LDAP is an alternative to using /etc/shadow and /etc/passwd, or NIS. The advantage that LDAP has over password files is that all information about users and groups can be held on one (centrally administered) server, so the user information does not have to be replicated. The advantage over NIS is that LDAP can be used to store information besides user information (such as Netscape Roaming Profiles) and can be used on multiple platforms (NT, Novell, Solaris, and Linux for starters).
This document is designed to assist in setting up LDAP to manage authentication of users and their session information (UID, GID, shell and home directories).
Two packages are needed to get LDAP working for the client: libpam-ldap to allow authentication via LDAP, and libnss-ldap to allow session information to be sent via LDAP. /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf) contains information about which server holds the LDAP information. Change the BASE and HOST lines to something like the following.
```
BASE o=pc154,c=NZ
HOST pc154
```
The HOST is the host that the LDAP
server resides on, and BASE is the base
node in the LDAP directory.
The base could be any node in the LDAP
directory, but it is easier if it is the root node.
o is the organisation, and could be Foo
inc for all that it matters.
c is the country in which the organisation resides, New Zealand in this case, and can be left out.
/etc/libnss-ldap.conf contains the configuration information for the NSS module, which is in charge of loading the user's session on login. The changes that have to be made to this file are almost the same as those for ldap.conf:
```
host pc154
base o=pc154,c=NZ
scope sub
```
The only difference is that a scope line is added (or uncommented). The scope is the search scope; sub means the whole subtree below the base on the LDAP server is searched.
To authenticate the user the
PAM
configuration files need to be changed.
All PAM configuration files are held in
/etc/pam.d/.
Each service, such as FTP and login, has
a configuration file in this directory.
Generally the modifications that need to be made to the files involve adding lines of the form:
```
type sufficient pam_ldap.so
```
to the configuration files, where type is one of account, auth, password, or session.
The first file that needs to be modified is /etc/pam.d/login, which is responsible for checking whether the user is allowed to log in to a machine.
The full login file looks like this:
```
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix_auth.so try_first_pass
account sufficient pam_ldap.so
account required pam_unix_acct.so
password required pam_ldap.so
session sufficient pam_ldap.so
session required pam_unix_session.so
```
The above lines allow users that do not have LDAP accounts (such as root) to log in, as well as normal users.
Users such as root are typically local to a machine
for security.
For users who log in using X, /etc/pam.d/gdm has to be modified so GDM will use LDAP.
```
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix_auth.so
account sufficient pam_ldap.so
account required pam_unix_acct.so
password required pam_ldap.so
session sufficient pam_ldap.so
session required pam_unix_session.so
```
Changing /etc/pam.d/passwd to include the
following will allow users to change their password.
```
password sufficient pam_ldap.so
```
The su command is used to become another user.
Typically it is used to become the Super User (root) but does
allow any user to become any other user, if they supply the
correct password.
The sample configuration for /etc/pam.d/su is shown
below.
Note the option try_first_pass that is
added to the auth required pam_unix.so
line.
```
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
```
If you have XScreensaver installed you will probably want to change /etc/pam.d/xscreensaver to look like the following.
```
auth sufficient pam_ldap.so
auth required pam_unix_auth.so
```
The PAM configuration for FTP is different from the other services. The main difference is that pam_unix.so is a sufficient module, while pam_ldap.so is required. The ordering does matter: because pam_unix.so comes before pam_ldap.so and is sufficient, a local account is accepted without LDAP being consulted at all.
```
auth sufficient pam_ftp.so
auth sufficient pam_unix.so
auth required pam_ldap.so
account sufficient pam_ldap.so
account required pam_unix_acct.so
session sufficient pam_ldap.so
session required pam_unix_session.so
```
By allowing or disallowing LDAP logins, finer
access control may be maintained.
For example, it is possible to allow normal users to log in only using X, and prevent other methods of login, by removing the pam_ldap.so lines from the other PAM configuration files.
Check all the files in /etc/pam.d/ to see if you
wish to enable LDAP for them.
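To see what a stack like the ones above actually decides before editing a file under /etc/pam.d/, here is an added example (not code from this HOWTO) that models the PAM control flags required, requisite, sufficient and optional as described in pam.conf(5), and evaluates the login and FTP auth stacks from this page. The per-user module outcomes (for instance pam_unix_auth.so failing for a user with no /etc/passwd entry, or pam_ldap.so failing when the server is unreachable) and the reordered FTP variant are constructed for the example.

```python
"""Model how PAM walks a stack of 'required' / 'sufficient' modules.

Added example, not part of the original HOWTO. It follows the control
flag rules of pam.conf(5): a failing 'required' module is remembered but
the stack continues; a failing 'requisite' module ends the stack at once;
a succeeding 'sufficient' module returns success immediately unless an
earlier 'required' module has already failed; 'optional' results are
ignored here. Module outcomes are supplied by the caller, so the effect
of reordering lines can be checked without a live LDAP server.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    mtype: str      # auth, account, password or session
    control: str    # required, requisite, sufficient or optional
    module: str     # e.g. pam_ldap.so
    args: tuple     # trailing options such as try_first_pass


def parse_pam(text):
    """Parse /etc/pam.d/<service>-style lines into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules


def evaluate(rules, mtype, outcomes):
    """True if the `mtype` stack grants access, given each module's result.

    `outcomes` maps module name -> bool (True means PAM_SUCCESS). A module
    missing from the map is treated as failing, which is what pam_ldap.so
    does when the user has no LDAP entry or the server is unreachable.
    """
    required_failed = False
    for rule in rules:
        if rule.mtype != mtype:
            continue
        ok = outcomes.get(rule.module, False)
        if rule.control == "required":
            required_failed = required_failed or not ok
        elif rule.control == "requisite":
            if not ok:
                return False
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True
        elif rule.control != "optional":
            raise ValueError(f"unsupported control flag {rule.control!r}")
    return not required_failed


# The login and FTP auth stacks from this page.
LOGIN = parse_pam("""
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix_auth.so try_first_pass
""")

FTP = parse_pam("""
auth sufficient pam_ftp.so
auth sufficient pam_unix.so
auth required pam_ldap.so
""")

# Constructed variant: the same FTP lines with pam_ldap.so moved to the top.
FTP_LDAP_FIRST = parse_pam("""
auth required pam_ldap.so
auth sufficient pam_ftp.so
auth sufficient pam_unix.so
""")

# Constructed outcomes: which modules would succeed for each kind of user.
LDAP_USER = {"pam_securetty.so": True, "pam_nologin.so": True, "pam_ldap.so": True}
LOCAL_ROOT = {"pam_securetty.so": True, "pam_nologin.so": True,
              "pam_unix_auth.so": True, "pam_unix.so": True}
LDAP_DOWN = {"pam_securetty.so": True, "pam_nologin.so": True}   # LDAP user, server unreachable


def summary():
    """Return the access decision for each (stack, user) pair."""
    return {
        "login/ldap_user": evaluate(LOGIN, "auth", LDAP_USER),
        "login/root": evaluate(LOGIN, "auth", LOCAL_ROOT),
        "login/ldap_down": evaluate(LOGIN, "auth", LDAP_DOWN),
        "ftp/root": evaluate(FTP, "auth", LOCAL_ROOT),
        "ftp_ldap_first/root": evaluate(FTP_LDAP_FIRST, "auth", LOCAL_ROOT),
    }


if __name__ == "__main__":
    for case, granted in summary().items():
        print(f"{case:22} {'allowed' if granted else 'denied'}")
```

The last two cases show why the order of the FTP lines matters: with pam_ldap.so required at the top, a local user such as root is locked out of FTP whenever the LDAP server is down, even though pam_unix.so would have accepted the password.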
An LDAP directory stores information in nodes. Each user has a node that stores all information pertinent to him or her, and each group has a node that stores information about which users are members.
To add information to the LDAP directory use:
```
ldapadd -D cn=admin,ou=people,o=pc154,c=NZ -W
```
This will prompt for a password, and then you type in the information (as below) or use the -f flag to load the information from a file.
The information that is needed for each user is shown below.
```
uid=ajr74,ou=People,o=pc154,c=NZ
uid=ajr74
cn=Andre John Renaud
sn=Renaud
givenname=Andre
objectclass=person
objectclass=posixaccount
objectclass=account
ou=People
uidnumber=30347
gidnumber=9450
homedirectory=/home/masters/ajr74
loginshell=/usr/bin/zsh
```
The first line is the key: it stores the user's ID, the organisational unit the user is in (ou=People), the organisation the LDAP directory belongs to, and the country (the same as the information in the BASE field of the /etc/ldap.conf file).
| Field | Definition |
|---|---|
| uid | User Identification code. |
| cn | Full name. |
| sn | Surname. |
| givenname | Given (usually first) name. |
| objectclass | What sort of record this node is. |
| ou | Organisational Unit. |
| uidnumber | User ID Number (what the UID is mapped to). |
| gidnumber | Group ID Number (the user's primary group). |
| homedirectory | The user's home directory (usually a network drive). |
| loginshell | The login shell of the user (full path). |
The only field that is missing from the above table is
password.
To set the user's password field the administrator has to run
ldappasswd after the account has been created.
Groups are simpler than users, as they have to store less information. A simple group is shown below.
```
cn=masters,ou=Groups,o=pc154,c=NZ
cn=masters
gidnumber=9450
memberuid=ajr74
objectclass=posixGroup
objectclass=top
```
| Field | Definition |
|---|---|
| cn | Group Name |
| gidnumber | Group ID Number (what the name is mapped to) |
| memberuid | User ID of a user who is a member of this group. Usually groups have many memberuid fields. |
| objectclass | What type of node this is. |
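Because libnss-ldap merges directory entries with /etc/passwd, a user node whose uidnumber matches a local account (root above all) would be treated as that account by every tool that resolves UIDs, so the records are worth checking before they are loaded. The following is an added example, not part of this HOWTO: it reads the user and group records above in the attribute=value notation the page uses, checks the fields the two tables describe, flags collisions with local UIDs, and renders a record as standard LDIF (the dn:/attribute: value form that ldapadd reads from a file). MIN_LDAP_UID, ALLOWED_SHELLS, LOCAL_UIDS and the USER_BAD record are constructed assumptions for the example.

```python
"""Check LDAP user and group records before handing them to ldapadd.

Added example, not part of the original HOWTO. It reads records in the
"attribute=value" notation used above (first line is the DN), checks the
fields the tables describe, flags a uidnumber that would shadow a local
account in /etc/passwd (NSS merges both sources), and renders a record
as standard LDIF. MIN_LDAP_UID, ALLOWED_SHELLS, LOCAL_UIDS and USER_BAD
are constructed assumptions for this example.
"""

MIN_LDAP_UID = 1000                                        # assumption
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/zsh"}  # assumption
LOCAL_UIDS = {0: "root", 1: "daemon"}                      # constructed /etc/passwd view


def parse_record(text):
    """Return (dn, attrs); attrs maps lower-cased attribute -> list of values."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    dn, attrs = lines[0], {}
    for line in lines[1:]:
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not attribute=value: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return dn, attrs


def group_gids(records):
    """Map gidnumber -> cn for every posixGroup record."""
    gids = {}
    for rec in records:
        _, a = parse_record(rec)
        if "posixgroup" in {c.lower() for c in a.get("objectclass", [])}:
            gids[int(a["gidnumber"][0])] = a["cn"][0]
    return gids


def check_user(record, local_uids, gids):
    """Return the problems found in a user record (an empty list means it is fine)."""
    _, a = parse_record(record)
    first = {k: v[0] for k, v in a.items()}        # single-valued view of the record
    problems = []
    if "posixaccount" not in {c.lower() for c in a.get("objectclass", [])}:
        problems.append("missing objectclass posixaccount")
    for name in ("uid", "uidnumber", "gidnumber", "homedirectory", "loginshell"):
        if name not in first:
            problems.append(f"missing {name}")
    if "uidnumber" in first:
        uid = int(first["uidnumber"])
        if uid in local_uids:
            problems.append(f"uidnumber {uid} collides with local account {local_uids[uid]}")
        elif uid < MIN_LDAP_UID:
            problems.append(f"uidnumber {uid} is below MIN_LDAP_UID")
    if "gidnumber" in first and int(first["gidnumber"]) not in gids:
        problems.append(f"gidnumber {first['gidnumber']} has no posixGroup")
    if "loginshell" in first and first["loginshell"] not in ALLOWED_SHELLS:
        problems.append(f"loginshell {first['loginshell']} is not in ALLOWED_SHELLS")
    return problems


def to_ldif(record):
    """Render a record as LDIF: a 'dn:' line, then one 'attribute: value' per line."""
    dn, a = parse_record(record)
    lines = [f"dn: {dn}"] + [f"{n}: {v}" for n, vals in a.items() for v in vals]
    return "\n".join(lines) + "\n"


# The user and group records from this page.
USER_OK = """uid=ajr74,ou=People,o=pc154,c=NZ
uid=ajr74
cn=Andre John Renaud
sn=Renaud
givenname=Andre
objectclass=person
objectclass=posixaccount
objectclass=account
ou=People
uidnumber=30347
gidnumber=9450
homedirectory=/home/masters/ajr74
loginshell=/usr/bin/zsh"""

GROUP = """cn=masters,ou=Groups,o=pc154,c=NZ
cn=masters
gidnumber=9450
memberuid=ajr74
objectclass=posixGroup
objectclass=top"""

# Constructed: a record that would shadow root, lacks a home directory
# and uses a shell outside ALLOWED_SHELLS.
USER_BAD = """uid=eve,ou=People,o=pc154,c=NZ
uid=eve
objectclass=posixaccount
uidnumber=0
gidnumber=9450
loginshell=/bin/csh"""

if __name__ == "__main__":
    print(check_user(USER_BAD, LOCAL_UIDS, group_gids([GROUP])))
```

Run the checks against every record destined for the directory and only pass the LDIF from to_ldif to ldapadd -f once the problem list is empty; the group check first and the user check second mirrors the dependency between gidnumber and an existing posixGroup.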