Difference between revisions of "LDAP authentication"

From ArchWiki
(Udev / Ldap Update)
Hopefully there will be a fix later.

=== Udev / Ldap Update ===

udev / ldap boot update -> please see: http://wiki.archlinux.org/index.php/Udev-ldap_workaround

Here is a workaround for udev and ldap. It solves the issue of udev hanging forever on boot.

This patch rewrites nsswitch.conf on boot, before udev loads, and puts it back once the / filesystem has been remounted rw.

Make sure you copy nsswitch.ldap to nsswitch.conf as recommended in the documentation.

Hope this is useful for people.

Here is the patch.

<pre>
How to Apply:

System Information:
ArchLinux 0.8 Don't Panic
udev 114-1

[cdowns@ArchVM08 rc.sysinit]$ sudo patch -p0 /etc/rc.sysinit < rc.sysinit.diff
Password:
patching file /etc/rc.sysinit
[cdowns@ArchVM08 rc.sysinit]$
</pre>

<pre>
--- rc.sysinit 2007-09-14 17:01:37.000000000 -0500
+++ rc.sysinit_mod 2007-09-14 17:00:37.000000000 -0500
@@ -16,6 +16,33 @@
# start up our mini logger until syslog takes over
/sbin/minilogd
+# check nsswitch.conf for group: files ldap on boot.
+# if found rewrite nsswitch.conf.
+# NOTE: this is using nsswitch.ldap copied to -> nsswitch.conf
+# cdowns\@openmethods.com
+function udev_ldap_hack() {
+ status "Starting LDAP Udev Check" mount -o remount,rw /
+ if [ -e /tmp/nsswitch.udev ] ; then
+ rm /tmp/nsswitch.udev
+ fi
+ if [ -f /etc/nsswitch.conf ] ; then
+ sed -e 's/group:\s*files ldap/group:\t\tfiles/' /etc/nsswitch.conf >> /tmp/nsswitch.udev
+ status "Ending LDAP Check" mount -o remount,ro /
+ sleep 2
+ fi
+}
+
+function udev_ldap_restore() {
+ status "Restoring LDAP config"
+ if [ -e /tmp/nsswitch.udev ] ; then
+ rm /tmp/nsswitch.udev
+ fi
+ if [ -f /etc/nsswitch.conf ] ; then
+ sed -e 's/group:\s*files/group:\t\tfiles ldap/' /etc/nsswitch.conf >> /tmp/nsswitch.udev
+ sleep 2
+ fi
+}
+
# mount /proc
mount -n -t proc none /proc
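Review bot: neither function ever writes its result back, so this hunk has no effect on udev as written: `sed ... /etc/nsswitch.conf >> /tmp/nsswitch.udev` only fills the temp file, and /etc/nsswitch.conf is unchanged when start_udev runs. Copy the result over once the sed has succeeded, e.g. `sed -e '...' /etc/nsswitch.conf > /tmp/nsswitch.udev && cp /tmp/nsswitch.udev /etc/nsswitch.conf`, and do the same in udev_ldap_restore. Wrapping `mount -o remount,rw /` in `status` only reports its exit code; test it before writing, or the copy fails silently on a still read-only /. The restore substitution is also not idempotent: a `group:` line that already reads `files ldap` becomes `files ldap ldap`; anchor it, e.g. `s/^group:\s*files$/group:\t\tfiles ldap/`.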
@@ -33,6 +60,9 @@
/sbin/modprobe usbcore >/dev/null 2>&1
grep -qw usbfs /proc/filesystems && mount -n -t usbfs none /proc/bus/usb
+## run the udev_ldap_hack
+udev_ldap_hack
+
if [ -x /etc/start_udev -a -d /sys/block ]; then
# We have a start_udev script and /sys appears to be mounted, use UDev
status "Starting UDev Daemon" /etc/start_udev init
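Review bot: `udev_ldap_hack` is called unconditionally, so every boot remounts / read-write and back even on a machine whose nsswitch.conf has no ldap entry. Guard the call, e.g. `grep -q '^group:.*ldap' /etc/nsswitch.conf && udev_ldap_hack`, and let the `## run the udev_ldap_hack` comment say why it is there (group lookups through ldap hang udev while the directory is unreachable) rather than repeating the function name.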
@@ -268,6 +298,11 @@
mount -t usbfs none /proc/bus/usb
fi
fi
+
+
+# set ldap nsswitch.conf back to normal.
+udev_ldap_restore
+
# now mount all the local filesystems
/bin/mount -a -t $NETFS
stat_done
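Review bot: `udev_ldap_restore` never remounts / read-write, so it only works if that has already happened by this point in rc.sysinit; the hunk sits just before `# now mount all the local filesystems`, which suggests it has, but verify rather than assume. Style: three blank lines are added around a two-line call, one before and one after is enough, and `# set ldap nsswitch.conf back to normal.` should name what is written where (the sed output goes to /tmp/nsswitch.udev, not to /etc/nsswitch.conf).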
@@ -341,7 +376,7 @@
/usr/bin/kbd_mode -u
/usr/bin/dumpkeys | /bin/loadkeys --unicode
# the $CONSOLE check helps us avoid this when running scripts from cron
- echo 'if [ "$CONSOLE" = "" -a "$TERM" = "linux" -a isatty ]; then echo -ne "\e%G"; fi' >>/etc/profile.d/locale.sh
+ echo 'if [ "$CONSOLE" = "" -a "$TERM" = "linux" -a -t 1 ]; then echo -ne "\e%G"; fi' >>/etc/profile.d/locale.sh
stat_done
fi
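Review bot: the `isatty` to `-t 1` change fixes a real bug (`[ ... -a isatty ]` only tests that the string "isatty" is non-empty, so it is always true, and `-t 1` is what was meant), but it is unrelated to the LDAP workaround; split it into its own patch so the workaround can be applied or reverted on its own.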
@@ -355,7 +390,7 @@
fi
done
# the $CONSOLE check helps us avoid this when running scripts from cron
- echo 'if [ "$CONSOLE" = "" -a "$TERM" = "linux" -a isatty ]; then echo -ne "\e(K"; fi' >>/etc/profile.d/locale.sh
+ echo 'if [ "$CONSOLE" = "" -a "$TERM" = "linux" -a -t 1 ]; then echo -ne "\e(K"; fi' >>/etc/profile.d/locale.sh
stat_done
fi
# Adding persistent network/cdrom generated rules
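Review bot: same unrelated `isatty` to `-t 1` fix as in the previous hunk; keep it with that one in the separate patch. The two branches write the identical `$CONSOLE`/`-t 1` guard into locale.sh and differ only in the escape sequence, so a single helper taking the sequence as its argument would have avoided fixing the same test twice.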
 
</pre>

Revision as of 03:17, 15 September 2007

HOWTO - LDAP Authentication in ArchLinux

Overview

What you need to install, configure, and know to get LDAP (RFC 2251) authentication working on Arch.

Steps:

  1. Install OpenLDAP
  2. Design LDAP Directory
  3. Configure and Fill OpenLDAP
  4. Configure NSS
  5. Configure PAM

References

http://aqua.subnet.at/~max/ldap/

Install OpenLDAP

This part is easy: 'pacman -S openldap'. If you want SSL/TLS (I'll try to come back and expand on this), you'll have to rebuild the package with abs and enable SSL/TLS support, as I don't think it is enabled by default.

Design LDAP Directory

This all depends on what organization your network/computer is modeling.

Here is my initial layout, in LDIF format:
dn: dc=tklogic,dc=net
dc: tklogic 
description: The techknowlogic.net Network
objectClass: dcObject
objectClass: organization
o: techknowlogic.net 

dn: ou=People,dc=tklogic,dc=net
ou: People
objectClass: organizationalUnit

dn: ou=Groups, dc=tklogic,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: cn=tklusers,ou=Groups,dc=tklogic,dc=net
gidNumber: 2000
objectClass: posixGroup
objectClass: top
cn: tklusers

dn: ou=Roles,dc=tklogic,dc=net
ou: Roles
description: Org Unit for holding a basic set of ACL Roles.
objectClass: top
objectClass: organizationalUnit

dn: cn=ldap-reader,ou=Roles,dc=tklogic,dc=net
userPassword: {CRYPT}xxxxxxxxxxxxx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-reader
description: LDAP reader user for any unrestricted reads (i.e. for NSS)

dn: cn=ldap-manager,ou=Roles,dc=tklogic,dc=net
userPassword: {CRYPT}xxxxxxxxxxxxx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-manager
description: LDAP manager user for any unrestricted read/writes (i.e. root-like)
Now for each user:
dn: uid=user,ou=People,dc=tklogic,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user
cn: Test User
sn: User
givenName: Test
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: http://test.tklogic.net/
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 2000
homeDirectory: /users/test/
description: A Test User for the ArchWiki LDAP-Authentication HOWTO

Configure and Fill OpenLDAP

Client Side

/etc/openldap/ldap.conf

BASE    dc=yourdomain,dc=com
URI     ldap://yourdomain.com

/etc/pam_ldap.conf and /etc/nss_ldap.conf

If there is an actual difference between these files, please let me know.

>> There's not. In Gentoo we use only one /etc/ldap.conf file, so I made hardlinks of these two; using only one file, it works. I wonder why Arch has them separated. Does anybody know?

host yourdomain.com
base dc=yourdomain,dc=com
uri ldap://yourdomain.com/
ldap_version 3
rootbinddn cn=Manager,dc=yourdomain,dc=com
scope sub
timelimit 5
bind_timelimit 5
nss_reconnect_tries 2
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
pam_password exop
nss_base_passwd		ou=People,dc=yourdomain,dc=com
nss_base_shadow		ou=People,dc=yourdomain,dc=com

/etc/ldap.secret

plaintextpassword

Chmod the file to 600 so that only root can read the plaintext password.


Server Side

/etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/courier.schema
allow bind_v2
password-hash {md5}
pidfile   /var/run/slapd.pid
argsfile  /var/run/slapd.args
database        bdb
suffix          "dc=yourdomain,dc=com"
rootdn          "cn=Manager,dc=yourdomain,dc=com"
# generate the value with: slappasswd -h {MD5} -s passwordstring
rootpw          password
directory       /var/lib/openldap/openldap-data
index   objectClass     eq
index   uid     eq

Configure NSS

/etc/nsswitch.file

passwd:         files
group:          files
hosts:          dns
services:   files 
networks:   files 
protocols:  files 
rpc:        files 
ethers:     files 
netmasks:   files
bootparams: files
publickey:  files
automount:  files
aliases:    files
sendmailvars:   files
netgroup:   files

/etc/nsswitch.ldap

passwd:         files ldap
group:          files ldap
hosts:          dns ldap
services:   ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
netmasks:   files
bootparams: files
publickey:  files
automount:  files
sendmailvars:   files
netgroup:   ldap [NOTFOUND=return] files


/etc/rc.sysinit

Be sure to modify this file before you reboot, or your machine will hang at "Starting UDev Daemon".

Add this before UDev starts

cp /etc/nsswitch.file /etc/nsswitch.conf

And this after UDev is started

cp /etc/nsswitch.ldap /etc/nsswitch.conf

Hopefully there will be a fix later.

udev / ldap boot update -> please see: http://wiki.archlinux.org/index.php/Udev-ldap_workaround
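The two cp lines above (and the sed rewrite in the Udev / Ldap Update patch near the top of this page) swap nsswitch.conf by hand. As an added example that is not part of the wiki page or of Arch's rc.sysinit, the Python below does the same check programmatically: it reports which databases consult ldap, the lookups that hang udev before the network is up, and produces a boot-safe copy with ldap removed only from the udev-sensitive passwd, group and shadow entries (that list is an assumption; the sample input is constructed from the nsswitch.ldap layout above).

```python
"""Find nsswitch.conf databases that consult ldap and write a boot-safe copy without them."""
import re

# Constructed sample in the layout of /etc/nsswitch.ldap above (abbreviated).
SAMPLE_NSSWITCH_LDAP = """\
passwd:         files ldap
group:          files ldap
hosts:          dns ldap
services:   ldap [NOTFOUND=return] files
netgroup:   ldap [NOTFOUND=return] files
"""
# Assumption: the databases udev resolves while / is still read-only and ldap unreachable.
UDEV_SENSITIVE = ("passwd", "group", "shadow")

def parse_nsswitch(text):
    """Return {database: [source/action tokens]}, skipping comments and blank lines."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, rest = line.partition(":")
            dbs[name.strip()] = rest.split()
    return dbs

def databases_using(text, source="ldap"):
    """Databases whose lookup chain consults `source`, in file order."""
    return [db for db, toks in parse_nsswitch(text).items() if source in toks]

def drop_source(tokens, source):
    """Remove `source` together with any [ACTION=...] tokens attached to it."""
    kept, skipping = [], False
    for tok in tokens:
        is_action = tok.startswith("[")     # action tokens belong to the previous source
        skipping = skipping if is_action else tok == source
        if not skipping:
            kept.append(tok)
    return kept

def strip_source(text, source="ldap", only=UDEV_SENSITIVE):
    """Drop `source` from the `only` databases; every other line passes through unchanged."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(\w+)(\s*:\s*)(.*)$", line)
        if m and m.group(1) in only:
            line = m.group(1) + m.group(2) + " ".join(drop_source(m.group(3).split(), source))
        out.append(line)
    return "\n".join(out) + "\n"

def is_boot_safe(text):
    """True once no udev-sensitive database consults ldap (safe to start udev)."""
    return not any(db in UDEV_SENSITIVE for db in databases_using(text))
```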

Configure PAM

This is what my files look like. It may not be exactly right, but it works on my systems.

/etc/pam.d/login

auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_tally.so onerr=succeed file=/var/log/faillog
account         required        pam_access.so
account         required        pam_time.so
account         required        pam_unix.so
account         sufficient      pam_ldap.so 
password        sufficient      pam_ldap.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix.so
session         required        pam_env.so
session         required        pam_motd.so
session         required        pam_limits.so
session         optional        pam_mail.so dir=/var/spool/mail standard
session         sufficient      pam_ldap.so 
session         optional        pam_lastlog.so

/etc/pam.d/shadow

auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
auth            sufficient      pam_ldap.so use_first_pass
account         required        pam_unix.so
account         sufficient      pam_ldap.so
session         required        pam_unix.so
session         sufficient      pam_ldap.so
password        sufficient      pam_ldap.so
password        required        pam_permit.so

/etc/pam.d/passwd

password        sufficient      pam_ldap.so 
password        required        pam_unix.so shadow nullok

/etc/pam.d/su

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

/etc/pam.d/sudo

auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_nologin.so

/etc/pam.d/sshd

auth            required        pam_nologin.so
auth            sufficient      pam_ldap.so 
auth            required        pam_env.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         required        pam_time.so
password        required        pam_ldap.so 
password        required        pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix_session.so
session         sufficient      pam_ldap.so 
session         required        pam_limits.so
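Because every stack above lists pam_ldap.so as sufficient ahead of pam_unix.so, a successful LDAP login returns before the later modules run. As an added example that is not part of the wiki page or of Linux-PAM, this Python walks a stack with the classic control flags and shows which modules an LDAP user, a local user, or a blocked login actually reaches; the sample is a constructed copy of the /etc/pam.d/login auth lines above, and the evaluator assumes modules it is not told about succeed.

```python
"""Evaluate a PAM stack with the classic control flags (requisite, required,
sufficient, optional) to see which modules actually run for a given user."""

# Constructed copy of the auth lines from the /etc/pam.d/login stack above.
LOGIN_AUTH = """\
auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_tally.so onerr=succeed file=/var/log/faillog
"""

def parse_stack(text, facility):
    """Return [(control, module)] for one facility (auth, account, password, session)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#") and parts[0] == facility:
            rows.append((parts[1], parts[2]))
    return rows

def run_stack(stack, outcomes):
    """Walk the stack like Linux-PAM. outcomes maps module -> True/False;
    modules not listed are assumed to succeed. Returns (final_ok, modules_that_ran)."""
    ran, failed = [], False
    for control, module in stack:
        ok = outcomes.get(module, True)
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran           # fail now; nothing below sees the request
        if control == "required" and not ok:
            failed = True               # remembered; the rest still runs (no hint which one failed)
        if control == "sufficient" and ok and not failed:
            return True, ran            # short-circuit; everything below is skipped
        # optional: ignored here (it only decides when it is the sole module in the stack)
    return not failed, ran

def skipped_after_ldap_success(text, facility):
    """Modules an LDAP user never reaches once pam_ldap.so (sufficient) succeeds."""
    stack = parse_stack(text, facility)
    _, ran = run_stack(stack, {"pam_ldap.so": True, "pam_unix.so": False})
    return [m for _, m in stack if m not in ran]

if __name__ == "__main__":
    print("skipped for LDAP users:", skipped_after_ldap_success(LOGIN_AUTH, "auth"))
```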