LDAP/Client/Linux: Difference between revisions
Revision as of 24 February 2024, 15:55
Configuring OpenLDAP user authentication
Description
Unless you are an OpenLDAP expert, you will need more detailed documentation than is given here. Further information can be found in the references under Section 28.9, "Additional Resources".
Installation
Make sure the appropriate packages are installed on both the LDAP server and the LDAP client machines. The following packages must be installed on all LDAP clients:
- openldap
- openldap-clients
- nss_ldap
Applications
Troubleshooting
Syntax
Options
Parameters
Environment variables
Exit status
Configuration
On the LDAP server, edit the file /etc/openldap/slapd.conf so that it matches the specifics of your organization.
- Instructions for editing slapd.conf can be found in Section 28.6.1, "Editing /etc/openldap/slapd.conf".
On the client machines, both
- /etc/ldap.conf and
- /etc/openldap/ldap.conf
must contain the correct server and search base information for the organization.
Graphical configuration
On the client machines, /etc/nsswitch.conf must be edited to use LDAP. To do this, run the graphical authentication configuration tool (system-config-authentication) and select Enable LDAP Support on the User Information tab.
Manual configuration
If you edit /etc/nsswitch.conf by hand, add ldap to the appropriate lines.
- Example
passwd: files ldap
shadow: files ldap
group: files ldap
Files
Security
Documentation
RFC
Man pages
Info pages
See also
Links
Project
Weblinks
TMP
LDAP Authentication
This howto will show you how to store your users in LDAP and authenticate some of the services against it. I will not show how to install particular packages, as that is distribution/system dependent. I will focus on the "pure" configuration of all components needed to have LDAP authentication and storage of users. The howto somewhat assumes that you are migrating from regular passwd/shadow authentication, but it is also suitable for people who start from scratch.
Requirements
Introduction
What we want to achieve is to have our users stored in LDAP, authenticated against LDAP (directly or via PAM), and to have some tool to manage this in a human-understandable way.
This way we can use all software which has LDAP support, or fall back to the PAM LDAP module, which acts as a PAM->LDAP gateway.
More information on LDAP can be found on Wikipedia: LDAP wikipedia
Configuring OpenLDAP
OpenLDAP consists of the slapd and slurpd daemons. This howto covers a single LDAP server without replication, so we will focus only on slapd. I also assume you have installed and initialized your OpenLDAP installation (this depends on the system/distribution). If so, let's go to the configuration part.
On my system (Gentoo), OpenLDAP's configuration is stored in /etc/openldap; we are interested in the /etc/openldap/slapd.conf file. But first we have to generate a password for the LDAP administrator to put into the config file:
slappasswd -h {md5}
The config looks like this:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap/openldap
access to attrs=userPassword
  by dn="uid=root,ou=People,dc=domain,dc=com" write
  by dn="cn=Manager,dc=domain,dc=com" write
  by anonymous auth
  by self write
  by * none
access to dn.base=""
  by * read
access to *
  by dn="cn=Manager,dc=domain,dc=com" write
  by * read
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
rootpw {MD5}Tk1sMytv5ipjr+Vhcf03JQ==
directory /var/lib/openldap-data
index objectClass eq
Remember to change suffix and paths to your needs.
These are basic options with some basic ACLs needed so that users can change their own passwords. If you want more functionality, please read the OpenLDAP manual. Now that we have a proper config for slapd, we can start the daemon:
service slapd start
Please remember to have something like this in the config file responsible for the arguments passed to slapd (the path should point to slapd.sock):
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
Now we can test whether OpenLDAP is running and working properly. We do not have any data in the directory yet, but we can try to bind as cn=Manager,dc=domain,dc=com. When asked for the password, use the one you generated (the plain-text version of it, of course):
ldapsearch -D "cn=Manager,dc=domain,dc=com" -W
Migrate/Add data to the directory
Now that we have a running LDAP server, we have to fill it with data, either by creating or by migrating entries. I will show you how to migrate existing entries from the regular /etc/passwd, /etc/shadow and /etc/group files.
The first step is to configure migrationtools to your needs. On Gentoo, the configuration file is located in /usr/share/migrationtools/migrate_common.ph.
Generally, you need to change only these:
$DEFAULT_BASE = "dc=domain,dc=com";
$EXTENDED_SCHEMA = 1;
Now you are ready to migrate the data (actually it works even without the export command):
export ETC_SHADOW=/etc/shadow
./migrate_base.pl > /tmp/base.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
Now we have the data in the format understood by the LDAP server. Please open one of the files with a text editor to get used to the syntax. After that, we can add the data from the LDIF files:
ldapadd -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/base.ldif
ldapadd -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/group.ldif
ldapadd -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/passwd.ldif
ldapadd -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/hosts.ldif
You can try searching for some data:
ldapsearch uid=foouser
Client configuration
By client, I mean the machine which connects to the LDAP server to get users and authorize them. It can also be the machine the LDAP server runs on. In both cases we have to edit three files: /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth.
Let's start with ldap.conf, the LDAP client configuration:
BASE dc=domain, dc=com
scope sub
suffix "dc=domain,dc=com"
## needed when you want to change a user's password as root
rootbinddn cn=Manager,dc=domain,dc=com
## these are needed when your LDAP server dies
timelimit 5
bind_timelimit 5
uri ldap://ldap.domain.com/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
## the nss_base_* entries must use the same suffix as BASE above
nss_base_passwd ou=Computers,dc=domain,dc=com
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group ou=Group,dc=domain,dc=com
nss_base_hosts ou=Hosts,dc=domain,dc=com
Now it is time for nsswitch.conf and pam
Add these to nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
And change system-auth (or whatever you have, like login, sshd etc.) to:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
Time to test it. The best tool for this is good old getent. Pick a user from your system and issue:
getent passwd | grep foouser
You should get the result twice; if so, nss_ldap works fine. The PAM part can be tested by deleting a user from /etc/passwd and trying to log in through ssh.
Apache mod_auth_ldap
To have LDAP authorization in Apache, you have to load the mod_auth_ldap module:
LoadModule mm_auth_ldap_module modules/mod_auth_ldap.so
Now it is enough to make a .htaccess like this (the bind DN only needs read access to the People subtree; binding the web server as the directory manager, as in this example, grants it far more than it needs):
AuthName "Restricted"
AuthType Basic
AuthLDAPURL ldap://ldap.domain.com:389/ou=People,dc=domain,dc=com?uid
AuthLDAPBindDN "cn=Manager,dc=domain,dc=com"
AuthLDAPBindPassword "your_secret_secret_password_to_ldap_admin"
require valid-user
Note that this method can also be used for WebDAV Subversion authorization.
Administration tools for LDAP
There are a few tools I recommend for administering an OpenLDAP server:
- phpldapadmin - web-based tool
- ldapvi - vim browsing
- PADL migrationtools - migration tools
- IDEALX sambaldap tools - samba LDAP tools
Other LDAP-aware applications
- Postfix
- Courier IMAP
- jabberd
- eGroupware
Summary
If someone has something to add, please do so. This configuration may not be perfect.
Weblink
https://www.howtoforge.com/linux_ldap_authentication
Active Directory authentication
Central directory services such as OpenLDAP or Active Directory (AD) simplify password management for administrators and users. For Linux servers, SSH authentication against an AD is of particular interest. From an IT security point of view this solution is also advantageous:
- Administrators no longer have to choose and manage a different password for every server. They can log in to the servers with their AD password.
- Password changes or the deactivation of an account can be done in the AD.
- Centrally managed root passwords no longer have to be known to all administrators.
The following article shows how authentication against an AD is configured on Debian through PAM with libpam-ldapd. Once configured, the authentication applies not only to SSH but to all services that use PAM (including, for example, sudo). Since the libpam-ldapd packages also exist for Ubuntu [1], the guide can be used for Ubuntu as well.
Prerequisites and purpose
The following information is needed for the setup:
- The LDAP URL of the AD server.
- The search or base DN in which the users reside.
- (recommended) A bind DN, including its password, that is used to search the AD or the base DN.
- For TLS
- The certificate file for encrypted communication (since passwords are transmitted between the server and the AD during authentication, encrypted communication is strongly recommended).
- The users who want to log in must already exist on the server itself.
Briefly summarised, the goals of the guide below are:
- Password authentication of users against the passwords stored in the AD.
- Other things such as groups, home paths etc. are not fetched from the AD.
- The root user must still be able to log in with the local password.
Caution: changes to the PAM module configuration can lead to you no longer being able to log in or authenticate. Always keep a root terminal open for emergencies!
Testing the connection to the AD
As a first step, the connection between the server and the AD is tested. When using LDAP with START_TLS, communication takes place over port 389:
# telnet ldap.example.com 389
Trying ...
Connected to ldap.example.com
Escape character is '^]'.
Then an actual LDAP query is performed with ldapsearch (for an encrypted connection, parameter '-ZZ', the certificate must be configured in the file /etc/ldap.conf):
ldapsearch -x -H ldap://ldap.example.com -D "CN=Georg Schönberger,OU=Users,DC=example,DC=com" \
  -b OU=Users,DC=example,DC=com -W -ZZ sAMAccountName=gschoenberger
Installing libpam-ldapd
The central component on the Debian server is the package libpam-ldapd (packages.debian.org). This package also installs the daemon nslcd (packages.debian.org), which is responsible for the communication between the server and the AD.
# apt-get install libpam-ldapd
[...]
The following NEW packages will be installed:
bind9-host geoip-database ldap-utils libbind9-80 libcap2 libdns88 libgeoip1 libisc84 libisccc80 libisccfg82
liblwres80 libnss-ldapd libpam-ldapd libxml2 nscd nslcd sgml-base xml-core
During the package installation, the configuration dialogs ask for the following values:
The LDAP URL points to the hostname of the AD server.
The search base is the part of the directory in which the users reside.
If the AD is only used for password authentication, the file nsswitch.conf does not need to be configured.
To run the package configuration again in order to adjust values, simply call
# dpkg-reconfigure nslcd
Configuring nslcd
The following map and filter entries, binddn and bindpw, and TLS options must be added to the file /etc/nslcd.conf:
[...]
base ou=Users,dc=example,dc=com
map passwd uid sAMAccountName
filter passwd (objectClass=user)
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn cn=reader,dc=example,dc=com
bindpw secret
[...]
# SSL options
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/Example-com-cacert.pem
[...]
As can be seen above, /etc/nslcd.conf already contains the settings made during the package installation. Since the file holds the bind password in clear text, it must be readable by root only (mode 0600).
Configuring pam_ldap
In principle, the configuration from the package installation is already suitable for AD authentication. With the default configuration, however, users can authenticate both via AD/LDAP and with their local password. To no longer allow local passwords for users other than root, the following change must be made in the file /etc/pam.d/common-auth.conf.
Caution: after this change, only root can still use its local password. All other users depend on the AD and a working connection between the server and the AD:[2]
# vi /etc/pam.d/common-auth
[...]
auth sufficient pam_ldap.so minimum_uid=1000
auth requisite pam_succeed_if.so uid eq 0
auth sufficient pam_unix.so nullok_secure
# here's the fallback if no module succeeds
[...]
After this, AD authentication is sufficient for all users with uid > 1000 to log in. The local passwords no longer work!
The configuration of AD authentication is complete after the steps above.
Troubleshooting
nslcd
The nslcd daemon offers a debug mode for analysing LDAP authentication:
# nslcd -d
nslcd: DEBUG: add_uri(ldap://ldap.example.com)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,2)
[...]
nslcd: accepting connections
If the -d parameter is given several times, the debug level of nslcd increases.
Somewhat misleading is the error message
DEBUG: failed to bind to LDAP server ldap://ldap.example.com: Invalid credentials: 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0
which also occurs when a user account does not yet exist on the server.
pam_ldap
Anyone adjusting the PAM rules in the file /etc/pam.d/common-auth.conf will encounter the error
pam_succeed_if(sshd:auth): incomplete condition detected
in the log file /var/log/auth.log if the expressions for pam_succeed_if.so are not correct.[3]
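The bind failure quoted above carries an Active Directory sub-code ("data 52e") after the generic "Invalid credentials". The following is an added example, not part of the original article, that extracts that sub-code from nslcd debug lines and maps it to a short reason, so a burst of failures in the log can be grouped by cause. The log lines are constructed for the example; the sub-code table lists the well-known AD values and is not taken from the page beyond 52e.

```python
# Added example (not from the original article): classify nslcd bind
# failures against an AD by their AcceptSecurityContext sub-code.
import re
from typing import Dict, List, Optional

# Well-known AD "AcceptSecurityContext error, data NNN" sub-codes.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERROR_RE = re.compile(
    r"failed to bind to LDAP server (?P<uri>\S+): (?P<ldap_error>[^:]+):"
    r".*?AcceptSecurityContext error, data (?P<subcode>[0-9a-f]+)"
)

# Constructed sample of 'nslcd -d' output; the first line is the one quoted
# on the page, the others vary only the sub-code.
SAMPLE_LOG = [
    "nslcd: DEBUG: failed to bind to LDAP server ldap://ldap.example.com: Invalid credentials: "
    "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0",
    "nslcd: DEBUG: failed to bind to LDAP server ldap://ldap.example.com: Invalid credentials: "
    "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 533, v23f0",
    "nslcd: DEBUG: failed to bind to LDAP server ldap://ldap.example.com: Invalid credentials: "
    "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 775, v23f0",
    "nslcd: accepting connections",
]


def classify_bind_error(line: str) -> Optional[Dict[str, str]]:
    """Return uri, LDAP error, AD sub-code and a reason for a bind failure line,
    or None when the line is not such a failure."""
    match = BIND_ERROR_RE.search(line)
    if match is None:
        return None
    subcode = match.group("subcode")
    return {
        "uri": match.group("uri"),
        "ldap_error": match.group("ldap_error").strip(),
        "subcode": subcode,
        "reason": AD_BIND_SUBCODES.get(subcode, "unknown sub-code"),
    }


def count_by_reason(lines: List[str]) -> Dict[str, int]:
    """Group bind failures by reason, e.g. to spot many 'invalid credentials'
    lines for accounts that simply do not exist on the server yet."""
    counts: Dict[str, int] = {}
    for line in lines:
        info = classify_bind_error(line)
        if info is not None:
            counts[info["reason"]] = counts.get(info["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_bind_error(line))
    print(count_by_reason(SAMPLE_LOG))
```

Note that the 52e reason is exactly the ambiguous case the article describes: it is reported both for a wrong password and for a user who does not yet exist on the server, so the sub-code alone does not settle which of the two it was.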
References
[1] libpam-ldapd (packages.ubuntu.com)
[2] PAM Explanation (pig.made-it.com)
[3] Insufficient error checking in pam_succeed_if (bugzilla.redhat.com)
Source: https://www.thomas-krenn.com/de/wiki/Passwort-Authentifizierung_mit_Active_Directory_unter_Debian_einrichten
LDAP authentication
Introduction and Concepts
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).
The guide is divided into two parts. The first part deals with how to setup an OpenLDAP server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.
NSS and PAM
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.
PAM (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases and then configure PAM to use these sources to authenticate its users.
LDAP Server Setup
Installation
Install the OpenLDAP server and configure the server and client. After you have completed that, return here.
Set up access controls
To make sure that no one can read the (encrypted) passwords from the LDAP server, while still allowing users to edit a few of their own attributes (such as their own password and photo), create and import the following LDIF and restart slapd.service afterwards:
Note: Alter the domain components "example" and "org" to your needs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=cn,givenName,sn,userPassword,shadowLastChange,mail,loginShell,photo
 by self write
 by anonymous auth
 by dn.base="cn=Manager,dc=example,dc=org" write
 by * none
olcAccess: {1}to *
 by self read
 by dn.base="cn=Manager,dc=example,dc=org" write
 by * read
Populate LDAP Tree with Base Data
Create a temporary file called base.ldif with the following text.
base.ldif
# example.org
dn: dc=example,dc=org
dc: example
o: Example Organization
objectClass: dcObject
objectClass: organization

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
objectClass: organizationalRole
objectClass: top
roleOccupant: dc=example,dc=org

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Groups, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
Add it to your OpenLDAP tree:
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
Test to make sure the data was imported:
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
Adding users
To manually add a user, create an .ldif file like this:
user_joe.ldif
dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John Doe
sn: Doe
givenName: John
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: https://archlinux.org/
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe/
description: This is an example user
The xxxxxxxxxx in the userPassword entry should be replaced with the hash value from /etc/shadow, or generate one with the slappasswd command. Now add the user:
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif
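Both the rootpw generated earlier with slappasswd -h {md5} and the userPassword attribute above are RFC 2307 style "{scheme}base64" values. The following is an added example, not code from the Arch wiki or from OpenLDAP, that builds and verifies such values with the standard library: the salted {SSHA} scheme that slappasswd emits by default, and the unsalted {MD5} scheme used for the rootpw earlier on this page. It assumes the standard layout of {SSHA} (20-byte SHA-1 digest followed by the salt, base64-encoded together).

```python
# Added example (not from the page or from OpenLDAP): generate and verify
# {SSHA} / {SHA} / {MD5} userPassword values offline.
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return "{SSHA}" + base64(sha1(password + salt) + salt), the default
    slappasswd output format (assumed layout: digest first, then salt)."""
    if salt is None:
        salt = os.urandom(8)          # fresh random salt per hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: str) -> str:
    """Unsalted "{MD5}" value, the scheme 'slappasswd -h {md5}' produces."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(stored: str, password: str) -> bool:
    """Check a cleartext password against a {SSHA}, {SHA} or {MD5} value,
    using a constant-time comparison for the digest."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("unsupported userPassword format")
    scheme, encoded = stored[1:].split("}", 1)
    raw = base64.b64decode(encoded)
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is salt
        expected = hashlib.sha1(pw + salt).digest()
    elif scheme == "SHA":
        digest, expected = raw, hashlib.sha1(pw).digest()
    elif scheme == "MD5":
        digest, expected = raw, hashlib.md5(pw).digest()
    else:
        raise ValueError("unsupported scheme {%s}" % scheme)
    return hmac.compare_digest(digest, expected)


def same_hash_for_same_password(scheme_fn: Callable[[str], str], password: str) -> bool:
    """True when hashing one password twice yields identical values, i.e. the
    scheme is unsalted and equal passwords are recognisable as equal in the directory."""
    return scheme_fn(password) == scheme_fn(password)


if __name__ == "__main__":
    value = ssha_hash("correct horse")
    print("userPassword:", value)
    print("verify ok   :", verify_userpassword(value, "correct horse"))
    print("verify bad  :", verify_userpassword(value, "wrong"))
    print("{MD5} repeats :", same_hash_for_same_password(md5_hash, "secret"))
    print("{SSHA} repeats:", same_hash_for_same_password(ssha_hash, "secret"))
```

The last two lines of the usage show why the salted scheme is preferable for a directory with many users: with {MD5}, two accounts sharing a password store the same value, which anyone who can read userPassword can see at a glance; with {SSHA} they do not.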
You can add a group similarly with
group_joe.ldif
dn: cn=joe,ou=Group,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: joe
gidNumber: 9999
Note: You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's openldap-migrationtools (AUR).
Client Setup
Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with ldapsearch.
Depending on your target, choose either online-only or online and offline authentication.
Online Authentication
NSS Configuration
NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.
Install the nss-pam-ldapd package.
Edit /etc/nsswitch.conf which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:
passwd: files ldap
group: files ldap
shadow: files ldap
Edit /etc/nslcd.conf and change the base and uri lines to fit your ldap server setup.
Edit the binddn and the bindpw if your LDAP server requires a password. Make sure you change the permission of your /etc/nslcd.conf to 0600 for nslcd to start properly.
Start nslcd.service using systemd.
You now should see your LDAP users when running getent passwd on the client.
PAM Configuration
The basic rule of thumb for PAM configuration is to include pam_ldap.so wherever pam_unix.so is included. Arch's move to pambase has decreased the number of edits required. For more details about configuring PAM, the Red Hat documentation is quite good. You might also want the upstream documentation for nss-pam-ldapd.
Tip: If you want to prevent UID clashes with local users on your system, you might want to include minimum_uid=10000 or similar on the end of the pam_ldap.so lines. You will have to make sure the LDAP server returns uidNumber fields that match the restriction.
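The tip above is easy to check before the directory goes live. The following is an added example, not from the Arch wiki, that reads user entries in the user_joe.ldif layout shown earlier and compares them with a local /etc/passwd: it flags LDAP accounts whose name or uidNumber collides with a local account, and accounts whose uidNumber falls below the minimum_uid that pam_ldap.so will be given. Both inputs are constructed samples embedded in the code; the minimum_uid value of 10000 is the one from the tip.

```python
# Added example (not from the page): uidNumber / uid clash check between
# LDIF user entries and a local passwd file.
from typing import Dict, List, Tuple

# Constructed sample /etc/passwd lines.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
johndoe:x:1001:1001:John Doe:/home/johndoe:/bin/bash
"""

# Constructed sample entries in the user_joe.ldif layout (one folded line).
SAMPLE_LDIF = """\
# constructed sample, not a real directory export
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: johndoe
cn: John Doe
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe/

dn: uid=jane,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jane
cn: Jane Roe
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/jane/

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 10042
gidNumber: 10042
homeDirectory: /home/bob/
description: This is an example
  user
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, '#' comments, and folded lines (leading space continues the
    previous value). Attribute names are lower-cased; values stay lists
    because LDAP attributes are multi-valued."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded continuation
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def parse_passwd(text: str) -> Dict[str, int]:
    """Map local user name -> uid from /etc/passwd style lines."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def find_uid_conflicts(ldif_text: str, passwd_text: str, minimum_uid: int) -> List[Tuple[str, str]]:
    """Return (uid, problem) pairs for posixAccount entries that clash with a
    local account or would be skipped by pam_ldap's minimum_uid."""
    local = parse_passwd(passwd_text)
    local_by_uid = {number: name for name, number in local.items()}
    problems: List[Tuple[str, str]] = []
    for entry in parse_ldif(ldif_text):
        if "posixaccount" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        name = entry["uid"][0]
        number = int(entry["uidnumber"][0])
        if name in local:
            problems.append((name, "user name also exists locally (uid %d)" % local[name]))
        if number in local_by_uid and local_by_uid[number] != name:
            problems.append((name, "uidNumber %d already used by local user %s" % (number, local_by_uid[number])))
        if number < minimum_uid:
            problems.append((name, "uidNumber %d is below minimum_uid=%d, pam_ldap will skip it" % (number, minimum_uid)))
    return problems


if __name__ == "__main__":
    for uid, problem in find_uid_conflicts(SAMPLE_LDIF, SAMPLE_PASSWD, 10000):
        print("%-8s %s" % (uid, problem))
```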
Note: Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for auth, password, and account is sufficient lines before required, but after required lines for the session section; optional can almost always go at the end. When adding your pam_ldap.so lines, do not change the relative order of the other lines without good reason! Simply insert LDAP within the chain.
First edit /etc/pam.d/system-auth. This file is included in most of the other files in pam.d, so changes here propagate nicely. Updates to pambase may change this file.
Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional.
/etc/pam.d/system-auth
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so

account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so

password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so

session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_permit.so
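The note above on chain order and "short circuit" behaviour, and the Debian common-auth stack in the Active Directory section (pam_ldap, then pam_succeed_if uid eq 0, then pam_unix), are easiest to understand by playing the auth chain through. The following is an added example, not from either article or from Linux-PAM itself: a small model of the four simple control flags that evaluates the two auth stacks from this page for a few login scenarios and reports which modules actually ran. Assumptions: the Debian stack's fallback line is taken to be auth required pam_deny.so (the page shows only its comment); pam_ldap.so with minimum_uid is modelled as returning "ignore" for lower uids; optional results only count when the stack has no required or requisite module; and pam_permit.so and pam_env.so always succeed.

```python
# Added example (not from the page, not Linux-PAM code): evaluate the auth
# chains from this page under the required/requisite/sufficient/optional rules.
from dataclasses import dataclass
from typing import Callable, List, Tuple

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# Debian /etc/pam.d/common-auth from the AD section; pam_deny line assumed.
DEBIAN_COMMON_AUTH = """
auth sufficient pam_ldap.so minimum_uid=1000
auth requisite  pam_succeed_if.so uid eq 0
auth sufficient pam_unix.so nullok_secure
auth required   pam_deny.so
"""

# Arch /etc/pam.d/system-auth auth section from just above.
ARCH_SYSTEM_AUTH = """
auth sufficient pam_ldap.so
auth required   pam_unix.so try_first_pass nullok
auth optional   pam_permit.so
auth required   pam_env.so
"""


@dataclass
class Rule:
    control: str
    module: str
    args: Tuple[str, ...]


def parse_stack(text: str, facility: str = "auth") -> List[Rule]:
    """Read the lines of one facility from pam.d style text."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            rules.append(Rule(fields[1], fields[2], tuple(fields[3:])))
    return rules


def evaluate_stack(rules: List[Rule], run_module: Callable[[Rule], str]):
    """required: failure remembered, chain continues (so later modules still run);
    requisite: failure ends the chain at once; sufficient: success ends the chain
    unless a required module already failed, failure is ignored; optional: only
    counts when the stack has no required/requisite module (simplification)."""
    has_binding = any(r.control in ("required", "requisite") for r in rules)
    trace, required_failed, any_success = [], False, False
    for rule in rules:
        result = run_module(rule)
        trace.append((rule.module, result))
        if result == IGNORE:
            continue
        if rule.control == "required":
            if result == FAIL:
                required_failed = True
            else:
                any_success = True
        elif rule.control == "requisite":
            if result == FAIL:
                return FAIL, trace
            any_success = True
        elif rule.control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS, trace
        elif rule.control == "optional":
            if result == SUCCESS and not has_binding:
                any_success = True
    if required_failed or not any_success:
        return FAIL, trace
    return SUCCESS, trace


def make_runner(uid: int, ldap_ok: bool, local_ok: bool) -> Callable[[Rule], str]:
    """Simulated module behaviour for one login attempt (assumptions as in the lead-in)."""
    def run(rule: Rule) -> str:
        if rule.module == "pam_ldap.so":
            for arg in rule.args:
                if arg.startswith("minimum_uid=") and uid < int(arg.split("=", 1)[1]):
                    return IGNORE          # assumed: accounts below minimum_uid are skipped
            return SUCCESS if ldap_ok else FAIL
        if rule.module == "pam_unix.so":
            return SUCCESS if local_ok else FAIL
        if rule.module == "pam_succeed_if.so":    # only the 'uid eq N' form from the page
            field, op, value = rule.args[:3]
            if (field, op) != ("uid", "eq"):
                raise ValueError("condition not modelled: " + " ".join(rule.args))
            return SUCCESS if uid == int(value) else FAIL
        if rule.module == "pam_deny.so":
            return FAIL
        if rule.module in ("pam_permit.so", "pam_env.so"):
            return SUCCESS
        raise ValueError("module not modelled: " + rule.module)
    return run


def authenticate(stack_text: str, uid: int, ldap_ok: bool, local_ok: bool):
    """Return (final result, names of the modules that actually ran)."""
    result, trace = evaluate_stack(parse_stack(stack_text), make_runner(uid, ldap_ok, local_ok))
    return result, [module for module, _ in trace]


if __name__ == "__main__":
    print("Debian root, local pw  :", authenticate(DEBIAN_COMMON_AUTH, 0, False, True))
    print("Debian uid 1001, AD pw :", authenticate(DEBIAN_COMMON_AUTH, 1001, True, False))
    print("Debian uid 1001, local :", authenticate(DEBIAN_COMMON_AUTH, 1001, False, True))
    print("Arch uid 1001, LDAP pw :", authenticate(ARCH_SYSTEM_AUTH, 1001, True, False))
    print("Arch uid 1001, local pw:", authenticate(ARCH_SYSTEM_AUTH, 1001, False, True))
```

Two things the traces make visible: in the Debian stack a non-root user with only a local password is stopped by the requisite pam_succeed_if line before pam_unix is ever consulted, which is exactly the "local passwords no longer work" behaviour described there; and in the Arch stack a successful pam_ldap short-circuits the chain, so pam_env.so at the end of the auth section never runs for LDAP users, which is why the note says not to reorder the other lines casually.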
Then edit both /etc/pam.d/su and /etc/pam.d/su-l identically. The su-l file is used when the user runs su --login.
Make pam_ldap.so sufficient at the top of each section but below pam_rootok, and add use_first_pass to pam_unix in the auth section.
/etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_ldap.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
To enable users to edit their password, edit /etc/pam.d/passwd:
/etc/pam.d/passwd
#%PAM-1.0
password sufficient pam_ldap.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
password required pam_unix.so sha512 shadow nullok
Create home folders at login
If you want home folders to be created at login (eg: if you are not using NFS to store home folders), edit /etc/pam.d/system-login and add pam_mkhomedir.so to the session section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, sddm, gdm, etc. You might choose to edit additional files in the same way, such as /etc/pam.d/su and /etc/pam.d/su-l to enable it for su and su --login. If you do not want to do this for ssh logins, edit system-local-login instead of system-login, etc.
/etc/pam.d/system-login
...top of file not shown...
session optional pam_loginuid.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077

/etc/pam.d/su-l
...top of file not shown...
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session sufficient pam_ldap.so
session required pam_unix.so
Enable sudo
To enable sudo from an LDAP user, edit /etc/pam.d/sudo. You will also need to modify sudoers accordingly.
/etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
You will also need to add the following to /etc/openldap/ldap.conf:
/etc/openldap/ldap.conf
sudoers_base ou=sudoers,dc=example,dc=org
Online and Offline Authentication with SSSD
SSSD is a system daemon. Its primary function is to provide access to remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will provide D-Bus based interfaces for extended user information. It also provides a better database to store local users as well as extended user data.
Note: You must configure StartTLS for your LDAP server, or SSSD will not work
SSSD Configuration
If it does not exist create /etc/sssd/sssd.conf.
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
cache_credentials = true
enumerate = true

id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://server1.example.org, ldap://server2.example.org
ldap_search_base = dc=example,dc=org
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/cacerts.pem
chpass_provider = ldap
ldap_chpass_uri = ldap://server1.example.org
entry_cache_timeout = 600
ldap_network_timeout = 2

# OpenLDAP supports posixGroup, uncomment the following two lines
# to get group membership support (and comment the other conflicting parameters)
#ldap_schema = rfc2307
#ldap_group_member = memberUid

# Other LDAP servers may support this instead
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
The above is an example only. See sssd.conf(5) for the full details.
Finally, set the file permissions with chmod 600 /etc/sssd/sssd.conf, otherwise sssd will fail to start.
NSCD Configuration
Disable caching for passwd, group and netgroup entries in /etc/nscd.conf as it will interfere with sssd caching.
Keep caching enabled for hosts entries otherwise some services may fail to start.
/etc/nscd.conf
# Begin /etc/nscd.conf
[...]
enable-cache passwd no
[...]
enable-cache group no
[...]
enable-cache hosts yes
[...]
enable-cache netgroup no
[...]
# End /etc/nscd.conf
NSS Configuration
Edit /etc/nsswitch.conf as follows:
/etc/nsswitch.conf
# Begin /etc/nsswitch.conf

passwd: files sss
group: files sss
shadow: files sss
sudoers: files sss

publickey: files

hosts: files dns myhostname
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

# End /etc/nsswitch.conf
PAM Configuration
The first step is to edit /etc/pam.d/system-auth as follows:
/etc/pam.d/system-auth
#%PAM-1.0

auth sufficient pam_sss.so forward_pass
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so

account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so

password sufficient pam_sss.so use_authtok
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_permit.so
Note: If you happen to use GNOME/Keyring: adding 'sufficient' in the beginning of the PAM stack results in Gnome Keyring not being unlocked. For a solution, look at Advanced PAM Configuration.
These PAM changes apply to fresh logins. To also allow the su command to authenticate through SSSD, edit /etc/pam.d/su:
/etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so

auth sufficient pam_sss.so forward_pass
auth required pam_unix.so

account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so

session required pam_unix.so
session optional pam_sss.so
Enable sudo
Edit /etc/pam.d/sudo as follows:
/etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_sss.so
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
Also add the sudo service to the list of enabled services, and the search base, in /etc/sssd/sssd.conf:
/etc/sssd/sssd.conf
[sssd]
...
services = nss, pam, sudo
...

[domain/LDAP]
...
ldap_sudo_search_base = ou=sudoers,dc=example,dc=org
...
Alternately, configure sudo to allow the desired LDAP users to use sudo.
Password Management
In order to enable users to change their passwords using passwd edit /etc/pam.d/passwd as follows:
/etc/pam.d/passwd
#%PAM-1.0
password sufficient pam_sss.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
password required pam_unix.so sha512 shadow nullok
Start/enable sssd.service.
You should now be able to see the details of your LDAP users with getent passwd username or id username.
Once you have logged in as a user, the credentials are cached, and you will be able to log in with the cached credentials when the LDAP server is offline or unavailable.