LDAP/Client/Linux
Konfiguration der OpenLDAP-Benutzerauthentifizierung
Beschreibung
Sofern Sie kein OpenLDAP-Experte sind, ist eine ausführlichere Dokumentation als hier angegeben erforderlich. Weitere Informationen finden Sie in den Referenzen unter Abschnitt 28.9, "Zusätzliche Ressourcen".
Installation
Stellen Sie sicher, dass die entsprechenden Pakete sowohl auf dem LDAP-Server als auch auf den LDAP-Client-Rechnern installiert sind. Folgende Pakete müssen auf allen LDAP-clients installiert sein.
- openldap
- openldap-clients
- nss_ldap
Anwendungen
Fehlerbehebung
Syntax
Optionen
Parameter
Umgebungsvariablen
Exit-Status
Konfiguration
Bearbeiten Sie auf dem Server die Datei /etc/openldap/slapd.conf auf dem LDAP-Server, um sicherzustellen, dass sie mit den Besonderheiten der Organisation übereinstimmt.
- Anweisungen zum Bearbeiten der Datei slapd.conf finden Sie in Section 28.6.1, “Editing /etc/openldap/slapd.conf”.
Auf den Client-Rechnern müssen sowohl
- /etc/ldap.conf als auch
- /etc/openldap/ldap.conf
die richtigen Server- und Suchbasisinformationen für die Organisation enthalten.
Grafische Konfiguration
Führen Sie dazu das grafische Authentifizierungskonfigurationsprogramm (system-config-authentication) aus und wählen Sie auf der Registerkarte Benutzerinformationen die Option LDAP-Unterstützung aktivieren.
Auf den Client-Rechnern muss die Datei /etc/nsswitch.conf für die Verwendung von LDAP bearbeitet werden.
Führen Sie dazu das Authentifizierungskonfigurationsprogramm (system-config-authentication) aus und wählen Sie auf der Registerkarte Benutzerinformationen die Option LDAP-Unterstützung aktivieren.
Manuelle Konfiguration
Wenn Sie /etc/nsswitch.conf von Hand bearbeiten, fügen Sie ldap zu den entsprechenden Zeilen hinzu.
- Beispiel
passwd: Dateien ldap shadow: dateien ldap group: dateien ldap
Dateien
Sicherheit
Dokumentation
RFC
Man-Pages
Info-Pages
Siehe auch
Links
Projekt-Homepage
Weblinks
Einzelnachweise
Testfragen
Testfrage 1
Testfrage 2
Testfrage 3
Testfrage 4
Testfrage 5
TMP
LDAP Authentication In Linux
This howto will show you how to store your users in LDAP and authenticate some of the services against it. I will not show how to install particular packages, as it is distribution/system dependent. I will focus on "pure" configuration of all components needed to have LDAP authentication/storage of users. The howto assumes somehow, that you are migrating from a regular passwd/shadow authentication, but it is also suitable for people who do it from scratch.Vorlage:Anchor Vorlage:Anchor
Requirements
Introducion
The thing we want to achieve is to have our users stored in LDAP, authenticated against LDAP ( direct or pam ) and have some tool to manage this in a human understandable way.
This way we can use all software, which has LDAP support or fallback to PAM LDAP module, which will act as a PAM->LDAP gateway.
More information on LDAP idea can be found on Wikipedia: LDAP wikipedia
Configuring OpenLDAP
OpenLDAP consists of slapd and slurpd daemon. This howto covers one LDAP server without a replication, so we will focus only on slapd. I also assume you installed and initialized your OpenLDAP installation (depends on system/distribution). If so, let's go to the configuration part.
On my system (Gentoo), OpenLDAP's configuration is stored in /etc/openldap, we are interested in /etc/openldap/slapd.conf file. But first we have to generate a password for LDAP administrator, to put it into the config file:
slappasswd -h {md5}
The config looks like this:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib/openldap/openldap access to attrs=userPassword by dn="uid=root,ou=People,dc=domain,dc=com" write by dn="cn=Manager,dc=domain,dc=com" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=Manager,dc=domain,dc=com" write by * read database bdb suffix "dc=domain,dc=com" rootdn "cn=Manager,dc=domain,dc=com" rootpw {MD5}Tk1sMytv5ipjr+Vhcf03JQ== directory /var/lib/openldap-data index objectClass eq
Remember to change suffix and paths to your needs.
