Difference between revisions of "LDAP authentication"

From ArchWiki
Revision as of 23:32, 11 May 2007

HOWTO - LDAP Authentication in ArchLinux

Overview

What you need to install, configure and know to get LDAP (RFC 2251) authentication working on Arch.

Steps:

  1. Install OpenLDAP
  2. Design LDAP Directory
  3. Configure and Fill OpenLDAP
  4. Configure NSS
  5. Configure PAM

References

http://aqua.subnet.at/~max/ldap/

Install OpenLDAP

This part is easy: 'pacman -S openldap'. If you want SSL/TLS support (I'll try to come back and expand on this), you will have to rebuild the package with abs and enable SSL/TLS yourself, as I don't think it is enabled in the default configuration.

Design LDAP Directory

This all depends on what organization your network/computer is modelling.

Here is my initial layout in LDIF format:

dn: dc=tklogic,dc=net
dc: tklogic
description: The techknowlogic.net Network
objectClass: dcObject
objectClass: organization
o: techknowlogic.net

dn: ou=People,dc=tklogic,dc=net
ou: People
objectClass: organizationalUnit

dn: ou=Groups,dc=tklogic,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: cn=tklusers,ou=Groups,dc=tklogic,dc=net
gidNumber: 2000
objectClass: posixGroup
objectClass: top
cn: tklusers

dn: ou=Roles,dc=tklogic,dc=net
ou: Roles
description: Org Unit for holding a basic set of ACL Roles.
objectClass: top
objectClass: organizationalUnit

dn: cn=ldap-reader,ou=Roles,dc=tklogic,dc=net
userPassword: {CRYPT}xxxxxxxxxxxxx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-reader
description: LDAP reader user for any unrestricted reads (i.e. for NSS)

dn: cn=ldap-manager,ou=Roles,dc=tklogic,dc=net
userPassword: {CRYPT}xxxxxxxxxxxxx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-manager
description: LDAP manager user for any unrestricted read/writes (i.e. root-like)

Now for each user:

dn: uid=user,ou=People,dc=tklogic,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user
cn: Test User
sn: User
givenName: Test
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: http://test.tklogic.net/
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 2000
homeDirectory: /users/test/
description: A Test User for the ArchWiki LDAP-Authentication HOWTO
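Before loading a layout like the one above with ldapadd it is worth checking it mechanically, because slapd will happily accept an entry with a cleartext userPassword or two accounts sharing a uidNumber. The script below is an added example for this HOWTO (not code from the page or from OpenLDAP). It parses LDIF from a constructed sample, the layout above trimmed down plus one entry broken on purpose, and reports entries whose parent does not exist yet, posixAccounts missing an RFC 2307 attribute, reused uidNumbers, a gidNumber with no matching posixGroup, and passwords stored without a {SCHEME} prefix. The suffix and the sample entries come from the page; the `uid=bad` entry, the attribute list and the scheme list are my assumptions.

```python
"""Lint an LDIF layout before loading it with ldapadd (added example for this HOWTO,
not part of the page or of OpenLDAP): flags a missing parent entry, a posixAccount
missing a required attribute, a reused uidNumber, a gidNumber with no posixGroup,
and a userPassword stored without a hash scheme prefix (i.e. in cleartext)."""
from collections import defaultdict

POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")  # RFC 2307
HASHED_SCHEMES = ("{CRYPT}", "{SSHA}", "{SHA}", "{SMD5}", "{MD5}")  # prefixes slapd treats as hashed


def normalize_dn(dn):
    """Canonical DN for comparisons: lower-case, no blanks around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """One {attribute: [values]} dict per blank-line separated entry (no base64/continuation support)."""
    entries, current = [], None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current = None
        else:
            attr, _, value = raw.partition(":")
            current = current if current is not None else defaultdict(list)
            current[attr.strip()].append(value.strip())
    return entries


def lint_ldif(text, suffix):
    """Return human-readable findings; an empty list means the layout is consistent."""
    entries, findings, seen_uids = parse_ldif(text), [], {}
    known_dns = {normalize_dn(suffix)}
    group_gids = {g for e in entries if "posixGroup" in e.get("objectClass", []) for g in e.get("gidNumber", [])}
    for e in entries:
        dn = e["dn"][0]
        # ldapadd loads top-down, so the parent must be the suffix or an earlier entry.
        parent = normalize_dn(dn.split(",", 1)[1]) if "," in dn else ""
        if normalize_dn(dn) != normalize_dn(suffix) and parent not in known_dns:
            findings.append(f"{dn}: parent {parent} is not defined before this entry")
        known_dns.add(normalize_dn(dn))
        # Without a {SCHEME} prefix slapd stores and compares the password as cleartext.
        for pw in e.get("userPassword", []):
            if not pw.upper().startswith(HASHED_SCHEMES):
                findings.append(f"{dn}: userPassword has no hash scheme prefix")
        if "posixAccount" in e.get("objectClass", []):
            for must in POSIX_ACCOUNT_MUST:
                if must not in e:
                    findings.append(f"{dn}: posixAccount is missing {must}")
            for n in e.get("uidNumber", []):  # one uidNumber per user, or two users share files
                if n in seen_uids:
                    findings.append(f"{dn}: uidNumber {n} already used by {seen_uids[n]}")
                seen_uids.setdefault(n, dn)
            for g in e.get("gidNumber", []):  # the primary group must exist as a posixGroup
                if g not in group_gids:
                    findings.append(f"{dn}: gidNumber {g} matches no posixGroup")
    return findings


# Constructed sample: the HOWTO's layout, trimmed, plus one deliberately broken entry.
SAMPLE_LDIF = """\
dn: dc=tklogic,dc=net
dc: tklogic
objectClass: dcObject
objectClass: organization
o: techknowlogic.net

dn: ou=People,dc=tklogic,dc=net
ou: People
objectClass: organizationalUnit

dn: ou=Groups, dc=tklogic,dc=net
ou: Groups
objectClass: organizationalUnit

dn: cn=tklusers,ou=Groups,dc=tklogic,dc=net
cn: tklusers
gidNumber: 2000
objectClass: posixGroup

dn: uid=user,ou=People,dc=tklogic,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user
cn: Test User
userPassword: {CRYPT}xxxxxxxxxx
uidNumber: 10000
gidNumber: 2000
homeDirectory: /users/test/

# Broken on purpose: wrong parent, cleartext password, no homeDirectory, reused uidNumber, unknown group.
dn: uid=bad,ou=Staff,dc=tklogic,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bad
cn: Bad Example
userPassword: hunter2
uidNumber: 10000
gidNumber: 3000
"""

if __name__ == "__main__":
    for finding in lint_ldif(SAMPLE_LDIF, "dc=tklogic,dc=net") or ["no findings"]:
        print(finding)
```

Run it with python3 and it prints five findings, all for the broken `uid=bad` entry; the entries copied from the page pass cleanly. The parent check follows the same top-down order ldapadd uses, so the same LDIF that passes here will also load without "no such object" errors.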

Configure and Fill OpenLDAP

Configure NSS

Configure PAM

This is what my files look like. It may not be exactly right, but it works on my systems.

/etc/pam.d/login

auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_tally.so onerr=succeed file=/var/log/faillog
account         required        pam_access.so
account         required        pam_time.so
account         required        pam_unix.so
account         sufficient      pam_ldap.so 
password        sufficient      pam_ldap.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix.so
session         required        pam_env.so
session         required        pam_motd.so
session         required        pam_limits.so
session         optional        pam_mail.so dir=/var/spool/mail standard
session         sufficient      pam_ldap.so 
session         optional        pam_lastlog.so

/etc/pam.d/shadow

auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
auth            sufficient      pam_ldap.so use_first_pass
account         required        pam_unix.so
account         sufficient      pam_ldap.so
session         required        pam_unix.so
session         sufficient      pam_ldap.so
password        sufficient      pam_ldap.so
password        required        pam_permit.so

/etc/pam.d/passwd

password        sufficient      pam_ldap.so 
password        required        pam_unix.so shadow nullok

/etc/pam.d/su

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

/etc/pam.d/sudo

auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_nologin.so

/etc/pam.d/sshd

auth            required        pam_nologin.so
auth            sufficient      pam_ldap.so 
auth            required        pam_env.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         required        pam_time.so
password        required        pam_ldap.so 
password        required        pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix_session.so
session         sufficient      pam_ldap.so 
session         required        pam_limits.so
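The order of the lines and the control flags (required, requisite, sufficient, optional) decide which modules actually run for a given user. The script below is an added example (mine, not from the page or from Linux-PAM): a small simulator of the control-flag semantics described in pam.conf(5), run over the /etc/pam.d/login file shown above with constructed per-module outcomes. It records which modules were consulted, so the effect of moving a line can be checked before the file goes into /etc/pam.d. The outcome dictionaries and the assumption that any module not listed in them succeeds are mine.

```python
"""Simulate how Linux-PAM walks one of the stacks in this HOWTO.

Added example, not part of the page or of Linux-PAM. It implements the simple
control flags from pam.conf(5) (required, requisite, sufficient, optional) and
records which modules were consulted.
"""

# Copied from the /etc/pam.d/login shown in this HOWTO (auth, account, password, two session lines).
LOGIN_TEXT = """\
auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_tally.so onerr=succeed file=/var/log/faillog
account         required        pam_access.so
account         required        pam_time.so
account         required        pam_unix.so
account         sufficient      pam_ldap.so
password        sufficient      pam_ldap.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix.so
"""


def parse_pam_file(text):
    """Turn pam.d lines into (type, control, module, args) tuples; comments and blanks are skipped."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        stack.append((fields[0], fields[1], fields[2], fields[3:]))
    return stack


def run_stack(stack, mtype, outcomes):
    """Walk the modules of one management group (auth, account, ...) in file order.

    outcomes maps a module name to True (success) or False (failure); a module
    that is not listed is assumed to succeed (a simulation assumption, not PAM
    behaviour). Returns (result, list_of_modules_consulted).
    """
    consulted, first_failure, saw_non_optional, optional_result = [], None, False, None
    for t, control, module, _args in stack:
        if t != mtype:
            continue
        consulted.append(module)
        ok = outcomes.get(module, True)
        if control == "optional":
            optional_result = ok  # only counts if it is the sole control type in the stack
            continue
        saw_non_optional = True
        if control == "requisite" and not ok:
            return "fail", consulted  # abort at once; later modules never run
        if control == "required" and not ok and first_failure is None:
            first_failure = module  # keep walking, so the caller cannot tell which module failed
        if control == "sufficient" and ok and first_failure is None:
            return "ok", consulted  # short-circuit: everything below is skipped
    if first_failure:
        return "fail", consulted
    if not saw_non_optional and optional_result is not None:
        return ("ok" if optional_result else "fail"), consulted
    return "ok", consulted


LOGIN = parse_pam_file(LOGIN_TEXT)


def scenarios():
    """Results for the login file's auth and account stacks under a few constructed cases."""
    return {
        "ldap user, correct password": run_stack(LOGIN, "auth", {"pam_ldap.so": True}),
        "ldap user, wrong password": run_stack(LOGIN, "auth", {"pam_ldap.so": False, "pam_unix.so": False}),
        "local user, unknown to ldap": run_stack(LOGIN, "auth", {"pam_ldap.so": False, "pam_unix.so": True}),
        "/etc/nologin present": run_stack(LOGIN, "auth", {"pam_nologin.so": False}),
        # account: a later 'sufficient' success cannot undo an earlier 'required' failure
        "account ok in ldap, rejected by pam_unix": run_stack(LOGIN, "account", {"pam_unix.so": False, "pam_ldap.so": True}),
    }


if __name__ == "__main__":
    for name, (result, path) in scenarios().items():
        print(f"{name:42} -> {result:4} via {' > '.join(path)}")
```

Two things the simulation makes visible in the login file above: a successful pam_ldap.so ends the auth stack immediately, so pam_unix.so and the pam_tally.so counter are never consulted for an LDAP user who types the right password, while a wrong password falls through to both; and in the account stack, because pam_unix.so is required and listed before the sufficient pam_ldap.so, a failure from pam_unix.so is final even when pam_ldap.so would have accepted the account.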