Difference between revisions of "LDAP authentication"

From ArchWiki
Jump to: navigation, search
(Configure NSS)
(HOWTO - LDAP Authentication in ArchLinux)
Line 1: Line 1:
 
[[Category:Security (English)]]
 
[[Category:Security (English)]]
 
[[Category:HOWTOs (English)]]
 
[[Category:HOWTOs (English)]]
== HOWTO - LDAP Authentication in ArchLinux ==
+
== HOWTO - LDAP Authentication in Arch Linux ==
  
 
=== Overview ===
 
=== Overview ===

Revision as of 22:49, 30 October 2008

HOWTO - LDAP Authentication in Arch Linux

Overview

What you need to install, configure, and know, to get LDAP RFC 2251 Authentication working on Arch.

Steps:

  1. Install OpenLDAP
  2. Design LDAP Directory
  3. Configure and Fill OpenLDAP
  4. Configure NSS
  5. Configure PAM

References

http://aqua.subnet.at/~max/ldap/

Install OpenLDAP

This part is easy: 'pacman -S openldap'. If you want to add SSL/TLS (I'll try to return to expand on this), you'll have to use abs to build the package with SSL/TLS support as I don't think it is the default configuration.

Design LDAP Directory

This all depends on what organization your network/computer is modeling.

Here is my initial layout in LDIF Format
dn: dc=tklogic,dc=net
dc: tklogic 
description: The techknowlogic.net Network
objectClass: dcObject
objectClass: organization
o: techknowlogic.net 

dn: ou=People,dc=tklogic,dc=net
ou: People
objectClass: organizationalUnit

dn: ou=Groups, dc=tklogic,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: cn=tklusers,ou=Groups,dc=tklogic,dc=net
gidNumber: 2000
objectClass: posixGroup
objectClass: top
cn: tklusers

dn: ou=Roles,dc=tklogic,dc=net
ou: Roles
description: Org Unit for holding a basic set of ACL Roles.
objectClass: top
objectClass: organizationalUnit

dn: cn=ldap-reader,ou=Roles,dc=tklogic,dc=net
userPassword: {CRYPT}xxxxxxxxxxxxx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-reader
description: LDAP reader user for any unrestricted reads (i.e. for NSS)

dn: cn=ldap-manager,ou=Roles,dc=tklogic,dc=net
userPassword: {CRYPT}xxxxxxxxxxxxx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-manager
description: LDAP manager user for any unrestricted read/writes (i.e. root-like)
Now for each user:
dn: uid=user,ou=People,dc=tklogic,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user
cn: Test User
sn: User
givenName: Test
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: http://test.tklogic.net/
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 2000
homeDirectory: /users/test/
description: A Test User for the ArchWiki LDAP-Authentication HOWTO

Configure and Fill OpenLDAP

Client Side

/etc/openldap/ldap.conf

BASE    dc=yourdomain,dc=com
URI     ldap://yourdomain.com

/etc/pam_ldap.conf and /etc/nss_ldap.conf

If there is an actual difference between these files, please let me know.

>> There's not. In Gentoo we use only one /etc/ldap.conf file, so I made hardlinks on these two, using only one file it works. Wonder why Arch has it separated. Anybody knows?

host yourdomain.com
base dc=yourdomain,dc=com
uri ldap://yourdomain.com/
ldap_version 3
rootbinddn cn=Manager,dc=yourdomain,dc=com
scope sub
timelimit 5
bind_timelimit 5
nss_reconnect_tries 2
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
pam_password exop
nss_base_passwd		ou=People,dc=yourdomain,dc=com
nss_base_shadow		ou=People,dc=yourdomain,dc=com

/etc/ldap.secret

plaintextpassword

Chmod to 600


Server Side

/etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/courier.schema
allow bind_v2
password-hash {md5}
pidfile   /var/run/slapd.pid
argsfile  /var/run/slapd.args
database        bdb
suffix          "dc=yourdomain,dc=com"
rootdn          "cn=Manager,dc=yourdomain,dc=com"
rootpw          password (Use slappasswd -h {MD5} -s passwordstring)
directory       /var/lib/openldap/openldap-data
index   objectClass     eq
index   uid     eq

Configure NSS

/etc/nsswitch.file

passwd:         files
group:          files
hosts:          dns
services:   files 
networks:   files 
protocols:  files 
rpc:        files 
ethers:     files 
netmasks:   files
bootparams: files
publickey:  files
automount:  files
aliases:    files
sendmailvars:   files
netgroup:   file

/etc/nsswitch.ldap

passwd:         files ldap
group:          files ldap
hosts:          dns ldap
services:   ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
netmasks:   files
bootparams: files
publickey:  files
automount:  files
sendmailvars:   files
netgroup:   ldap [NOTFOUND=return] files


/etc/rc.sysinit

Be sure to modify this file before you reboot or you will machine will hang on "Starting UDev Daemon"

Add this before UDev starts

cp /etc/nsswitch.file /etc/nsswitch.conf

And this after UDev is started

cp /etc/nsswitch.ldap /etc/nsswitch.conf

Hopefully there will be a fix later.

udev / ldap boot update -> please see: http://wiki.archlinux.org/index.php/Udev-ldap_workaround </pre>

Alternative Fix

If you don't require LDAP to discover your host is to have the nsswitch.conf read

hosts:          files dns

this will bypass the need to modify /etc/rc.sysinit and not hang on boot

Configure PAM

This is what my files look like. It may not be exactly right, but it works on my systems.

/etc/pam.d/login

auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_tally.so onerr=succeed file=/var/log/faillog
account         required        pam_access.so
account         required        pam_time.so
account         required        pam_unix.so
account         sufficient      pam_ldap.so 
password        sufficient      pam_ldap.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix.so
session         required        pam_env.so
session         required        pam_motd.so
session         required        pam_limits.so
session         optional        pam_mail.so dir=/var/spool/mail standard
session         sufficient      pam_ldap.so 
session         optional        pam_lastlog.so

/etc/pam.d/shadow

auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
auth            sufficient      pam_ldap.so use_first_pass
account         required        pam_unix.so
account         sufficient      pam_ldap.so
session         required        pam_unix.so
session         sufficient      pam_ldap.so
password        sufficient      pam_ldap.so
password        required        pam_permit.so

/etc/pam.d/passwd

password        sufficient      pam_ldap.so 
password        required        pam_unix.so shadow nullok

/etc/pam.d/su

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

/etc/pam.d/sudo

auth            sufficient      pam_ldap.so
auth            required        pam_unix.so use_first_pass
auth            required        pam_nologin.so

/etc/pam.d/sshd

auth            required        pam_nologin.so
auth            sufficient      pam_ldap.so 
auth            required        pam_env.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         required        pam_time.so
password        required        pam_ldap.so 
password        required        pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_unix_session.so
session         sufficient      pam_ldap.so 
session         required        pam_limits.so