These are basic options with some basic ACLs needed to change passwords by user. If you want more functionality, please read the manual about OpenLDAP. Now when we have a proper config for slapd, we can start the daemon :
service slapd start
Please remember to have something like that in the config file responsible for arguments passed to the slapd (the path should point to the slapd.sock):Vorlage:Anchor Vorlage:Anchor
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
Now we can test if openldap is running and working properly. We do not have any data yet in the directory, but we can try to bind as cn=Manager,dc=domain,dc=com. When you are asked for the password, you should use the one you generated (of course the plain text version of it :):
ldapsearch -D "cn=Manager,dc=domain,dc=com" -W
Migrate/Add data to the directory
Now when we have a running LDAP server, we have to fill it with data, either create or migrate entries. I will show you how to migrate existing entries from regular /etc/passwd, /etc/shadow , /etc/groups
The first step is to configure mogrationtools to your needs. The configuration file on Gentoo is located in /usr/share/migrationtools/migrate_common.ph.
Generally, you need to change only these:
$DEFAULT_BASE = "dc=domain,dc=com"; $EXTENDED_SCHEMA = 1;
Now you are ready to migrate the data (actually it works even without the export command):Vorlage:Anchor Vorlage:Anchor
export ETC_SHADOW=/etc/shadow ./migrate_base.pl > /tmp/base.ldif ./migrate_group.pl /etc/group /tmp/group.ldif ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
Now we have the data in the format understood by the LDAP server. Please open one of the files with a text editor to get used to the syntax. After that, we can add the data from ldifs.
ldapadd -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/base.ldif ldapadd -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/group.ldif ldapadd -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/passwd.ldif ldapadd -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/hosts.ldif
You can try searching for some data:
ldapsearch uid=foouser
Client configuration
By client, I mean the machine, which connects to LDAP server to get users and authorize. It can be also the machine, the LDAP server runs on. In both cases we have to edit three files : /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth
Let's start with ldap.conf, the ldap's client:
BASE dc=domain, dc=com scope sub suffix "dc=domain,dc=com" ## when you want to change user's password by root rootbinddn cn=Manager,dc=domain,dc=com ## there are needed when your ldap dies timelimit 5 bind_timelimit 5 uri ldap://ldap.domain.com/ pam_password exop ldap_version 3 pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberuid nss_base_passwd ou=Computers,dc=cognifide,dc=pl nss_base_passwd ou=People,dc=cognifide,dc=pl nss_base_shadow ou=People,dc=cognifide,dc=pl nss_base_group ou=Group,dc=cognifide,dc=pl nss_base_hosts ou=Hosts,dc=cognifide,dc=pl
Now it is time for nsswitch.conf and pam
Add these to nsswitch.conf:
passwd: files ldap shadow: files ldap group: files ldap
And change the system-auth (or whatever you have like login, sshd etc) to :
auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account sufficient pam_unix.so account sufficient pam_ldap.so account required pam_ldap.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password sufficient pam_ldap.so use_first_pass password required pam_deny.so session required pam_limits.so session required pam_unix.so session optional pam_ldap.so
Time to test it. The best tool for it is a good old getent. Pick a user from your system and issue:
getent passwd | grep foouser
You should get the result twice, if so the nss_ldap works fine. The pam part can be tested by deleting a user from the /etc/passwd and trying to log in through ssh.
