<br />
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]<br />
<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238637OpenLDAP Authentication2012-12-05T22:33:00Z<p>Alexk: /* Client Setup */ changed to nss-pam-ldapd</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Archlinux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or reached over the network (i.e. in a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be a telephone directory. Put another way, an LDAP server is a database (which it basically is, though not a relational one) that is optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether you run a local or a network OpenLDAP install.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism Linux (and most *nixes) uses to extend its authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
[[pacman|Install]] {{Pkg|openldap}} from the [[official repositories]]. This is needed regardless of whether you run openldap on your machine or over the network.<br />
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[Arch User Repository]].<br />
Alternatively, there are the {{pkg|nss_ldap}} and {{pkg|pam_ldap}} packages in the [[Official Repositories|official repositories]].<br />
<br />
<br />
=== OpenLDAP ===<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side ldap utilities read some general variables from this file.<br />
{{Warning| If you created a self-signed certificate above you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS_LDAP ===<br />
NSS is a system facility which manages different sources as configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}}-type source for the {{ic|passwd}} database, which by default stores the user accounts. nss_ldap is a plugin which allows NSS to see an OpenLDAP server as a source for these databases.<br />
<br />
The {{ic|/etc/nss_ldap.conf}} file configures the ldap backend for NSS. Edit the file and change the values according to your setup:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on <br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Next, edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
==== Name Service Cache Daemon ====<br />
NSCD is a daemon that NSS runs that is responsible for caching lookups and queries for network backends.<br />
<br />
{{Important| It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries}}<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
==== NSLCD ====<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
== Resources ==<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=238602OpenLDAP2012-12-05T16:32:24Z<p>Alexk: added tools and resources heading</p>
<hr />
<div>[[Category:Networking]]<br />
OpenLDAP, LDAP & Directory services are an enormous topic. Configuration is therefore complex. This page is a starting point for a basic openldap install on Archlinux and a sanity check. <br />
<br />
<br />
==== References ====<br />
<br />
http://www.openldap.org/doc/admin24/<br />
<br />
==== For the newbies ====<br />
<br />
If you are totally new to these concepts, here is a good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html<br />
<br />
<br />
=== Install OpenLDAP ===<br />
<br />
This part is easy:<br />
pacman -S openldap <br />
<br />
The openldap package basically contains two things: The LDAP server (slapd) and the LDAP client. You will probably want to run the server on your computer. After you design the directory, the server will be able to provide authentication services for LDAP clients. It is quite likely that you will run services requiring the LDAP authentication on that very computer, in which case the LDAP client will query the LDAP server from the same package.<br />
<br />
==== Configure OpenLDAP ====<br />
<br />
===== The server (slapd) =====<br />
<br />
First prepare the database directory. You will need to copy the default config file and set the proper ownership.<br />
<br />
WARNING!!! - The following snippet wipes out any existing ldap database.<br />
<br />
rm -rf /var/lib/openldap/openldap-data/*<br />
cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
Next we prepare slapd.conf<br />
====== /etc/openldap/slapd.conf ======<br />
Add some typically used schemas...<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
}}<br />
Edit the suffix. Typically this is your domain name but it does not have to be; it depends on how you use your directory. We will use 'example' for the domain name and 'com' for the TLD. Also set your LDAP administrator's name (we'll use 'root' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one (both commands below act on {{ic|/etc/openldap/slapd.conf}}):<br />
#find the line with rootpw and delete it<br />
sed -i "/rootpw/ d" /etc/openldap/slapd.conf<br />
#add a line which includes the hashed password output from slappasswd<br />
echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf<br />
<br />
ldap won't find things unless you index them. Read the [http://www.zytrax.com/books/ldap/ch6/#index ldap documentation] for details; you can use the following to start with (add them to your {{ic|slapd.conf}}):<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
'''Note: '''<br />
<br />
Don't forget to run {{ic|slapindex}} after you populate your directory (slapd needs to be stopped to do this). Then change the ownership of all the generated files:<br />
chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
If you want to use SSL, you have to specify a path to your certificates here. See [[OpenLDAP Authentication]]<br />
<br />
Finally you can start the slapd daemon.<br />
#systemctl start slapd<br />
<br />
If {{ic|/run/openldap}} does not exist, starting the daemon will fail. Just create the directory:<br />
<br />
#mkdir /run/openldap<br />
<br />
====== /etc/conf.d/slapd ======<br />
This file is important: here you define on which port the server should listen, and if you want to use SSL you will want to use the ldaps:// URI instead of the default ldap://.<br />
You can also specify additional slapd options here.<br />
<br />
<br />
===== The client =====<br />
The client is usually not much trouble, but keep in mind that the apps requiring LDAP auth use it, so if something goes wrong with LDAP, do not waste your time with the app; start debugging the client instead.<br />
<br />
The client config file is located at /etc/openldap/ldap.conf<br />
It is actually very simple. <br />
<br />
If you decide to use SSL:<br />
* The protocol (ldap or ldaps) in the URI entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, you have to add them to TLS_CACERT<br />
<br />
==== Test your new OpenLDAP installation ====<br />
<br />
This is easy, just run the command below:<br />
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts<br />
<br />
you should see some information on your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
<br />
If you access the OpenLDAP server over the network, and especially if you have sensitive data stored on the server, you run the risk of someone sniffing your data, which is sent in cleartext. The next part will guide you on how to set up an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice.<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
{{bc|openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365}}<br />
<br />
You will be prompted for information about your ldap server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your ldap server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created, copy them to {{ic|/etc/openldap/ssl/}} (if this directory doesn't exist, create it) and secure them. '''IMPORTANT:''' slapdcert.pem must be world readable because it contains the public key. slapdkey.pem on the other hand should only be readable by the ldap user for security reasons (the ownership and mode changes are applied to the copies in {{ic|/etc/openldap/ssl/}}, not to the originals in the working directory):<br />
<br />
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
chown ldap /etc/openldap/ssl/slapdkey.pem<br />
chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:+SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Info|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
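The slapd.conf edits in this article are spread over several steps (schemas, suffix and rootdn, a hashed rootpw, indexes, and now the TLS directives), and the two that matter most for security are easy to get wrong silently: slapd accepts a cleartext {{ic|rootpw}} without complaint, and the {{ic|+}} in {{ic|HIGH:MEDIUM:+SSLv2}} only moves SSLv2 ciphers to the end of the list rather than removing them. The following is an added example (not code from the wiki page or from OpenLDAP) that parses slapd.conf and reports these conditions, with the article's directives beside a corrected variant; both sample files are constructed and the {{ic|{SSHA}}} value is a placeholder, not a real hash.<br />

```python
"""Lint a slapd.conf for the mistakes the setup steps make easy to miss.

Added example for this page (not the wiki's or OpenLDAP's own code). It
parses slapd.conf keyword/value lines (quotes and continuation lines
included) and checks:
  - rootpw is a slappasswd hash ({SSHA}...) and not the password itself;
  - TLSCertificateFile and TLSCertificateKeyFile are set together;
  - TLSCipherSuite excludes SSLv2 ciphers ('+' in an OpenSSL cipher list
    only reorders; '!' removes; SSLv2 is prohibited by RFC 6176);
  - suffix and rootdn are present and at least one index is defined.
Both sample files are constructed from the directives shown on the page;
the {SSHA} value below is a placeholder, not a real hash.
"""
import re
import shlex

WEAK_SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema

# Certificate/SSL Section
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem

database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw secret
directory /var/lib/openldap/openldap-data
index uid pres,eq
index cn pres,sub,eq
"""

# Corrected variant: hashed rootpw (placeholder value) and no SSLv2 ciphers.
HARDENED_SLAPD_CONF = WEAK_SLAPD_CONF.replace(
    "rootpw secret", "rootpw {SSHA}PLACEHOLDERnotArealHashValue0000000000=").replace(
    "TLSCipherSuite HIGH:MEDIUM:+SSLv2", "TLSCipherSuite HIGH:!SSLv2:!aNULL")

HASHED_PW = re.compile(r"^\{[A-Za-z0-9-]+\}\S+$")


def parse_slapd_conf(text):
    """Return [(keyword_lower, [args])]; a line starting with whitespace continues the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives = []
    for line in logical:
        parts = shlex.split(line)            # strips the quotes around "dc=example,dc=com"
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit_slapd_conf(text):
    """Return findings for a slapd.conf; an empty list means the checks passed."""
    by_key = {}
    for key, args in parse_slapd_conf(text):
        by_key.setdefault(key, []).append(args)
    findings = []
    for args in by_key.get("rootpw", []):
        if not args or not HASHED_PW.match(args[0]):
            findings.append("rootpw is stored in cleartext; use the {SSHA} hash printed by slappasswd")
    for args in by_key.get("tlsciphersuite", []):
        tokens = (args[0] if args else "").split(":")
        if any(t in ("SSLv2", "+SSLv2") for t in tokens) and "!SSLv2" not in tokens:
            findings.append("TLSCipherSuite does not exclude SSLv2 ciphers ('+' only reorders); add !SSLv2")
    if ("tlscertificatefile" in by_key) != ("tlscertificatekeyfile" in by_key):
        findings.append("TLSCertificateFile and TLSCertificateKeyFile must be set together")
    for required in ("suffix", "rootdn"):
        if required not in by_key:
            findings.append("%s is not set" % required)
    if "index" not in by_key:
        findings.append("no index directives; searches on uid/cn will be unindexed scans")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SLAPD_CONF), ("hardened", HARDENED_SLAPD_CONF)):
        print(name, audit_slapd_conf(text) or ["clean"])
```

Run it after each round of edits and before restarting slapd; the rootpw check in particular catches the case where the {{ic|echo "rootpw $(slappasswd)"}} step was replaced by typing the password in directly.<br />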
<br />
==== Start slapd with SSL ====<br />
In order to tell OpenLDAP to start using encryption, edit /etc/conf.d/slapd, uncomment the SLAPD_SERVICES line and set it to the following:<br />
{{bc|SLAPD_SERVICES="ldaps:///"}}<br />
Localhost connections don't need to use SSL so you can use this instead:<br />
{{bc|SLAPD_SERVICES="ldap://127.0.0.1 ldaps:///"}}<br />
<br />
<br />
'''IMPORTANT:''' If you created a self-signed certificate above be sure to add the following line to /etc/openldap/ldap.conf or you won't be able to connect to the server to test it:<br />
<br />
TLS_REQCERT allow<br />
<br />
Finally restart the server.<br />
<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic ldap installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to ldap, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc).<br />
<br />
A directory design for system authentication is described in the [[LDAP Authentication]] article.<br />
<br />
== Troubleshooting ==<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== Resources ==<br />
=== Tools ===<br />
[http://phpldapadmin.sourceforge.net/ phpLDAPadmin] is a web interface tool in the style of phpmyadmin.<br />
<br />
{{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. It works perfectly for OpenLDAP installations.</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238601OpenLDAP Authentication2012-12-05T16:26:28Z<p>Alexk: /* Resources */ moved tools to OpenLDAP</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Archlinux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or reached over the network (i.e. in a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be a telephone directory. Put another way, an LDAP server is a database (which it basically is, though not a relational one) that is optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether you run a local or a network OpenLDAP install.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism Linux (and most *nixes) uses to extend its authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for LDAP authentication, check that the LDAP server is reachable. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side ldap utilities read some general variables from this file.<br />
{{Warning| If you created a self-signed certificate above, you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}}<br />
Note that this makes the client accept the server certificate without verifying it; pointing {{ic|TLS_CACERT}} at the file containing your certificate is the safer alternative.}}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
NSS is a system facility which manages different sources for configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}}-type source for the {{ic|passwd}} database, which by default stores the user accounts. nss_ldap is a plugin which allows NSS to use an OpenLDAP server as a source for these databases.<br />
<br />
The {{ic|/etc/nss_ldap.conf}} file configures the ldap backend for NSS. Edit the file and change the values according to your setup:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
# rootbinddn must be an entry that exists in your tree (base.ldif above creates cn=Manager,dc=example,dc=org).<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# "ssl start_tls" (STARTTLS on the plain port 389) and "ssl on" (LDAPS on port 636) are alternatives; the last ssl line wins, so with port 636 the effective setting is "ssl on".<br />
ssl start_tls<br />
ssl on<br />
# This is only needed if you're using a self-signed certificate; it disables verification of the server certificate.<br />
tls_checkpeer no<br />
<br />
Next, edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
# rootbinddn must be an entry that exists in your tree (base.ldif above creates cn=Manager,dc=example,dc=org).<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# "ssl start_tls" (STARTTLS on the plain port 389) and "ssl on" (LDAPS on port 636) are alternatives; the last ssl line wins, so with port 636 the effective setting is "ssl on".<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate; it disables verification of the server certificate.<br />
tls_checkpeer no<br />
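The two configuration files above are identical, and a few of their settings decide whether the connection to the server is actually protected. The following added Python check (example code, not from the wiki article or from the nss_ldap/pam_ldap projects) parses a constructed copy of that configuration with the same last-value-wins rule nss_ldap applies to repeated keywords, reads the DNs from the base.ldif above, and reports the points a practitioner should review before deploying; the server address 192.0.2.10 is a placeholder.<br />

```python
"""Sanity checks for the nss_ldap.conf / pam_ldap.conf and base.ldif shown on
this page. Added example; not part of the wiki article or of nss_ldap."""

# Constructed copy of the page's nss_ldap.conf (pam_ldap.conf is identical);
# 192.0.2.10 is a placeholder address.
NSS_LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
pam_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_shadow ou=People,dc=example,dc=org?one
nss_base_group ou=Group,dc=example,dc=org?one
ssl start_tls
ssl on
# This is only needed if you're using a self-signed certificate.
tls_checkpeer no
"""

# Constructed copy of the page's base.ldif, reduced to the lines that matter
# here (only the DNs are compared against the configuration).
BASE_LDIF = """\
# example.org
dn: dc=example,dc=org
objectClass: dcObject

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
objectClass: organizationalRole

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
objectClass: organizationalUnit
"""


def parse_conf(text):
    """Parse 'keyword value' lines. As in nss_ldap's parser, a repeated
    keyword overwrites the earlier value, so the last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        conf[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ""
    return conf


def normalise_dn(dn):
    """Lower-case a DN and drop spaces around commas so DNs compare by value."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ldif_dns(text):
    """Collect the DNs of all entries in an LDIF file."""
    return {normalise_dn(line[3:]) for line in text.splitlines()
            if line.lower().startswith("dn:")}


def check(conf, dns):
    """Return human-readable findings about the effective settings."""
    findings = []
    ssl = conf.get("ssl", "no")
    port = conf.get("port", "636" if ssl == "on" else "389")
    if ssl == "on" and port != "636":
        findings.append(f"ssl on (LDAPS) is normally served on port 636, not {port}")
    if ssl == "start_tls" and port == "636":
        findings.append("ssl start_tls expects the plain LDAP port (389), not 636")
    if ssl == "no":
        findings.append("no TLS: binds and the rootbinddn password cross the "
                        "network in clear text")
    if conf.get("tls_checkpeer", "yes") == "no":
        findings.append("tls_checkpeer no: the server certificate is not "
                        "verified, so TLS does not authenticate the server")
    rootbinddn = conf.get("rootbinddn")
    if rootbinddn and normalise_dn(rootbinddn) not in dns:
        findings.append(f"rootbinddn {rootbinddn} is not an entry in base.ldif")
    return findings


if __name__ == "__main__":
    for finding in check(parse_conf(NSS_LDAP_CONF), ldif_dns(BASE_LDIF)):
        print("-", finding)
```

Run against the page's values, the effective ssl setting is "on" (the start_tls line is overridden), and the two findings are the unverified certificate and the rootbinddn that base.ldif never creates.<br />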
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
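The order and control flags in those stacks decide which checks a login actually passes through. The following added Python model (example code, not from the wiki article or from Linux-PAM) evaluates an auth stack with the standard required/requisite/sufficient/optional rules and reports which modules were consulted; run on constructed copies of the login and sshd stacks above, it shows that in the sshd stack a successful pam_ldap bind ends evaluation before pam_securetty and pam_nologin are reached, because the sufficient line comes first there.<br />

```python
"""Model of how Linux-PAM composes the control flags used in the pam.d files
on this page. Added example; not from the wiki article or from Linux-PAM.
Module results are simplified to success/failure, and a stack consisting only
of 'optional' modules is not modelled."""

# Constructed copies of the auth stacks from the page's /etc/pam.d/login and
# /etc/pam.d/sshd.
LOGIN_AUTH = """\
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
"""

SSHD_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_securetty.so #Disable remote root
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
auth required pam_env.so
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility; '#' starts a comment."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack, results):
    """Walk the stack with per-module results (module -> bool). A module
    absent from results counts as failing, the way an unloadable module does.

    Returns (outcome, consulted): 'success' or 'fail', plus the modules that
    were actually invoked, in order."""
    consulted = []
    required_failed = False
    required_passed = False
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "requisite":
            if not ok:
                return "fail", consulted        # stop the stack at once
            required_passed = True
        elif control == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True          # remembered, but keep going
        elif control == "sufficient":
            if ok and not required_failed:
                return "success", consulted     # short-circuits the rest
            # a failed sufficient module is simply ignored
        # 'optional' never decides the outcome when other modules exist
    if required_failed or not required_passed:
        return "fail", consulted
    return "success", consulted


if __name__ == "__main__":
    everything_ok = {m: True for _, m in parse_stack(SSHD_AUTH)}
    print(run_stack(parse_stack(SSHD_AUTH), everything_ok))
```

Placing pam_ldap as sufficient above pam_env also means pam_env's auth-phase work is skipped for users whom LDAP authenticates, which is worth keeping in mind when ordering the stack.<br />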
<br />
=== Name Service Cache Daemon (Optional) ===<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
== Resources ==<br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=Talk:OpenLDAP_Authentication&diff=238596Talk:OpenLDAP Authentication2012-12-05T16:01:22Z<p>Alexk: /* Overhaul */ new section</p>
<hr />
<div>==Error==<br />
Following this guide and the other one out of the box, I get the following error when trying to import (ldapadd) or search (ldapsearch):<br />
<br />
slapd[20458]: fd=12 DENIED from unknown (127.0.0.1)<br />
<br />
And yes I do have slapd in the hosts.allow<br />
<br />
:Add to /etc/hosts.allow:<br />
::''slapd: 127.0.0.1''<br />
:[[User:Peleki|Peleki]] 11:14, 21 August 2010 (EDT)<br />
<br />
==Suggestions==<br />
If you want hdb as backend, you have to adjust the PKGBUILD to --enable-hdb and rebuild the package<br />
<br />
To disable the IPv6 error, add -4 to the slapd init script at line 14 (/usr/sbin/slapd '''-4''' $SLAPD_OPTIONS)<br />
<br />
To disable the " openldap configure monitor database to enable" add "database monitor" in /etc/openldap/slapd.conf '''BEFORE''' any database backend type (hdb or bdb)<br />
<br />
--[[User:Mvinnicius|mvinnicius]] 19:55, 14 February 2011 (EST)<br />
<br />
: For the record, it's probably better to add -4 to the SLAPD_OPTIONS variable in /etc/conf.d/slapd than to modify the rc-script. --[[User:DJPohly|DJPohly]] 21:09, 14 February 2011 (EST)<br />
<br />
==Merge request==<br />
See [[Talk:LDAP_Authentication#Merge?]]. -- [[User:Kynikos|Kynikos]] 09:31, 7 January 2012 (EST)<br />
<br />
== Overhaul ==<br />
<br />
I started editing the page with the goal of merging it with the [[LDAP Authentication]] one and also with the main OpenLDAP article. I rewrote the introduction and added some explanations for the client side like NSS and PAM. I'm going to remove the pam_ldap and nss_ldap bit and use nss_pam_ldapd from AUR which is the most up-to-date (and robust) version. If anyone has any objections feel free to say so.</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238480OpenLDAP Authentication2012-12-05T02:03:43Z<p>Alexk: /* NSS_LDAP */ - added some explanations</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (for example, in a lab environment where central authentication is desired).<br />
The guide is divided into two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the most famous one being Samba, which uses it to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be a telephone directory. Another general explanation is that an LDAP server is a database (which it basically is, although not a relational one) optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch ships both in the {{pkg|openldap}} package, so you need to install it regardless of whether your OpenLDAP install is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism that Linux (and most *nixes) use to extend their authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for LDAP authentication, check that the LDAP server is reachable. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side ldap utilities read some general variables from this file.<br />
{{Warning| If you created a self-signed certificate above, you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}}<br />
Note that this makes the client accept the server certificate without verifying it; pointing {{ic|TLS_CACERT}} at the file containing your certificate is the safer alternative.}}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
NSS is a system facility which manages different sources for configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}}-type source for the {{ic|passwd}} database, which by default stores the user accounts. nss_ldap is a plugin which allows NSS to use an OpenLDAP server as a source for these databases.<br />
<br />
The {{ic|/etc/nss_ldap.conf}} file configures the ldap backend for NSS. Edit the file and change the values according to your setup:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
# rootbinddn must be an entry that exists in your tree (base.ldif above creates cn=Manager,dc=example,dc=org).<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# "ssl start_tls" (STARTTLS on the plain port 389) and "ssl on" (LDAPS on port 636) are alternatives; the last ssl line wins, so with port 636 the effective setting is "ssl on".<br />
ssl start_tls<br />
ssl on<br />
# This is only needed if you're using a self-signed certificate; it disables verification of the server certificate.<br />
tls_checkpeer no<br />
<br />
Next, edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
# rootbinddn must be an entry that exists in your tree (base.ldif above creates cn=Manager,dc=example,dc=org).<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# "ssl start_tls" (STARTTLS on the plain port 389) and "ssl on" (LDAPS on port 636) are alternatives; the last ssl line wins, so with port 636 the effective setting is "ssl on".<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate; it disables verification of the server certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
=== Name Service Cache Daemon (Optional) ===<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
== Resources ==<br />
=== Tools ===<br />
[http://phpldapadmin.sourceforge.net/ phpLDAPadmin] is a web interface tool in the style of phpmyadmin.<br />
<br />
{{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. It works perfectly for OpenLDAP installations.<br />
<br />
=== Links === <br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238479OpenLDAP Authentication2012-12-05T01:37:11Z<p>Alexk: /* Name Service Cache Daemon */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (for example, in a lab environment where central authentication is desired).<br />
The guide is divided into two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the most famous one being Samba, which uses it to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be a telephone directory. Another general explanation is that an LDAP server is a database (which it basically is, although not a relational one) optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch ships both in the {{pkg|openldap}} package, so you need to install it regardless of whether your OpenLDAP install is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism that Linux (and most *nixes) use to extend their authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for LDAP authentication, check that the LDAP server is reachable. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side ldap utilities read some general variables from this file.<br />
{{Warning| If you created a self-signed certificate above, you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}}<br />
Note that this makes the client accept the server certificate without verifying it; pointing {{ic|TLS_CACERT}} at the file containing your certificate is the safer alternative.}}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
# rootbinddn must be an entry that exists in your tree (base.ldif above creates cn=Manager,dc=example,dc=org).<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# "ssl start_tls" (STARTTLS on the plain port 389) and "ssl on" (LDAPS on port 636) are alternatives; the last ssl line wins, so with port 636 the effective setting is "ssl on".<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate; it disables verification of the server certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
# rootbinddn must be an entry that exists in your tree (base.ldif above creates cn=Manager,dc=example,dc=org).<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# "ssl start_tls" (STARTTLS on the plain port 389) and "ssl on" (LDAPS on port 636) are alternatives; the last ssl line wins, so with port 636 the effective setting is "ssl on".<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate; it disables verification of the server certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
=== Name Service Cache Daemon (Optional) ===<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
{{bc|systemctl start nscd}}<br />
<br />
== Resources ==<br />
=== Tools ===<br />
[http://phpldapadmin.sourceforge.net/ phpLDAPadmin] is a web interface tool in the style of phpmyadmin.<br />
<br />
{{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. It works perfectly for OpenLDAP installations.<br />
<br />
=== Links === <br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238477OpenLDAP Authentication2012-12-05T01:36:18Z<p>Alexk: /* Resources */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (for example, in a lab environment where central authentication is desired).<br />
The guide is divided into two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the most famous one being Samba, which uses it to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be a telephone directory. Another general explanation is that an LDAP server is a database (which it basically is, although not a relational one) optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch ships both in the {{pkg|openldap}} package, so you need to install it regardless of whether your OpenLDAP install is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism that Linux (and most *nixes) use to extend their authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for LDAP authentication, check that the LDAP server is reachable. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side ldap utilities read some general variables from this file.<br />
{{Warning| If you created a self-signed certificate above you need to also add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
=== Name Service Cache Daemon ===<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
<br />
/etc/rc.d/nscd start<br />
<br />
== Resources ==<br />
=== Tools ===<br />
[http://phpldapadmin.sourceforge.net/ phpLDAPadmin] is a web interface tool in the style of phpmyadmin.<br />
<br />
{{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfectly for OpenLDAP installations.<br />
<br />
=== Links === <br />
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238476OpenLDAP Authentication2012-12-05T01:34:49Z<p>Alexk: /* Resources */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (for example, in a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be the telephone directory. Another generalised explanation of what an LDAP server does is that it is a database (which it basically is, though not a relational one) optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether the OpenLDAP install is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|files}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism that Linux (and most *nixes) use to extend their authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
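Added example, not part of the wiki page: an offline check of the LDIF above before running ldapadd. It verifies that every record carries an objectClass, sits under the suffix, and appears after its parent, because slapd adds records in file order and answers "No such object" for a child whose parent has not been added yet. The embedded LDIF is a copy of base.ldif; no other names are assumed.<br />

```python
from __future__ import annotations

import base64

# Constructed copy of the base.ldif shown above.
BASE_LDIF = """\
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
"""


def normalize_dn(dn: str) -> str:
    """Drop whitespace around RDN separators so 'ou=X, dc=y' equals 'ou=X,dc=y'."""
    return ",".join(part.strip() for part in dn.split(","))


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF records into attribute -> list-of-values dicts.

    Handles '#' comments, blank-line record separators, base64 values
    ('attr:: ...') and folded continuation lines (leading single space).
    """
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                       # end of record
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]     # folded line continues the value
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_ldif(text: str, suffix: str) -> list[str]:
    """Return problems that would make ldapadd fail; an empty list means the file is consistent.

    slapd adds records in file order and answers 'No such object' for a
    child whose parent has not been added yet, so ordering is checked too.
    """
    suffix = normalize_dn(suffix)
    problems: list[str] = []
    seen: set[str] = set()
    for entry in parse_ldif(text):
        if "dn" not in entry:
            problems.append("record without dn")
            continue
        dn = normalize_dn(entry["dn"][0])
        if "objectClass" not in entry:
            problems.append(f"{dn}: no objectClass")
        if dn != suffix:
            parent = dn.partition(",")[2]         # strip the leftmost RDN
            if not dn.endswith("," + suffix):
                problems.append(f"{dn}: outside suffix {suffix}")
            elif parent not in seen:
                problems.append(f"{dn}: parent {parent} not added before it")
        seen.add(dn)
    return problems
```

Run {{ic|check_ldif(BASE_LDIF, "dc=example,dc=org")}} before the ldapadd step; it returns an empty list for the file above and a message per offending record otherwise.<br />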
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for LDAP authentication, check that the LDAP server is reachable. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side ldap utilities read some general variables from this file.<br />
{{Warning| If you created a self-signed certificate above you need to also add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
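Added example, not part of the wiki page: a small audit of the TLS-related keys in {{ic|/etc/nss_ldap.conf}} (the same keys appear in {{ic|/etc/pam_ldap.conf}} below) and in {{ic|/etc/openldap/ldap.conf}}, run over copies of the settings above. {{ic|tls_checkpeer no}} and {{ic|TLS_REQCERT allow}} switch off server certificate verification, so anything on the path can pose as the directory and see the bind password; the hardened variant keeps verification on and trusts the self-signed certificate explicitly. The address 192.0.2.10 and the path /etc/openldap/certs/ca.crt are placeholders.<br />

```python
from __future__ import annotations

# Constructed copy of the /etc/nss_ldap.conf shown above; 192.0.2.10 is a
# documentation address standing in for <SERVER_IP>.
WEAK_NSS_LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
pam_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
ssl start_tls
ssl on

# This is only needed if you're using a self-signed certificate.
tls_checkpeer no
"""

# Corrected version: a single ssl mode that matches port 636, and the
# self-signed certificate (or its CA) trusted explicitly; the path is a placeholder.
HARDENED_NSS_LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
pam_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/ca.crt
"""

# Constructed /etc/openldap/ldap.conf carrying the TLS_REQCERT line from the warning above.
LDAP_CONF = """\
URI ldaps://192.0.2.10
BASE dc=example,dc=org
TLS_REQCERT allow
"""


def parse_kv(text: str) -> dict[str, list[str]]:
    """Parse 'key value' lines; keys are lower-cased, repeated keys are kept in order."""
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def audit_nss_ldap(text: str) -> list[tuple[str, str]]:
    """Return (code, message) findings for an nss_ldap.conf or pam_ldap.conf."""
    s = parse_kv(text)
    findings: list[tuple[str, str]] = []
    modes = s.get("ssl", [])
    port = s.get("port", ["389"])[-1]
    if not modes or modes[-1] in ("off", "no"):
        findings.append(("PLAINTEXT", "no ssl mode set: bind passwords cross the network in the clear"))
    if "start_tls" in modes and "on" in modes:
        findings.append(("SSL_MODE_CONFLICT",
                         "both 'ssl start_tls' (upgrade on the plain port) and 'ssl on' (ldaps) are set; keep one"))
    elif modes == ["start_tls"] and port == "636":
        findings.append(("PORT_MISMATCH", "start_tls on port 636: that port expects an immediate TLS handshake"))
    if s.get("tls_checkpeer", ["yes"])[-1].lower() == "no":
        findings.append(("NO_PEER_CHECK",
                         "tls_checkpeer no disables server certificate verification; "
                         "set it to yes and point tls_cacertfile at the CA or self-signed cert"))
    return findings


def audit_ldap_conf(text: str) -> list[tuple[str, str]]:
    """Return findings for /etc/openldap/ldap.conf."""
    s = parse_kv(text)
    findings: list[tuple[str, str]] = []
    reqcert = s.get("tls_reqcert", ["demand"])[-1].lower()
    if reqcert in ("never", "allow"):
        findings.append(("REQCERT_WEAK",
                         f"TLS_REQCERT {reqcert} accepts any server certificate; use 'demand' with TLS_CACERT"))
    return findings


if __name__ == "__main__":
    for name, result in (("weak nss_ldap.conf", audit_nss_ldap(WEAK_NSS_LDAP_CONF)),
                         ("hardened nss_ldap.conf", audit_nss_ldap(HARDENED_NSS_LDAP_CONF)),
                         ("ldap.conf", audit_ldap_conf(LDAP_CONF))):
        print(name, result or "ok")
```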
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
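Added example, not part of the wiki page: a small evaluator that replays the auth sections of the {{ic|/etc/pam.d/login}} and {{ic|/etc/pam.d/sshd}} stacks above with Linux-PAM's control-flag rules and made-up module results. It shows that in the login stack a failing requisite {{ic|pam_securetty.so}} ends the stack before {{ic|pam_ldap.so}} is ever asked, while in the sshd stack a successful {{ic|pam_ldap.so}} returns before the required {{ic|pam_securetty.so}} line runs.<br />

```python
from __future__ import annotations

# Constructed copies of the auth lines shown above.
LOGIN_AUTH = """\
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
"""

SSHD_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_securetty.so #Disable remote root
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
auth required pam_env.so
"""


def parse_stack(text: str, section: str) -> list[tuple[str, str]]:
    """Return (control, module) pairs for one section (auth, account, ...)."""
    rules: list[tuple[str, str]] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == section:
            rules.append((parts[1], parts[2]))
    return rules


def run_stack(rules: list[tuple[str, str]], results: dict[str, bool]) -> tuple[bool, list[str]]:
    """Evaluate the stack; results maps module -> pass/fail, modules not listed pass.

    Returns (verdict, modules actually consulted). Simple control flags:
      requisite : failure ends the stack with failure at once
      required  : failure is remembered, the remaining modules still run
      sufficient: success ends the stack; verdict is success unless a
                  required module already failed
      optional  : no effect here (it only counts when it is the sole module)
    """
    consulted: list[str] = []
    required_failed = False
    for control, module in rules:
        ok = results.get(module, True)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok:
            return not required_failed, consulted
    return not required_failed, consulted


if __name__ == "__main__":
    login = parse_stack(LOGIN_AUTH, "auth")
    print(run_stack(login, {"pam_ldap.so": True}))                        # LDAP user, good password
    print(run_stack(login, {"pam_ldap.so": False, "pam_unix.so": True}))  # local-only user
    print(run_stack(login, {"pam_securetty.so": False}))                  # root on a tty outside /etc/securetty
    sshd = parse_stack(SSHD_AUTH, "auth")
    print(run_stack(sshd, {"pam_ldap.so": True, "pam_securetty.so": False}))  # securetty never reached
```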
<br />
=== Name Service Cache Daemon ===<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
<br />
/etc/rc.d/nscd start<br />
<br />
== Resources ==<br />
=== Tools ===<br />
[http://phpldapadmin.sourceforge.net/ phpLDAPadmin] is a web interface tool in the style of phpmyadmin.<br />
<br />
{{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfectly for OpenLDAP installations.<br />
<br />
=== Links === <br />
Debian OpenLDAP setup: [http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238475OpenLDAP Authentication2012-12-05T01:34:37Z<p>Alexk: /* Links and Resources */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Archlinux installation to authenticate against an OpenLDAP server.The openldap backend can be either local (installed on the same computer) or network (i.e in a lab environment where central authentication is desired).<br />
The guide will be divided in two parts. The first part deals with how to setup OpenLDAP locally and the second with how to setup the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticated against an already excisting LDAP server then you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest analogue to real life, would be the telephone directory. Another generalised explanation of what an LDAP server does is that it is a database (which it basically is, but it is not relational) which is optimised for accessing the data and not reading them.<br />
<br />
Commands relate to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of o local or network OpenLDAP install.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Module) is a machanism Linux (and most *nixes) uses to extend it's authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}} {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} in order to avoid writing the everytime. All client-side ldap utilities use this file to read some general variables.<br />
{{Warning| If you created a self-signed certificate above you need to also add the following line or you will not be able connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if your using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
=== Name Service Cache Daemon ===<br />
<br />
READ THIS FIRST: [[https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
<br />
/etc/rc.d/nscd start<br />
<br />
== Resources ==<br />
=== Tools ===<br />
[[http://phpldapadmin.sourceforge.net/ phpLDAPadmin]] is a web interface tool in the style of phpmyadmin.<br />
{{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect for OpenLDAP installations.<br />
<br />
=== Links === <br />
Debian OpenLDAP setup: [[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]]<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238470OpenLDAP Authentication2012-12-05T01:15:18Z<p>Alexk: </p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Archlinux installation to authenticate against an OpenLDAP server.The openldap backend can be either local (installed on the same computer) or network (i.e in a lab environment where central authentication is desired).<br />
The guide will be divided in two parts. The first part deals with how to setup OpenLDAP locally and the second with how to setup the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticated against an already excisting LDAP server then you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest analogue to real life, would be the telephone directory. Another generalised explanation of what an LDAP server does is that it is a database (which it basically is, but it is not relational) which is optimised for accessing the data and not reading them.<br />
<br />
Commands relate to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of o local or network OpenLDAP install.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Module) is a machanism Linux (and most *nixes) uses to extend it's authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}} {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} in order to avoid writing the everytime. All client-side ldap utilities use this file to read some general variables.<br />
{{Warning| If you created a self-signed certificate above you need to also add the following line or you will not be able connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if your using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
=== Name Service Cache Daemon ===<br />
<br />
READ THIS FIRST: [[https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
<br />
/etc/rc.d/nscd start<br />
<br />
== Links and Resources ==<br />
<br />
One of the best OpenLDAP clients: [http://phpldapadmin.sourceforge.net/ phpLDAPadmin]<br />
<br />
Debian OpenLDAP setup: [http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=238467OpenLDAP2012-12-04T23:41:10Z<p>Alexk: added the ssl chapter from OpenLDAP authentication here</p>
<hr />
<div>[[Category:Networking]]<br />
OpenLDAP, LDAP & Directory services are an enormous topic. Configuration is therefore complex. This page is a starting point for a basic openldap install on Archlinux and a sanity check. <br />
<br />
<br />
==== References ====<br />
<br />
http://www.openldap.org/doc/admin24/<br />
<br />
==== For the newbies ====<br />
<br />
If you are totally new to these concepts, here is a good introduction that is easy to understand and will get you started, even if everything about LDAP is new to you.<br />
<br />
http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html<br />
<br />
<br />
=== Install OpenLDAP ===<br />
<br />
This part is easy:<br />
pacman -S openldap <br />
<br />
The openldap package basically contains two things: The LDAP server (slapd) and the LDAP client. You will probably want to run the server on your computer. After you design the directory, the server will be able to provide authentication services for LDAP clients. It is quite likely that you will run services requiring the LDAP authentication on that very computer, in which case the LDAP client will query the LDAP server from the same package.<br />
<br />
==== Configure OpenLDAP ====<br />
<br />
===== The server (slapd) =====<br />
<br />
First prepare the database directory. You will need to copy the default config file and set the proper ownership.<br />
<br />
WARNING!!! - The following snippet wipes out any existing ldap database.<br />
<br />
rm -rf /var/lib/openldap/openldap-data/*<br />
cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
Next we prepare slapd.conf<br />
====== /etc/openldap/slapd.conf ======<br />
Add some typically used schemas...<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
}}<br />
Edit the suffix. Typically this is derived from your domain name, but it does not have to be; it depends on how you use your directory. We will use 'example' for the domain name and 'com' for the TLD. Also set the DN of your LDAP administrator (the rootdn; we use 'root' here). Whatever later loads data with ldapadd must bind as exactly this DN:<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one. The commands below edit {{ic|/etc/openldap/slapd.conf}} in place; {{ic|slappasswd}} prompts for the password and prints a salted {SSHA} hash, so no cleartext password ends up in the file:<br />
#find the line with rootpw and delete it<br />
sed -i "/^rootpw/ d" /etc/openldap/slapd.conf<br />
#add a line which includes the hashed password output from slappasswd<br />
echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf<br />
#the file still holds the hash, so keep it readable by root and the ldap user only<br />
chown root:ldap /etc/openldap/slapd.conf<br />
chmod 640 /etc/openldap/slapd.conf<br />
<br />
slapd answers searches on unindexed attributes by scanning the whole database, which is slow and is logged as a warning for every such query, so index the attributes you will search on. Read the [http://www.zytrax.com/books/ldap/ch6/#index ldap documentation] for details; you can start with the following (add them to your {{ic|slapd.conf}}):<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
'''Note: '''<br />
<br />
Do not forget to run {{ic|slapindex}} after you populate your directory, and whenever you add index directives (slapd must be stopped while you do this). slapindex run as root creates files owned by root, so afterwards give them back to the ldap user, otherwise slapd will not be able to open them:<br />
chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
If you want to use TLS, you also have to specify the paths to your certificate and key here; see [[#OpenLDAP over TLS]] below.<br />
<br />
Finally you can start the slapd daemon.<br />
#systemctl start slapd<br />
<br />
If {{ic|/run/openldap}} does not exist, the daemon will fail to start because it cannot write its pid file. Create the directory and hand it to the user slapd runs as:<br />
<br />
#mkdir /run/openldap<br />
#chown ldap:ldap /run/openldap<br />
<br />
====== /etc/conf.d/slapd ======<br />
Very important, you define here on which port the server should listen and if you want to use SSL, you will want to use the ldaps:// URI instead of the default ldap:// <br />
You can also specify additional slapd options here.<br />
<br />
<br />
===== The client =====<br />
The client is usually not such a big deal, just keep in mind that your apps that require LDAP auth use it, so if something goes wrong with LDAP, do not waste your time with the app, start debugging the client instead.<br />
<br />
The client config file is located at /etc/openldap/ldap.conf<br />
It is actually very simple. <br />
<br />
If you decide to use SSL:<br />
* The protocol (ldap or ldaps) in the URI entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, you have to add them to TLS_CACERT<br />
<br />
==== Test your new OpenLDAP installation ====<br />
<br />
This is easy, just run the command below:<br />
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts<br />
<br />
you should see some information on your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
<br />
If you access the OpenLDAP server over the network, and especially if you store sensitive data on it, anyone on the path can sniff the traffic: LDAP sends everything, including the passwords of simple binds, in cleartext. The next part shows how to set up TLS between the LDAP server and the client so that the data is encrypted in transit.<br />
<br />
In order to use TLS, we must first create a certificate. You can have a certificate signed by a CA or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice.<br />
{{Warning|slapd cannot use a private key that is protected by a passphrase, since nothing is there to type it in at start-up; that is why the key is generated with {{ic|-nodes}} below. Protect it with file permissions instead.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
{{bc|openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -out slapdcert.pem -keyout slapdkey.pem -days 365}}<br />
<br />
You will be prompted for information about your LDAP server. Most of it can be left blank. The important field is the Common Name (CN): it must be the DNS name that clients use to reach the server, because a client that verifies certificates compares that name against the certificate. If clients connect to example.org but the certificate carries a CN of bad.example.org, they will reject it and the TLS negotiation fails. If you can, also put the name in a subjectAltName extension, which is what newer clients check first.<br />
<br />
Now that the certificate files have been created, copy them to {{ic|/etc/openldap/ssl/}} (create the directory if it does not exist) and secure them. '''IMPORTANT:''' slapdcert.pem may be world readable because it only contains the certificate and public key; slapdkey.pem is the private key and must be readable by the ldap user only:<br />
<br />
mkdir -p /etc/openldap/ssl<br />
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
chown ldap:ldap /etc/openldap/ssl/slapdkey.pem<br />
chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:!aNULL:!MD5:!SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
<br />
TLSCipherSuite is an OpenSSL cipher list: slapd offers these ciphers when negotiating TLS, in decreasing order of preference. HIGH, MEDIUM, aNULL and SSLv2 are OpenSSL cipher-list keywords, each naming a group of ciphers, rather than individual cipher names. The {{ic|HIGH:MEDIUM:+SSLv2}} list found in older guides is a poor choice: {{ic|+SSLv2}} only moves the broken SSLv2 suites to the end of the list instead of removing them, MEDIUM admits weak ciphers such as RC4, and neither keyword excludes the anonymous (aNULL) suites that are part of HIGH and provide no server authentication at all, which is exactly what TLS is supposed to give you here.<br />
<br />
{{Info|To see which ciphers your local OpenSSL installation supports, run {{ic|openssl ciphers -v ALL}}; to see exactly what a given list expands to, in order, pass that list instead, e.g. {{ic|openssl ciphers -v 'HIGH:!aNULL:!MD5:!SSLv2'}}. }}<br />
<br />
==== Start slapd with SSL ====<br />
To make slapd listen for TLS (ldaps) connections, edit {{ic|/etc/conf.d/slapd}}, uncomment the SLAPD_SERVICES line and set it to:<br />
{{bc|SLAPD_SERVICES="ldaps:///"}}<br />
Connections from the local host do not need TLS, so you can keep a plain ldap listener bound to the loopback address only and require ldaps from everywhere else:<br />
{{bc|SLAPD_SERVICES="ldap://127.0.0.1 ldaps:///"}}<br />
<br />
<br />
'''IMPORTANT:''' If you created a self-signed certificate above, clients cannot verify it against the system CA store, so {{ic|ldapsearch}} will refuse to connect. The right fix is to tell the client library to trust that certificate by adding the following line to {{ic|/etc/openldap/ldap.conf}} (the public certificate file has to be copied to every client):<br />
<br />
TLS_CACERT /etc/openldap/ssl/slapdcert.pem<br />
<br />
Setting {{ic|TLS_REQCERT allow}} instead makes the client accept any certificate, which throws away the protection TLS gives you against a spoofed server; use it only as a temporary diagnostic, never in the final configuration.<br />
<br />
Finally restart the server.<br />
<br />
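The two settings in this section that are most often got wrong are the cipher list and the private key's permissions. The script below is an added example, not code from the page or from OpenLDAP: {{ic|check_cipher_list}} rejects an OpenSSL cipher string that enables weak keyword groups (such as the {{ic|HIGH:MEDIUM:+SSLv2}} list that older guides used) or does not exclude anonymous suites, {{ic|check_key_perms}} verifies that the key file is mode 0400 or 0600 and owned by the expected user, and {{ic|make_slapd_cert}} creates a self-signed certificate with the host name in both the CN and a subjectAltName (it needs OpenSSL 1.1.1 or later for {{ic|-addext}}). The function names and the cipher list {{ic|HIGH:!aNULL:!MD5:!SSLv2}} are the example's own choices.<br />
<br />
```shell
#!/bin/sh
# Added example for this page (not OpenLDAP or ArchWiki code).

# check_cipher_list LIST: print each weak OpenSSL cipher-list keyword that LIST
# leaves enabled and return 1 if any; return 0 if the list is acceptable.
check_cipher_list() {
    list=$1; findings=0; bans_anull=0
    old_ifs=$IFS; IFS=:
    for tok in $list; do
        IFS=$old_ifs
        case $tok in
            '!aNULL'|-aNULL) bans_anull=1 ;;
        esac
        case $tok in
            '!'*|-*) continue ;;        # a removed keyword is never a problem
        esac
        tok=${tok#+}                    # "+X" only reorders X; X stays enabled
        case $tok in
            SSLv2|LOW|MEDIUM|EXP|EXPORT|aNULL|eNULL|NULL|RC4|DES|MD5)
                echo "weak keyword enabled: $tok"
                findings=$((findings + 1)) ;;
        esac
    done
    IFS=$old_ifs
    # HIGH alone still contains anonymous (ADH/AECDH) suites, which do not
    # authenticate the server at all; they must be excluded explicitly.
    if [ "$bans_anull" -eq 0 ]; then
        echo "anonymous suites not excluded: add !aNULL"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

count_weak_ciphers() {
    check_cipher_list "$1" | wc -l | tr -d ' '
}

# check_key_perms FILE OWNER: the private key must be readable by OWNER only.
check_key_perms() {
    key=$1; want=$2; ok=0
    set -- $(ls -ld "$key")                  # mode links owner group ...
    mode=$(printf '%s' "$1" | cut -c1-10)    # drop any trailing ACL/SELinux marker
    owner=$3
    case $mode in
        ?r--------|?rw-------) ;;
        *) echo "$key: mode $mode, want 0400 or 0600"; ok=1 ;;
    esac
    if [ "$owner" != "$want" ]; then
        echo "$key: owned by $owner, want $want"; ok=1
    fi
    return $ok
}

# make_slapd_cert HOST DIR: self-signed certificate for HOST (CN and SAN), key
# without passphrase (slapd cannot prompt for one), installed with safe modes.
# On the server, finish with: chown ldap "$DIR/slapdkey.pem"
make_slapd_cert() {
    host=$1; dir=$2
    mkdir -p "$dir" &&
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/slapdkey.pem" -out "$dir/slapdcert.pem" 2>/dev/null &&
    chmod 400 "$dir/slapdkey.pem" && chmod 444 "$dir/slapdcert.pem"
}

# Demo: the list from older guides versus a sane one.
check_cipher_list 'HIGH:MEDIUM:+SSLv2' || echo "-> rejected"
check_cipher_list 'HIGH:!aNULL:!MD5:!SSLv2' && echo "-> accepted"
```
<br />
On the server, {{ic|make_slapd_cert ldap.example.com /etc/openldap/ssl}} followed by {{ic|check_key_perms /etc/openldap/ssl/slapdkey.pem ldap}} (after the chown) reproduces the manual steps above, and {{ic|check_cipher_list}} can be fed the value of the TLSCipherSuite line before you restart slapd.<br />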
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design depends heavily on what you use it for; if you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc).<br />
<br />
Designing a directory for system authentication is covered in the [[LDAP Authentication]] article.<br />
<br />
== Troubleshooting ==<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap"</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238466OpenLDAP Authentication2012-12-04T23:40:16Z<p>Alexk: moved the ssl instructions for slapd to the general OpenLDAP article</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the best known being Samba, which uses it to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be the telephone directory. Another generalised explanation is that an LDAP server is a database (which it basically is, although not a relational one) optimised for reading and searching the data rather than for writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether the OpenLDAP server is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is the {{ic|files}} source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is the mechanism Linux (and most *nixes) use to extend their authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
{{Expansion|}}<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP tree. The bind DN given with {{ic|-D}} must be the {{ic|rootdn}} configured in {{ic|slapd.conf}}, and the entries' DNs must lie under its {{ic|suffix}}; the rootdn itself does not need an entry in the directory, but creating one, as above, does no harm:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
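{{ic|ldapadd}} processes the LDIF top down and refuses an entry whose parent does not exist yet, and slapd rejects entries that are not under the {{ic|suffix}} configured in {{ic|slapd.conf}} (note that the [[OpenLDAP]] article's example uses {{ic|dc=example,dc=com}} while this file uses {{ic|dc=example,dc=org}}; the two must agree). The script below is an added example, not part of the page or of OpenLDAP: it checks an LDIF file against a suffix for both conditions before you run ldapadd. It handles plain {{ic|dn:}} lines only (no base64 {{ic|dn::}} values, line folding or escaped commas); the sample files it writes are constructed from the base.ldif above.<br />
<br />
```shell
#!/bin/sh
# ldif_check SUFFIX FILE: verify that every dn in FILE lies under SUFFIX and that
# each entry's parent appears earlier in the file (ldapadd adds them in order).
# Prints one finding per line; returns 1 if any. Added example, not OpenLDAP code.
ldif_check() {
    awk -v suffix="$1" '
        BEGIN { findings = 0 }
        /^#/ { next }                       # LDIF comment lines
        /^dn: / {
            dn = substr($0, 5)
            gsub(/, +/, ",", dn)            # "ou=Groups, dc=x" == "ou=Groups,dc=x"
            if (dn != suffix && substr(dn, length(dn) - length(suffix)) != ("," suffix))
                bad(dn, "not under suffix " suffix)
            parent = dn
            sub(/^[^,]*,/, "", parent)      # strip the leftmost RDN
            if (dn != suffix && !(parent in seen))
                bad(dn, "parent " parent " is not defined earlier in the file")
            seen[dn] = 1
        }
        END { exit (findings > 0) }
        function bad(d, msg) { printf "%s: %s\n", d, msg; findings++ }
    ' "$2"
}

count_ldif_findings() {
    ldif_check "$1" "$2" | wc -l | tr -d ' '
}

# write_ldif_samples DIR: base.ldif from this page, and a copy with the
# root entry moved below ou=People (constructed samples).
write_ldif_samples() {
    cat > "$1/base.ldif" <<'EOF'
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
objectClass: organizationalRole

dn: ou=People,dc=example,dc=org
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: organizationalUnit
EOF
    cat > "$1/unordered.ldif" <<'EOF'
dn: ou=People,dc=example,dc=org
ou: People
objectClass: organizationalUnit

dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example
EOF
}

# Demo: the right suffix, the suffix from the OpenLDAP article, and bad ordering.
demo_dir=$(mktemp -d)
write_ldif_samples "$demo_dir"
ldif_check dc=example,dc=org "$demo_dir/base.ldif" && echo "base.ldif: ok for dc=example,dc=org"
ldif_check dc=example,dc=com "$demo_dir/base.ldif" || echo "base.ldif: not loadable under dc=example,dc=com"
ldif_check dc=example,dc=org "$demo_dir/unordered.ldif" || echo "unordered.ldif: fix the order"
rm -rf "$demo_dir"
```
<br />
Run {{ic|ldif_check "$(sed -n 's/^suffix[[:space:]]*"\(.*\)"/\1/p' /etc/openldap/slapd.conf)" base.ldif}} to check against the suffix actually configured on the server.<br />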
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URI and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time; all client-side ldap utilities read their defaults from this file.<br />
{{Warning| If the server uses a self-signed certificate, the client cannot verify it against the system CA store and will refuse to connect. Copy the server's certificate to the client and point {{ic|TLS_CACERT}} in {{ic|/etc/openldap/ldap.conf}} at it. {{ic|TLS_REQCERT allow}} would also make the connection work, but only by skipping certificate verification, which leaves you open to a spoofed server; use it for testing only. }}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# Port 636 is ldaps, so the connection is encrypted from the start: "ssl on".<br />
# "ssl start_tls" is the alternative for the plain port (389) with STARTTLS;<br />
# use one or the other, never both (only the last ssl line takes effect).<br />
ssl on<br />
<br />
# Verify the server certificate. With a self-signed certificate, copy the<br />
# server's slapdcert.pem to the client and point tls_cacertfile at it.<br />
# "tls_checkpeer no" would accept any certificate, i.e. no protection against a spoofed server.<br />
tls_checkpeer yes<br />
tls_cacertfile /etc/openldap/ssl/slapdcert.pem<br />
<br />
A {{ic|rootbinddn}} line (as in {{ic|rootbinddn cn=admin,dc=example,dc=org}}) is only needed when lookups require a privileged bind, for instance to read shadow attributes. Its password is then read from a separate root-only (mode 600) secret file, never from this file, which has to be world readable for NSS lookups; for the same reason never put a {{ic|bindpw}} here. Use a dedicated read-only account for that bind rather than the directory's rootdn.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# Port 636 is ldaps: "ssl on". Use "ssl start_tls" only with the plain port (389), and never both.<br />
ssl on<br />
<br />
# Verify the server certificate; "tls_checkpeer no" would let anyone who can<br />
# intercept the connection collect users' passwords with a forged certificate.<br />
tls_checkpeer yes<br />
tls_cacertfile /etc/openldap/ssl/slapdcert.pem<br />
<br />
pam_ldap verifies a user's password by binding to the directory as that user, so it needs no privileged credentials for authentication. A {{ic|rootbinddn}} line is only used to let root change other users' passwords; its password lives in a root-only secret file, and the DN should be a dedicated account with the necessary write access, not the directory's rootdn.<br />
<br />
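The nss_ldap.conf and pam_ldap.conf files are read by every process that resolves a user or group, so they have to be world readable, and a mistake in their TLS settings silently downgrades the protection of every password sent to the directory. The script below is an added example, not part of the page or of the nss_ldap/pam_ldap projects: it lints such a PADL-style client configuration for the mistakes discussed above (two contradicting {{ic|ssl}} directives, {{ic|ssl start_tls}} on the ldaps port, {{ic|tls_checkpeer no}}, TLS without a CA file, a cleartext {{ic|bindpw}}, and a {{ic|rootbinddn}} whose secret needs protecting). The sample configurations it writes are constructed (192.0.2.10 is a documentation address), and the function names are the example's own.<br />
<br />
```shell
#!/bin/sh
# ldap_conf_lint FILE: check a PADL-style nss_ldap.conf / pam_ldap.conf for
# settings that weaken or break TLS. Prints one finding per line, returns 1 if
# any were found. Added example for this page, not nss_ldap/pam_ldap code.
ldap_conf_lint() {
    awk '
        BEGIN { port = ""; ssl = ""; nssl = 0; checkpeer = ""; cacert = 0; findings = 0 }
        { sub(/#.*/, ""); if (NF < 1) next }
        $1 == "port"          { port = $2 }
        $1 == "ssl"           { ssl = $2; nssl++ }
        $1 == "tls_checkpeer" { checkpeer = $2 }
        $1 == "tls_cacertfile" || $1 == "tls_cacertdir" { cacert = 1 }
        # These files are world readable (every NSS client reads them), so a
        # bindpw here is a password leak; a privileged DN belongs in the
        # root-only secret file that rootbinddn uses, and should not be the rootdn.
        $1 == "bindpw"     { bad("bindpw puts a cleartext password in a world-readable file") }
        $1 == "rootbinddn" { bad("rootbinddn " $2 ": keep its password in the 0600 secret file and do not use the directory rootdn") }
        END {
            tls = (ssl == "on" || ssl == "yes" || ssl == "start_tls")
            if (nssl > 1)
                bad("several ssl directives; only the last one (" ssl ") takes effect")
            if (ssl == "start_tls" && port == "636")
                bad("ssl start_tls with port 636: STARTTLS runs on the plain port (389), ldaps on 636")
            if ((ssl == "on" || ssl == "yes") && port != "" && port != "636")
                bad("ssl on (ldaps) with port " port ": ldaps uses port 636")
            if (!tls)
                bad("no TLS: simple binds send passwords in cleartext")
            if (tls && checkpeer == "no")
                bad("tls_checkpeer no disables server certificate verification (MITM possible)")
            if (tls && checkpeer != "no" && !cacert)
                bad("TLS without tls_cacertfile/tls_cacertdir: the server certificate cannot be verified")
            exit (findings > 0)
        }
        function bad(msg) { printf "%s: %s\n", FILENAME, msg; findings++ }
    ' "$1"
}

count_ldap_findings() {
    ldap_conf_lint "$1" | wc -l | tr -d ' '
}

# write_ldap_samples DIR: the configuration from this page as originally
# written, and a corrected one. Constructed samples; 192.0.2.10 is a
# documentation address.
write_ldap_samples() {
    cat > "$1/nss_ldap.conf.orig" <<'EOF'
host 192.0.2.10
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_shadow ou=People,dc=example,dc=org?one
nss_base_group ou=Group,dc=example,dc=org?one
ssl start_tls
ssl on
# This is only needed if you're using a self-signed certificate.
tls_checkpeer no
EOF
    cat > "$1/nss_ldap.conf.fixed" <<'EOF'
host 192.0.2.10
base dc=example,dc=org
port 636
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_shadow ou=People,dc=example,dc=org?one
nss_base_group ou=Group,dc=example,dc=org?one
# ldaps on 636: TLS from the first byte, one ssl directive only.
ssl on
# Verify the server against the copied self-signed certificate.
tls_checkpeer yes
tls_cacertfile /etc/openldap/ssl/slapdcert.pem
EOF
}

# Demo: lint both samples.
demo_dir=$(mktemp -d)
write_ldap_samples "$demo_dir"
for f in "$demo_dir"/nss_ldap.conf.orig "$demo_dir"/nss_ldap.conf.fixed; do
    ldap_conf_lint "$f" && echo "$f: clean"
done
rm -rf "$demo_dir"
```
<br />
On a client, run {{ic|ldap_conf_lint /etc/nss_ldap.conf; ldap_conf_lint /etc/pam_ldap.conf}}; both files should come back clean before you switch {{ic|nsswitch.conf}} over to ldap.<br />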
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow sha512<br />
<br />
Use {{ic|sha512}} rather than {{ic|md5}} for the local password hashes, and leave {{ic|nullok}} out unless you really want accounts with an empty password to be able to change it.<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
session required pam_limits.so<br />
<br />
Note that there is no {{ic|pam_unix_session.so}} module in Linux-PAM; session handling is done by {{ic|pam_unix.so}}, and a module that cannot be loaded counts as failed. {{ic|pam_securetty.so}} denies root here because an SSH session has no tty listed in {{ic|/etc/securetty}}; it is still better to set {{ic|PermitRootLogin no}} in {{ic|sshd_config}} as well.<br />
<br />
edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
=== Name Service Cache Daemon ===<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
<br />
nscd caches passwd, group and host lookups so that not every process has to open its own connection to the LDAP server (it also caches negative answers, so a freshly created user may take a moment to appear). Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd (on a systemd system use {{ic|systemctl start nscd}} instead):<br />
<br />
/etc/rc.d/nscd start<br />
<br />
== Links and Resources ==<br />
<br />
One of the best OpenLDAP clients: [http://phpldapadmin.sourceforge.net/ phpLDAPadmin]<br />
<br />
Debian OpenLDAP setup: [http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238119OpenLDAP Authentication2012-12-04T07:29:58Z<p>Alexk: /* OpenLDAP */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the best known being Samba, which uses it to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be the telephone directory. Another generalised explanation is that an LDAP server is a database (which it basically is, although not a relational one) optimised for reading and searching the data rather than for writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of whether the OpenLDAP server is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is the {{ic|files}} source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is the mechanism Linux (and most *nixes) use to extend their authentication schemes with different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
{{Expansion|}}<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP tree. The bind DN given with {{ic|-D}} must be the {{ic|rootdn}} configured in {{ic|slapd.conf}}, and the entries' DNs must lie under its {{ic|suffix}}; the rootdn itself does not need an entry in the directory, but creating one, as above, does no harm:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
=== Configure TLS Encryption ===<br />
<br />
It is a good idea to configure TLS to encrypt the exchange between client and server; otherwise the passwords of simple binds and all directory data cross the wire in cleartext and can be sniffed. To use TLS we first need a certificate. You can have one signed by a CA, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice. '''IMPORTANT:''' slapd cannot use a private key that is protected by a passphrase, since nothing is there to type it in at start-up (hence {{ic|-nodes}} below); protect the key with file permissions instead.<br />
<br />
To create a ''self-signed'' certificate, type the following:<br />
<br />
openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Most of it can be left blank. The important field is the Common Name (CN): it must be the DNS name that clients use to reach the server, because a client that verifies certificates compares that name against the certificate. If clients connect to example.org but the certificate carries a CN of bad.example.org, they will reject it and the TLS negotiation fails. If you can, also put the name in a subjectAltName extension, which is what newer clients check first.<br />
<br />
Now that the certificate files have been created, copy them to {{ic|/etc/openldap/ssl/}} (create the directory if it does not exist) and secure them. '''IMPORTANT:''' slapdcert.pem may be world readable because it only contains the certificate and public key; slapdkey.pem is the private key and must be readable by the ldap user only:<br />
<br />
mkdir -p /etc/openldap/ssl<br />
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
chown ldap:ldap /etc/openldap/ssl/slapdkey.pem<br />
chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:!aNULL:!MD5:!SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
<br />
TLSCipherSuite is an OpenSSL cipher list: slapd offers these ciphers when negotiating TLS, in decreasing order of preference. HIGH, MEDIUM, aNULL and SSLv2 are OpenSSL cipher-list keywords, each naming a group of ciphers, rather than individual cipher names. The {{ic|HIGH:MEDIUM:+SSLv2}} list found in older guides is a poor choice: {{ic|+SSLv2}} only moves the broken SSLv2 suites to the end of the list instead of removing them, MEDIUM admits weak ciphers such as RC4, and neither keyword excludes the anonymous (aNULL) suites that are part of HIGH and provide no server authentication at all, which is exactly what TLS is supposed to give you here.<br />
<br />
To see which ciphers your local OpenSSL installation supports, type the following (pass your own cipher list instead of ALL to see exactly what slapd will offer, in order):<br />
<br />
openssl ciphers -v ALL<br />
<br />
To make slapd accept TLS (ldaps) connections, edit {{ic|/etc/conf.d/slapd}}, uncomment the SLAPD_SERVICES line and set it to:<br />
<br />
SLAPD_SERVICES="ldaps:///"<br />
<br />
With only {{ic|ldaps:///}} listed, slapd accepts encrypted connections and nothing else; local clients that do not need TLS can be served as well with {{ic|SLAPD_SERVICES="ldap://127.0.0.1 ldaps:///"}}. '''IMPORTANT:''' a self-signed certificate cannot be verified against the system CA store, so the client must be told to trust it explicitly; copy slapdcert.pem to the client and add the following line to {{ic|/etc/openldap/ldap.conf}}:<br />
<br />
TLS_CACERT /etc/openldap/ssl/slapdcert.pem<br />
<br />
Setting {{ic|TLS_REQCERT allow}} instead also lets the test below succeed, but only because it disables certificate verification, so it should not stay in the configuration.<br />
<br />
Restart the server (on a systemd system, {{ic|systemctl restart slapd}}):<br />
<br />
/etc/rc.d/slapd restart<br />
<br />
To test that the server accepts TLS connections, and that the client verifies the certificate, run:<br />
<br />
ldapsearch -x -H ldaps://example.org -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.<br />
<br />
You can search an LDAP server with the following command:<br />
{{bc|ldapsearch -x -H <URL> -b <BASE>}}<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
You can add the URI and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time; all client-side ldap utilities read their defaults from this file.<br />
{{Warning| If the server uses a self-signed certificate, the client cannot verify it against the system CA store and will refuse to connect. Copy the server's certificate to the client and point {{ic|TLS_CACERT}} in {{ic|/etc/openldap/ldap.conf}} at it. {{ic|TLS_REQCERT allow}} would also make the connection work, but only by skipping certificate verification, which leaves you open to a spoofed server; use it for testing only. }}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# Port 636 is ldaps, so the connection is encrypted from the start: "ssl on".<br />
# "ssl start_tls" is the alternative for the plain port (389) with STARTTLS;<br />
# use one or the other, never both (only the last ssl line takes effect).<br />
ssl on<br />
<br />
# Verify the server certificate. With a self-signed certificate, copy the<br />
# server's slapdcert.pem to the client and point tls_cacertfile at it.<br />
# "tls_checkpeer no" would accept any certificate, i.e. no protection against a spoofed server.<br />
tls_checkpeer yes<br />
tls_cacertfile /etc/openldap/ssl/slapdcert.pem<br />
<br />
A {{ic|rootbinddn}} line (as in {{ic|rootbinddn cn=admin,dc=example,dc=org}}) is only needed when lookups require a privileged bind, for instance to read shadow attributes. Its password is then read from a separate root-only (mode 600) secret file, never from this file, which has to be world readable for NSS lookups; for the same reason never put a {{ic|bindpw}} here. Use a dedicated read-only account for that bind rather than the directory's rootdn.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
# Port 636 is ldaps: "ssl on". Use "ssl start_tls" only with the plain port (389), and never both.<br />
ssl on<br />
<br />
# Verify the server certificate; "tls_checkpeer no" would let anyone who can<br />
# intercept the connection collect users' passwords with a forged certificate.<br />
tls_checkpeer yes<br />
tls_cacertfile /etc/openldap/ssl/slapdcert.pem<br />
<br />
pam_ldap verifies a user's password by binding to the directory as that user, so it needs no privileged credentials for authentication. A {{ic|rootbinddn}} line is only used to let root change other users' passwords; its password lives in a root-only secret file, and the DN should be a dedicated account with the necessary write access, not the directory's rootdn.<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow sha512<br />
<br />
Use {{ic|sha512}} rather than {{ic|md5}} for the local password hashes, and leave {{ic|nullok}} out unless you really want accounts with an empty password to be able to change it.<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
session required pam_limits.so<br />
<br />
Note that there is no {{ic|pam_unix_session.so}} module in Linux-PAM; session handling is done by {{ic|pam_unix.so}}, and a module that cannot be loaded counts as failed. {{ic|pam_securetty.so}} denies root here because an SSH session has no tty listed in {{ic|/etc/securetty}}; it is still better to set {{ic|PermitRootLogin no}} in {{ic|sshd_config}} as well.<br />
<br />
edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
=== Name Service Cache Daemon ===<br />
<br />
READ THIS FIRST: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]<br />
<br />
nscd caches passwd, group and host lookups so that not every process has to open its own connection to the LDAP server (it also caches negative answers, so a freshly created user may take a moment to appear). Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd (on a systemd system use {{ic|systemctl start nscd}} instead):<br />
<br />
/etc/rc.d/nscd start<br />
<br />
== Links and Resources ==<br />
<br />
One of the best OpenLDAP clients: [http://phpldapadmin.sourceforge.net/ phpLDAPadmin]<br />
<br />
Debian OpenLDAP setup: [http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238118OpenLDAP Authentication2012-12-04T07:25:13Z<p>Alexk: /* OpenLDAP */</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the best known being Samba, which uses it to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be the telephone directory. Another generalised explanation is that an LDAP server is a database (which it basically is, although not a relational one) optimised for reading and searching the data rather than for writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch ships both in the {{pkg|openldap}} package, so you need to install it regardless of whether the OpenLDAP server is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|files}}-type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism Linux (and most *nixes) use to extend their authentication schemes through different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
{{Expansion|}}<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
=== Configure TLS Encryption ===<br />
<br />
It is a good idea to configure TLS to encrypt the exchange of information between client and server. This way passwords, which are otherwise sent in plain text, cannot be easily sniffed from the wire. In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice. '''IMPORTANT:''' OpenLDAP cannot use a private key that is protected by a passphrase.<br />
<br />
To create a ''self-signed'' certificate, type the following:<br />
<br />
openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of it can be left blank. The most important field is the common name (CN): it must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created, copy them to {{ic|/etc/openldap/ssl/}} (if this directory does not exist, create it) and secure them. '''IMPORTANT:''' slapdcert.pem must be world readable because it contains the public key. slapdkey.pem, on the other hand, should only be readable by the ldap user for security reasons:<br />
<br />
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
chown ldap /etc/openldap/ssl/slapdkey.pem<br />
chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:+SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to specific cipher names, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards; the leading {{ic|+}} only moves the matching ciphers to the end of the list. SSLv2 is obsolete and has been removed from current OpenSSL releases, so that entry can be dropped.<br />
<br />
To see which ciphers are supported by your local OpenSSL installation, type the following:<br />
<br />
openssl ciphers -v ALL<br />
<br />
In order to tell OpenLDAP to start using encryption, edit /etc/conf.d/slapd, uncomment the SLAPD_SERVICES line and set it to the following:<br />
<br />
SLAPD_SERVICES="ldaps:///"<br />
<br />
This will cause OpenLDAP to accept only encrypted (ldaps) connections. '''IMPORTANT:''' If you created a self-signed certificate above, be sure to add the following line to /etc/openldap/ldap.conf or you will not be able to connect to the server to test it (alternatively, point {{ic|TLS_CACERT}} in the same file at slapdcert.pem so that the certificate is verified instead of ignored):<br />
<br />
TLS_REQCERT allow<br />
<br />
Restart the server:<br />
<br />
/etc/rc.d/slapd restart<br />
<br />
To test that the server is encrypting traffic, run the following command:<br />
<br />
ldapsearch -x -H ldaps://example.org -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
Before you begin setting up PAM and NSS for LDAP authentication, you should check that the LDAP server is reachable. You can do this easily with ldapsearch.<br />
<br />
First open {{ic|/etc/openldap/ldap.conf}} and set the URI and BASE settings to the correct values.<br />
Then you can search with this command:<br />
<br />
ldapsearch -x<br />
<br />
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}<br />
<br />
{{Warning| If you created a self-signed certificate above you also need to add the following line or you will not be able to connect to the server:<br />
{{ic|TLS_REQCERT allow}} }}<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
<br />
=== Name Service Cache Daemon ===<br />
<br />
READ THIS FIRST: [[https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
<br />
/etc/rc.d/nscd start<br />
<br />
== Links and Resources ==<br />
<br />
One of the best OpenLDAP clients: [[http://phpldapadmin.sourceforge.net/ phpLDAPadmin]]<br />
<br />
Debian OpenLDAP setup: [[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]]</div>Alexkhttps://wiki.archlinux.org/index.php?title=OpenLDAP_Authentication&diff=238117OpenLDAP Authentication2012-12-04T07:17:35Z<p>Alexk: Rewrote the introduction and added a snippet in OpenLdap section of Client Setup</p>
<hr />
<div>[[Category:Networking]] [[Category:Security]]<br />
{{Merge|LDAP Authentication}}<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. in a lab environment where central authentication is desired).<br />
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.<br />
<br />
=== OpenLDAP ===<br />
<br />
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.<br />
The closest real-life analogue would be the telephone directory. Another generalised explanation of what an LDAP server does is that it is a database (which it basically is, but not a relational one) which is optimised for reading data rather than writing it.<br />
<br />
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch ships both in the {{pkg|openldap}} package, so you need to install it regardless of whether the OpenLDAP server is local or on the network.<br />
<br />
=== NSS and PAM ===<br />
<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|files}}-type source for the passwd database.<br />
<br />
PAM (which stands for Pluggable Authentication Modules) is a mechanism Linux (and most *nixes) use to extend their authentication schemes through different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.<br />
<br />
{{Expansion|}}<br />
<br />
== OpenLDAP Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a file called base.ldif with the following text:<br />
<br />
# example.org<br />
dn: dc=example,dc=org<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: Example Organization<br />
dc: example<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
roleOccupant: dc=example,dc=org<br />
objectClass: organizationalRole<br />
objectClass: top<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Group, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
Add it to your OpenLDAP Tree:<br />
<br />
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
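As an added check, not part of the wiki page: this Python parses a base.ldif like the one above and reports entries that ldapadd would reject, because each parent entry must already exist when its child is sent. The inputs are a constructed copy of the LDIF and the suffix dc=example,dc=org.

```python
"""Check that an LDIF file such as base.ldif can be loaded by ldapadd in one pass.

Added example, not part of the wiki page. ldapadd sends entries in file order
and slapd rejects an entry whose parent does not exist yet, so every parent DN
must already have been added (or be the database suffix itself).
"""
import re
from typing import Dict, List
# Constructed copy of the base.ldif shown above (Group entry and comments trimmed).
BASE_LDIF = """\
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: cn=Manager,dc=example,dc=org
cn: Manager
objectClass: organizationalRole
objectClass: top

dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into {attribute: [values]} dicts in file order; '#' lines are
    skipped, folded lines (leading space) are joined, '::' values stay base64."""
    entries: List[Dict[str, List[str]]] = []
    logical: List[str] = []
    for raw in text.splitlines() + [""]:      # the trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]             # unfold a continuation line
        elif raw == "":
            if logical:
                entry: Dict[str, List[str]] = {}
                for line in logical:
                    attr, _, value = line.partition(":")
                    entry.setdefault(attr.strip().lower(), []).append(value.strip())
                entries.append(entry)
                logical = []
        else:
            logical.append(raw)
    return entries


def split_dn(dn: str) -> List[str]:
    """Lower-cased RDNs of a DN; a comma escaped with a backslash stays in its RDN."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]


def ldapadd_order_problems(entries: List[Dict[str, List[str]]], suffix: str) -> List[str]:
    """Return one message per entry that ldapadd would reject, in file order."""
    problems: List[str] = []
    added = set()
    for entry in entries:
        if "dn" not in entry:
            problems.append("entry without a dn line")
            continue
        rdns = split_dn(entry["dn"][0])
        dn, parent = ",".join(rdns), ",".join(rdns[1:])
        if "objectclass" not in entry:
            problems.append(f"{dn}: no objectClass")
        if dn != ",".join(split_dn(suffix)) and parent not in added:
            problems.append(f"{dn}: parent {parent or '(root)'} has not been added yet")
        added.add(dn)
    return problems
```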
<br />
=== Configure TLS Encryption ===<br />
<br />
It is a good idea to configure TLS to encrypt the exchange of information between client and server. This way passwords, which are otherwise sent in plain text, cannot be easily sniffed from the wire. In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice. '''IMPORTANT:''' OpenLDAP cannot use a private key that is protected by a passphrase.<br />
<br />
To create a ''self-signed'' certificate, type the following:<br />
<br />
openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of it can be left blank. The most important field is the common name (CN): it must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created, copy them to {{ic|/etc/openldap/ssl/}} (if this directory does not exist, create it) and secure them. '''IMPORTANT:''' slapdcert.pem must be world readable because it contains the public key. slapdkey.pem, on the other hand, should only be readable by the ldap user for security reasons:<br />
<br />
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
chown ldap /etc/openldap/ssl/slapdkey.pem<br />
chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:+SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to specific cipher names, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards; the leading {{ic|+}} only moves the matching ciphers to the end of the list. SSLv2 is obsolete and has been removed from current OpenSSL releases, so that entry can be dropped.<br />
<br />
To see which ciphers are supported by your local OpenSSL installation, type the following:<br />
<br />
openssl ciphers -v ALL<br />
<br />
In order to tell OpenLDAP to start using encryption, edit /etc/conf.d/slapd, uncomment the SLAPD_SERVICES line and set it to the following:<br />
<br />
SLAPD_SERVICES="ldaps:///"<br />
<br />
This will cause OpenLDAP to accept only encrypted (ldaps) connections. '''IMPORTANT:''' If you created a self-signed certificate above, be sure to add the following line to /etc/openldap/ldap.conf or you will not be able to connect to the server to test it (alternatively, point {{ic|TLS_CACERT}} in the same file at slapdcert.pem so that the certificate is verified instead of ignored):<br />
<br />
TLS_REQCERT allow<br />
<br />
Restart the server:<br />
<br />
/etc/rc.d/slapd restart<br />
<br />
To test that the server is encrypting traffic, run the following command:<br />
<br />
ldapsearch -x -H ldaps://example.org -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
<br />
== Client Setup ==<br />
<br />
=== OpenLDAP ===<br />
<br />
'''IMPORTANT:''' If you created a self-signed certificate above, be sure to add the following line to {{ic|/etc/openldap/ldap.conf}} or you will not be able to connect to the server:<br />
<br />
TLS_REQCERT allow<br />
<br />
Before you begin setting up PAM and NSS for LDAP authentication, you should check that the LDAP server is reachable. You can do this easily with ldapsearch.<br />
<br />
First open {{ic|/etc/openldap/ldap.conf}} and set the URI and BASE settings to the correct values.<br />
Then you can search with this command:<br />
<br />
ldapsearch -x<br />
<br />
{{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.<br />
<br />
<br />
=== NSS_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/nss_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
<br />
Edit {{ic|/etc/nsswitch.conf}}:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
=== PAM_LDAP ===<br />
<br />
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].<br />
<br />
Edit {{ic|/etc/pam_ldap.conf}}:<br />
<br />
host <SERVER_IP><br />
base dc=example,dc=org<br />
rootbinddn cn=admin,dc=example,dc=org<br />
port 636<br />
pam_login_attribute uid<br />
pam_template_login_attribute uid<br />
nss_base_passwd ou=People,dc=example,dc=org?one<br />
nss_base_shadow ou=People,dc=example,dc=org?one<br />
nss_base_group ou=Group,dc=example,dc=org?one<br />
ssl start_tls<br />
ssl on<br />
<br />
# This is only needed if you're using a self-signed certificate.<br />
tls_checkpeer no<br />
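As an added example, not part of the wiki page, the following Python reads an nss_ldap.conf or pam_ldap.conf like the two snippets above and flags the settings that weaken transport security (tls_checkpeer no, duplicated ssl directives, port/mode mismatches, rootbinddn). The host address and the assumption that the last ssl line is the one that applies are constructed for the example.

```python
"""Lint an nss_ldap.conf / pam_ldap.conf for settings that weaken transport security.

Added example, not part of the wiki page. It understands the directives used in
the snippets above and only reports findings; it does not rewrite the file.
"""
from typing import Dict, List

# Constructed copy of the client configuration shown above (documentation IP used).
SAMPLE_CONF = """\
host 192.0.2.10
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
pam_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
ssl start_tls
ssl on

# This is only needed if you're using a self-signed certificate.
tls_checkpeer no
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each lower-cased directive to every value it is given, in file order."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def lint(conf: Dict[str, List[str]]) -> List[str]:
    """Return findings about the transport settings, in a fixed order."""
    findings: List[str] = []
    ssl_modes = [v.lower() for v in conf.get("ssl", [])]
    mode = ssl_modes[-1] if ssl_modes else "off"   # assumption: the last ssl line wins
    port = conf.get("port", ["636" if mode == "on" else "389"])[-1]

    if mode == "off":
        findings.append("no ssl directive: bind passwords cross the wire in clear text")
    if conf.get("tls_checkpeer", ["yes"])[-1].lower() == "no":
        findings.append("tls_checkpeer no: the server certificate is not verified, so the "
                        "session can be intercepted; trust the self-signed certificate "
                        "explicitly with tls_cacertfile instead")
    if len(set(ssl_modes)) > 1:
        findings.append(f"ssl is set {len(ssl_modes)} times ({', '.join(ssl_modes)}); keep one")
    if mode == "start_tls" and port == "636":
        findings.append("ssl start_tls with port 636: StartTLS upgrades the plain LDAP port, "
                        "ldaps listens on 636; pick one combination")
    if mode == "on" and port == "389":
        findings.append("ssl on with port 389: ldaps normally listens on 636")
    if "rootbinddn" in conf:
        findings.append("rootbinddn is set: its password is read from /etc/ldap.secret, "
                        "which must be root-owned with mode 0600")
    return findings
```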
<br />
Edit {{ic|/etc/pam.d/login}}:<br />
<br />
auth requisite pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_ldap.so <br />
auth required pam_env.so<br />
auth required pam_unix.so nullok try_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_access.so<br />
account required pam_unix.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so shadow md5 nullok<br />
<br />
Edit {{ic|/etc/pam.d/shadow}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_permit.so<br />
<br />
Edit {{ic|/etc/pam.d/su}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth sufficient pam_rootok.so<br />
auth required pam_unix.so use_first_pass<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
<br />
Edit {{ic|/etc/pam.d/sshd}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_securetty.so #Disable remote root<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
auth required pam_env.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
account required pam_time.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix_session.so<br />
session required pam_limits.so<br />
<br />
Edit {{ic|/etc/pam.d/other}}:<br />
<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
password sufficient pam_ldap.so<br />
password required pam_unix.so<br />
session required pam_unix.so<br />
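As an added example, not part of the wiki page, the following Python simulates how Linux-PAM walks the auth stacks of /etc/pam.d/login and /etc/pam.d/sshd listed above, so the effect of placing pam_securetty.so before or after the sufficient pam_ldap.so line can be checked; the per-module results are constructed inputs.

```python
"""Simulate Linux-PAM control-flag handling for the auth stacks shown above.

Added example, not part of the wiki page. It models only the simple keywords
required / requisite / sufficient / optional (not the [value=action] form) and
treats each module as returning either success or failure.
"""
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]

# The auth lines of /etc/pam.d/login and /etc/pam.d/sshd as listed above.
LOGIN_AUTH = """\
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
"""

SSHD_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_securetty.so #Disable remote root
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
auth required pam_env.so
"""


def parse_stack(text: str, facility: str = "auth") -> Stack:
    """Return (control, module) pairs for one facility; comments and other facilities are dropped."""
    stack: Stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack top to bottom; return (final result, modules that actually ran).

    results maps module name -> True (PAM_SUCCESS) or False (any failure code);
    modules not listed are assumed to succeed.
    """
    ran: List[str] = []
    failed = False                       # set once a required module has failed
    for control, module in stack:
        ran.append(module)
        ok = results.get(module, True)
        if control == "requisite":
            if not ok:
                return False, ran        # fail immediately; the rest never runs
        elif control == "required":
            if not ok:
                failed = True            # keep going so the user cannot tell which module failed
        elif control == "sufficient":
            if ok and not failed:
                return True, ran         # success now; later modules are skipped
        elif control == "optional":
            if len(stack) == 1:
                return ok, ran           # optional only counts when it is the sole module
        else:
            raise ValueError(f"unsupported control flag: {control}")
        # a failing sufficient or optional module is otherwise ignored
    return not failed, ran


def securetty_bypassable(stack: Stack) -> bool:
    """True if a successful pam_ldap.so returns before pam_securetty.so is consulted."""
    ok, ran = run_stack(stack, {"pam_ldap.so": True, "pam_securetty.so": False})
    return ok and "pam_securetty.so" not in ran
```

With the sshd stack above, a successful pam_ldap.so returns before pam_securetty.so is consulted, so the "Disable remote root" comment only holds if that line is moved above pam_ldap.so, as in the login stack.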
<br />
=== Name Service Cache Daemon ===<br />
<br />
READ THIS FIRST: [[https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]]<br />
<br />
Fix nscd:<br />
<br />
mkdir -p /var/db/nscd/<br />
mkdir -p /var/run/nscd/<br />
<br />
Run nscd:<br />
<br />
/etc/rc.d/nscd start<br />
<br />
== Links and Resources ==<br />
<br />
One of the best OpenLDAP clients: [[http://phpldapadmin.sourceforge.net/ phpLDAPadmin]]<br />
<br />
Debian OpenLDAP setup: [[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]]<br />
<br />
How to integrate OpenLDAP for MacOSX, Windows and Linux: [[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]]</div>Alexk