Difference between revisions of "OpenLDAP Authentication"

From ArchWiki
(merge complete, most info except for PAM updated)
[[Category:Networking]] [[Category:Security]]
== Introduction and Concepts ==

This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. The directory can be either local (installed on the same computer) or reached over the network (e.g. in a lab environment where central authentication is desired).

The guide is divided in two parts. The first part deals with how to set up an [[OpenLDAP]] server that hosts the authentication directory. The second part deals with how to set up the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.

=== NSS and PAM ===

NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|files}} type source for the {{ic|passwd}} database.

PAM (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes through different plugins.

So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases, and then configure PAM to use these sources to authenticate its users.
== LDAP Server Setup ==

=== Installation ===

You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.

=== Populate LDAP Tree with Base Data ===

Create a file called {{ic|base.ldif}} with the following text:

{{hc|base.ldif|<nowiki>
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
</nowiki>}}

Add it to your OpenLDAP tree, binding as the directory manager with simple authentication ({{ic|-x}}); {{ic|-W}} prompts for the manager password:

 $ ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif

Test to make sure the data was imported:

 $ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
=== Adding users ===

To manually add a user, create an {{ic|.ldif}} file like this:

{{hc|example.ldif|<nowiki>
dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John Doe
sn: Doe
givenName: John
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: https://archlinux.org/
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe
description: This is an example user
</nowiki>}}

The {{ic|xxxxxxxxxx}} in the {{ic|userPassword}} entry should be replaced with the hashed password from the user's line in {{ic|/etc/shadow}}; keep the scheme prefix so that slapd knows which hash format the value uses. Add the file to the directory with {{ic|ldapadd}}, as for {{ic|base.ldif}} above.

You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's [http://www.padl.com/OSS/MigrationTools.html Migration Tools].
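Before handing an {{ic|.ldif}} like the one above to {{ic|ldapadd}}, it pays to check it for the mistakes that only show up once NSS and PAM start consuming the directory: a missing {{ic|posixAccount}} attribute, a {{ic|userPassword}} stored without a scheme prefix (i.e. in clear text), or a {{ic|uidNumber}} that lands in the local system-account range. The following Python script is an added example, not code from the ArchWiki page or from the OpenLDAP project. It implements a minimal LDIF reader (continuation lines, comments, base64 values) and a checker for {{ic|posixAccount}} entries; the sample LDIF is constructed to mirror the page's {{ic|example.ldif}}, with a second, deliberately sloppy entry, and the {{ic|min_uid}} threshold of 1000 is an assumption about the regular-user range.

```python
import base64

# Constructed sample (assumption), in the shape of the page's example.ldif.  The
# first entry is well-formed (the hash is a placeholder); the second is
# deliberately sloppy so the checker has something to report.
SAMPLE_LDIF = """\
# People, example.org
dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John Doe
sn: Doe
givenName: John
userPassword: {CRYPT}xxxxxxxxxx
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe
description: This is an example user, with a
  folded continuation line

dn: uid=janedoe,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: janedoe
userPassword: plaintext-secret
uidNumber: 500
gidNumber: 9999
homeDirectory: /home/janedoe/
"""

# MUST attributes of posixAccount (RFC 2307); nslcd cannot build a passwd
# entry for the account without them.
POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips
    comments and decodes 'attr:: base64' values.  Returns a list of dicts
    mapping attribute name -> list of values, with the DN under the key 'dn'."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # fold onto the previous line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:              # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def check_posix_entries(entries, min_uid=1000):
    """Return (dn, problem) pairs for posixAccount entries that would misbehave
    or weaken security once NSS and PAM consume the directory.  min_uid=1000 is
    an assumption: the usual start of the regular-user range."""
    problems = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        dn = e.get("dn", ["<no dn>"])[0]
        for attr in POSIX_REQUIRED:
            if attr not in e:
                problems.append((dn, f"missing required attribute {attr}"))
        for pw in e.get("userPassword", []):
            if not pw.startswith("{"):       # no {CRYPT}/{SSHA}/... scheme prefix
                problems.append((dn, "userPassword is stored in clear text"))
        for uid in e.get("uidNumber", []):
            if uid.isdigit() and int(uid) < min_uid:
                problems.append((dn, f"uidNumber {uid} is inside the system-account range"))
        for home in e.get("homeDirectory", []):
            if len(home) > 1 and home.endswith("/"):
                problems.append((dn, "homeDirectory has a trailing slash"))
    return problems


if __name__ == "__main__":
    for dn, problem in check_posix_entries(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
```

Run on the sample, the checker reports nothing for {{ic|johndoe}} and four findings for {{ic|janedoe}}: the missing {{ic|cn}}, the clear-text password, the low {{ic|uidNumber}} and the trailing slash. The clear-text check is the one worth keeping in any import pipeline: slapd stores {{ic|userPassword}} exactly as given, so a value without a scheme prefix is readable by anyone allowed to read the attribute.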
== Client Setup ==

Install the OpenLDAP client as described in [[OpenLDAP]]. Make sure you can query the server with {{ic|ldapsearch}}.

Next, [[pacman|install]] {{Pkg|nss-pam-ldapd}} from the [[official repositories]].

=== NSS Configuration ===

NSS is a system facility which manages different sources as configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|files}} type source for the {{ic|passwd}} database, which stores the user accounts.

Edit {{ic|/etc/nsswitch.conf}}, which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} source to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so make sure these lines in your file look like this:

 passwd: files ldap
 group: files ldap
 shadow: files ldap

Restart {{ic|nslcd.service}}.

You should now see your LDAP users when running {{ic|getent passwd}} on the client.

==== Name Service Cache Daemon ====

You can optionally run NSCD. This is a daemon that NSS uses to cache lookups and queries for network backends. This way you can still log in when the LDAP server is down, and it also reduces the load on the LDAP server.

Start {{ic|nscd.service}} using systemd.

{{Note|It is recommended to stop NSCD when troubleshooting because it may mask problems by serving cached queries.}}
=== PAM Configuration ===

{{Out of date|{{pkg|pambase}} obsoletes most of the pam section}}

Edit {{ic|/etc/pam.d/login}}:

 auth      requisite   pam_securetty.so
 auth      requisite   pam_nologin.so
 auth      sufficient  pam_ldap.so
 auth      required    pam_env.so
 auth      required    pam_unix.so nullok try_first_pass
 account   sufficient  pam_ldap.so
 account   required    pam_access.so
 account   required    pam_unix.so
 session   required    pam_motd.so
 session   required    pam_limits.so
 session   optional    pam_mail.so dir=/var/spool/mail standard
 session   optional    pam_lastlog.so
 session   required    pam_unix.so

Edit {{ic|/etc/pam.d/passwd}}:

 password  sufficient  pam_ldap.so
 password  required    pam_unix.so shadow md5 nullok

Edit {{ic|/etc/pam.d/shadow}}:

 auth      sufficient  pam_ldap.so
 auth      sufficient  pam_rootok.so
 auth      required    pam_unix.so
 account   sufficient  pam_ldap.so
 account   required    pam_unix.so
 session   sufficient  pam_ldap.so
 session   required    pam_unix.so
 password  sufficient  pam_ldap.so
 password  required    pam_permit.so

Edit {{ic|/etc/pam.d/su}}:

 auth      sufficient  pam_ldap.so
 auth      sufficient  pam_rootok.so
 auth      required    pam_unix.so use_first_pass
 account   sufficient  pam_ldap.so
 account   required    pam_unix.so
 session   sufficient  pam_ldap.so
 session   required    pam_unix.so

Edit {{ic|/etc/pam.d/sshd}}:

 auth      sufficient  pam_ldap.so
 auth      required    pam_securetty.so        #Disable remote root
 auth      required    pam_unix.so try_first_pass
 auth      required    pam_nologin.so
 auth      required    pam_env.so
 account   sufficient  pam_ldap.so
 account   required    pam_unix.so
 account   required    pam_time.so
 password  sufficient  pam_ldap.so
 password  required    pam_unix.so
 session   required    pam_unix_session.so
 session   required    pam_limits.so

Edit {{ic|/etc/pam.d/other}}:

 auth      sufficient  pam_ldap.so
 auth      required    pam_unix.so
 account   sufficient  pam_ldap.so
 account   required    pam_unix.so
 password  sufficient  pam_ldap.so
 password  required    pam_unix.so
 session   required    pam_unix.so
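What these stacks actually do depends on how the control flags compose: {{ic|requisite}} aborts the stack on failure, {{ic|required}} records a failure but keeps going, {{ic|sufficient}} returns success immediately when it succeeds and no earlier {{ic|required}} module has failed, and {{ic|optional}} only counts when it is the sole module of its type. The Python script below is an added example, not code from the ArchWiki page or from Linux-PAM: it parses the simple {{ic|type control module [args]}} form of a {{ic|pam.d}} file and walks one management group with those semantics, reporting the result and which modules were actually consulted. The sample text is the {{ic|auth}} and {{ic|account}} part of the {{ic|/etc/pam.d/login}} file above, pasted in as a constructed string; module outcomes are supplied by the caller rather than obtained from real modules.

```python
from dataclasses import dataclass

# Constructed sample (assumption): the auth and account stacks from the
# /etc/pam.d/login file shown on the page.
LOGIN_PAM = """\
auth            requisite      pam_securetty.so
auth            requisite      pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_env.so
auth            required        pam_unix.so nullok try_first_pass
account        sufficient      pam_ldap.so
account        required        pam_access.so
account        required        pam_unix.so
"""


@dataclass
class Rule:
    mtype: str      # auth, account, session or password
    control: str    # requisite, required, sufficient or optional
    module: str     # e.g. pam_unix.so
    args: tuple     # module arguments such as ("nullok", "try_first_pass")


def parse_pam(text):
    """Parse the simple 'type control module [args]' form of a pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return rules


def evaluate(rules, mtype, outcomes):
    """Walk one management group (e.g. 'auth') with PAM's control-flag semantics.

    outcomes maps a module file name to True (module succeeded) or False
    (module failed); a module absent from the mapping is treated as failed.
    Returns (stack_passed, modules_that_actually_ran).
    """
    stack = [r for r in rules if r.mtype == mtype]
    if len(stack) == 1 and stack[0].control == "optional":
        # optional only decides the result when it is the sole module of the stack
        return outcomes.get(stack[0].module, False), [stack[0].module]
    required_failed = False
    ran = []
    for r in stack:
        ok = outcomes.get(r.module, False)
        ran.append(r.module)
        if r.control == "requisite" and not ok:
            return False, ran                      # abort the stack immediately
        if r.control == "required" and not ok:
            required_failed = True                 # remember, but keep going
        if r.control == "sufficient" and ok and not required_failed:
            return True, ran                       # short-circuit with success
        # a failing sufficient module and optional results are ignored here
    return bool(stack) and not required_failed, ran


if __name__ == "__main__":
    rules = parse_pam(LOGIN_PAM)
    # An LDAP user: pam_ldap succeeds, so pam_env and pam_unix are never consulted.
    print(evaluate(rules, "auth", {"pam_securetty.so": True, "pam_nologin.so": True,
                                   "pam_ldap.so": True}))
    # A local user: pam_ldap does not know them, the stack falls through to pam_unix.
    print(evaluate(rules, "auth", {"pam_securetty.so": True, "pam_nologin.so": True,
                                   "pam_env.so": True, "pam_unix.so": True}))
```

Two things the walk makes visible about the stacks above. In {{ic|login}}, {{ic|pam_env.so}} sits after the {{ic|sufficient}} {{ic|pam_ldap.so}}, so LDAP users skip it entirely. In {{ic|sshd}}, {{ic|pam_ldap.so}} is the first {{ic|auth}} line, so a successful LDAP bind returns before {{ic|pam_securetty.so}} and {{ic|pam_nologin.so}} are reached; those two checks therefore only apply to users who fall through to {{ic|pam_unix.so}}. Placing such checks ahead of the {{ic|sufficient}} line, as {{ic|login}} does, makes them apply to both kinds of account.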
== Resources ==

[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd package]

The PAM and NSS pages at the Debian Wiki: [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]

[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]

[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]

[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on SUSE's mailing lists about nss-pam-ldapd]

Revision as of 00:59, 6 November 2013