Apache mod_auth_ldap
To have LDAP authorization in apache, you have to load mod_auth_ldap moduleAdvertisementVorlage:Anchor
LoadModule mm_auth_ldap_module modules/mod_auth_ldap.so
Now it is enough to make .htaccess like that:
AuthName "Restricted" AuthType Basic AuthLDAPURL ldap://ldap.domain.com:389/ou=People,dc=domain,dc=com?uid AuthLDAPBindDN "cn=Manager,dc=domain,dc=com" AuthLDAPBindPassword "your_secret_secret_password_to_ldap_admin" require valid-user
Note that this method can be also used for WebDAV subversion authorization
Administration tools for LDAP
There are few tool I recommend using to administrate OpenLDAP server * phpldapadmin - web-based tool
- ldapvi - vim browsing
- PADL migrationtools - migration tools
- IDEALX sambaldap tools - samba LDAP tools
Other ldap aware applications
- Postfix
- Courier IMAP
- jabberd
- eGroupware
Summary
If someone has something to add, please do it. I know the configuration may not be perfect.
https://www.howtoforge.com/linux_ldap_authentication
Passwort-Authentifizierung mit Active Directory unter Debian einrichten
Zentrale Verzeichnisdienste wie OpenLDAP oder Active Directory (AD) vereinfachen das Passwort-Management für Administrator und Benutzer. In Bezug auf Linux-Server ist vor allem der Aspekt der SSH-Authentifizierung über ein AD interessant. Aus Sicht der IT-Sicherheit ist diese Lösung ebenfalls vorteilhaft:
- Administratoren müssen nicht mehr für jeden Server unterschiedliche Passwörter wählen und verwalten. Sie können sich mit dem AD-Passwort auf den Servern einloggen.
- Die Passwort-Änderung oder Deaktivierung eines Accounts kann über das AD vorgenommen werden.
- Zentral verwaltete root-Passwörter müssen nicht mehr allen Administratoren bekannt sein.
Der folgende Artikel zeigt, wie unter Debian über mod_pam mit libpam-ldapd eine Authentifizierung mit einem AD konfiguriert wird. Die Authentifizierung gilt nach erfolgter Konfiguration nicht nur für SSH, sondern für alle Services, die PAM verwenden (wie auch z.B. sudo). Da es die libpam-ldapd Packages auch für Ubuntu gibt[1] , kann die Anleitung auch für Ubuntu übernommen werden.
Voraussetzungen und Zweck
Folgende Informationen werden für die Einrichtung benötigt:
- Die LDAP-URL des AD-Servers.
- Die Search oder Base DN, in der sich die Benutzer befinden.
- (empfohlen) Ein Bind DN inkl. Passwort, der zum Durchsuchen des ADs bzw. der Base DN verwendet wird.
- Für TLS
- Die Zertifikatsdatei für die verschlüsselte Kommunikation (da bei der Authentifizierung die Passwörter zwischen Server <-> AD übertragen werden, wird eine verschlüsselte Kommunikation dringend empfohlen).
- Am Server selbst müssen die Benutzer, die sich anmelden wollen, bereits existieren.
Außerdem kurz zusammen gefasst, welche Ziele die unten stehende Anleitung verfolgt: * Passwort-Authentifizierung von Benutzern über die im AD hinterlegten Passwörter.
- Weitere Dinge, wie Gruppen, Home-Pfade o.Ä., werden nicht aus dem AD geholt.
- Der Benutzer root soll sich weiterhin mit dem lokalen Passwort anmelden können.
Achtung Konfigurationen an PAM Modulen können dazu führen, dass Sie sich nicht mehr anmelden/authentifizieren können. Halten Sie sich für den Notfall immer ein root Terminal bereit!
Verbindung zum AD testen
Im ersten Schritt wird die Verbindung zwischen Server<->AD getestet. Bei der Verwendung von LDAP mit START_TLS findet die Kommunikation über Port 389 statt:
# telnet ldap.example.com 389 Trying ... Connected to ldap.example.com Escape character is '^]'.
Anschließend wird über ein ldapsearch eine tatsächliche LDAP-Abfrage durchgeführt (für eine verschlüsselte Verbindung - Parameter '-ZZ' - muss in der Datei /etc/ldap.conf das Zertifikat konfiguriert werden.):
ldapsearch -x -H ldap://ldap.example.com -D "CN=Georg Schönberger,OU=Users,DC=example,DC=com" \ -b OU=Users,DC=example,DC=com -W -ZZ sAMAccountName=gschoenberger
Installation von libpam-ldapd
Die zentrale Komponente am Debian-Server bildet das Package libpam-ldapd (packages.debian.org). Mit diesem Package wird außerdem der Daemon nslcd (packages.debian.org) mit installiert, der für die Kommunikation zwischen Server <-> AD zuständig ist.
