Scribd Logo
Upload

Welcome to Scribd!

  • Ldap Authentication For Linux

    Uploaded by

    Rayapudi Lakshmaiah
    44 views5 pages
    LDAP is a directory server technology that allows information such as usernames and passwords for an entire site to be stored on a central server. This whitepapers describes how to set up a Linux workstation to use an ldap server for user information and authentication.

    Original Description:

    Original Title

    Ldap Authentication for Linux

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    LDAP is a directory server technology that allows information such as usernames and passwords for an entire site to be stored on a central server. This whitepapers describes how to set up a Linux workstation to use an ldap server for user information and authentication.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    44 views5 pages

    Ldap Authentication For Linux

    Uploaded by

    Rayapudi Lakshmaiah
    LDAP is a directory server technology that allows information such as usernames and passwords for an entire site to be stored on a central server. This whitepapers describes how to set up a Linux workstation to use an ldap server for user information and authentication.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    LDAP Authentication for Linux

    LDAP Authentication for Linux


    2002 by metaconsultancy
    LDAP is a directory server technology that allows information such as usernames and
    passwords for an entire site to be stored on a central server. This whitepapers describes
    how to set up a Linux workstation to use an LDAP server for user information and
    authentication.
    Before proceeding, you will need a working LDAP server which can provide you with user
    information. If you need to set one up, consult our OpenLDAP whitepaper for instructions.
    User information consists of such data as mappings between user id numbers and user
    names (used, for example, by ls -l), or home directory locations (used, for example, by
    cd ~). Lookups of such information are handled by the name service subsystem,
    configured in the file /etc/nsswitch.conf. Authentication (password checking), on the
    other hand, is handled by the PAM (plugable authentication module) subsystem,
    configured in the /etc/pam.d/ directory. While these two subsystems can (in fact must)
    be configured seperately, you will likely want both to use LDAP.
    nss-ldap
    Begin by installing the shared library code necessary for the name service to use ldap.
    # apt-get install libnss-ldap
    Next, open the /etc/nsswitch.conf file, and tell the name service subsystem to use
    LDAP to obtain user information.
    nsswitch.conf
    passwd: files ldap
    group: files ldap
    shadow: files ldap
    Note that we do not eliminate the use of flat files, since some users and groups (e.g. root)
    will remain local. If your machines do not use flat files at all and your LDAP server goes
    down, not even root will be able to log in.
    Finally, you need to tell then name service subsystem how to talk to your LDAP server.
    http://www.metaconsultancy.com/whitepapers/ldap-linux.htm (1 di 5)30/09/2004 17.56.17
    LDAP Authentication for Linux
    This is done in the file /etc/libnss-ldap.conf.
    libnss-ldap.conf
    uri ldap://ldap.example.com/ ldap://ldap-backup.example.com/
    base dc=example, dc=org
    The uri directive specifies the domain name (or IP address) of your LDAP server. As our
    example illustrates, you can specify multiple LDAP servers, in which case they will be
    employed in failover fashion. The base directive specifies the root DN at which searches
    should start. For additional information on these and other configuration directives, man
    libnss-ldap.conf.
    nss-ldap expects accounts to be objects with the following attributes: uid, uidNumber,
    gidNumber, homeDirectory, and loginShell. These attributes are allowed by the
    objectClass posixAccount.
    There is a simple way to verify that your name service subsystem is using your LDAP
    server as instructed. Assign a file to be owned by a user that exists only in the LDAP
    database, not in /etc/passwd. If an ls -l correctly shows the username, then the
    name service subsystem is consulting the LDAP database; if it just shows the user
    number, something is wrong. For example, if the user john, with user number 1001, exists
    only in LDAP, we can try
    # touch /tmp/test
