Difference between revisions of "LDAP authentication"

From ArchWiki

Edit summary: (sysvinit as well)
(34 intermediate revisions by 20 users not shown)

Line 1 (old revision) / Line 1 (new revision):

Old revision:
[[Category:Security (English)]]
[[Category:HOWTOs (English)]]
== HOWTO - LDAP Authentication in ArchLinux ==

New revision:
[[Category:Security]]
{{Out_of_date|slapd.conf(5) is deprecated; initscripts/sysvinit is deprecated}}
{{Merge|OpenLDAP Authentication}}
{{Poor writing}}

== HOWTO - LDAP Authentication in Arch Linux ==

Unchanged:
=== Overview ===
Line 19 (old revision) / Line 22 (new revision):

Unchanged:
http://aqua.subnet.at/~max/ldap/

Old revision:
=== Install OpenLDAP ===

This part is easy: 'pacman -S openldap'.  If you want to add SSL/TLS (I'll try to return to expand on this), you'll have to use abs to build the package with SSL/TLS support as I don't think it is the default configuration.

New revision:
==== For the newbies ====

If you are totally new to those concepts, here is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.

http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html

=== Install OpenLDAP ===

See the [[OpenLDAP]] article

Unchanged:
=== Design LDAP Directory ===
Line 109 (old revision) / Line 117 (new revision):

Unchanged:
>> There's not. In Gentoo we use only one /etc/ldap.conf file, so I made hardlinks on these two, using only one file it works. Wonder why Arch has it separated. Anybody knows?

New revision (added):
>>> Actually I have moved the /etc/nss_ldap.conf to /etc/ldap.conf. /etc/openldap/ldap.conf and /etc/nss_ldap.conf are only sym-links to /etc/ldap.conf. Works fine for me.

Unchanged:
  host yourdomain.com
Line 154 (old revision) / Line 164 (new revision):

Unchanged:
=== Configure NSS ===

Old revision:
'' /etc/nsswitch.file''

New revision:
'' /etc/nsswitch.conf''

Unchanged:
  passwd:        files
  group:          files
Line 190 (old revision) / Line 200 (new revision):

Unchanged:
''/etc/rc.sysinit''

Old revision:
'''Be sure to modify this file before you reboot or you will machine will hang on "Starting UDev Daemon"'''

New revision:
'''Be sure to modify this file before you reboot or your machine will hang on "Starting UDev Daemon"'''

Unchanged:
Add this before UDev starts
Line 200 (old revision) / Line 210 (new revision):

Unchanged:
Hopefully there will be a fix later.

New revision:
udev / ldap boot update ->

please see: https://wiki.archlinux.org/index.php/Udev-ldap_workaround

Old revision (this section and the patch that follows it were removed; only the closing </pre> survives in the new revision):
=== Udev / Ldap Update ===

Here is a workaround for udev and ldap. This solves the issue of udev hanging on boot forever.

This allows your machine to boot if you are using udev and ldap. Your machine will not hang on udev busy. It will rewrite the nsswitch.conf file and replace it once the / filesystem is remounted rw. Make sure you copy nsswitch.ldap to nsswitch.conf as recommended per the documentation.

Hope this is useful for people.

Here is the patch.
<pre>
--- rc.sysinit 2007-09-14 17:01:37.000000000 -0500
+++ rc.sysinit_mod 2007-09-14 17:00:37.000000000 -0500
@@ -16,6 +16,33 @@
# start up our mini logger until syslog takes over
/sbin/minilogd
+
+# check nsswitch.conf for group: files ldap on boot.
+# if found rewrite nsswitch.conf.
+# NOTE: this is using nsswitch.ldap copied to -> nsswitch.conf
+# cdowns\@openmethods.com
+function udev_ldap_hack() {
+ status "Starting LDAP Udev Check" mount -o remount,rw /
+ if [ -e /tmp/nsswitch.udev ] ; then
+ rm /tmp/nsswitch.udev
+ fi
+ if [ -f /etc/nsswitch.conf ] ; then
+ sed -e 's/group:\s*files ldap/group:\t\tfiles/' /etc/nsswitch.conf >> /tmp/nsswitch.udev
+ status "Ending LDAP Check" mount -o remount,ro /
+ sleep 2
+ fi
+}
+
+function udev_ldap_restore() {
+ status "Restoring LDAP config"
+ if [ -e /tmp/nsswitch.udev ] ; then
+ rm /tmp/nsswitch.udev
+ fi
+ if [ -f /etc/nsswitch.conf ] ; then
+ sed -e 's/group:\s*files/group:\t\tfiles ldap/' /etc/nsswitch.conf >> /tmp/nsswitch.udev
+ sleep 2
+ fi
+}
+
# mount /proc
mount -n -t proc none /proc
@@ -33,6 +60,9 @@
/sbin/modprobe usbcore >/dev/null 2>&1
grep -qw usbfs /proc/filesystems && mount -n -t usbfs none /proc/bus/usb
+
+## run the udev_ldap_hack
+udev_ldap_hack
if [ -x /etc/start_udev -a -d /sys/block ]; then
# We have a start_udev script and /sys appears to be mounted, use UDev
status "Starting UDev Daemon" /etc/start_udev init
@@ -268,6 +298,11 @@
mount -t usbfs none /proc/bus/usb
fi
fi
+
+
+# set ldap nsswitch.conf back to normal.
+udev_ldap_restore
+
# now mount all the local filesystems
/bin/mount -a -t $NETFS
stat_done
@@ -341,7 +376,7 @@
/usr/bin/kbd_mode -u
/usr/bin/dumpkeys | /bin/loadkeys --unicode
# the $CONSOLE check helps us avoid this when running scripts from cron
- echo 'if [ "$CONSOLE" = "" -a "$TERM" = "linux" -a isatty ]; then echo -ne "\e%G"; fi' >>/etc/profile.d/locale.sh
+ echo 'if [ "$CONSOLE" = "" -a "$TERM" = "linux" -a -t 1 ]; then echo -ne "\e%G"; fi' >>/etc/profile.d/locale.sh
stat_done
fi
@@ -355,7 +390,7 @@
fi
done
# the $CONSOLE check helps us avoid this when running scripts from cron
- echo 'if [ "$CONSOLE" = "" -a "$TERM" = "linux" -a isatty ]; then echo -ne "\e(K"; fi' >>/etc/profile.d/locale.sh
+ echo 'if [ "$CONSOLE" = "" -a "$TERM" = "linux" -a -t 1 ]; then echo -ne "\e(K"; fi' >>/etc/profile.d/locale.sh
stat_done
fi
# Adding persistent network/cdrom generated rules
</pre>
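Review bot: in udev_ldap_hack (hunk @@ -16,6 +16,33 @@) the rewritten configuration is only appended to /tmp/nsswitch.udev; no line copies it back over /etc/nsswitch.conf, so the `group: files ldap` entry is still in place when udev starts and the hang the patch is meant to avoid is not prevented. udev_ldap_restore has the same gap, and its `status "Restoring LDAP config"` line carries no command after the message (compare `status "Starting LDAP Udev Check" mount -o remount,rw /`), so it only prints a busy/done line. Suggested shape for both functions: write the sed output to a root-owned file on the root filesystem (not a fixed name under the world-writable /tmp, which another local user could pre-create or point elsewhere with a symlink) and `mv` it over /etc/nsswitch.conf while / is still mounted read-write; since each `>>` is preceded by an `rm` of the same file, `>` is what is meant.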
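Review bot: udev_ldap_hack is called unconditionally in hunk @@ -33,6 +60,9 @@, so every boot remounts / read-write and back read-only and sleeps two seconds even on machines whose nsswitch.conf never mentions ldap; guard the call, for example `grep -q 'group:.*ldap' /etc/nsswitch.conf && udev_ldap_hack`, so the hack only runs where the comment in the first hunk says it applies.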
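Review bot: udev_ldap_restore is placed before `/bin/mount -a -t $NETFS` in hunk @@ -268,6 +298,11 @@, so if /tmp is a separate filesystem the /tmp/nsswitch.udev it writes lands on the root filesystem and is hidden once /tmp is mounted, and its two-second sleep delays every boot; move the call after the local filesystems are mounted and, as in the first hunk, copy the result into /etc/nsswitch.conf, otherwise the ldap entry is never restored.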
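Review bot: the `isatty` to `-t 1` change in hunk @@ -341,7 +376,7 @@ is a genuine fix (a bare word `isatty` inside `[ ]` is a non-empty-string test that is always true, whereas `-t 1` checks that stdout is a terminal), but it has nothing to do with the udev/LDAP workaround and belongs in its own patch so the two can be reviewed and reverted independently.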
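Review bot: same point for hunk @@ -355,7 +390,7 @@: the `isatty` to `-t 1` correction on the `\e(K` line is unrelated to the LDAP change and should travel with the `\e%G` fix in a separate patch.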
  
Old revision (the Configure PAM section, removed in this revision):
=== Configure PAM ===

This is what my files look like. It may not be exactly right, but it works on my systems.

''/etc/pam.d/login''
auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_tally.so onerr=succeed file=/var/log/faillog
account         required        pam_access.so
account         required        pam_time.so
account         required        pam_unix.so
account         sufficient      pam_ldap.so
password        sufficient      pam_ldap.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix.so
session         required        pam_env.so
session         required        pam_motd.so
session         required        pam_limits.so
session         optional        pam_mail.so dir=/var/spool/mail standard
session         sufficient      pam_ldap.so
session         optional        pam_lastlog.so

''/etc/pam.d/shadow''
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
auth            sufficient      pam_ldap.so use_first_pass
account         required        pam_unix.so
account         sufficient      pam_ldap.so
session         required        pam_unix.so
session         sufficient      pam_ldap.so
password        sufficient      pam_ldap.so
password        required        pam_permit.so

''/etc/pam.d/passwd''
password        sufficient      pam_ldap.so
password        required        pam_unix.so shadow nullok

''/etc/pam.d/su''
auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

''/etc/pam.d/sudo''
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_nologin.so

''/etc/pam.d/sshd''
auth            required        pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_env.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         required        pam_time.so
password        required        pam_ldap.so
password        required        pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix_session.so
session         sufficient      pam_ldap.so
session         required        pam_limits.so

New revision (replaces the section above):
'''Alternative Fix'''

If you do not require LDAP to discover your host is to have the nsswitch.conf read
hosts:          files dns
this will bypass the need to modify ''/etc/rc.sysinit'' and not hang on boot

Revision as of 04:30, 9 February 2013

This article or section is out of date.
Reason: slapd.conf(5) is deprecated; initscripts/sysvinit is deprecated

This article or section is a candidate for merging with OpenLDAP Authentication.

This article or section needs language, wiki syntax or style improvements.

HOWTO - LDAP Authentication in Arch Linux

Overview

What you need to install, configure, and know, to get LDAP RFC 2251 Authentication working on Arch.

Steps:

  1. Install OpenLDAP
  2. Design LDAP Directory
  3. Configure and Fill OpenLDAP
  4. Configure NSS
  5. Configure PAM

References

http://aqua.subnet.at/~max/ldap/

For the newbies

If you are totally new to those concepts, here is a good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.

http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html

Install OpenLDAP

See the OpenLDAP article

Design LDAP Directory

This all depends on what organization your network/computer is modeling.

Here is my initial layout in LDIF format:
dn: dc=tklogic,dc=net
dc: tklogic 
description: The techknowlogic.net Network
objectClass: dcObject
objectClass: organization
o: techknowlogic.net 

dn: ou=People,dc=tklogic,dc=net
ou: People
objectClass: organizationalUnit

dn: ou=Groups, dc=tklogic,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: cn=tklusers,ou=Groups,dc=tklogic,dc=net
gidNumber: 2000
objectClass: posixGroup
objectClass: top
cn: tklusers

dn: ou=Roles,dc=tklogic,dc=net
ou: Roles
description: Org Unit for holding a basic set of ACL Roles.
objectClass: top
objectClass: organizationalUnit

dn: cn=ldap-reader,ou=Roles,dc=tklogic,dc=net
userPassword: {CRYPT}xxxxxxxxxxxxx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-reader
description: LDAP reader user for any unrestricted reads (i.e. for NSS)

dn: cn=ldap-manager,ou=Roles,dc=tklogic,dc=net
userPassword: {CRYPT}xxxxxxxxxxxxx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-manager
description: LDAP manager user for any unrestricted read/writes (i.e. root-like)
Now for each user:
dn: uid=user,ou=People,dc=tklogic,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user
cn: Test User
sn: User
givenName: Test
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: http://test.tklogic.net/
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 2000
homeDirectory: /users/test/
description: A Test User for the ArchWiki LDAP-Authentication HOWTO
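Before loading a layout like the one above into slapd, it is worth checking the relationships the entries rely on: every posixAccount must carry the attributes the nis.schema marks as required, its gidNumber must point at an existing posixGroup, uidNumbers must be unique, and no userPassword should be stored without a `{scheme}` prefix. The following is an added example, not code from the ArchWiki page: a minimal LDIF reader and a consistency check over it. The sample LDIF is constructed for the example (a trimmed copy of the layout above with two deliberate mistakes), and the function names `parse_ldif` and `check_directory` are assumptions.

```python
from typing import Dict, List

# Constructed sample LDIF (added example, not the page's own data): a trimmed copy of the
# layout above with two deliberate mistakes for the check to report: the test user's
# gidNumber points at a group that does not exist, and its password is in clear text.
SAMPLE_LDIF = """\
dn: dc=example,dc=net
dc: example
objectClass: dcObject
objectClass: organization
o: example.net

dn: ou=People,dc=example,dc=net
ou: People
objectClass: organizationalUnit

dn: cn=users,ou=Groups,dc=example,dc=net
gidNumber: 2000
objectClass: posixGroup
cn: users

dn: uid=test,ou=People,dc=example,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: test
cn: Test User
sn: User
userPassword: hunter2
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 2001
homeDirectory: /users/test/
"""

# Attributes a posixAccount / posixGroup MUST carry (RFC 2307, as shipped in nis.schema).
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")
POSIX_GROUP_MUST = ("cn", "gidnumber")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF content records into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased (LDAP attribute names are case-insensitive). Blank-line
    separators, '#' comments and single-space continuation lines are handled; base64 (::)
    and URL (:<) values are out of scope for this example.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]       # continuation of the previous value
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        last_attr = name.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_directory(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Return the problems found in the parsed entries; an empty list means the layout is consistent."""
    problems: List[str] = []
    group_gids = {gid for e in entries
                  if "posixgroup" in [c.lower() for c in e.get("objectclass", [])]
                  for gid in e.get("gidnumber", [])}
    seen_uidnumbers: Dict[str, str] = {}
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "posixaccount" in classes:
            for must in POSIX_ACCOUNT_MUST:
                if must not in e:
                    problems.append(f"{dn}: missing required attribute {must}")
            for gid in e.get("gidnumber", []):
                if gid not in group_gids:
                    problems.append(f"{dn}: gidNumber {gid} does not match any posixGroup")
            for uidn in e.get("uidnumber", []):
                if uidn in seen_uidnumbers:
                    problems.append(f"{dn}: uidNumber {uidn} already used by {seen_uidnumbers[uidn]}")
                seen_uidnumbers[uidn] = dn
        if "posixgroup" in classes:
            for must in POSIX_GROUP_MUST:
                if must not in e:
                    problems.append(f"{dn}: missing required attribute {must}")
        # A userPassword without a {SCHEME} prefix is stored in clear text in the directory.
        for pw in e.get("userpassword", []):
            if not (pw.startswith("{") and "}" in pw):
                problems.append(f"{dn}: userPassword is not a {{scheme}} hash")
    return problems


if __name__ == "__main__":
    for problem in check_directory(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run against the sample it reports the dangling gidNumber and the clear-text password; point it at your own LDIF (for example with `parse_ldif(open("layout.ldif").read())`) before the first `ldapadd`, since a wrong gidNumber only shows up later as a user whose primary group resolves to nothing.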

Configure and Fill OpenLDAP

Client Side

/etc/openldap/ldap.conf

BASE    dc=yourdomain,dc=com
URI     ldap://yourdomain.com

/etc/pam_ldap.conf and /etc/nss_ldap.conf

If there is an actual difference between these files, please let me know.

>> There's not. In Gentoo we use only one /etc/ldap.conf file, so I made hard links of these two; using only one file, it works. I wonder why Arch has them separated. Does anybody know?

>>> Actually I have moved the /etc/nss_ldap.conf to /etc/ldap.conf. /etc/openldap/ldap.conf and /etc/nss_ldap.conf are only sym-links to /etc/ldap.conf. Works fine for me.

host yourdomain.com
base dc=yourdomain,dc=com
uri ldap://yourdomain.com/
ldap_version 3
rootbinddn cn=Manager,dc=yourdomain,dc=com
scope sub
timelimit 5
bind_timelimit 5
nss_reconnect_tries 2
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
pam_password exop
nss_base_passwd		ou=People,dc=yourdomain,dc=com
nss_base_shadow		ou=People,dc=yourdomain,dc=com

/etc/ldap.secret

plaintextpassword

This file holds the rootbinddn password in plain text, so restrict it to root with chmod 600.


Server Side

/etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/courier.schema
allow bind_v2
password-hash {md5}
pidfile   /var/run/slapd.pid
argsfile  /var/run/slapd.args
database        bdb
suffix          "dc=yourdomain,dc=com"
rootdn          "cn=Manager,dc=yourdomain,dc=com"
rootpw          password
directory       /var/lib/openldap/openldap-data
index   objectClass     eq
index   uid     eq

For rootpw, replace password with the hashed value printed by slappasswd -h {MD5} -s passwordstring rather than storing the password in clear text.
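The `userPassword: {CRYPT}...` placeholders in the LDIF above, the `password-hash {md5}` directive and the slappasswd hint for rootpw all refer to the same `{SCHEME}base64` password format that slapd compares binds against. The following is an added example, not code from the ArchWiki page or from OpenLDAP: it builds and verifies values in that format for `{MD5}` (the scheme the page's slapd.conf selects) and `{SSHA}` (salted SHA-1, slappasswd's default, and the one to prefer of the two because the salt keeps equal passwords from producing equal values). The function names `hash_userpassword` and `verify_userpassword` are assumptions made for the example; `{CRYPT}` values are left to the system crypt(3) and are deliberately not handled.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example (not the page's or OpenLDAP's code): userPassword values in the
# "{SCHEME}base64" form that slappasswd prints and slapd checks binds against.
#   {MD5}  = base64(md5(password))                     (the page's `password-hash {md5}`)
#   {SSHA} = base64(sha1(password + salt) + salt)      (slappasswd's default, salted)


def hash_userpassword(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Return a userPassword value for the given scheme ({MD5} or {SSHA})."""
    pw = password.encode("utf-8")
    if scheme.upper() == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode("ascii")
    if scheme.upper() == "SSHA":
        salt = os.urandom(8) if salt is None else salt   # slappasswd also uses an 8-byte salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError(f"unsupported scheme: {scheme}")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {MD5}/{SSHA} value (constant-time compare)."""
    if not stored.startswith("{") or "}" not in stored:
        return False                          # no scheme prefix: refuse rather than guess
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (ValueError, TypeError):
        return False
    pw = password.encode("utf-8")
    if scheme.upper() == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme.upper() == "SSHA":
        if len(raw) <= 20:                    # 20-byte SHA-1 digest followed by the salt
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False                              # {CRYPT} and other schemes are not handled here


if __name__ == "__main__":
    # Constructed demo password; the {MD5} line is what `slappasswd -h {MD5} -s secret` prints.
    print(hash_userpassword("secret", "MD5"))
    ssha = hash_userpassword("secret")
    print(ssha, verify_userpassword("secret", ssha), verify_userpassword("wrong", ssha))
```

The output of `hash_userpassword` can be pasted directly after `userPassword:` in the LDIF or after `rootpw` in slapd.conf. Note that with `password-hash {md5}` the server itself only decides how passwords changed through the LDAP Password Modify extended operation are stored; values you load via LDIF are stored exactly as written, which is why the checker above flags entries that lack a scheme prefix.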

Configure NSS

/etc/nsswitch.conf

passwd:         files
group:          files
hosts:          dns
services:   files 
networks:   files 
protocols:  files 
rpc:        files 
ethers:     files 
netmasks:   files
bootparams: files
publickey:  files
automount:  files
aliases:    files
sendmailvars:   files
netgroup:   files

/etc/nsswitch.ldap

passwd:         files ldap
group:          files ldap
hosts:          dns ldap
services:   ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
netmasks:   files
bootparams: files
publickey:  files
automount:  files
sendmailvars:   files
netgroup:   ldap [NOTFOUND=return] files


/etc/rc.sysinit

Be sure to modify this file before you reboot or your machine will hang on "Starting UDev Daemon"

Add this before UDev starts (/etc/nsswitch.file being a copy of the files-only configuration listed above):

cp /etc/nsswitch.file /etc/nsswitch.conf

And this after UDev is started:

cp /etc/nsswitch.ldap /etc/nsswitch.conf

Hopefully there will be a fix later.

udev / ldap boot update: please see https://wiki.archlinux.org/index.php/Udev-ldap_workaround

Alternative Fix

If you do not need LDAP to resolve host names, keep the hosts line of nsswitch.conf as

hosts:          files dns

This removes the need to modify /etc/rc.sysinit, and the machine will not hang on boot.
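The boot hang this section works around comes from nsswitch.conf databases that list `ldap` being consulted by udev before the network, and therefore the LDAP server, is reachable; the two fixes above either swap in a files-only nsswitch.conf around udev or keep `ldap` off the hosts line. The following is an added example, not code from the ArchWiki page: it parses an nsswitch.conf, reports which early-boot databases would block on LDAP, flags source names glibc has no module for (the `netgroup: file` typo in the listing above is the motivating case), and produces the files-only variant in memory rather than editing the live file in place. The sample configurations are constructed from the page's two listings, and the function names `parse_nsswitch`, `early_boot_ldap_databases`, `unknown_sources` and `without_ldap` are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples (added example, not the page's files verbatim): the two nsswitch
# variants the page switches between around udev. The "netgroup: file" typo from the page's
# listing is kept on purpose so the source-name check below has something to flag.
NSSWITCH_FILES_ONLY = """\
passwd:     files
group:      files
hosts:      files dns
services:   files
netgroup:   file
"""

NSSWITCH_LDAP = """\
passwd:     files ldap
group:      files ldap
hosts:      dns ldap
services:   ldap [NOTFOUND=return] files
netgroup:   ldap [NOTFOUND=return] files
"""

# Source names with an NSS module behind them (glibc's nss_files, nss_dns, ... plus nss_ldap).
KNOWN_SOURCES = {"files", "dns", "ldap", "compat", "nis", "nisplus", "db", "hesiod"}
# Databases udev and the early rc scripts look up before the network is configured.
EARLY_BOOT_DATABASES = ("passwd", "group", "hosts")

ACTION_RE = re.compile(r"^\[[^\]]*\]$")     # e.g. [NOTFOUND=return]


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database to its ordered token list (source names and [action] specifiers)."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, rest = line.partition(":")
        if sep:
            databases[name.strip()] = rest.split()
    return databases


def early_boot_ldap_databases(text: str) -> List[str]:
    """Databases whose lookups would wait on LDAP before the network is up (the udev hang)."""
    dbs = parse_nsswitch(text)
    return [db for db in EARLY_BOOT_DATABASES if "ldap" in dbs.get(db, [])]


def unknown_sources(text: str) -> List[Tuple[str, str]]:
    """(database, token) pairs naming a source no NSS module provides, e.g. the 'file' typo."""
    bad: List[Tuple[str, str]] = []
    for db, tokens in parse_nsswitch(text).items():
        for tok in tokens:
            if not ACTION_RE.match(tok) and tok not in KNOWN_SOURCES:
                bad.append((db, tok))
    return bad


def without_ldap(text: str) -> str:
    """Return the configuration with every ldap source (and the [action] attached to it) removed.

    Same idea as the page's pre-udev copy of a files-only nsswitch.conf, but computed in
    memory so the result can be written to a temporary file and renamed into place atomically.
    """
    out = []
    for db, tokens in parse_nsswitch(text).items():
        kept, skip_action = [], False
        for tok in tokens:
            if ACTION_RE.match(tok):
                if not skip_action:
                    kept.append(tok)
                skip_action = False
            elif tok == "ldap":
                skip_action = True          # drop the action that qualified the ldap source
            else:
                kept.append(tok)
                skip_action = False
        out.append(f"{db + ':':<12}{' '.join(kept)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("blocks on LDAP before network:", early_boot_ldap_databases(NSSWITCH_LDAP))
    print("unknown sources:", unknown_sources(NSSWITCH_FILES_ONLY))
    print(without_ldap(NSSWITCH_LDAP))
```

`early_boot_ldap_databases` returning an empty list for your current `/etc/nsswitch.conf` is the condition under which the Alternative Fix applies and the rc.sysinit edit is unnecessary; if it lists `group` or `passwd`, udev's ownership lookups for device nodes will still wait on the LDAP timeouts configured in `/etc/nss_ldap.conf` at every boot.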