# apt-get install libpam-ldapd
[...]
The following NEW packages will be installed:
bind9-host geoip-database ldap-utils libbind9-80 libcap2 libdns88 libgeoip1 libisc84 libisccc80 libisccfg82
liblwres80 libnss-ldapd libpam-ldapd libxml2 nscd nslcd sgml-base xml-core* Datei:Bild1.png
Die LDAP-Url zeigt zum Hostnamen des AD-Servers.
Die Search Base ist jener Teil des Verzeichnisses, in der sich die Benutzer befinden.
Wird das AD nur für die Passwort-Authentifizierung verwendet, muss die Datei nsswitch.conf nicht konfiguriert werden.
Wer die Package-Konfiguration ein weiteres Mal durchführen möchte, um Werte anzupassen, ruft einfach
# dpkg-reconfigure nslcd
auf.
Konfiguration von nslcd
Folgende map und filter Einträge, binddn und bindpw, und TLS Optionen müssen der Datei /etc/nslcd.conf hinzugefügt werden:
[...] base ou=Users,dc=example,dc=com map passwd uid sAMAccountName filter passwd (objectClass=user) # The LDAP protocol version to use. ldap_version 3 # The DN to bind with for normal lookups. binddn cn=reader,dc=example,dc=com bindpw secret
[...] # SSL options ssl start_tls tls_reqcert demand tls_cacertfile /etc/ssl/certs/Example-com-cacert.pem [...]
In der Datei /etc/nslcd.conf befinden sich, wie oben ersichtlich, die getätigten Einstellungen der Package Installation.
Konfiguration von pam_ldap
Grundsätzlich eignet sich die Konfiguration der Package Installation bereits für eine AD-Authentifizierung. Benutzer können sich jedoch mit der Standard-Konfiguration sowohl per AD/LDAP als auch mit lokalem Passwort authentifizieren. Um die lokalen Passwörter für Benutzer - außer root - nicht mehr zu erlauben, muss folgende Änderung in der DateI /etc/pam.d/common-auth.conf vorgenommen werden.
Achtung: Nach dieser Änderung kann nur mehr root sein lokales Passwort verwenden. Alle anderen Benutzer sind auf das AD und eine funktionieren Verbindung zwischen Server<->AD angewiesen:[2]
# vi /etc/pam.d/common-auth [...] auth sufficient pam_ldap.so minimum_uid=1000 auth requisite pam_succeed_if.so uid eq 0 auth sufficient pam_unix.so nullok_secure # here's the fallback if no module succeeds [...]
Danach ist für alle Benutzer mit uid > 1000 eine AD-Authentifizierung zum Anmelden ausreichend. Die lokalen Passwörter funktionieren nicht mehr!
Die Konfiguration der AD-Authentifizierung ist nach den oben genannten Schritten abgeschlossen.
Fehleranalyse
nslcd
Der Daemon nslcd bietet zur Analyse der LDAP-Authentifizierung eine Debus-Modus an:
# nslcd -d nslcd: DEBUG: add_uri(ldap://ldap.example.com) nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,2) [...] nslcd: accepting connections
Wird der Parameter -d öfter angegeben, erhöht sich das Debug-Level von nslcd.