    # chown 1001 /tmp/test
    # ls -l /tmp/test
    -rw-r----- 1 john users 0 Jan 1 12:00 test
    to determine whether the the name service is using LDAP.
    pam-ldap
    Next we configure the PAM subsystem to use LDAP for passwords. Begin by installing
    the necessary PAM module.
    # apt-get install libpam-ldap
    The configuration file for the pam_ldap.so module is /etc/pam_ldap.conf.
    http://www.metaconsultancy.com/whitepapers/ldap-linux.htm (2 di 5)30/09/2004 17.56.17
    LDAP Authentication for Linux
    pam_ldap.conf
    uri ldaps://ldap.example.com/
    base dc=example,dc=com
    pam_password exop
    The uri and base directives work the same way they do for /etc/libnss_ldap.conf
    and /etc/ldap/ldap.conf. Notice that we have used ldaps to ensure that
    connections over which passwords are exchanged are encrypted. The directive
    "pam_password exop" tells pam-ldap to change passwords in a way that allows
    OpenLDAP to apply the hashing algorithm specified in /etc/ldap/slapd.conf,
    instead of attempting to hash locally and write the result directly into the database.
    pam-ldap assumes accounts to be ojbects with the following attributes: uid and
    userPassword. The attributes are allowed by the objectClass posixAccount.
    We are now ready to configure individual services to use the LDAP server for password
    checking. Each service that uses PAM for authentication has its own configuration file /
    etc/pam.d/service. To configure a service to use LDAP for password-checking, you
    must modify its PAM configuration file.
    To avoid an in-depth explanation of PAM, we will content ourselves with a few examples.
    Consider first the login program, which handles logins from the text console. A typical
    PAM stack which checks passwords both in /etc/passwd and in the LDAP database
    follows.
    /etc/pam.d/login
    auth required pam_nologin.so
    auth sufficient pam_ldap.so
    auth sufficient pam_unix.so shadow use_first_pass
    auth required pam_deny.so
    After successful password authentication using the auth stack, login checks for the
    existance of an account using the account stack, so it is necessary to reference pam-ldap
    there, too.
    /etc/pam.d/login
    account sufficient pam_unix.so
    account sufficient pam_ldap.so
    account required pam_deny.so
    http://www.metaconsultancy.com/whitepapers/ldap-linux.htm (3 di 5)30/09/2004 17.56.17
    LDAP Authentication for Linux
    Other login-like programs include xdm and gdm (for graphical logins), ssh (for remote
    logins), su (for switching programs), and xlock and xscreensaver (for locked screens).
    Each has its own file in /etc/pam.d/.
    Some applications not only authenticate passwords, but can also be used to change
    them. The prototypical example is of course passwd, the standard password-changing
    utility. Such programs can be configured to use LDAP by modifying their password stack.
    /etc/pam.d/passwd
    password required pam_cracklib.so
    password sufficient pam_ldap.so
    password sufficient pam_unix.so
    password required pam_deny.so
    One convienient application of pam-ldap is to set up "black box" servers that can
    authenticate users for a particular service without having an account on the machine at
    all. Services such as netatalk, (Cyrus) imap, and (Postfix) smtp use PAM. By configuring
    their PAM stacks to use LDAP, while leaving LDAP out of the PAM stacks of services
    such as login and ssh, you can easily create a "black box" server.
    nscd
    To keep your computers from pounding your LDAP server every time a command such
    as ls -l /home is issued on a computer in your organization, it is a good idea to
    configure your workstations to cache some user data. As long as the data in the cache is
    sufficiently fresh, the workstations use in instead of asking your LDAP server again. The
    name server caching daemon (nscd) accomplishes exactly this task.
    To install nscd on Debian, just
    # apt-get install nscd
    The configuration file for nscd is /etc/nscd.conf.
    nscd.conf
    enable-cache passwd yes
    http://www.metaconsultancy.com/whitepapers/ldap-linux.htm (4 di 5)30/09/2004 17.56.17
    LDAP Authentication for Linux
    positive-time-to-live passwd 600
    negative-time-to-live passwd 20
    suggested-size passwd 211
    check-files passwd yes
    http://www.metaconsultancy.com/whitepapers/ldap-linux.htm (5 di 5)30/09/2004 17.56.17

    You might also like