OpenLDAP Authentication
Introduction and Concepts
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).
The guide is divided into two parts. The first part covers how to set up an OpenLDAP server that hosts the authentication directory. The second part covers how to set up the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.
NSS and PAM
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.
PAM (which stands for Pluggable Authentication Module) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.
To summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases, and then configure PAM to use these sources to authenticate its users.
LDAP Server Setup
Installation
You can read about installation and basic configuration in the OpenLDAP article. After you have completed that, return here.
Populate LDAP Tree with Base Data
Create a file called base.ldif with the following text:
base.ldif
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
Add it to your OpenLDAP Tree:
$ ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
Test to make sure the data was imported:
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
Adding users
To manually add a user, create an .ldif file like this:
example.ldif
dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John Doe
sn: Doe
givenName: John
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: https://archlinux.org/
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe/
description: This is an example user
The xxxxxxxxxx in the userPassword entry should be replaced with the password hash field of the user's entry in /etc/shadow; the {CRYPT} prefix tells slapd to verify it with crypt(3).
You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's Migration Tools.
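The following is an added example, not code from the wiki page or from PADL's Migration Tools: a minimal migration script that turns passwd- and shadow-style records into LDIF entries of the shape shown above, carrying the existing hash over as a {CRYPT} userPassword value. The sample records, the placeholder hash and the MIN_UID/MAX_UID range are constructed assumptions; the base DN and ou=People come from the page's base.ldif.

```python
import base64

# Constructed sample records in /etc/passwd and /etc/shadow format (not real
# accounts).  The hash is a placeholder of the right shape, not a real secret.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",                      # system account, skipped
    "johndoe:x:9999:9999:John Doe,Room 1:/home/johndoe:/bin/bash",
    "nobody:x:65534:65534:Nobody:/:/usr/bin/nologin",       # skipped: uid outside the range
]
SHADOW_LINES = [
    "root:!:19000:0:99999:7:::",                            # locked account
    "johndoe:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",
]

PEOPLE_BASE = "ou=People,dc=example,dc=org"   # from the page's base.ldif
MIN_UID, MAX_UID = 1000, 60000                # assumption: only ordinary users are migrated

def ldif_line(attr, value):
    """Format one attribute line.  RFC 2849 requires base64 ("::") for values
    that start with space, ':' or '<', end with a space, or contain non-ASCII
    or control characters."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) < 32 or ord(c) == 127 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"

def parse_shadow(lines):
    """Map login name -> shadow fields (hash, lastchange, min, max, warn)."""
    table = {}
    for line in lines:
        f = line.rstrip("\n").split(":")
        if len(f) >= 6:
            table[f[0]] = dict(hash=f[1], lastchange=f[2], min=f[3], max=f[4], warn=f[5])
    return table

def user_to_ldif(passwd_line, shadow):
    """Return the LDIF entry for one passwd record, or None if the account is a
    system account or has no usable password hash (locked or empty)."""
    name, _, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")[:7]
    if not MIN_UID <= int(uid) <= MAX_UID:
        return None
    s = shadow.get(name)
    if s is None or not s["hash"] or s["hash"].startswith(("!", "*")):
        return None                           # locked or passwordless: do not migrate
    full_name = gecos.split(",")[0] or name   # GECOS: the full name is the first field
    given, _, sn = full_name.partition(" ")
    lines = [
        ldif_line("dn", f"uid={name},{PEOPLE_BASE}"),
        "objectClass: top", "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson", "objectClass: posixAccount", "objectClass: shadowAccount",
        ldif_line("uid", name), ldif_line("cn", full_name),
        ldif_line("sn", sn or name),          # sn is mandatory for the person class
        ldif_line("givenName", given),
        ldif_line("uidNumber", uid), ldif_line("gidNumber", gid),
        ldif_line("homeDirectory", home), ldif_line("loginShell", shell),
        ldif_line("userPassword", "{CRYPT}" + s["hash"]),   # hash copied verbatim from shadow
    ]
    for attr, key in (("shadowLastChange", "lastchange"), ("shadowMin", "min"),
                      ("shadowMax", "max"), ("shadowWarning", "warn")):
        if s[key]:
            lines.append(ldif_line(attr, s[key]))
    return "\n".join(lines) + "\n"

def migrate(passwd_lines, shadow_lines):
    """Return the LDIF entries (one string each) for all migratable users."""
    shadow = parse_shadow(shadow_lines)
    return [e for e in (user_to_ldif(p, shadow) for p in passwd_lines) if e]

if __name__ == "__main__":
    # Entries are separated by a blank line, ready for ldapadd -x -D ... -W
    print("\n".join(migrate(PASSWD_LINES, SHADOW_LINES)))
```

The script deliberately skips locked ("!" or "*") and system accounts: migrating root or service accounts into the directory would make them resolvable and authenticatable on every client.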
Client Setup
Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with ldapsearch.
Next, install nss-pam-ldapd from the official repositories.
NSS Configuration
NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.
Edit /etc/nsswitch.conf, which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:
passwd: files ldap
group: files ldap
shadow: files ldap
Restart nslcd.service.
You should now see your LDAP users when running getent passwd on the client.
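As an added example (not from the wiki page), here is a small check for the nsswitch.conf requirement above: it parses the file's database lines and reports when passwd, group or shadow lacks the ldap source, or lists ldap ahead of files. Keeping files first matters because local accounts, root included, must stay resolvable when the LDAP server is unreachable. The two sample file contents are constructed.

```python
import re

REQUIRED_DBS = ("passwd", "group", "shadow")

# Constructed sample contents of /etc/nsswitch.conf.  In the bad one, 'group'
# consults ldap before files and 'shadow' has no ldap source at all.
SAMPLE_GOOD = "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n"
SAMPLE_BAD = "# comment\npasswd: files ldap\ngroup: ldap files\nshadow: files\n"

def parse_nsswitch(text):
    """Return {database: [source, ...]}.  Comments and the optional
    [STATUS=action] tokens that may follow a source (e.g. [NOTFOUND=return])
    are dropped so only the source names remain."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)   # strip action specifiers
        dbs[name.strip()] = rest.split()
    return dbs

def check_nsswitch(text):
    """Return a list of human-readable problems; an empty list means the
    passwd, group and shadow databases are configured as the guide expects."""
    dbs = parse_nsswitch(text)
    problems = []
    for db in REQUIRED_DBS:
        sources = dbs.get(db)
        if sources is None:
            problems.append(f"{db}: database not configured")
        elif "ldap" not in sources:
            problems.append(f"{db}: ldap source missing")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            # files before ldap keeps local accounts usable without the server
            problems.append(f"{db}: 'files' should precede 'ldap'")
    return problems

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_nsswitch(sample) or "OK")
```

To run it against the real file, replace the sample with `open("/etc/nsswitch.conf").read()`.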
Name Service Cache Daemon
You can optionally run NSCD, a daemon that NSS uses to cache lookups and queries for network backends. Cached account and group information stays available when the LDAP server is down, and the cache also reduces load on the LDAP server. Note that nscd caches NSS lookups only; password checks through pam_ldap still need to reach the server.
Start nscd.service using systemd.
PAM Configuration
Edit /etc/pam.d/login:
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
account sufficient pam_ldap.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/spool/mail standard
session optional pam_lastlog.so
session required pam_unix.so
Edit /etc/pam.d/passwd:
password sufficient pam_ldap.so
password required pam_unix.so shadow md5 nullok
The md5 option makes pam_unix store new local password hashes with MD5-crypt; on a current Linux-PAM, sha512 is the stronger choice for that option.
Edit /etc/pam.d/shadow:
auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
auth required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
password sufficient pam_ldap.so
password required pam_permit.so
Edit /etc/pam.d/su:
auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
Edit /etc/pam.d/sshd:
auth sufficient pam_ldap.so
auth required pam_securetty.so #Disable remote root
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
auth required pam_env.so
account sufficient pam_ldap.so
account required pam_unix.so
account required pam_time.so
password sufficient pam_ldap.so
password required pam_unix.so
session required pam_unix_session.so
session required pam_limits.so
Edit /etc/pam.d/other:
auth sufficient pam_ldap.so
auth required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so
password sufficient pam_ldap.so
password required pam_unix.so
session required pam_unix.so
Resources
The official page of the nss-pam-ldapd package
The PAM and NSS page at the Debian Wiki
Using LDAP for single authentication