Etwas in die Irre führt die Fehlermeldung
DEBUG: failed to bind to LDAP server ldap://ldap.example.com: Invalid credentials: 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0
die auch auftritt, wenn ein Benutzer-Konto noch nicht am Server existiert.
pam_ldap
Wer die pam-Regeln in der Datei /etc/pam.d/common-auth.conf anpassen möchte, trifft in der Log-Datei /var/log/auth.log den Fehler
pam_succeed_if(sshd:auth): incomplete condition detected
an, wenn die Ausdrücke für pam_succeed_if.so nicht korrekt sind.[3]
Einzelnachweise
- libpam-ldapd (packages.ubuntu.com)
- PAM Explanation (pig.made-it.com)
- Insufficient error checking in pam_succeed_if (bugzilla.redhat.com)
- https://www.thomas-krenn.com/de/wiki/Passwort-Authentifizierung_mit_Active_Directory_unter_Debian_einrichten
LDAP authentication
Introduction and Concepts
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).
The guide is divided into two parts. The first part deals with how to setup an OpenLDAP server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.
NSS and PAM
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.
PAM (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases and then configure PAM to use these sources to authenticate its users.
LDAP Server Setup
Installation
Install the OpenLDAP server and configure the server and client. After you have completed that, return here.
Set up access controls
To make sure that no-one can read the (encrypted) passwords from the LDAP server, but still allowing users to edit some of their own select attributes (such as own password and photo), create and import the following LDIF and restart slapd.service afterwards:
Note: Alter the domain components "example" and "org" to your needs
dn: olcDatabase={1}mdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=cn,givenName,sn,userPassword,shadowLastChange,mail,loginShell,photo by self write by anonymous auth by dn.base="cn=Manager,dc=example,dc=org" write by * none olcAccess: {1}to * by self read by dn.base="cn=Manager,dc=example,dc=org" write by * read
Populate LDAP Tree with Base Data
Create a temporary file called base.ldif with the following text.
base.ldif # example.org dn: dc=example,dc=org dc: example o: Example Organization objectClass: dcObject objectClass: organization
# Manager, example.org dn: cn=Manager,dc=example,dc=org cn: Manager description: LDAP administrator objectClass: organizationalRole objectClass: top roleOccupant: dc=example,dc=org
# People, example.org dn: ou=People,dc=example,dc=org ou: People objectClass: top objectClass: organizationalUnit
# Groups, example.org dn: ou=Group,dc=example,dc=org ou: Group objectClass: top objectClass: organizationalUnit
Add it to your OpenLDAP tree:
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
Test to make sure the data was imported:
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
Adding users
To manually add a user, create an .ldif file like this:
user_joe.ldif dn: uid=johndoe,ou=People,dc=example,dc=org objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: johndoe cn: John Doe sn: Doe givenName: John title: Guinea Pig telephoneNumber: +0 000 000 0000 mobile: +0 000 000 0000 postalAddress: AddressLine1$AddressLine2$AddressLine3 userPassword: {CRYPT}xxxxxxxxxx labeledURI: https://archlinux.org/ loginShell: /bin/bash uidNumber: 9999 gidNumber: 9999 homeDirectory: /home/johndoe/ description: This is an example user
The xxxxxxxxxx in the userPassword entry should be replaced with the value in /etc/shadow or use the slappasswd command. Now add the user:
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif
You can add a group similarly with
group_joe.ldif dn: cn=joe,ou=Group,dc=example,dc=org objectClass: top objectClass: posixGroup cn: joe gidNumber: 9999
Note: You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's openldap-migrationtoolsAUR.
Client Setup
Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with ldapsearch.
Depending on your target, choose either online-only or online and offline authentication.
Online Authentication
NSS Configuration
NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.
Install the nss-pam-ldapd package.
Edit /etc/nsswitch.conf which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:
passwd: files ldap group: files ldap shadow: files ldap
Edit /etc/nslcd.conf and change the base and uri lines to fit your ldap server setup.
Edit the binddn and the bindpw if your LDAP server requires a password. Make sure you change the permission of your /etc/nslcd.conf to 0600 for nslcd to start properly.
Start nslcd.service using systemd.
You now should see your LDAP users when running getent passwd on the client.
PAM Configuration
The basic rule of thumb for PAM configuration is to include pam_ldap.so wherever pam_unix.so is included. Arch moving to pambase has helped decrease the amount of edits required. For more details about configuring pam, the RedHat Documentation is quite good. You might also want the upstream documentation for nss-pam-ldapd.
