<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title>LDAP Authentication for Linux</title>
<link rel="stylesheet" type="text/css" href="index.css">
</head>
<body>
<div class="title">LDAP Authentication for Linux</div>© 2002 by
<a href="http://www.metaconsultancy.com">metaconsultancy</a><br>

<p>
LDAP is a directory server technology that allows information such
as usernames and passwords for an entire site to be stored on a central
server.
This whitepaper describes how to set up a Linux workstation
to use an LDAP server for user information and authentication.
</p>

<p>
Before proceeding, you will need a working LDAP server which can
provide you with user information. If you need to set one up,
consult our <a href="ldap.htm">OpenLDAP whitepaper</a> for
instructions.
</p>

<p>
User information consists of such data as mappings between user id numbers
and user names (used, for example, by <span class="in">ls -l</span>), or home directory
locations (used, for example, by <span class="in">cd ~</span>). Lookups of such information
are handled by the name service subsystem, configured in the file
<span class="path">/etc/nsswitch.conf</span>.

Authentication (password checking), on the other hand, is handled by the
PAM (pluggable authentication module) subsystem, configured in the
<span class="path">/etc/pam.d/</span> directory.

While these two subsystems can (in fact must) be configured separately,
you will likely want both to use LDAP.
</p>

<div class="section">
<span class="section">nss-ldap</span>

<p>
Begin by installing the shared library code necessary for the
name service to use LDAP.

<div class="script"><pre class="code">
# <span class="in">apt-get install libnss-ldap</span>
</pre></div>

</p>

<p>
Next, open the <span class="path">/etc/nsswitch.conf</span> file, and tell the
name service subsystem to use LDAP to obtain user information.

<div class="script">
<div class="codetitle">nsswitch.conf</div>
<pre class="code">
passwd:    files ldap
group:     files ldap
shadow:    files ldap
</pre>
</div>

Note that we do not eliminate the use of flat files, since some
users and groups (e.g. root) will remain local. If your machines do not
use flat files at all and your LDAP server goes down, not even
root will be able to log in.
</p>
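<p>
As an added check that is not part of the original whitepaper: the following POSIX shell function audits an nsswitch.conf for exactly the caveat above, namely that passwd, group and shadow each keep files and list it before ldap, so local accounts such as root still resolve when the LDAP server is unreachable. The file path and the sample contents are assumptions for illustration.
</p>

```shell
#!/bin/sh
# Added example, not from the whitepaper: audit an nsswitch.conf so that the
# passwd, group and shadow databases keep "files" and consult it before "ldap".
# Without that, a dead LDAP server locks out every account, root included.
#
# Usage: check_nsswitch /etc/nsswitch.conf
# Exit status 0 when all three databases are safe, 1 otherwise;
# prints one line per database found.
check_nsswitch() {
    awk '
        # skip comments and blank lines
        /^[ \t]*(#|$)/ { next }
        {
            db = $1; sub(/:$/, "", db)
            if (db != "passwd" && db != "group" && db != "shadow") next
            files_pos = 0; ldap_pos = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !files_pos) files_pos = i
                if ($i == "ldap"  && !ldap_pos)  ldap_pos  = i
            }
            if (!files_pos) {
                print db ": no files source; local accounts unusable if LDAP is down"
                bad = 1
            } else if (ldap_pos && ldap_pos < files_pos) {
                print db ": ldap listed before files; every local lookup waits on LDAP first"
                bad = 1
            } else {
                print db ": ok"
            }
        }
        END { if (bad) exit 1 }
    ' "$1"
}
```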

<p>
Finally, you need to tell the name service subsystem how to talk
to your LDAP server. This is done in the file
<span class="path">/etc/libnss-ldap.conf</span>.

<div class="script">
<div class="codetitle">libnss-ldap.conf</div>
<pre class="code">
uri ldap://ldap.example.com/ ldap://ldap-backup.example.com/
base dc=example,dc=com
</pre>
</div>

The uri directive specifies the domain name (or IP address) of your LDAP
server. As our example illustrates, you can specify multiple LDAP servers,
in which case they will be employed in failover fashion.

The base directive specifies the root DN at which searches should start.

For additional information on these and other configuration directives,
see <span class="in">man libnss-ldap.conf</span>.

</p>

<p>
nss-ldap expects accounts to be objects with the following attributes: uid,
uidNumber, gidNumber, homeDirectory, and loginShell. These attributes are
allowed by the objectClass posixAccount.
</p>

<p>
There is a simple way to verify that your name service subsystem is using
your LDAP server as instructed. Assign a file to be owned by a user that
exists only in the LDAP database, not in <span class="path">/etc/passwd</span>. If
<span class="in">ls -l</span> correctly shows the username, then the name service
subsystem is consulting the LDAP database; if it just shows the user number,
something is wrong.

For example, if the user john, with user number 1001, exists only in
LDAP, we can try

<div class="script"><pre class="code">
# <span class="in">touch /tmp/test</span>
# <span class="in">chown 1001 /tmp/test</span>
# <span class="in">ls -l /tmp/test</span>
-rw-r-----     1 john     users         0 Jan  1 12:00 /tmp/test
</pre></div>

to determine whether the name service is using LDAP.
</p>

</div>

<div class="section">
<span class="section">pam-ldap</span>

<p>
Next we configure the PAM subsystem to use LDAP for passwords. Begin by
installing the necessary PAM module.

<div class="script"><pre class="code">
# <span class="in">apt-get install libpam-ldap</span>
</pre></div>

The configuration file for the <span class="path">pam_ldap.so</span> module is
<span class="path">/etc/pam_ldap.conf</span>.

<div class="script">
<div class="codetitle">pam_ldap.conf</div>
<pre class="code">
uri ldaps://ldap.example.com/
base dc=example,dc=com
pam_password exop
</pre>
</div>

The uri and base directives work the same way they do for
<span class="path">/etc/libnss-ldap.conf</span> and <span class="path">/etc/ldap/ldap.conf</span>.
Notice that we have used ldaps to ensure that the connections over which
passwords are exchanged are encrypted.
The directive "pam_password exop" tells pam-ldap to change passwords through
the password-modify extended operation, which lets OpenLDAP apply the hashing
algorithm specified in <span class="path">/etc/ldap/slapd.conf</span>, instead of
hashing locally and writing the result directly into the database.
</p>

<p>
pam-ldap assumes accounts to be objects with the following attributes:
uid and userPassword. These attributes are allowed by the objectClass
posixAccount.
</p>

<p>
We are now ready to configure individual services to use the LDAP server
for password checking. Each service that uses PAM for authentication has
its own configuration file <span class="path">/etc/pam.d/service</span>.
To configure a service to use LDAP for password checking, you must modify
its PAM configuration file.
</p>

<p>
To avoid an in-depth explanation of PAM, we will
content ourselves with a few examples. Consider first the login program,
which handles logins from the text console. A typical PAM stack which
checks passwords both in <span class="path">/etc/passwd</span> and in the LDAP database
follows.

<div class="script">
<div class="codetitle">/etc/pam.d/login</div>
<pre class="code">
auth        required      pam_nologin.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so shadow use_first_pass
auth        required      pam_deny.so
</pre>
</div>

After successful password authentication using the auth stack, login checks
for the existence of an account using the account stack, so it is necessary
to reference pam-ldap there, too.

<div class="script">
<div class="codetitle">/etc/pam.d/login</div>
<pre class="code">
account     sufficient    pam_unix.so
account     sufficient    pam_ldap.so
account     required      pam_deny.so
</pre>
</div>

Other login-like programs include xdm and gdm (for graphical logins),
ssh (for remote logins), su (for switching users), and
xlock and xscreensaver (for locked screens). Each has its own file
in <span class="path">/etc/pam.d/</span>.
</p>

<p>
Some applications not only authenticate passwords, but can also be used
to change them. The prototypical example is of course <span class="path">passwd</span>,
the standard password-changing utility. Such programs can be configured to
use LDAP by modifying their password stack.

<div class="script">
<div class="codetitle">/etc/pam.d/passwd</div>
<pre class="code">
password    required      pam_cracklib.so
password    sufficient    pam_ldap.so
password    sufficient    pam_unix.so
password    required      pam_deny.so
</pre>
</div>

</p>
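<p>
Two small audits for the pam-ldap configuration above, added here as an example and not part of the whitepaper: the first confirms that pam_ldap.conf sends passwords over ldaps:// (or requests STARTTLS with the pam_ldap directive "ssl start_tls", which the whitepaper does not use), the second that a given auth, account or password stack in a /etc/pam.d file references pam_ldap.so and ends with "required pam_deny.so" so that it fails closed. File names and the sample stacks are assumptions; the stack check assumes the simple control keywords used in the examples above.
</p>

```shell
#!/bin/sh
# Added example, not from the whitepaper: audits for the pam-ldap setup above.
# Both read the file named on the command line and print one line per finding;
# exit status 0 means the check passed.

# check_pam_ldap_conf FILE: passwords travel over the uri pam_ldap.so opens,
# so it must be ldaps://, or the file must request STARTTLS with "ssl start_tls".
check_pam_ldap_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "uri" { seen = 1; for (i = 2; i <= NF; i++) if ($i !~ /^ldaps:\/\//) plain = 1 }
        $1 == "ssl" && $2 == "start_tls" { tls = 1 }
        END {
            if (!seen) { print "uri: not set"; exit 1 }
            if (plain && !tls) { print "uri: cleartext ldap:// without start_tls"; exit 1 }
            print "uri: ok"
        }
    ' "$1"
}

# check_pam_stack FILE TYPE: for the auth, account or password stack in an
# /etc/pam.d file, confirm that pam_ldap.so is consulted and that the last
# line is "required pam_deny.so", so a misordered or missing module fails closed.
# Assumes the simple control keywords used in the examples (not [...] syntax).
check_pam_stack() {
    awk -v type="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == type {
            n++
            if ($3 ~ /pam_ldap\.so$/) ldap = 1
            last_ctrl = $2; last_mod = $3
        }
        END {
            if (!n) { print type ": no entries"; exit 1 }
            if (!ldap) { print type ": pam_ldap.so not referenced"; bad = 1 }
            if (last_ctrl != "required" || last_mod !~ /pam_deny\.so$/) {
                print type ": stack does not end with required pam_deny.so"; bad = 1
            }
            if (bad) exit 1
            print type ": ok"
        }
    ' "$1"
}
```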

<p>
One convenient application of pam-ldap is to set up "black box" servers
that can authenticate users for a particular service without those users having an
account on the machine at all. Services such as netatalk, (Cyrus) imap,
and (Postfix) smtp use PAM. By configuring their PAM stacks to use LDAP,
while leaving LDAP out of the PAM stacks of services such as login and ssh,
you can easily create a "black box" server.
</p>

</div>

<div class="section">
<span class="section">nscd</span>

<p>
To keep your computers from pounding your LDAP server every time
a command such as <span class="in">ls -l /home</span> is issued on a computer in your
organization, it is a good idea to configure your workstations to
cache some user data. As long as the data in the cache is sufficiently
fresh, the workstations use it instead of asking your LDAP server again.
The name service caching daemon (nscd) accomplishes exactly
this task.
</p>

<p>
To install nscd on Debian, just

<div class="script"><pre class="code">
# <span class="in">apt-get install nscd</span>
</pre></div>

</p>

<p>
The configuration file for nscd is <span class="path">/etc/nscd.conf</span>.

<div class="script">
<div class="codetitle">nscd.conf</div>
<pre class="code">
enable-cache            passwd          yes
positive-time-to-live   passwd          600
negative-time-to-live   passwd          20
suggested-size          passwd          211
check-files             passwd          yes
</pre>
</div>

</p>

</div>

</body>
</html>