Talk:LDAP authentication

From ArchWiki

Poor writing

This article needs to include more explanatory information rather than an example of one user's configuration (which may or may not work?). -- pointone 11:41, 17 January 2011 (EST)

Error

Following this guide and the other one out of the box I get the following error when trying to import (ldapadd) or search (ldapsearch)

slapd[20458]: fd=12 DENIED from unknown (127.0.0.1)

And yes I do have slapd in the hosts.allow

Add to /etc/hosts.allow:
slapd: 127.0.0.1
Peleki 11:14, 21 August 2010 (EDT)

Suggestions

If you want hdb as backend, you have to adjust the PKGBUILD to --enable-hdb and rebuild the package

To disable the IPV6 error, add -4 to the slapd init script at line 14 (/usr/sbin/slapd -4 $SLAPD_OPTIONS)

To disable the " openldap configure monitor database to enable" add "database monitor" in /etc/openldap/slapd.conf BEFORE any database backend type (hdb or bdb)

--mvinnicius 19:55, 14 February 2011 (EST)

For the record, it's probably better to add -4 to the SLAPD_OPTIONS variable in /etc/conf.d/slapd than to modify the rc-script. --DJPohly 21:09, 14 February 2011 (EST)

Overhaul

I started editing the page with the goal of merging it with the LDAP Authentication one and also with the main OpenLDAP article. I rewrote the introduction and added some explanations for the client side like NSS and PAM. I'm going to remove the pam_ldap and nss_ldap bit and use nss_pam_ldapd from AUR which is the most up to date (and robust) version. If anyone has any objections feel free to say so.

Clarification

I think the client configuration section should clarify that you would want to choose between ldap or sssd (with sssd being the more robust of the two).

Also, in the sssd section, there's a handy note pointing out that sudo is not compiled with sssd support. I created a sudo-sssd package in the AUR. Perhaps it would be beneficial to link to it?

Niq000 (talk) 06:36, 9 July 2015 (UTC)

I've found several conflicts in this article that I think need to be resolved or annotated.

1. This article refers to OpenLDAP for initial setup which sets you up with rootdn as "cn=root,dc=example,dc=org". However this article expects that you've set up rootdn "cn=Manager,dc=example,dc=org". We should be consistent or figure out a better way to refer to this new user.

2. The file changes described in "Client Setup" completely conflict with the changes in "Online and Offline Authentication with SSSD". If these sections are exclusive, it is important to describe the options available before people start with the intuitive "Client Setup". If the primary advantage of SSSD is that offline authentication is possible, it's important to describe that as a limitation in the "Client Setup" section and refer to SSSD for the better approach.

3. In "LDAP Server Setup" -> "Set up access controls" the article instructs to change /etc/openldap/slapd.conf and restart slapd.service, however that is insufficient according to the OpenLDAP page. Instead you need to slapindex, then chown some files before restarting the service.

4. Initial entries are described in "Populate LDAP Tree with Base Data", however this is already done in the original OpenLDAP article (to a lesser extent). There should be a note in the original reference to the OpenLDAP article of when to stop following the guide. If a user finishes one before starting here, there will be conflicting records.

5. The OpenLDAP article says that we will likely want to add some typically used schemas to the top of slapd.conf and some indexes to the bottom of slapd.conf. In this article we should specify which schemas and indexes are applicable to this particular application.

6. A fresh install shows a significant difference in /etc/pam.d/sudo from what is described in the "Enable Sudo" section. It has a set of include statements instead of what is described here. I suspect that the first half of this section is no longer necessary.

7. If packages nss-pam-ldapd and sssd are not totally exclusive, then it should be noted in "Online and Offline Authentication with SSSD" how far one should follow the "Client Setup" section.

8. The "SSSD Configuration" section points to "man sssd.conf" for info. However ldap-relevant config used here such as ldap_tls_reqcert are only defined in "man sssd-ldap". We should correct the reference.

9. If you've completed the "Client Setup" section, then you've added pam_ldap.so in many of the files in /etc/pam.d. In SSSD's "PAM configuration" section, we replace all instances of pam_ldap.so with pam_sss.so except for in /etc/pam.d/su and su-l. It's unclear regarding whether this instance should also be replaced.

Unfortunately I don't have the confidence to make these changes, especially since I haven't had success yet for my configuration.

Stewbond (talk) 19:36, 19 January 2017 (UTC)

PAM error on sudo

As of 05/Jan/2019, the package pambase contains a new fallback option in /etc/pam.d/other, which simply denies all unregistered services. Due to this change, the configuration for SSSD + sudo in LDAP_authentication#1. SUDO Configuration doesn't work any more because it contains only an `auth` section but `account` and `session` are missing. (All `sudo` attempts result in errors, saying "sudo: account validation failure, is your account locked?")

To resolve this issue we can either `account include system-auth` or `account required pam_sss.so`, however I cannot tell which is preferable. Could you please give me some advice on this?

Itakeshi (talk) 13:07, 12 February 2019 (UTC)
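Added example, not from the post or the ArchWiki article, showing the situation the post describes: a sudo PAM file with only an auth stack beside one completed with the `account include system-auth` option the post names. The exact module lines are assumed; the alternative `account required pam_sss.so` is also taken from the post.

```text
# /etc/pam.d/sudo as the post describes it: only an auth stack (lines assumed).
# Linux-PAM uses /etc/pam.d/other for any management group a service file
# does not define, so with pambase's deny-all "other" the account and
# session stages are refused: "account validation failure".
auth     sufficient  pam_sss.so
auth     include     system-auth

# Completed file (assumed layout): every stage sudo invokes is defined,
# so nothing falls through to /etc/pam.d/other.
auth     sufficient  pam_sss.so
auth     include     system-auth
account  include     system-auth     # alternative from the post: account required pam_sss.so
session  include     system-auth
```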

Configs need to be updated to new cn=config format

The OpenLDAP article already uses the new cn=config format, so this article's slapd.conf configs should be updated as well. Ta180m (talk) 21:17, 2 August 2021 (UTC)

OK, I made a few edits to fix this. Someone should probably check over them to make sure that they are correct. Ta180m (talk) 16:56, 4 August 2021 (UTC)

The article talks about LDAP authentication but only mentions OpenLDAP

The article talks about LDAP authentication but only mentions OpenLDAP; either the article is only about OpenLDAP and should be named accordingly, or it should also mention 389-ds. --Thaodan (talk) 10:14, 12 November 2022 (UTC)