Usage of PAM-LDAP

Posted By: pmietlicki

Published to Work on Jun 23, 2017

PAM-LDAP

Introduction

pam-ldap lets your Linux users authenticate against your LDAP server. It is generally a good idea to avoid generic shared accounts, for which it is hard to control what happens and to trace what each user does. Another use case is hosting a git repository and letting your users connect with their LDAP account.

Solution for the dummies

Use an all-inclusive package like YunoHost or Univention.

Installation

First check that your server can reach the LDAP server; for example, if your LDAP port is 389 (usually 636 when using SSL), try:

telnet ldap.domain.com 389

The information below comes from the Debian wiki and the Ubuntu wiki.

 apt-get install libnss-ldapd libpam-ldap 

Inside /etc/nslcd.conf :

uri ldap://ldap.domain.com
base ou=domain,ou=sub,o=other,c=fr
filter passwd (&(title=TEC))
filter group (objectClass=groupOfUniqueNames)
ldap_version 3

Another filter, based on group membership via isMemberOf (Sun LDAP, for example):

 filter passwd (isMemberOf=cn=DSI,ou=Groups,ou=domain,ou=sub,o=other,c=fr) 

Inside /etc/nsswitch.conf :

 passwd:         files ldap
 group:          files ldap
 shadow:         files ldap

 hosts:          files dns ldap
 networks:       files ldap

 protocols:      db files
 services:       db files
 ethers:         db files
 rpc:            db files

 netgroup:       nis

Note that the filters only limit which LDAP entries are visible. They are not mandatory, because with this configuration you still have to create the local account (useradd pmietlicki, for example). Only the authentication step is handled by the LDAP server.

The lines below must replace the ones that already exist:

Inside /etc/pam.d/common-account :

account sufficient pam_ldap.so 
account required pam_unix.so

In /etc/pam.d/common-auth :

auth sufficient pam_ldap.so 
auth required pam_unix.so nullok_secure use_first_pass

In /etc/pam.d/common-password :

password sufficient pam_ldap.so 
password required pam_unix.so nullok obscure min=4 max=8 md5
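As an added check (example code written for this page, not the author's), the script below parses the nsswitch.conf and common-* snippets above and flags the orderings that break the local fallback the page relies on: pam_unix before a required pam_ldap locks LDAP-only users out, a required pam_ldap locks local accounts out when the LDAP server is down, and a missing use_first_pass causes a second password prompt. The sample inputs are constructed for the example.

```python
# Constructed sample inputs: the page's common-auth as given, and a
# mis-ordered variant with use_first_pass dropped.
COMMON_AUTH_OK = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""
COMMON_AUTH_BAD = """\
auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so
"""
NSSWITCH_OK = "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n"
NSSWITCH_BAD = "passwd: ldap\ngroup: files ldap\nshadow: files\n"


def parse_pam(text):
    """Return (type, control, module, args) for each non-comment line."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            typ, control, module, *args = line.split()
            rows.append((typ, control, module, args))
    return rows


def audit_pam(text):
    """Findings for a common-auth/-account/-password file; [] if it matches the page."""
    rows = parse_pam(text)
    pos = {module: i for i, (_, _, module, _) in enumerate(rows)}
    if "pam_ldap.so" not in pos or "pam_unix.so" not in pos:
        return ["both pam_ldap.so and pam_unix.so must be present"]
    ldap, unix = rows[pos["pam_ldap.so"]], rows[pos["pam_unix.so"]]
    findings = []
    if pos["pam_unix.so"] < pos["pam_ldap.so"] and unix[1] == "required":
        findings.append("pam_unix.so required before pam_ldap.so: LDAP-only users fail on the local password check")
    if ldap[1] == "required":
        findings.append("pam_ldap.so required: local accounts (root) cannot log in while the LDAP server is unreachable")
    if unix[0] == "auth" and "use_first_pass" not in unix[3]:
        findings.append("pam_unix.so without use_first_pass: a second password prompt appears when LDAP auth fails")
    return findings


def audit_nsswitch(text):
    """Check that passwd/group/shadow resolve local files first, then ldap."""
    findings = []
    for line in text.splitlines():
        db, _, sources = line.partition(":")
        db, srcs = db.strip(), sources.split()
        if db in ("passwd", "group", "shadow"):
            if "ldap" not in srcs:
                findings.append(f"{db}: ldap source missing")
            elif srcs[0] != "files":
                findings.append(f"{db}: files should come before ldap so root resolves when nslcd is down")
    return findings
```

Run audit_pam on each common-* file and audit_nsswitch on /etc/nsswitch.conf before restarting nscd and nslcd; an empty list means the file matches the layout shown above.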

Add the users that you want to have access to your server (must match the uid from the LDAP server) :

 useradd pmietlicki

Restart services :

/etc/init.d/nscd restart
/etc/init.d/nslcd restart 

If you have problems, you can debug it with:

/etc/init.d/nscd stop 
/etc/init.d/nslcd stop 
nslcd -d 

Check that the setup works by listing the users the system now knows about:

 getent passwd 

This query reproduces the LDAP request you will see in the nslcd debug output (the base DN must match the base line in /etc/nslcd.conf):

 ldapsearch -h ldap.domain.com -b ou=domain,ou=sub,o=other,c=fr -x uid=pmietlicki 

You can also enable automatic creation of the home directory at first login by modifying common-session; you will find details on the Ubuntu wiki.

Tags: Authentication, LDAP, PAM