Tip: If you want to prevent UID clashes with local users on your system, you might want to include minimum_uid=10000 or similar on the end of the pam_ldap.so lines. You will have to make sure the LDAP server returns uidNumber fields that match the restriction.
Note: Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for auth, password, and account is sufficient lines before required, but after required lines for the session section; optional can almost always go at the end. When adding your pam_ldap.so lines, do not change the relative order of the other lines without good reason! Simply insert LDAP within the chain.
First edit /etc/pam.d/system-auth. This file is included in most of the other files in pam.d, so changes here propagate nicely. Updates to pambase may change this file.
Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional.
/etc/pam.d/system-auth auth sufficient pam_ldap.so auth required pam_unix.so try_first_pass nullok auth optional pam_permit.so auth required pam_env.so
account sufficient pam_ldap.so account required pam_unix.so account optional pam_permit.so account required pam_time.so
password sufficient pam_ldap.so password required pam_unix.so try_first_pass nullok sha512 shadow password optional pam_permit.so
session required pam_limits.so session required pam_unix.so session optional pam_ldap.so session optional pam_permit.so
Then edit both /etc/pam.d/su and /etc/pam.d/su-l identically. The su-l file is used when the user runs su --login.
Make pam_ldap.so sufficient at the top of each section but below pam_rootok, and add use_first_pass to pam_unix in the auth section.
/etc/pam.d/su #%PAM-1.0 auth sufficient pam_rootok.so auth sufficient pam_ldap.so # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. #auth required pam_wheel.so use_uid auth required pam_unix.so use_first_pass account sufficient pam_ldap.so account required pam_unix.so session sufficient pam_ldap.so session required pam_unix.so
To enable users to edit their password, edit /etc/pam.d/passwd:
/etc/pam.d/passwd #%PAM-1.0 password sufficient pam_ldap.so #password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 #password required pam_unix.so sha512 shadow use_authtok password required pam_unix.so sha512 shadow nullok
Create home folders at login
If you want home folders to be created at login (eg: if you are not using NFS to store home folders), edit /etc/pam.d/system-login and add pam_mkhomedir.so to the session section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, sddm, gdm, etc. You might choose to edit additional files in the same way, such as /etc/pam.d/su and /etc/pam.d/su-l to enable it for su and su --login. If you do not want to do this for ssh logins, edit system-local-login instead of system-login, etc.
/etc/pam.d/system-login ...top of file not shown... session optional pam_loginuid.so session include system-auth session optional pam_motd.so motd=/etc/motd session optional pam_mail.so dir=/var/spool/mail standard quiet -session optional pam_systemd.so session required pam_env.so session required pam_mkhomedir.so skel=/etc/skel umask=0077 /etc/pam.d/su-l ...top of file not shown... session required pam_mkhomedir.so skel=/etc/skel umask=0077 session sufficient pam_ldap.so session required pam_unix.so
Enable sudo
To enable sudo from an LDAP user, edit /etc/pam.d/sudo. You will also need to modify sudoers accordingly.
/etc/pam.d/sudo #%PAM-1.0 auth sufficient pam_ldap.so auth required pam_unix.so try_first_pass auth required pam_nologin.so
You will also need to add in /etc/openldap/ldap.conf the following:
/etc/openldap/ldap.conf sudoers_base ou=sudoers,dc=example,dc=org
Online and Offline Authentication with SSSD
SSSD is a system daemon. Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will D-BUS based interfaces for extended user information. It provides also a better database to store local users as well as extended user data.
Note: You must configure StartTLS for your LDAP server, or SSSD will not work
SSSD Configuration
If it does not exist create /etc/sssd/sssd.conf.
