Debian Clusters for Education and Research: The Missing Manual

LDAP Client

From Debian Clusters


This is the third page of a five-part tutorial on LDAP. The full tutorial includes

LDAP Client Overview

The steps involved in setting up an LDAP client consist of

  • configuring NSS
  • configuring PAM

NSS

libnss-ldap

Libnss-ldap is a Name Service Switch (NSS) module that lets the system look up user and group information in LDAP. First, apt-get install libnss-ldap. The installer asks the following questions.

LDAP server Uniform Resource Identifier:

  • Enter the IP address of the computer you set up to act as the LDAP server. If you're setting up a client on the same machine as the server, that will be the default, ldap://127.0.0.1, for the localhost. In my case, the IP is 192.168.1.254, so I entered ldap://192.168.1.254.

Distinguished name of the search base:

  • This is the same search base you specified when setting up the LDAP server. Mine was dc=raptor,dc=loc.

LDAP version to use:

  • Keep the default of 3.

LDAP account for root:

  • This is the account set up earlier. If you used the default earlier, cn was equal to admin, not manager. Mine is cn=admin,dc=raptor,dc=loc.

LDAP root account password:

  • Enter the same password as set up for the LDAP root account.


If you later run dpkg-reconfigure libnss-ldap, you'll get a few more options, but all of these should keep their default values. The extra options are

Does the LDAP database require login?

  • Keep the default of No.

Special LDAP privileges for root?

  • Keep the default of Yes.

Make the configuration file readable/writeable by its owner only?

  • Keep the default of No.

ldap.conf

Finally, the file /etc/ldap/ldap.conf needs to be configured. This file specifies where the computer running the LDAP services can be reached. It should currently contain the lines

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

BASE needs to be replaced with the value for your setup that you specified when configuring the LDAP Server. URI needs to be changed to point to that specific computer via its IP or hostname. The IP is preferable, since it will still work if there are problems with DNS. Both lines need to be uncommented. For instance, my values are

BASE    dc=raptor, dc=loc
URI     ldap://192.168.1.254

nsswitch.conf

/etc/nsswitch.conf controls which sources are consulted, and in what order, when the system looks up a user. Right now it should have values something like these, as well as many others:

passwd:         compat
group:          compat
shadow:         compat

The compat entry specifies that the system should check only the compat source, i.e. the default Unix files: /etc/passwd for passwd, /etc/group for group and /etc/shadow for shadow. We need to change these so that LDAP is checked as well. We'll also change compat to files, which is another way of naming the default files. Change the nsswitch.conf values for the following:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

Notice that files is first. This gives precedence to the local users on the machine before checking LDAP. This is especially important for when the LDAP server may be down.

PAM

PAM, or Pluggable Authentication Modules, provides the backend for nsswitch.conf to communicate with other authentication implementations such as LDAP. This isn't necessary on the LDAP server (unless the LDAP server is also an LDAP client), because the LDAP server isn't authenticating LDAP users to that machine. PAM is responsible for accepting a user's password when they log in, as well as for changing that password. Without PAM configured correctly, you'll see errors like the following.

gyrfalcon:~# passwd mycooluser
passwd: User not known to the underlying authentication module
passwd: password unchanged

Your users also won't be able to log in. Kind of a problem!

libpam-ldap

These are the modules that allow PAM to talk to LDAP. Install with apt-get install libpam-ldap. For most prompts, keep the default settings.

Make local root Database admin.

  • Keep the default of Yes.

Database requires logging in.

  • Keep the default of No.

Root login account

  • Change this to the root user at your domain. Mine is cn=admin,dc=raptor,dc=loc.

Root login password

  • Put in the password for the account you used in the previous step (the "LDAP root password").

PAM Files

Now that the files for PAM to talk to LDAP are in place, you'll need to update the PAM files themselves. All four are located in /etc/pam.d/. These next couple of changes are important: if done incorrectly, they can make your system unbootable. It's a good idea to make a backup at this point, for instance by running rsync -plarv /etc/pam.d/ /etc/pam.d.orig/.

common-account

This is responsible for accounts - who is and who is not allowed on the system. The file should currently consist of a line like this:

account required        pam_unix.so

This line specifies that the system should check for an account with the default UNIX files. You'll want to change it to these two lines:

account sufficient      pam_ldap.so
account required        pam_unix.so try_first_pass

With this configuration, the system first tries to verify the account with LDAP (using pam_ldap.so). If it finds one, that is sufficient for the account to be verified; it doesn't need to have an entry on the local machine as well. If that fails, however, the account must exist on the local machine (pam_unix.so). try_first_pass specifies that the password originally entered by the user should be checked against pam_unix.so after it fails against pam_ldap.so, which saves the user from having to enter their password twice.

common-auth

The file should currently consist of a line like this:

auth    required        pam_unix.so nullok_secure

We want to change this file also to look at LDAP first. nullok_secure specifies that logging in without a password is all right if authentication is accomplished another way, such as with ssh keys. Add the LDAP line before the existing line, and add try_first_pass to the second line, like this:

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure try_first_pass

common-password

This file is involved with changing and manipulating password tokens. The only uncommented line in the file should look like this:

password   required   pam_unix.so nullok obscure min=4 max=8 md5

We want to add the LDAP line before it:

password   sufficient   pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5

This file doesn't need the tag try_first_pass.

common-session

common-session is responsible for what a user can and cannot do once logged in: it controls the limits of the session environment. For instance, it can be used to limit how many processes a user can create, and it is generally used to restrict what users can do on the system. The file should look like this:

session required        pam_unix.so

Again, we need to add the LDAP line, so the file looks like this:

session sufficient      pam_ldap.so
session required        pam_unix.so

Sanity Check

At this point, everything *should* be up and connected to the LDAP server. Without ldap-utils installed you won't have ldapsearch, but that's fine unless you specifically want it. (If you do want it, apt-get install ldap-utils.)

You should be able to change users' passwords both as root and as the user, to become one of your LDAP users with

su - mycooluser

and to look one up with

id mycooluser

Congratulations!
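As an added sanity check (example script written for this page, not part of the original tutorial), the following POSIX shell functions verify the two orderings that matter above: nsswitch.conf must list files before ldap for passwd, group and shadow, and each PAM common-* file must have its "sufficient pam_ldap.so" line before the "required pam_unix.so" line. The sample files it checks are constructed in a temporary directory; on a real client, point the functions at /etc/nsswitch.conf and /etc/pam.d/common-*.

```shell
#!/bin/sh
# Added example, not from the original page: check that nsswitch.conf and the
# PAM common-* files follow the "files/local first, then ldap" layout.

# check_nsswitch FILE: each passwd/group/shadow line must read "files ldap",
# so local accounts (root included) still resolve when the LDAP server is down.
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^$db:[[:space:]]+files[[:space:]]+ldap[[:space:]]*$" "$1" || return 1
    done
    return 0
}

# check_pam FILE TYPE: the "TYPE sufficient pam_ldap.so" line must come before
# the "TYPE required pam_unix.so" line, so an LDAP-only user passes on pam_ldap
# alone. TYPE is one of account, auth, password, session.
check_pam() {
    ldap_line=$(grep -En "^$2[[:space:]]+sufficient[[:space:]]+pam_ldap\.so" "$1" | head -n1 | cut -d: -f1)
    unix_line=$(grep -En "^$2[[:space:]]+required[[:space:]]+pam_unix\.so" "$1" | head -n1 | cut -d: -f1)
    [ -n "$ldap_line" ] && [ -n "$unix_line" ] && [ "$ldap_line" -lt "$unix_line" ]
}

# Constructed sample files for this example (not real system files).
DEMO=$(mktemp -d)
cat > "$DEMO/nsswitch.conf" <<'EOF'
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF
cat > "$DEMO/common-auth" <<'EOF'
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure try_first_pass
EOF
# Wrong ordering: a "required" pam_unix failure sinks the whole stack before
# pam_ldap gets a chance to be sufficient, so LDAP-only users cannot log in.
cat > "$DEMO/common-auth.bad" <<'EOF'
auth    required        pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so
EOF

check_nsswitch "$DEMO/nsswitch.conf" && echo "nsswitch.conf: ok"
check_pam "$DEMO/common-auth" auth && echo "common-auth: ok"
check_pam "$DEMO/common-auth.bad" auth || echo "common-auth.bad: pam_ldap must come before pam_unix"
```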
