Difference between revisions of "OpenLDAP Authentication"

From ArchWiki
[[Category:Networking]] [[Category:Security]]
#REDIRECT [[LDAP Authentication]]
{{Merge|LDAP Authentication}}
 
== Introduction and Concepts ==
 
 
 
This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. in a lab environment where central authentication is desired).
 
The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.
 
 
 
=== OpenLDAP ===
 
 
 
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.
 
The closest real-life analogue would be a telephone directory. Another general explanation of what an LDAP server does is that it is a database (which it basically is, although not a relational one) that is optimised for reading data rather than writing it.
 
 
 
Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch ships both in the {{pkg|openldap}} package, so you need to install it regardless of whether you use a local or a network OpenLDAP server.
 
 
 
=== NSS and PAM ===
 
 
 
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.
 
 
 
PAM (which stands for Pluggable Authentication Module) is a mechanism Linux (and most *nixes) uses to extend its authentication schemes with different plugins.
 
 
 
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.
 
 
 
== OpenLDAP Setup ==
 
 
 
=== Installation ===
 
 
 
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.
 
 
 
=== Populate LDAP Tree with Base Data ===
 
 
 
Create a file called {{ic|base.ldif}} with the following text:
 
 
 
 # example.org
 dn: dc=example,dc=org
 objectClass: dcObject
 objectClass: organization
 o: Example Organization
 dc: example
 
 # Manager, example.org
 dn: cn=Manager,dc=example,dc=org
 cn: Manager
 description: LDAP administrator
 roleOccupant: dc=example,dc=org
 objectClass: organizationalRole
 objectClass: top
 
 # People, example.org
 dn: ou=People,dc=example,dc=org
 ou: People
 objectClass: top
 objectClass: organizationalUnit
 
 # Group, example.org
 dn: ou=Group,dc=example,dc=org
 ou: Group
 objectClass: top
 objectClass: organizationalUnit
 
 
 
Add it to your OpenLDAP Tree:
 
 
 
 ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
 
 
 
Test to make sure the data was imported:
 
 
 
 ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
 
 
 
 
 
== Client Setup ==
 
 
 
=== OpenLDAP ===
 
 
 
Before you begin setting up PAM and NSS for LDAP authentication, you should check that the LDAP server is reachable. You can do this easily with ldapsearch.
 
 
 
You can search an LDAP server with the following command:
 
{{bc|ldapsearch -x -H <URL> -b <BASE>}}
 
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}
 
 
 
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} to avoid typing them every time. All client-side LDAP utilities read some general variables from this file.

{{Warning|If you created a self-signed certificate above, you also need to add the following line or you will not be able to connect to the server: {{ic|TLS_REQCERT allow}}}}
 
 
 
=== NSS_LDAP ===
 
 
 
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].
 
 
 
Edit {{ic|/etc/nss_ldap.conf}}:
 
 
 
 host <SERVER_IP>
 base dc=example,dc=org
 rootbinddn cn=admin,dc=example,dc=org
 port 636
 pam_login_attribute uid
 pam_template_login_attribute uid
 nss_base_passwd ou=People,dc=example,dc=org?one
 nss_base_shadow ou=People,dc=example,dc=org?one
 nss_base_group  ou=Group,dc=example,dc=org?one
 ssl start_tls
 ssl on
 
 # This is only needed if you're using a self-signed certificate.
 # It disables verification of the server's certificate.
 tls_checkpeer no
 
 
 
Edit {{ic|/etc/nsswitch.conf}}:
 
 
 
 passwd: files ldap
 group: files ldap
 shadow: files ldap
 
 
 
=== PAM_LDAP ===
 
 
 
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].
 
 
 
Edit {{ic|/etc/pam_ldap.conf}}:
 
 
 
 host <SERVER_IP>
 base dc=example,dc=org
 rootbinddn cn=admin,dc=example,dc=org
 port 636
 pam_login_attribute uid
 pam_template_login_attribute uid
 nss_base_passwd ou=People,dc=example,dc=org?one
 nss_base_shadow ou=People,dc=example,dc=org?one
 nss_base_group  ou=Group,dc=example,dc=org?one
 ssl start_tls
 ssl on
 
 # This is only needed if you're using a self-signed certificate.
 # It disables verification of the server's certificate.
 tls_checkpeer no
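The following audit script is an added example, not code from ArchWiki or from the nss_ldap/pam_ldap projects. It parses the key/value format shared by {{ic|/etc/openldap/ldap.conf}}, {{ic|/etc/nss_ldap.conf}} and {{ic|/etc/pam_ldap.conf}} and reports the settings from the sections above that weaken TLS: {{ic|tls_checkpeer no}}, {{ic|TLS_REQCERT allow}}, and the {{ic|ssl start_tls}} / {{ic|ssl on}} / {{ic|port 636}} combination. The sample configurations and the 192.0.2.10 address are constructed.

```python
# Added example (not ArchWiki's own code): audit the 'key value' settings of
# nss_ldap.conf / pam_ldap.conf / ldap.conf for options that weaken TLS.

# Constructed sample modelled on the nss_ldap.conf shown in this article
# (192.0.2.10 is a documentation address standing in for <SERVER_IP>).
SAMPLE_NSS_LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=org
port 636
ssl start_tls
ssl on
tls_checkpeer no
"""

# Constructed hardened counterpart: ldaps on 636 with the server certificate
# verified against a CA file (tls_cacertfile is a real nss_ldap/pam_ldap option).
HARDENED_CONF = """\
host 192.0.2.10
port 636
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
"""

def parse_kv(text):
    """Parse 'key value' lines into {key: [values]}; repeated keys keep every value."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    s = parse_kv(text)
    findings = []
    if "no" in [v.lower() for v in s.get("tls_checkpeer", [])]:
        findings.append("tls_checkpeer no: server certificate is not verified")
    if any(v.lower() in ("allow", "never") for v in s.get("tls_reqcert", [])):
        findings.append("TLS_REQCERT allow/never: a bad or missing server certificate is accepted")
    ssl_modes = sorted({v.lower() for v in s.get("ssl", [])})
    if len(ssl_modes) > 1:
        findings.append("conflicting ssl settings: " + ", ".join(ssl_modes))
    if "start_tls" in ssl_modes and s.get("port", ["389"])[-1] == "636":
        findings.append("ssl start_tls with port 636: StartTLS runs on the plain port, 636 expects ldaps")
    return findings
```

Run {{ic|audit(open("/etc/nss_ldap.conf").read())}} against a real file to see which of the three weaknesses it carries; the hardened sample produces no findings.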
 
 
 
Edit {{ic|/etc/pam.d/login}}:
 
 
 
 auth            requisite      pam_securetty.so
 auth            requisite      pam_nologin.so
 auth            sufficient      pam_ldap.so
 auth            required        pam_env.so
 auth            required        pam_unix.so nullok try_first_pass
 account        sufficient      pam_ldap.so
 account        required        pam_access.so
 account        required        pam_unix.so
 session        required        pam_motd.so
 session        required        pam_limits.so
 session        optional        pam_mail.so dir=/var/spool/mail standard
 session        optional        pam_lastlog.so
 session        required        pam_unix.so
 
 
 
Edit {{ic|/etc/pam.d/passwd}}:
 
 
 
 password        sufficient      pam_ldap.so
 password        required        pam_unix.so shadow md5 nullok
 
 
 
Edit {{ic|/etc/pam.d/shadow}}:
 
 
 
 auth            sufficient      pam_ldap.so
 auth            sufficient      pam_rootok.so
 auth            required        pam_unix.so
 account        sufficient      pam_ldap.so
 account        required        pam_unix.so
 session        sufficient      pam_ldap.so
 session        required        pam_unix.so
 password        sufficient      pam_ldap.so
 password        required        pam_permit.so
 
 
 
Edit {{ic|/etc/pam.d/su}}:
 
 
 
 auth            sufficient      pam_ldap.so
 auth            sufficient      pam_rootok.so
 auth            required        pam_unix.so use_first_pass
 account        sufficient      pam_ldap.so
 account        required        pam_unix.so
 session        sufficient      pam_ldap.so
 session        required        pam_unix.so
 
 
 
Edit {{ic|/etc/pam.d/sshd}}:
 
 
 
 auth            sufficient      pam_ldap.so
 auth            required        pam_securetty.so        #Disable remote root
 auth            required        pam_unix.so try_first_pass
 auth            required        pam_nologin.so
 auth            required        pam_env.so
 account        sufficient      pam_ldap.so
 account        required        pam_unix.so
 account        required        pam_time.so
 password        sufficient      pam_ldap.so
 password        required        pam_unix.so
 session        required        pam_unix_session.so
 session        required        pam_limits.so
 
 
 
Edit {{ic|/etc/pam.d/other}}:
 
 
 
 auth            sufficient      pam_ldap.so
 auth            required        pam_unix.so
 account        sufficient      pam_ldap.so
 account        required        pam_unix.so
 password        sufficient      pam_ldap.so
 password        required        pam_unix.so
 session        required        pam_unix.so
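To see what the control flags in the PAM files above actually decide, here is an added simulation (not ArchWiki's own code, and a simplification of real Linux-PAM) that replays requisite/required/sufficient/optional over the auth lines of the {{ic|/etc/pam.d/login}} file shown above. It shows that an LDAP-only user is accepted through {{ic|sufficient pam_ldap.so}} without ever reaching {{ic|pam_unix.so}}, and that moving {{ic|required pam_unix.so}} in front of it would lock such users out. The module outcomes are constructed inputs.

```python
# Added example (not ArchWiki's own code): a simplified simulation of how
# Linux-PAM evaluates the control flags of an auth stack, replayed over the
# /etc/pam.d/login lines from this article to show which module decides the login.

# Constructed copy of the auth lines of /etc/pam.d/login shown above.
LOGIN_AUTH = """\
auth            requisite      pam_securetty.so
auth            requisite      pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_env.so
auth            required        pam_unix.so nullok try_first_pass
"""

def parse_stack(text, service_type="auth"):
    """Return [(control, module), ...] for one management group, ignoring comments."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == service_type:
            stack.append((parts[1], parts[2]))
    return stack

def run_stack(stack, results):
    """Evaluate a stack; results maps module name -> True (success) / False.
    requisite failure returns immediately; required failure is remembered but
    later modules still run; sufficient success returns immediately unless a
    required module already failed; optional only counts as the sole module.
    """
    failed = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return True
    if len(stack) == 1 and stack[0][0] == "optional":
        return results.get(stack[0][1], False)
    return not failed

# Constructed outcomes for a user that exists only in LDAP: pam_unix.so fails.
LDAP_ONLY_USER = {"pam_securetty.so": True, "pam_nologin.so": True,
                  "pam_ldap.so": True, "pam_env.so": True, "pam_unix.so": False}

# Same modules with required pam_unix.so placed before sufficient pam_ldap.so:
# the remembered pam_unix failure now blocks the sufficient short-circuit.
REORDERED_AUTH = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
```

{{ic|run_stack(parse_stack(LOGIN_AUTH), LDAP_ONLY_USER)}} returns True while {{ic|run_stack(REORDERED_AUTH, LDAP_ONLY_USER)}} returns False; a user present in {{ic|/etc/nologin}} conditions or failing both backends is refused either way.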
 
 
 
=== Name Service Cache Daemon ===
 
 
 
Read this first: [https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD bugged in Arch Linux]
 
 
 
Fix nscd:
 
 
 
 mkdir -p /var/db/nscd/
 mkdir -p /var/run/nscd/
 
 
 
Run nscd:
 
 
 
 /etc/rc.d/nscd start
 
 
 
== Links and Resources ==
 
 
 
One of the best OpenLDAP clients: [http://phpldapadmin.sourceforge.net/ phpLDAPadmin]
 
 
 
Debian OpenLDAP setup: [http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]
 
 
 
How to integrate OpenLDAP for Mac OS X, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]
 

Revision as of 00:59, 6 November 2013