Unix + PAM + LDAP

Document created on 2013-10-09
Nicolas Bondier

 


Contents

Introduction

Prerequisites

Install OpenLDAP server

Install ldap client

Connect with SSH

Links

 


 

Introduction

This document presents the installation of an LDAP server used to authenticate, through PAM, the users of every server in a cluster.

The same directory will back authentication for several services: the Linux command line (PAM and NSS), Samba file shares, Dovecot IMAP authentication and mailbox storage rights, and so on.

Prerequisites

Two Debian machines: one that runs the LDAP server (prompt root@ldap below) and one that authenticates against it (prompt root@client). Nothing else is needed.

Install OpenLDAP server

Install the slapd and ldap-utils packages. Debconf asks for the directory administrator password; the base DN is derived from the machine's domain name (dc=switzernet,dc=com in this setup) and can be changed afterwards with dpkg-reconfigure slapd:

root@ldap:~# aptitude update

root@ldap:~# aptitude install slapd ldap-utils

 

 

Install GOsa:

root@ldap:~# aptitude install gosa

 

Install the additional plugins (SSH public keys and sudo rules) together with their LDAP schemas:

root@ldap:~# aptitude install gosa-plugin-ssh gosa-plugin-ssh-schema gosa-plugin-sudo gosa-plugin-sudo-schema

 

Load all the GOsa schema files (LDIF format) located under /etc/gosa/ into the cn=config database of the running server. ldapadd binds through the local ldapi:/// socket with SASL EXTERNAL, which maps the local root user to the config administrator, so run the loop as root. Each list entry is already an absolute path and is passed to -f as is (do not prefix it with /etc/ldap/schema/); the loop stops at the first file that fails to load:

root@ldap:~# for schema in \
  /etc/gosa/samba3.ldif \
  /etc/gosa/gosystem.ldif \
  /etc/gosa/gofon.ldif \
  /etc/gosa/gofax.ldif \
  /etc/gosa/goto.ldif \
  /etc/gosa/goserver.ldif \
  /etc/gosa/gosa-samba3.ldif \
  /etc/gosa/goto-mime.ldif \
  /etc/gosa/trust.ldif \
  /etc/gosa/pureftpd.ldif \
  /etc/gosa/fai.ldif \
  /etc/gosa/sudo.ldif \
  /etc/gosa/openssh-lpk.ldif \
  /etc/gosa/nagios.ldif \
  /etc/gosa/kolab2.ldif \
  /etc/gosa/dyngroup.ldif; \
do ldapadd -Y EXTERNAL -H ldapi:/// -f "$schema" || break; done

You can confirm the result with an ldapsearch over the same ldapi:/// socket, base cn=schema,cn=config, scope one: each loaded file appears as its own cn={N}name entry.

 

Restart slapd (the schema is applied live through cn=config, but a restart confirms the server still starts cleanly with it):

root@ldap:~# /etc/init.d/slapd restart

 

Open the GOsa setup interface (http://ldap-server/gosa/) and follow the wizard to connect GOsa to the directory. The wizard asks for the LDAP administrator DN and password and writes them into /etc/gosa/gosa.conf, so serve the interface over HTTPS (or at least only from the admin network) rather than plain HTTP, and keep gosa.conf readable by the web server user only.

Install ldap client

 

root@client:~# aptitude install libnss-ldap libpam-ldap

libnss-ldap provides the NSS module (users and groups from LDAP) and libpam-ldap provides pam_ldap.so and /etc/pam_ldap.conf used below; aptitude normally pulls the second one in as a recommended package, but list it explicitly. Debconf asks for the LDAP server URI, the search base, the LDAP protocol version and the bind account to use; answer with the server address and the base DN (ldap://37.187.65.241/ and dc=switzernet,dc=com here). The answers are written to /etc/libnss-ldap.conf and /etc/pam_ldap.conf and can be revisited later with dpkg-reconfigure.

Below are the pam.d configuration files with comments and blank lines stripped (egrep -v '^#|^[ ]*$' FILE). On Debian these files are generated by pam-auth-update from the profiles in /usr/share/pam-configs/; libpam-ldap ships such a profile, so the preferred way is to run pam-auth-update, enable "LDAP Authentication", and then compare the result with the listings. If you edit by hand, remember that the numbers in [success=2 default=ignore] are jump offsets (skip the next N lines on success), so they must be adjusted whenever a line is inserted or removed. Add the missing lines and verify the values:

 

/etc/pam.d/common-auth

auth     [success=2 default=ignore]      pam_unix.so nullok_secure

auth     [success=1 default=ignore]      pam_ldap.so use_first_pass

auth     requisite                       pam_deny.so

auth     required                        pam_permit.so

auth     optional                        pam_smbpass.so migrate

 

/etc/pam.d/common-session

session       [default=1]                     pam_permit.so

session       requisite                       pam_deny.so

session       required                        pam_permit.so

session       required                        pam_unix.so

session       optional                        pam_ldap.so

session       optional                        pam_ck_connector.so nox11

session       required                        pam_mkhomedir.so umask=0077

session       optional                        pam_umask.so

 

/etc/pam.d/common-account

account       [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so

account       [success=1 default=ignore]      pam_ldap.so

account       requisite                       pam_deny.so

account       required                        pam_permit.so

 

/etc/pam.d/common-password

password     [success=2 default=ignore]      pam_unix.so obscure sha512

password     [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass

password     requisite                       pam_deny.so

password     required                        pam_permit.so

password     optional                        pam_smbpass.so nullok use_authtok use_first_pass
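The order and the bracketed numbers above are easy to get wrong. To see how Linux-PAM actually walks these lines, here is a small evaluator written for this page (it is not code from the original document or from Linux-PAM). It models the control-field rules of pam_dispatch.c and runs the common-auth stack listed above through three scenarios, plus a hypothetical mis-edited stack in which a line was inserted before pam_deny.so without bumping the jump counts; the pam_echo.so line in that variant is an invented placeholder.

```python
"""Simplified model of how Linux-PAM walks a stack such as the common-auth listed above.

Added example, not code from the original page or from Linux-PAM: it follows the
control-field rules of pam_dispatch.c (ok/done/bad/die/ignore/reset and numeric jumps)
closely enough to show why the counts in "[success=2 default=ignore]" matter.
include/substack are not supported. Module results are supplied per scenario.
"""
import re

SUCCESS, AUTH_ERR, IGNORE = "success", "auth_err", "ignore"

# Keyword controls, as Linux-PAM defines them in terms of the bracket syntax.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# pam_permit always succeeds; pam_deny always fails (PAM_AUTH_ERR in an auth stack).
FIXED = {"pam_permit.so": SUCCESS, "pam_deny.so": AUTH_ERR}

LINE = re.compile(r"^(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)(?:\s+.*)?$")


def parse_stack(text):
    """Return [(module, {return_code: action})] for the non-comment lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE.match(line)
        if not match:
            raise ValueError("unparsable PAM line: " + line)
        control = match.group(2)
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        actions = dict(token.split("=", 1) for token in spec.split())
        stack.append((match.group(3), actions))
    return stack


def evaluate(stack, scenario):
    """Walk the stack; scenario maps module -> return code (unlisted modules return PAM_IGNORE).

    Returns (final status, trace). impression: None = undecided, True/False = positive/negative.
    """
    impression, status, grantor, skip, trace = None, SUCCESS, False, 0, []
    for module, actions in stack:
        if skip:                                  # inside a "[success=N]" jump
            skip -= 1
            trace.append(f"{module}: skipped")
            continue
        retval = FIXED.get(module, scenario.get(module, IGNORE))
        action = actions.get(retval, actions.get("default", "bad"))
        trace.append(f"{module}: {retval} -> {action}")
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression and status == SUCCESS):
                if retval != IGNORE or impression is None:
                    impression, status = True, retval   # positive only while nothing failed
            if impression and retval == SUCCESS:
                grantor = True
            if action == "done" and impression:
                break
            if action.isdigit():
                skip = int(action)                    # skip the next N lines
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval    # the first failure fixes the result
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, SUCCESS
        # "ignore": the module contributes nothing to the result
    if status == SUCCESS and not grantor:
        status = "perm_denied"                        # no module actually granted access
    return status, trace


# The common-auth stack from this page.
COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite                  pam_deny.so
auth required                   pam_permit.so
auth optional                   pam_smbpass.so migrate
"""

# Hypothetical mis-edit: a line inserted in front of pam_deny.so without bumping the
# jump counts above it (pam_echo.so is only a placeholder for "some extra module").
COMMON_AUTH_MISEDITED = COMMON_AUTH.replace(
    "auth requisite", "auth optional                   pam_echo.so file=/etc/issue.net\nauth requisite")

SCENARIOS = {
    "local user, good password": {"pam_unix.so": SUCCESS},
    # pam_unix cannot verify an LDAP-only user (no readable shadow hash), so it fails
    "ldap user, good password": {"pam_unix.so": AUTH_ERR, "pam_ldap.so": SUCCESS},
    "wrong password": {"pam_unix.so": AUTH_ERR, "pam_ldap.so": AUTH_ERR},
}


def outcome(text, scenario):
    """Final PAM status for one stack and one scenario."""
    return evaluate(parse_stack(text), scenario)[0]


if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        status, trace = evaluate(parse_stack(COMMON_AUTH), scenario)
        print(f"{name}: {status}\n  " + "\n  ".join(trace))
    # A local user is now denied: the jump from pam_unix lands on pam_deny.
    print("mis-edited stack, local user:",
          outcome(COMMON_AUTH_MISEDITED, SCENARIOS["local user, good password"]))
```

The mis-edited variant shows the failure mode that matters here: after the extra line, a local user with a correct password is refused, because the "success=2" jump from pam_unix.so now lands on pam_deny.so instead of pam_permit.so. The same reasoning applies to the common-account and common-password stacks above.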

 

/etc/nsswitch.conf

passwd:         compat ldap

group:          compat ldap

shadow:         compat ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4

networks:       files

protocols:      db files

services:       db files

ethers:         db files

rpc:            db files

netgroup:       nis

 

/etc/pam_ldap.conf

base dc=switzernet,dc=com

uri ldap://37.187.65.241/

ldap_version 3

pam_password crypt

Two points to check before using this file outside a lab. With a plain ldap:// URI to a routed address, every PAM authentication sends the user's password to the server in clear text (simple bind); use ldaps://, or keep ldap:// and add ssl start_tls together with tls_cacertfile (the CA that signed the server certificate) and tls_checkpeer yes, otherwise a spoofed server is accepted. pam_password crypt makes the client compute a crypt(3) hash for password changes and write it with an ordinary modify, so the client decides the hash algorithm; pam_password exop uses the password-modify extended operation and lets slapd apply its own hashing and password policy.
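The two weak spots of this file, clear-text binds and client-side password hashing, can be checked mechanically. The following Python checker is an added example (not from the original page or from the pam_ldap project); it parses the key/value format of /etc/pam_ldap.conf, reports on the configuration shown above, and compares it with a hardened variant. The CA bundle path /etc/ssl/certs/switzernet-ldap-ca.pem in that variant is an assumption.

```python
"""Audit a PADL pam_ldap.conf for clear-text binds and client-side password hashing.

Added example, not from the original page or from pam_ldap. The file format is
"key value" per line, comments start with '#', and the last occurrence of a key wins.
"""
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_pam_ldap_conf(text):
    """Return {key: value} for the non-comment lines of a pam_ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def audit(conf):
    """Return a list of human-readable findings; an empty list means no weakness found."""
    findings = []
    uris = conf.get("uri", "").split()
    if not uris and "host" in conf:                 # legacy host/port form
        uris = ["ldap://%s/" % conf["host"]]
    starttls = conf.get("ssl", "").lower() == "start_tls"
    for uri in uris:
        parsed = urlsplit(uri)
        if parsed.scheme == "ldap" and parsed.hostname not in LOCAL_HOSTS and not starttls:
            findings.append(f"{uri}: simple binds send user passwords in clear text; "
                            "use ldaps:// or 'ssl start_tls'")
        if parsed.scheme == "ldaps" or starttls:
            if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
                findings.append("TLS enabled but no tls_cacertfile/tls_cacertdir: "
                                "the server certificate cannot be validated")
            if conf.get("tls_checkpeer", "").lower() != "yes":
                findings.append("tls_checkpeer is not 'yes': a forged server certificate "
                                "would be accepted")
    if conf.get("pam_password", "").lower() == "crypt":
        findings.append("pam_password crypt: the client chooses the hash (crypt(3)); "
                        "'exop' lets slapd apply its own password policy")
    if conf.get("ldap_version", "3") != "3":
        findings.append("ldap_version should be 3")
    return findings


# The client configuration shown on this page.
PAGE_CONF = """\
base dc=switzernet,dc=com
uri ldap://37.187.65.241/
ldap_version 3
pam_password crypt
"""

# Hardened variant. Assumption: the server certificate is signed by a CA whose bundle
# is installed on the client at /etc/ssl/certs/switzernet-ldap-ca.pem.
HARDENED_CONF = """\
base dc=switzernet,dc=com
uri ldap://37.187.65.241/
ldap_version 3
ssl start_tls
tls_cacertfile /etc/ssl/certs/switzernet-ldap-ca.pem
tls_checkpeer yes
pam_password exop
"""

if __name__ == "__main__":
    for label, text in (("page config", PAGE_CONF), ("hardened config", HARDENED_CONF)):
        findings = audit(parse_pam_ldap_conf(text))
        print(f"{label}: {'clean' if not findings else ''}")
        for item in findings:
            print("  -", item)
```

Run against the real file with parse_pam_ldap_conf(open("/etc/pam_ldap.conf").read()); the same directives apply to /etc/libnss-ldap.conf, which is read by the NSS module and carries the bind credentials for lookups.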


 

Connect with SSH

Create a user in GOsa and enable its POSIX (Unix) settings; this adds the posixAccount attributes that NSS and sshd need (uidNumber, gidNumber, homeDirectory, loginShell):

If everything worked, you should be able to log in to the client over SSH with the LDAP account; pam_mkhomedir, configured in common-session above, creates the home directory (mode 0700 because of umask=0077) on first login.
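Before trying ssh, it is worth confirming that the new account resolves through NSS with every attribute a login needs. The script below is an added example (not from the original page): it uses Python's pwd and grp modules, which go through the same nsswitch.conf configured above, and lists what is missing (no entry at all, an unresolvable primary group, an empty homeDirectory, a loginShell absent from /etc/shells). Run it on the client as any user; it does not read shadow data.

```python
"""Pre-flight check of an LDAP account as NSS (and therefore sshd) sees it.

Added example, not part of the original page. pwd and grp resolve through glibc's NSS,
i.e. through the "passwd: compat ldap" and "group: compat ldap" lines of nsswitch.conf,
so a GOsa user whose POSIX tab was never filled in is caught here before trying ssh.
"""
import grp
import os
import pwd


def read_shells(path="/etc/shells"):
    """Shells accepted for login; None when the file is absent (the check is then skipped)."""
    try:
        with open(path) as fh:
            return {line.strip() for line in fh if line.strip() and not line.startswith("#")}
    except OSError:
        return None


def check_account(name, shells=None):
    """Return a report dict; report["ok"] is True only when nothing blocks an SSH login."""
    report = {"user": name, "resolvable": False, "problems": [], "notes": []}
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        report["problems"].append("not resolvable through NSS: check nsswitch.conf, "
                                  "the LDAP URI/base and the posixAccount attributes")
        report["ok"] = False
        return report
    report.update(resolvable=True, uid=pw.pw_uid, gid=pw.pw_gid,
                  home=pw.pw_dir, shell=pw.pw_shell)
    if pw.pw_uid == 0 and name != "root":
        report["problems"].append("uidNumber is 0: this account is root")
    try:
        report["group"] = grp.getgrgid(pw.pw_gid).gr_name
    except KeyError:
        report["problems"].append(f"primary gid {pw.pw_gid} has no group entry "
                                  "(posixGroup missing?)")
    # Supplementary groups, as "id" would list them.
    report["groups"] = sorted(g.gr_name for g in grp.getgrall() if name in g.gr_mem)
    if not pw.pw_dir.startswith("/"):
        report["problems"].append("homeDirectory is empty or relative")
    elif not os.path.isdir(pw.pw_dir):
        report["notes"].append("home directory missing; pam_mkhomedir creates it at first login")
    shells = read_shells() if shells is None else shells
    if shells is not None and pw.pw_shell not in shells:
        report["problems"].append(f"loginShell {pw.pw_shell!r} is not listed in /etc/shells")
    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    import sys
    for user in sys.argv[1:] or ["root"]:
        rep = check_account(user)
        print(user, "OK" if rep["ok"] else "PROBLEMS")
        for item in rep["problems"] + rep["notes"]:
            print("  -", item)
```

A user that is present in GOsa but not resolvable here points at the client side (libnss-ldap.conf, nsswitch.conf, network reachability of the server), whereas a resolvable user with an unlisted shell or a missing group points at the LDAP entry itself.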

 

 

 

 

Links


This document: http://switzernet.com/3/public/131007-ldap-gosa-unix/

Debian LDAP PAM: https://wiki.debian.org/fr/LDAP/PAM

Gosa: https://oss.gonicus.de/labs/gosa

OpenLDAP: http://www.openldap.org/

 

This document is related to the project including:

Ceph cluster: http://switzernet.com/3/public/130925-ceph-cluster/

Dovecot + Ceph: http://switzernet.com/3/public/130910-ceph-dovecot/

 

 

 

 

 

 

 

 

 

 

 

*                  *                  *

Copyright © 2013 by Switzernet