Admin/SetupGuides/Setting up PAM/LDAP Client

Setting up an LDAP Auth'd Server

Background

You have a central LDAP server. You build a new web server (for example), and you want people to be able to ssh into the new server using their main username and password.

You want to configure the new client server to authenticate off the LDAP server. This is the how-to for that. Note there is a very similar how-to on this wiki already, located at: ../../Move to hex

Install Required Pieces

apt-get install ldap-utils libldap2 libnss-ldap libpam-ldap

You may receive a pop-up asking for settings. The main information to note is:

If you missed a piece of the above config - don't worry, the specifics are outlined below.

Configure Pieces

The main files of concern are:

  1. /etc/pam_ldap.conf

  2. /etc/libnss-ldap.conf

  3. /etc/ldap/ldap.conf

  4. /etc/ldap.secret

  5. /etc/libnss-ldap.secret

  6. /etc/pam_ldap.secret

  7. /etc/nsswitch.conf

  8. /etc/pam.d/common-auth

The above files need configuring and editing. Below are the configs required:

1. /etc/pam_ldap.conf

#host ldap.skynet.ie  # leave this commented out, otherwise the client opens a plain (non-ldaps) connection first
uri ldaps://ldap.skynet.ie

# The distinguished name of the search base.
base dc=skynet,dc=ie

ldap_version 3

rootbinddn cn=accounts,dc=skynet,dc=ie

pam_password exop

nss_base_passwd         ou=People,dc=skynet,dc=ie?one
nss_base_shadow         ou=People,dc=skynet,dc=ie?one
nss_base_group          ou=Group,dc=skynet,dc=ie?one
nss_base_hosts          ou=Hosts,dc=skynet,dc=ie?one
nss_base_services       ou=Services,dc=skynet,dc=ie?one
nss_base_networks       ou=Networks,dc=skynet,dc=ie?one
nss_base_protocols      ou=Protocols,dc=skynet,dc=ie?one
nss_base_rpc            ou=Rpc,dc=skynet,dc=ie?one
nss_base_ethers         ou=Ethers,dc=skynet,dc=ie?one
nss_base_netmasks       ou=Networks,dc=skynet,dc=ie?one
nss_base_bootparams     ou=Ethers,dc=skynet,dc=ie?one
nss_base_aliases        ou=Aliases,dc=skynet,dc=ie?one
nss_base_netgroup       ou=Netgroup,dc=skynet,dc=ie?one

# Attribute/objectclass mapping is only needed for directories that do not follow RFC 2307;
# these are the template lines from the default config and should stay commented out.
#nss_map_attribute       rfc2307attribute        mapped_attribute
#nss_map_objectclass     rfc2307objectclass      mapped_objectclass

2. /etc/libnss-ldap.conf

#host ldap.skynet.ie
uri ldaps://ldap.skynet.ie

# The distinguished name of the search base.
base dc=skynet,dc=ie

ldap_version 3

rootbinddn cn=accounts,dc=skynet,dc=ie

nss_base_passwd         ou=People,dc=skynet,dc=ie?one
nss_base_shadow         ou=People,dc=skynet,dc=ie?one
nss_base_group          ou=Group,dc=skynet,dc=ie?one
nss_base_hosts          ou=Hosts,dc=skynet,dc=ie?one
nss_base_services       ou=Services,dc=skynet,dc=ie?one
nss_base_networks       ou=Networks,dc=skynet,dc=ie?one
nss_base_protocols      ou=Protocols,dc=skynet,dc=ie?one
nss_base_rpc            ou=Rpc,dc=skynet,dc=ie?one
nss_base_ethers         ou=Ethers,dc=skynet,dc=ie?one
nss_base_netmasks       ou=Networks,dc=skynet,dc=ie?one
nss_base_bootparams     ou=Ethers,dc=skynet,dc=ie?one
nss_base_aliases        ou=Aliases,dc=skynet,dc=ie?one
nss_base_netgroup       ou=Netgroup,dc=skynet,dc=ie?one

ssl on

3. /etc/ldap/ldap.conf
BASE dc=skynet,dc=ie
URI ldaps://ldap.skynet.ie

TLS_CACERT  /etc/ssl/certs/cacert.class1.pem
# note: The above cacert.class1.pem will have to be scp'd across from an existing working server. Also beware of logging out before fully configuring PAM and LDAP. Otherwise you might not get back in.

4. /etc/ldap.secret

LDAP Password
# This can be gotten from an existing working server. The file holds the rootbinddn password in clear text, so it must be owned by root and readable only by root.

5. /etc/libnss-ldap.secret

ln -s /etc/ldap.secret /etc/libnss-ldap.secret
# a symlink like above should work fine.

6. /etc/pam_ldap.secret

ln -s /etc/ldap.secret /etc/pam_ldap.secret
# a symlink like above should work fine.

7. /etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

8. /etc/pam.d/common-auth

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure

Testing and Debugging

On the server itself:

id some_ldap_username
finger some_ldap_username
ldapsearch -x
tail /var/log/auth.log
tail /var/log/daemon.log

From another server in the cluster:

ssh username@server
tail /var/log/auth.log (on the server you are trying to ssh into)
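Alongside the manual checks above, the following script (an added example, not part of the original wiki page) lints the pam_ldap.conf / libnss-ldap.conf settings this guide relies on. The sample config files and secret it writes are constructed in a scratch directory; point the functions at the real /etc files to check a live client.

```shell
#!/bin/sh
# Added example, not from the original wiki page: a linter for the
# pam_ldap.conf / libnss-ldap.conf settings this guide depends on. It checks
# that the client talks ldaps:// only (no active "host" or "uri ldap://" line),
# that every nss_base_* search scope is base, one or sub (a "?ne" typo is
# otherwise accepted silently), and that the rootbinddn secret is root-only.

lint_ldap_conf() {
    f="$1"; rc=0
    # An active "host" line makes the client open a plain ldap:// session first.
    grep -Eq '^[[:space:]]*host[[:space:]]' "$f" &&
        { echo "$f: active 'host' line; use 'uri ldaps://' only"; rc=1; }
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$f" ||
        { echo "$f: no 'uri ldaps://...' line"; rc=1; }
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$f" &&
        { echo "$f: plaintext 'uri ldap://' line present"; rc=1; }
    # Report keys whose value ends in ?<scope> with a scope other than base/one/sub.
    bad=$(grep -E '^[[:space:]]*nss_base_[a-z]+[[:space:]]' "$f" |
          awk '{ n = split($2, p, "[?]")
                 if (n > 1 && p[n] != "base" && p[n] != "one" && p[n] != "sub") print $1 }')
    [ -z "$bad" ] || { echo "$f: bad search scope on: $bad"; rc=1; }
    return $rc
}

# True only if the file (following symlinks) exists and is not world-readable.
secret_is_private() {
    [ -f "$1" ] && [ -z "$(find -L "$1" -perm -004 2>/dev/null)" ]
}

# Constructed sample inputs in a scratch directory, not real config files.
TMP=$(mktemp -d)
cat >"$TMP/good.conf" <<'EOF'
#host ldap.skynet.ie
uri ldaps://ldap.skynet.ie
base dc=skynet,dc=ie
nss_base_passwd   ou=People,dc=skynet,dc=ie?one
nss_base_group    ou=Group,dc=skynet,dc=ie?one
EOF
cat >"$TMP/bad.conf" <<'EOF'
host ldap.skynet.ie
uri ldap://ldap.skynet.ie
nss_base_netmasks ou=Networks,dc=skynet,dc=ie?ne
EOF
printf 'example-password\n' >"$TMP/ldap.secret"; chmod 600 "$TMP/ldap.secret"
ln -s "$TMP/ldap.secret" "$TMP/pam_ldap.secret"

lint_ldap_conf "$TMP/good.conf" && echo "good.conf: ok"
lint_ldap_conf "$TMP/bad.conf" || echo "bad.conf: problems found, as expected"
secret_is_private "$TMP/pam_ldap.secret" && echo "pam_ldap.secret: root-only, ok"
```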

Final Points

While debugging, I was wondering whether I should restart:

/etc/init.d/libnss-ldap restart

It gave me an error saying No Directory..Exists.. etc. To solve this I did the following:

mkdir /lib/init/rw

That solved the error.

Other things to check: this guide/how-to should be gone through again with another LDAP setup. Although not strictly necessary, the server may need a reboot to confirm that it picks everything up correctly from boot. This is especially so if /home is to be NFS-mounted, as that has given trouble before.

I've also noticed that all of the above config is not required! Apologies if that's the case.

Limiting People who can Login

Again there may be a slicker way of doing this, but:

vi /etc/security/access.conf
# Allow only the listed users (and root) from anywhere; deny everyone else
+:username1:ALL
+:username2:ALL
+:munin:ALL
+:root:ALL
-:ALL:ALL

and then

vi /etc/pam.d/common-account
account required        pam_access.so
account sufficient      pam_ldap.so
account required        pam_unix.so

Note: I had to include munin, because I realised its cronjobs did happen. I found the appropriate errors in auth.log. No restart of stuff should be necessary.

Disabling User Login (apart from Root)

The above limit on people is NOT ideal, as seen with the problem of munin having to be added! A much better way is as follows:

Ideally we want to auth users via LDAP and Apache, and NOT have them able to log in via ssh.

touch /etc/nologin
less /etc/pam.d/login  #to read about it.

The above disables non-root logins while still allowing apps to run as those users and allowing auth via Apache etc.

Configure Apache to Auth off PAM

apt-get install libapache2-mod-auth-pam
# Check whether it enabled itself in /etc/apache2/mods-enabled/; otherwise run a2enmod auth_pam
vi .htaccess
SSLRequireSSL
DirectoryIndex index.html
AuthPAM_Enabled on
AuthType Basic
AuthName "Monitoring of Skynet Services (Skynet Login: Admins Only)"
#Require valid-user
# As /etc/nologin is in place, we need to select explicitly who can log in.
Require user username1 username2 username3
Order allow,deny
Allow from all

A restart of Apache may be required to pick up changes to PAM.

-steviewdr 08-03-07

last edited 2007-04-12 12:58:19 by 193