Difference between revisions of "LDAP authentication"

From ArchWiki
(sysvinit as well)
(replace content with that of OpenLDAP Authentication)
Line 1: Line 1:
[[Category:Security]]
+
[[Category:Networking]] [[Category:Security]]
{{Out_of_date|slapd.conf(5) is deprecated; initscripts/sysvinit is deprecated}}
+
== Introduction and Concepts ==
{{Merge|OpenLDAP Authentication}}
+
{{Poor writing}}
+
  
== HOWTO - LDAP Authentication in Arch Linux ==
+
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).
  
=== Overview ===
+
The guide will be divided in two parts. The first part deals with how to setup an [[OpenLDAP]] server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticated against an already existing LDAP server then you can skip to the second part.
  
What you need to install, configure, and know, to get LDAP RFC 2251 Authentication working on Arch.
+
=== NSS and PAM ===
 +
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database.
  
Steps:
+
PAM (which stands for Pluggable Authentication Module) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.
  
# Install OpenLDAP
+
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.
# Design LDAP Directory
+
# Configure and Fill OpenLDAP
+
# Configure NSS
+
# Configure PAM
+
  
==== References ====
+
== LDAP Server Setup ==
  
http://aqua.subnet.at/~max/ldap/
+
=== Installation ===
  
==== For the newbies ====
+
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.
  
If you are totally new to those concepts, here is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.
+
=== Populate LDAP Tree with Base Data ===
  
http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html
+
Create a file called {{ic|base.ldif}} with the following text:
  
=== Install OpenLDAP ===
+
{{hc|base.ldif|<nowiki>
See the [[OpenLDAP]] article
+
# example.org
 
+
dn: dc=example,dc=org
=== Design LDAP Directory ===
+
 
+
This all depends on what organization your network/computer is modeling.
+
 
+
Here is my initial layout in LDIF Format<pre>
+
dn: dc=tklogic,dc=net
+
dc: tklogic
+
description: The techknowlogic.net Network
+
 
objectClass: dcObject
 
objectClass: dcObject
 
objectClass: organization
 
objectClass: organization
o: techknowlogic.net
+
o: Example Organization
 +
dc: example
  
dn: ou=People,dc=tklogic,dc=net
+
# Manager, example.org
 +
dn: cn=Manager,dc=example,dc=org
 +
cn: Manager
 +
description: LDAP administrator
 +
roleOccupant: dc=example,dc=org
 +
objectClass: organizationalRole
 +
objectClass: top
 +
 
 +
# People, example.org
 +
dn: ou=People,dc=example,dc=org
 
ou: People
 
ou: People
 +
objectClass: top
 
objectClass: organizationalUnit
 
objectClass: organizationalUnit
  
dn: ou=Groups, dc=tklogic,dc=net
+
# Group, example.org
ou: Groups
+
dn: ou=Group,dc=example,dc=org
 +
ou: Group
 
objectClass: top
 
objectClass: top
 
objectClass: organizationalUnit
 
objectClass: organizationalUnit
 +
</nowiki>}}
  
dn: cn=tklusers,ou=Groups,dc=tklogic,dc=net
+
Add it to your OpenLDAP Tree:
gidNumber: 2000
+
objectClass: posixGroup
+
objectClass: top
+
cn: tklusers
+
  
dn: ou=Roles,dc=tklogic,dc=net
+
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
ou: Roles
+
description: Org Unit for holding a basic set of ACL Roles.
+
objectClass: top
+
objectClass: organizationalUnit
+
  
dn: cn=ldap-reader,ou=Roles,dc=tklogic,dc=net
+
Test to make sure the data was imported:
userPassword: {CRYPT}xxxxxxxxxxxxx
+
objectClass: organizationalRole
+
objectClass: simpleSecurityObject
+
cn: ldap-reader
+
description: LDAP reader user for any unrestricted reads (i.e. for NSS)
+
  
dn: cn=ldap-manager,ou=Roles,dc=tklogic,dc=net
+
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
userPassword: {CRYPT}xxxxxxxxxxxxx
+
objectClass: organizationalRole
+
objectClass: simpleSecurityObject
+
cn: ldap-manager
+
description: LDAP manager user for any unrestricted read/writes (i.e. root-like)
+
</pre>
+
  
Now for each user: <pre>
+
=== Adding users ===
dn: uid=user,ou=People,dc=tklogic,dc=net
+
To manually add a user, create an {{ic|.ldif}} file like this:
 +
{{hc|example.ldif|<nowiki>
 +
dn: uid=johndoe,ou=People,dc=example,dc=org
 
objectClass: top
 
objectClass: top
 
objectClass: person
 
objectClass: person
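Review bot: the new `ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif` line omits `-x`, while the `ldapsearch -x ...` test added right after it uses it; without `-x` the OpenLDAP client tools attempt a SASL bind and the `-D` DN is not used for a simple bind, so the import fails on a server with no SASL mechanism configured. Suggest `ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif`. The text should also say that the `cn=Manager` entry added in base.ldif is an organizationalRole with no userPassword, so that bind only succeeds when cn=Manager is the server's rootdn with a rootpw set (the old `rootdn`/`rootpw` slapd.conf lines this revision removes showed exactly that).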
Line 87: Line 70:
 
objectClass: posixAccount
 
objectClass: posixAccount
 
objectClass: shadowAccount
 
objectClass: shadowAccount
uid: user
+
uid: johndoe
cn: Test User
+
cn: John Doe
sn: User
+
sn: John
givenName: Test
+
givenName: Doe
 
title: Guinea Pig
 
title: Guinea Pig
 
telephoneNumber: +0 000 000 0000
 
telephoneNumber: +0 000 000 0000
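Review bot: the surname and given name in the new user entry are swapped relative to `cn: John Doe`: the lines `sn: John` and `givenName: Doe` should read `sn: Doe` and `givenName: John`.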
Line 96: Line 79:
 
postalAddress: AddressLine1$AddressLine2$AddressLine3
 
postalAddress: AddressLine1$AddressLine2$AddressLine3
 
userPassword: {CRYPT}xxxxxxxxxx
 
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: http://test.tklogic.net/
+
labeledURI: https://archlinux.org/
 
loginShell: /bin/bash
 
loginShell: /bin/bash
uidNumber: 10000
+
uidNumber: 9999
gidNumber: 2000
+
gidNumber: 9999
homeDirectory: /users/test/
+
homeDirectory: /home/johndoe/
description: A Test User for the ArchWiki LDAP-Authentication HOWTO
+
description: This is an example user
</pre>
+
</nowiki>}}
 +
 
 +
the {{ic|xxxxxxxxxx}} in the {{ic|userPassword}} entry should be replaced with the value in {{ic|/etc/shadow}}.
 +
 
 +
You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's [http://www.padl.com/OSS/MigrationTools.html Migration Tools].
 +
 
 +
== Client Setup ==
 +
 
 +
Install the OpenLDAP client as described in [[OpenLDAP]]. Make sure you can query the server with {{ic|ldapsearch}}.
 +
 
 +
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[official repositories]].
  
=== Configure and Fill OpenLDAP ===
+
=== NSS Configuration ===
 +
NSS is a system facility which manages different sources as configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database, which stores the user accounts.
  
'''Client Side'''
+
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:
  
''/etc/openldap/ldap.conf''
+
passwd: files ldap
  BASE    dc=yourdomain,dc=com
+
  group: files ldap
  URI    ldap://yourdomain.com
+
  shadow: files ldap
  
''/etc/pam_ldap.conf and /etc/nss_ldap.conf''
+
Restart {{ic|nslcd.service}}.
  
If there is an actual difference between these files, please let me know.  
+
You now should see your LDAP users when running {{ic|getent passwd}} on the client.
  
>> There's not. In Gentoo we use only one /etc/ldap.conf file, so I made hardlinks on these two, using only one file it works. Wonder why Arch has it separated. Anybody knows?
+
==== Name Service Cache Daemon ====
 +
You can optionally run NSCD. This is a daemon that NSS uses to cache lookups and queries for network backends. This way you can login when the LDAP server is down, it will also reduce load on the LDAP server.
  
>>> Actually I have moved the /etc/nss_ldap.conf to /etc/ldap.conf. /etc/openldap/ldap.conf and /etc/nss_ldap.conf are only sym-links to /etc/ldap.conf. Works fine for me.
+
Start {{ic|nscd.service}} using systemd.
  
host yourdomain.com
+
{{Note|It is recommended to stop the NSCD when troubleshooting because it may mask problems by serving cached queries.}}
base dc=yourdomain,dc=com
+
uri ldap://yourdomain.com/
+
ldap_version 3
+
rootbinddn cn=Manager,dc=yourdomain,dc=com
+
scope sub
+
timelimit 5
+
bind_timelimit 5
+
nss_reconnect_tries 2
+
pam_login_attribute uid
+
pam_member_attribute gid
+
pam_password md5
+
pam_password exop
+
nss_base_passwd ou=People,dc=yourdomain,dc=com
+
nss_base_shadow ou=People,dc=yourdomain,dc=com
+
  
''/etc/ldap.secret''
+
=== PAM Configuration ===
plaintextpassword
+
{{Out of date|{{pkg|pambase}} obsoletes most of the pam section}}
 +
Edit {{ic|/etc/pam.d/login}}:
  
Chmod to 600
+
auth            requisite      pam_securetty.so
 +
auth            requisite      pam_nologin.so
 +
auth            sufficient      pam_ldap.so             
 +
auth            required        pam_env.so
 +
auth            required        pam_unix.so nullok try_first_pass
 +
account        sufficient      pam_ldap.so
 +
account        required        pam_access.so
 +
account        required        pam_unix.so
 +
session        required        pam_motd.so
 +
session        required        pam_limits.so
 +
session        optional        pam_mail.so dir=/var/spool/mail standard
 +
session        optional        pam_lastlog.so
 +
session        required        pam_unix.so
  
 +
Edit {{ic|/etc/pam.d/passwd}}:
  
'''Server Side'''
+
password        sufficient      pam_ldap.so
 +
password        required        pam_unix.so shadow md5 nullok
  
''/etc/openldap/slapd.conf''
+
Edit {{ic|/etc/pam.d/shadow}}:
include        /etc/openldap/schema/core.schema
+
include        /etc/openldap/schema/cosine.schema
+
include        /etc/openldap/schema/inetorgperson.schema
+
include        /etc/openldap/schema/nis.schema
+
include        /etc/openldap/schema/courier.schema
+
allow bind_v2
+
password-hash {md5}
+
pidfile  /var/run/slapd.pid
+
argsfile  /var/run/slapd.args
+
database        bdb
+
suffix          "dc=yourdomain,dc=com"
+
rootdn          "cn=Manager,dc=yourdomain,dc=com"
+
rootpw          password (Use slappasswd -h {MD5} -s passwordstring)
+
directory      /var/lib/openldap/openldap-data
+
index  objectClass    eq
+
index  uid    eq
+
  
=== Configure NSS ===
+
auth            sufficient      pam_ldap.so
 +
auth            sufficient      pam_rootok.so
 +
auth            required        pam_unix.so
 +
account        sufficient      pam_ldap.so
 +
account        required        pam_unix.so
 +
session        sufficient      pam_ldap.so
 +
session        required        pam_unix.so
 +
password        sufficient      pam_ldap.so
 +
password        required        pam_permit.so
  
'' /etc/nsswitch.conf''
+
Edit {{ic|/etc/pam.d/su}}:
passwd:        files
+
group:          files
+
hosts:          dns
+
services:  files
+
networks:  files
+
protocols:  files
+
rpc:        files
+
ethers:    files
+
netmasks:  files
+
bootparams: files
+
publickey:  files
+
automount:  files
+
aliases:    files
+
sendmailvars:  files
+
netgroup:   file
+
  
''/etc/nsswitch.ldap''
+
auth            sufficient      pam_ldap.so
  passwd:        files ldap
+
  auth            sufficient      pam_rootok.so
  group:          files ldap
+
  auth            required        pam_unix.so use_first_pass
  hosts:          dns ldap
+
  account        sufficient      pam_ldap.so
  services:  ldap [NOTFOUND=return] files
+
  account        required        pam_unix.so
  networks:  ldap [NOTFOUND=return] files
+
  session        sufficient      pam_ldap.so
  protocols:  ldap [NOTFOUND=return] files
+
  session        required       pam_unix.so
rpc:       ldap [NOTFOUND=return] files
+
ethers:    ldap [NOTFOUND=return] files
+
netmasks:  files
+
bootparams: files
+
publickey:  files
+
automount:  files
+
sendmailvars:  files
+
netgroup:  ldap [NOTFOUND=return] files
+
  
 +
Edit {{ic|/etc/pam.d/sshd}}:
  
''/etc/rc.sysinit''
+
auth            sufficient      pam_ldap.so
 +
auth            required        pam_securetty.so        #Disable remote root
 +
auth            required        pam_unix.so try_first_pass
 +
auth            required        pam_nologin.so
 +
auth            required        pam_env.so
 +
account        sufficient      pam_ldap.so
 +
account        required        pam_unix.so
 +
account        required        pam_time.so
 +
password        sufficient      pam_ldap.so
 +
password        required        pam_unix.so
 +
session        required        pam_unix_session.so
 +
session        required        pam_limits.so
  
'''Be sure to modify this file before you reboot or your machine will hang on "Starting UDev Daemon"'''
+
Edit {{ic|/etc/pam.d/other}}:
  
Add this before UDev starts
+
auth            sufficient      pam_ldap.so
  cp /etc/nsswitch.file /etc/nsswitch.conf
+
  auth            required        pam_unix.so
 +
account        sufficient      pam_ldap.so
 +
account        required        pam_unix.so
 +
password        sufficient      pam_ldap.so
 +
password        required        pam_unix.so
 +
session        required        pam_unix.so
  
And this after UDev is started
+
== Resources ==
cp /etc/nsswitch.ldap /etc/nsswitch.conf
+
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]
  
Hopefully there will be a fix later.
+
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]
  
udev / ldap boot update ->
+
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]
please see: https://wiki.archlinux.org/index.php/Udev-ldap_workaround
+
</pre>
+
  
'''Alternative Fix'''
+
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]
  
If you do not require LDAP to discover your host is to have the nsswitch.conf read
+
[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]
hosts:         files dns
+
this will bypass the need to modify ''/etc/rc.sysinit'' and not hang on boot
+
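Review bot: in the new `/etc/pam.d/sshd` auth stack, `auth sufficient pam_ldap.so` is the first line, ahead of `pam_securetty.so` (commented `#Disable remote root`), `pam_nologin.so` and `pam_env.so`; a sufficient module that succeeds ends the stack, so for any user pam_ldap authenticates those three modules never run: /etc/nologin is not honoured, the securetty check the comment promises does not apply, and pam_env is skipped. The `/etc/pam.d/login` stack in the same hunk has the safer order (requisite pam_securetty and pam_nologin first, then sufficient pam_ldap); suggest the sshd file follow it.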

Revision as of 00:58, 6 November 2013

Introduction and Concepts

This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).

The guide is divided into two parts. The first part deals with how to set up an OpenLDAP server that hosts the authentication directory. The second part deals with how to set up the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.

NSS and PAM

NSS (Name Service Switch) is a system mechanism for configuring different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.

PAM (Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes with different plugins.

So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases, and then configure PAM to use these sources to authenticate its users.

LDAP Server Setup

Installation

You can read about installation and basic configuration in the OpenLDAP article. After you have completed that, return here.

Populate LDAP Tree with Base Data

Create a file called base.ldif with the following text:

base.ldif
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

Add it to your OpenLDAP Tree:

$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif

Test to make sure the data was imported:

$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'

Adding users

To manually add a user, create an .ldif file like this:

example.ldif
dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John Doe
sn: Doe
givenName: John
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: https://archlinux.org/
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe/
description: This is an example user

The xxxxxxxxxx in the userPassword entry should be replaced with the password hash taken from the user's line in /etc/shadow.

You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's Migration Tools.
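The conversion the two paragraphs above describe (copying each account's /etc/shadow hash into a {CRYPT} userPassword and emitting an entry shaped like example.ldif) as an added example; this is not code from the wiki page or from PADL's Migration Tools, and it assumes the ou=People,dc=example,dc=org base and a cut-off of uid 1000 for system accounts. The passwd and shadow lines are constructed samples; locked accounts (hash starting with ! or *) are skipped rather than exported.

```python
"""Build LDIF user entries from local passwd/shadow records (added example)."""

BASE_DN = "ou=People,dc=example,dc=org"   # assumption: the base.ldif tree from the page
MIN_UID = 1000                             # assumption: system accounts below this are skipped

# Constructed sample records; none of these are real users or real hashes.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "johndoe:x:9999:9999:John Doe,,,:/home/johndoe:/bin/bash",
    "svc:x:1001:1001:Service Account:/var/lib/svc:/usr/bin/nologin",
]
SHADOW_LINES = [
    "root:$6$abc$cdefg:19000:0:99999:7:::",
    "johndoe:$6$saltsalt$hashhashhash:19000:0:99999:7:::",
    "svc:!:19000:0:99999:7:::",           # locked account: no usable hash
]

def parse_shadow(lines):
    """Map user name -> [hash, lastchange, min, max, warn] from shadow lines."""
    out = {}
    for line in lines:
        fields = line.split(":")
        out[fields[0]] = fields[1:6]
    return out

def entry_for(passwd_line, shadow):
    """Return the LDIF text for one account, or None if it must not be exported."""
    name, _, uid, gid, gecos, home, shell = passwd_line.split(":")[:7]
    if int(uid) < MIN_UID:
        return None
    rec = shadow.get(name)
    if rec is None or not rec[0] or rec[0][0] in "!*":
        return None                        # no shadow entry, locked, or empty password
    hashval, last, mn, mx, warn = rec
    full = gecos.split(",")[0] or name     # GECOS "Full Name,room,phone,..."
    given, _, sur = full.partition(" ")
    sur = sur or given                     # single-word names: reuse it as sn
    attrs = [
        ("dn", f"uid={name},{BASE_DN}"),
        ("objectClass", "top"), ("objectClass", "person"),
        ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("uid", name), ("cn", full), ("sn", sur), ("givenName", given),
        ("userPassword", "{CRYPT}" + hashval),   # crypt(3) hash copied verbatim
        ("loginShell", shell), ("uidNumber", uid), ("gidNumber", gid),
        ("homeDirectory", home),
        ("shadowLastChange", last), ("shadowMin", mn),
        ("shadowMax", mx), ("shadowWarning", warn),
    ]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"

def migrate(passwd_lines=PASSWD_LINES, shadow_lines=SHADOW_LINES):
    """Return one LDIF entry string per exportable account."""
    shadow = parse_shadow(shadow_lines)
    return [e for e in (entry_for(p, shadow) for p in passwd_lines) if e]

if __name__ == "__main__":
    print("\n".join(migrate()))
```

Feed the output to ldapadd the same way as example.ldif; only root could read /etc/shadow in the first place, so run it as root and keep the resulting file as tightly permissioned as the shadow file itself.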

Client Setup

Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with ldapsearch.

Next, install nss-pam-ldapd from the official repositories.

NSS Configuration

NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.

Edit /etc/nsswitch.conf which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:

passwd: files ldap
group: files ldap
shadow: files ldap

Restart nslcd.service.

You should now see your LDAP users when running getent passwd on the client.

Name Service Cache Daemon

You can optionally run NSCD, a daemon that NSS uses to cache lookups and queries for network backends. This lets you log in when the LDAP server is down, and it also reduces load on the LDAP server.

Start nscd.service using systemd.

Note: It is recommended to stop the NSCD when troubleshooting because it may mask problems by serving cached queries.

PAM Configuration

Note: This article or section is out of date. Reason: pambase obsoletes most of the pam section.

Edit /etc/pam.d/login:

auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so              
auth            required        pam_env.so
auth            required        pam_unix.so nullok try_first_pass
account         sufficient      pam_ldap.so
account         required        pam_access.so
account         required        pam_unix.so
session         required        pam_motd.so
session         required        pam_limits.so
session         optional        pam_mail.so dir=/var/spool/mail standard
session         optional        pam_lastlog.so
session         required        pam_unix.so

Edit /etc/pam.d/passwd:

password        sufficient      pam_ldap.so
password        required        pam_unix.so shadow md5 nullok

Edit /etc/pam.d/shadow:

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_permit.so

Edit /etc/pam.d/su:

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

Edit /etc/pam.d/sshd:

auth            sufficient      pam_ldap.so
auth            required        pam_securetty.so        #Disable remote root
auth            required        pam_unix.so try_first_pass
auth            required        pam_nologin.so
auth            required        pam_env.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         required        pam_time.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix_session.so
session         required        pam_limits.so

Edit /etc/pam.d/other:

auth            sufficient      pam_ldap.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix.so
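The order of lines in these stacks decides which checks actually run: a sufficient module that succeeds ends the stack, a failing requisite module ends it with a denial, and a failing required module is remembered while the rest still run. The added example below (not code from the wiki page or from Linux-PAM) simulates those control-flag semantics over the auth groups of the /etc/pam.d/login and /etc/pam.d/sshd files shown above, with module arguments dropped, and shows that an LDAP user is refused by the login stack while /etc/nologin exists but accepted by the sshd stack, because pam_ldap.so comes before pam_nologin.so there.

```python
"""Simulate Linux-PAM control flags to audit module ordering (added example)."""

# Auth groups copied from the page's pam.d files, arguments omitted.
LOGIN_AUTH = """
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so
"""
SSHD_AUTH = """
auth sufficient pam_ldap.so
auth required pam_securetty.so
auth required pam_unix.so
auth required pam_nologin.so
auth required pam_env.so
"""

def parse_stack(text):
    """Return (type, control, module) for each non-empty, non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            typ, ctrl, mod = line.split()[:3]
            rules.append((typ, ctrl.lower(), mod))
    return rules

def evaluate(rules, typ, results):
    """Evaluate management group `typ`. `results` maps module name -> True
    (PAM_SUCCESS) or False (failure); unlisted modules succeed.
    Returns (verdict, consulted): consulted lists the modules actually run."""
    consulted, failed = [], False
    for t, ctrl, mod in rules:
        if t != typ:
            continue
        consulted.append(mod)
        ok = results.get(mod, True)
        if ctrl == "requisite" and not ok:
            return False, consulted            # hard stop, deny immediately
        if ctrl == "required" and not ok:
            failed = True                      # remember failure, keep running
        elif ctrl == "sufficient" and ok and not failed:
            return True, consulted             # short-circuit: later lines never run
        # optional: result ignored while other modules exist in the group
    return not failed, consulted

def ldap_user_with_nologin(stack_text):
    """Verdict for an LDAP user with the right password while /etc/nologin
    exists (pam_nologin fails) and the account is unknown to pam_unix."""
    outcomes = {"pam_ldap.so": True, "pam_nologin.so": False, "pam_unix.so": False}
    return evaluate(parse_stack(stack_text), "auth", outcomes)

if __name__ == "__main__":
    for name, text in (("login", LOGIN_AUTH), ("sshd", SSHD_AUTH)):
        verdict, seen = ldap_user_with_nologin(text)
        print(f"{name}: {'allowed' if verdict else 'denied'}; modules run: {seen}")
```

Moving pam_securetty.so and pam_nologin.so above the sufficient pam_ldap.so line in the sshd file, as the login file already does, makes both stacks deny in this case.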

Resources

The official page of the nss-pam-ldapd package: http://arthurdejong.org/nss-pam-ldapd/setup

The NSS and PAM pages at the Debian Wiki: http://wiki.debian.org/LDAP/NSS and http://wiki.debian.org/LDAP/PAM

Using LDAP for single authentication: http://www.fatofthelan.com/articles/articles.php?pid=24

Heterogeneous Network Authentication Introduction: http://www.cs.dixie.edu/ldap/

Discussion on SUSE's mailing lists about nss-pam-ldapd: http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html