Introduction and Concepts
This is a guide on how to configure an Archlinux installation to authenticate against an OpenLDAP server.The openldap backend can be either local (installed on the same computer) or network (i.e in a lab environment where central authentication is desired). The guide will be divided in two parts. The first part deals with how to setup OpenLDAP locally and the second with how to setup the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticated against an already excisting LDAP server then you can skip to the second part.
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data. The closest analogue to real life, would be the telephone directory. Another generalised explanation of what an LDAP server does is that it is a database (which it basically is, but it is not relational) which is optimised for accessing the data and not reading them.
Commands relate to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities while commands that begin with slap (like slapcat) are server-side. Arch packages both in thepackage, so you need to install it regardless of o local or network OpenLDAP install.
NSS and PAM
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example,
/etc/passwd is a
file type source for the passwd database.
PAM (which stands for Pluggable Authentication Module) is a machanism Linux (and most *nixes) uses to extend it's authentication schemes based on different plugins.
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the
shadow and other configuration databases and then configure PAM to use these sources to authenticate it's users.
You can read about installation and basic configuration in the OpenLDAP article. After you have completed that, return here.
Populate LDAP Tree with Base Data
Create a file called base.ldif with the following text:
# example.org dn: dc=example,dc=org objectClass: dcObject objectClass: organization o: Example Organization dc: example # Manager, example.org dn: cn=Manager,dc=example,dc=org cn: Manager description: LDAP administrator roleOccupant: dc=example,dc=org objectClass: organizationalRole objectClass: top # People, example.org dn: ou=People,dc=example,dc=org ou: People objectClass: top objectClass: organizationalUnit # Group, example.org dn: ou=Group,dc=example,dc=org ou: Group objectClass: top objectClass: organizationalUnit
Add it to your OpenLDAP Tree:
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
Test to make sure the data was imported:
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
There is the official repositoriesand from the
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.
You can search an LDAP server with the following command:
ldapsearch -x -H <URL> -b <BASE>
-xis required in all client commands because SASL authentication probably hasn't been configured.
You can add the URL and BASE settings to
/etc/openldap/ldap.conf in order to avoid writing the everytime. All client-side ldap utilities use this file to read some general variables.
NSS is a system facility which manages different sources as configuration databases. For example
/etc/passwd is i
file-type source for the
passwd which by default stores the user accounts. nss_ldap is a plugin which allow NSS to see an OpenLDAP server as a source for these databases.
/etc/nsswitch.conf which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the
ldap directive to the
shadow databases, so be sure your file looks like this:
passwd: files ldap group: files ldap shadow: files ldap
Name Service Cache Daemon
NSCD is a daemon that NSS runs that is responsible for caching lookups and queries for network backends.
READ THIS FIRST: [NSCD Bugged in Arch Linux] Fix nscd:
mkdir -p /var/db/nscd/ mkdir -p /var/run/nscd/
systemctl start nscd
auth requisite pam_securetty.so auth requisite pam_nologin.so auth sufficient pam_ldap.so auth required pam_env.so auth required pam_unix.so nullok try_first_pass account sufficient pam_ldap.so account required pam_access.so account required pam_unix.so session required pam_motd.so session required pam_limits.so session optional pam_mail.so dir=/var/spool/mail standard session optional pam_lastlog.so session required pam_unix.so
password sufficient pam_ldap.so password required pam_unix.so shadow md5 nullok
auth sufficient pam_ldap.so auth sufficient pam_rootok.so auth required pam_unix.so account sufficient pam_ldap.so account required pam_unix.so session sufficient pam_ldap.so session required pam_unix.so password sufficient pam_ldap.so password required pam_permit.so
auth sufficient pam_ldap.so auth sufficient pam_rootok.so auth required pam_unix.so use_first_pass account sufficient pam_ldap.so account required pam_unix.so session sufficient pam_ldap.so session required pam_unix.so
auth sufficient pam_ldap.so auth required pam_securetty.so #Disable remote root auth required pam_unix.so try_first_pass auth required pam_nologin.so auth required pam_env.so account sufficient pam_ldap.so account required pam_unix.so account required pam_time.so password sufficient pam_ldap.so password required pam_unix.so session required pam_unix_session.so session required pam_limits.so
auth sufficient pam_ldap.so auth required pam_unix.so account sufficient pam_ldap.so account required pam_unix.so password sufficient pam_ldap.so password required pam_unix.so session required pam_unix.so