Difference between revisions of "OpenLDAP Authentication"

From ArchWiki

Revision as of 00:14, 6 November 2013

This article or section is out of date.

Reason: pam_ldap/nss_ldap are deprecated in favor of nss-pam-ldapd; pambase obsoletes most of the PAM section.

This article or section is a candidate for merging with LDAP Authentication.

Introduction and Concepts

This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).

The guide is divided in two parts. The first part deals with how to set up an OpenLDAP server that hosts the authentication directory. The second part deals with how to set up the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.

NSS and PAM

NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file-type source for the passwd database.

PAM (which stands for Pluggable Authentication Module) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.

So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases and then configure PAM to use these sources to authenticate its users.

LDAP Server Setup

Installation

You can read about installation and basic configuration in the OpenLDAP article. After you have completed that, return here.

Populate LDAP Tree with Base Data

Create a file called base.ldif with the following text:

# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

Add it to your OpenLDAP Tree:

$ ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif

Test to make sure the data was imported:

$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
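The tree created by base.ldif has a People and a Group container but no accounts in them, so nothing would appear in getent passwd on a client yet. The following added example (not from the ArchWiki page) emits, after a few sanity checks on its arguments, the LDIF for one POSIX user under ou=People and its primary group under ou=Group in that tree. It assumes the server has the nis schema loaded, which provides the posixAccount and posixGroup object classes, and that the entry is added with the same Manager DN as base.ldif; the login name, numeric IDs and full name are the caller's own.

```sh
#!/bin/sh
# Added example, not part of the ArchWiki page. Emits an LDIF for one
# POSIX user and its primary group in the dc=example,dc=org tree that
# base.ldif created. Assumes the nis schema (posixAccount, posixGroup)
# is loaded on the server.
#
# Usage: posix_user_ldif LOGIN UIDNUMBER GIDNUMBER "Full Name" > user.ldif
posix_user_ldif() {
    login=$1 uidn=$2 gidn=$3 name=$4
    base="dc=example,dc=org"            # same suffix as base.ldif

    # Only accept login names the NSS layer will resolve: a letter or
    # underscore first, then letters, digits, underscore or hyphen.
    case $login in
        [a-z_]*) ;;
        *) echo "bad login: '$login'" >&2; return 1 ;;
    esac
    case $login in
        *[!a-z0-9_-]*) echo "bad login: '$login'" >&2; return 1 ;;
    esac
    [ -n "$name" ] || { echo "full name required" >&2; return 1; }

    # IDs must be numeric and stay out of the range local system
    # accounts use, so a directory entry can never shadow a local uid/gid
    # (root above all) when NSS merges "files" and "ldap".
    for n in "$uidn" "$gidn"; do
        case $n in
            ''|*[!0-9]*) echo "uidNumber and gidNumber must be numeric" >&2; return 1 ;;
        esac
    done
    [ "$uidn" -ge 1000 ] && [ "$gidn" -ge 1000 ] ||
        { echo "uidNumber and gidNumber below 1000 are reserved for local accounts" >&2; return 1; }

    sn=${name##* }                       # surname: last word of the full name (inetOrgPerson needs sn)
    cat <<EOF
# $login, People, example.org
dn: uid=$login,ou=People,$base
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $name
sn: $sn
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$login
loginShell: /bin/bash

# $login, Group, example.org
dn: cn=$login,ou=Group,$base
objectClass: top
objectClass: posixGroup
cn: $login
gidNumber: $gidn
memberUid: $login
EOF
}

# Example call (constructed values):
#   posix_user_ldif alice 10001 10001 "Alice Example" > alice.ldif
```

Add the file with the same ldapadd invocation used for base.ldif. The entry deliberately carries no userPassword attribute; set it afterwards with ldappasswd -x -D "cn=Manager,dc=example,dc=org" -W -S "uid=alice,ou=People,dc=example,dc=org" so the hash is produced by the server instead of being typed into an LDIF that may linger on disk.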

Client Setup

Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with ldapsearch.

Next, install nss-pam-ldapd from the official repositories.

NSS Configuration

NSS is a system facility which manages different sources as configuration databases. For example /etc/passwd is a file-type source for passwd which by default stores the user accounts.

Edit /etc/nsswitch.conf which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:

passwd: files ldap
group: files ldap
shadow: files ldap

Restart nslcd.service.

You should now see your LDAP users when running getent passwd on the client.
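Before trusting getent passwd, it is worth checking the edited file itself: a database that lost its ldap entry, or one where ldap was put in front of files, is a common reason for users not appearing or for root resolving slowly when the directory is down. The following added example (not from the ArchWiki page) lints a copy of nsswitch.conf for exactly the three databases the section asks about; the file path is its only parameter.

```sh
#!/bin/sh
# Added example, not part of the ArchWiki page: lint a copy of
# /etc/nsswitch.conf for the change the section above asks for.
#
# check_nsswitch FILE
# Prints one line per database and returns 0 only when the passwd,
# group and shadow databases all list the "ldap" source. It also warns
# when "ldap" comes before "files", because local accounts (root above
# all) should resolve without a round trip to the directory.
check_nsswitch() {
    awk '
        BEGIN { need["passwd"] = 1; need["group"] = 1; need["shadow"] = 1; missing = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            sub(/:/, " ")                 # "passwd: files ldap" -> "passwd  files ldap", re-split fields
            db = $1
            if (!(db in need)) next       # only the three databases matter here
            seen[db] = 1
            files_at = 0; ldap_at = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !files_at) files_at = i
                if ($i == "ldap"  && !ldap_at)  ldap_at  = i
            }
            if (!ldap_at) {
                printf "%-7s MISSING ldap: %s\n", db, $0; missing = 1
            } else if (!files_at || ldap_at < files_at) {
                printf "%-7s ok, but files should precede ldap: %s\n", db, $0
            } else {
                printf "%-7s ok: %s\n", db, $0
            }
        }
        END {
            for (db in need) if (!(db in seen)) {
                printf "%-7s not configured at all\n", db; missing = 1
            }
            exit missing
        }
    ' "$1"
}

# Run on the live file:  check_nsswitch /etc/nsswitch.conf
```

The check is purely textual: it does not confirm that nslcd is running or reachable, which is what getent passwd then exercises.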

Name Service Cache Daemon

You can optionally install NSCD. This is a daemon that NSS uses to cache lookups and queries for network backends. This way you can log in when the LDAP server is down, and it also reduces load on the LDAP server.

Start nscd.service using systemd.

Note: It is recommended to stop NSCD when troubleshooting because it may mask problems by serving cached queries.

NSLCD

PAM Configuration

Edit /etc/pam.d/login:

auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so              
auth            required        pam_env.so
auth            required        pam_unix.so nullok try_first_pass
account         sufficient      pam_ldap.so
account         required        pam_access.so
account         required        pam_unix.so
session         required        pam_motd.so
session         required        pam_limits.so
session         optional        pam_mail.so dir=/var/spool/mail standard
session         optional        pam_lastlog.so
session         required        pam_unix.so

Edit /etc/pam.d/passwd:

password        sufficient      pam_ldap.so
password        required        pam_unix.so shadow md5 nullok

Edit /etc/pam.d/shadow:

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_permit.so

Edit /etc/pam.d/su:

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

Edit /etc/pam.d/sshd:

auth            sufficient      pam_ldap.so
auth            required        pam_securetty.so        #Disable remote root
auth            required        pam_unix.so try_first_pass
auth            required        pam_nologin.so
auth            required        pam_env.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         required        pam_time.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix_session.so
session         required        pam_limits.so

Edit /etc/pam.d/other:

auth            sufficient      pam_ldap.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix.so
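The stacks above all follow one pattern: pam_ldap.so is listed as sufficient, and a required (or requisite) module such as pam_unix.so follows it in the same management group. That is what keeps local accounts working when the directory is unreachable and what makes a rejected LDAP login still end in a decisive module rather than an empty stack. The added example below (not from the ArchWiki page) lints a pam.d file against that pattern; it reads the file's text only and does not evaluate PAM semantics beyond the control flag.

```sh
#!/bin/sh
# Added example, not part of the ArchWiki page: lint a pam.d stack for
# the pattern the configurations above rely on.
#
# check_pam_stack FILE
# Rule 1: every pam_ldap.so line uses the "sufficient" control, so a
#         failing or unreachable directory falls through to pam_unix.so
#         instead of locking out local accounts such as root.
# Rule 2: every group that consults pam_ldap.so also contains at least
#         one "required" or "requisite" line, so nothing passes by default.
# Returns 0 when both rules hold, 1 otherwise; violations are printed.
check_pam_stack() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        $1 == "@include" { next }                       # included files are not followed
        {
            group = $1; control = $2
            i = 3
            if (control ~ /^\[/) {
                # "[success=1 default=ignore]" spans several fields; the
                # module is the first field after the closing bracket.
                while (i <= NF && $(i - 1) !~ /\]$/) i++
                control = "[...]"                       # reported as not "sufficient"
            }
            module = $i
            if (module == "pam_ldap.so") {
                ldap_in[group] = 1
                if (control != "sufficient") {
                    printf "%s: pam_ldap.so is %s, expected sufficient\n", group, control
                    bad = 1
                }
            }
            if (control == "required" || control == "requisite") decisive[group] = 1
        }
        END {
            for (g in ldap_in) if (!(g in decisive)) {
                printf "%s: pam_ldap.so without a required/requisite module in the group\n", g
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Run on the files edited above, e.g.:
#   for f in login passwd shadow su sshd other; do check_pam_stack /etc/pam.d/$f; done
```

Every stack shown in this section passes both rules. Trailing comments such as the "#Disable remote root" on the sshd line are ignored because only the first three fields are inspected.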

Resources

The official page of the nss-pam-ldapd package

The PAM and NSS pages at the Debian Wiki

Using LDAP for single authentication

Heterogeneous Network Authentication Introduction

Discussion on SUSE's mailing lists about nss-pam-ldapd