/etc/sssd/sssd.conf [sssd] config_file_version = 2 services = nss, pam domains = LDAP
[domain/LDAP] cache_credentials = true enumerate = true
id_provider = ldap auth_provider = ldap
ldap_uri = ldap://server1.example.org, ldap://server2.example.org ldap_search_base = dc=example,dc=org ldap_id_use_start_tls = true ldap_tls_reqcert = demand ldap_tls_cacert = /etc/openldap/certs/cacerts.pem chpass_provider = ldap ldap_chpass_uri = ldap://server1.example.org entry_cache_timeout = 600 ldap_network_timeout = 2
# OpenLDAP supports posixGroup, uncomment the following two lines # to get group membership support (and comment the other conflicting parameters) #ldap_schema = rfc2307 #ldap_group_member = memberUid
# Other LDAP servers may support this instead ldap_schema = rfc2307bis ldap_group_member = uniqueMember
The above is an example only. See sssd.conf(5) for the full details.
Finally set the file permissions chmod 600 /etc/sssd/sssd.conf otherwise sssd will fail to start.
NSCD Configuration
Disable caching for passwd, group and netgroup entries in /etc/nscd.conf as it will interfere with sssd caching.
Keep caching enabled for hosts entries otherwise some services may fail to start.
/etc/nscd.conf # Begin /etc/nscd.conf [...] enable-cache passwd no [...] enable-cache group no [...] enable-cache hosts yes [...] enable-cache netgroup no [...] # End /etc/nscd.conf
NSS Configuration
Edit /etc/nsswitch.conf as follows:
/etc/nsswitch.conf # Begin /etc/nsswitch.conf
passwd: files sss group: files sss shadow: files sss sudoers: files sss
publickey: files
hosts: files dns myhostname networks: files
protocols: files services: files ethers: files rpc: files
netgroup: files
# End /etc/nsswitch.conf
PAM Configuration
The first step is to edit /etc/pam.d/system-auth as follows:
/etc/pam.d/system-auth #%PAM-1.0
auth sufficient pam_sss.so forward_pass auth required pam_unix.so try_first_pass nullok auth optional pam_permit.so auth required pam_env.so
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so account required pam_unix.so account optional pam_permit.so account required pam_time.so
password sufficient pam_sss.so use_authtok password required pam_unix.so try_first_pass nullok sha512 shadow password optional pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session required pam_limits.so session required pam_unix.so session optional pam_sss.so session optional pam_permit.so
Note: If you happen to use GNOME/Keyring: adding 'sufficient' in the beginning of the PAM stack results in Gnome Keyring not being unlocked. For a solution, look at Advanced PAM Configuration.
These PAM changes will apply to fresh login. To also allow the su command to authenticate through SSSD, edit /etc/pam.d/su:
/etc/pam.d/su #%PAM-1.0 auth sufficient pam_rootok.so
auth sufficient pam_sss.so forward_pass auth required pam_unix.so
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so account required pam_unix.so
session required pam_unix.so session optional pam_sss.so
Enable sudo
Edit /etc/pam.d/sudo as follows:
/etc/pam.d/sudo #%PAM-1.0 auth sufficient pam_sss.so auth required pam_unix.so try_first_pass auth required pam_nologin.so
Also add sudo service to the list of enabled services and the search base in /etc/sssd/sssd.conf:
/etc/sssd/sssd.conf [sssd] ... services = nss, pam, sudo ...
[domain/LDAP] ... ldap_sudo_search_base = ou=sudoers,dc=example,dc=org ...
Alternately, configure sudo to allow the desired LDAP users to use sudo.
Password Management
In order to enable users to change their passwords using passwd edit /etc/pam.d/passwd as follows:
/etc/pam.d/passwd #%PAM-1.0 password sufficient pam_sss.so #password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 #password required pam_unix.so sha512 shadow use_authtok password required pam_unix.so sha512 shadow nullok
Start/enable sssd.service.
You should now be able to see details of your ldap users with getent passwd username or id username.
Once you have logged in with a user the credentials will be cached and you will be able to login using the cached credentials when the ldap server is offline or unavailable.
Related articles
See also
- The official page of the nss-pam-ldapd packet
- Debian Wiki - LDAP/NSS
- Debian Wiki - LDAP/PAM
- Using LDAP for single authentication
- Heterogeneous Network Authentication Introduction
- Discussion on suse's mailing lists about nss-pam-ldapd
- Fedora's SSSD User Guide