LDAPClientAuthentication

Differences between revisions 1 and 2
Revision 1 as of 2006-01-01 17:05:42
Size: 4407
Editor: 212-2-179-81
Comment:
Revision 2 as of 2006-01-01 18:06:06
Size: 5474
Editor: 212-2-179-81
Comment: additional configuration information and error correction

Who is this page for?

This page is intended for everyone who wants to enable their Ubuntu client to authenticate against an LDAP server that is already configured for authentication.

Installing and configuring LDAP authentication

1. Install the necessary packages

You will need to install the packages libpam-ldap and libnss-ldap to be able to use LDAP authentication:

$ sudo apt-get install libpam-ldap libnss-ldap

During install you will be asked the following questions:

  • The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com

  • The distinguished name of the search base. For example: dc=example,dc=com

  • The LDAP version to use. You would usually choose 3 here.

  • Whether your database requires logging in. You would usually choose no here.

  • Whether you want to make the configuration readable/writeable by owner only. The answer to this should be no.

  • A dialog will follow explaining that it cannot manage nsswitch.conf automatically. Just select OK.

  • Whether you want the local root to be the database admin. You would usually choose yes here.

  • Again, whether your database requires logging in. You would usually choose no here.

  • Your root login account. For example: cn=manager,dc=example,dc=com

  • Your root password.

  • After a dialog explaining the different encryption methods (close it by selecting OK), you will be asked for the encryption method to use before sending your password. exop is usually a very good choice.

2. Configuring nsswitch.conf

Unfortunately we cannot test whether we answered the above questions correctly until nsswitch.conf has been configured, but luckily this step is pretty easy:

$ sudo vi /etc/nsswitch.conf

and enter the following vi command, which replaces every compat entry with ldap files:

:%s/compat/ldap files/g

testing the nsswitch.conf configuration using getent

Now you can test whether you accomplished the first two steps successfully by using the following lines (substitute <someldapuser> with a user and <someldapgroup> with a group known by your LDAP server):

$ getent passwd <someldapuser>
$ getent group <someldapgroup>

If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM.

Changing the lookup order for nsswitch.conf

You might want to swap around ldap and files to first check your local passwd file before consulting the LDAP server:

$ sudo vi /etc/nsswitch.conf

...and change the lines to show the following:

passwd: files ldap
group:  files ldap
shadow: files ldap
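Added example (not from the wiki page or its author): a small POSIX shell check that reads an nsswitch.conf and verifies that passwd, group and shadow all list files before ldap, the order recommended above, so local accounts such as root keep resolving even when the LDAP server is unreachable. The sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that an nsswitch.conf consults
# local files before LDAP for passwd, group and shadow, the order recommended
# above, so local accounts keep resolving when the LDAP server is unreachable.
# Prints one line per database; returns 0 only if all three list files before ldap.
# usage: check_nsswitch FILE
check_nsswitch() {
    rc=0
    for db in passwd group shadow; do
        # source list of the first non-comment line for this database
        srcs=$(awk -v key="$db:" '/^[ \t]*#/ { next } $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1")
        files_pos=0; ldap_pos=0; i=0
        for s in $srcs; do
            i=$((i + 1))
            if [ "$s" = "files" ]; then files_pos=$i; fi
            if [ "$s" = "ldap" ]; then ldap_pos=$i; fi
        done
        if [ "$ldap_pos" -eq 0 ]; then
            echo "$db: ldap not listed ($srcs)"; rc=1
        elif [ "$files_pos" -eq 0 ] || [ "$files_pos" -gt "$ldap_pos" ]; then
            echo "$db: local files are not consulted before ldap ($srcs)"; rc=1
        else
            echo "$db: ok ($srcs)"
        fi
    done
    return $rc
}

# Constructed samples: the recommended order, and a variant that asks LDAP first
# and still has shadow on compat.
GOOD=$(mktemp); BAD=$(mktemp)
printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\n' > "$GOOD"
printf '# constructed\npasswd: ldap files\ngroup:  ldap files\nshadow: compat\n' > "$BAD"
check_nsswitch "$GOOD" && echo "GOOD: local files are checked first"
check_nsswitch "$BAD" || echo "BAD: lookup order needs fixing"
rm -f "$GOOD" "$BAD"
```

Run it against the real file with check_nsswitch /etc/nsswitch.conf after editing; a non-zero exit means at least one database still asks LDAP first or does not list ldap at all.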

3. Configuring PAM

The PAM configuration is split into four files: common-account, common-auth, common-password and common-session.

/etc/pam.d/common-account

$ sudo vi /etc/pam.d/common-account

Change the configuration so that the lines show the following:

account sufficient      pam_ldap.so
account required        pam_unix.so

/etc/pam.d/common-auth

$ sudo vi /etc/pam.d/common-auth

Change the configuration so that the lines show the following:

auth    sufficient      pam_ldap.so nullok_secure
auth    required        pam_unix.so use_first_pass

/etc/pam.d/common-password

standard configuration

$ sudo vi /etc/pam.d/common-password

Change the configuration so that the lines show the following:

password        sufficient      pam_ldap.so
password        required        pam_unix.so nullok obscure min=4 max=8 md5

using stronger passwords

If you want stronger passwords, you might be interested in libpam-cracklib:

$ sudo apt-get install libpam-cracklib

You then need to change the configuration of /etc/pam.d/common-password:

$ sudo vi /etc/pam.d/common-password

Change the configuration so that the lines show the following:

password        required        pam_cracklib.so retry=3 minlen=6 difok=3
password        sufficient      pam_ldap.so use_authtok nullok md5
password        required        pam_unix.so use_authtok use_first_pass

/etc/pam.d/common-session

standard configuration

$ sudo vi /etc/pam.d/common-session

Change the configuration so that the lines show the following:

session sufficient      pam_ldap.so
session required        pam_unix.so

automatically creating home dir on first logon

If you want the user's home directory to be created automatically upon first logon, you need to edit the file common-session once again:

$ sudo vi /etc/pam.d/common-session

Change the configuration so that the lines show the following:

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/
session optional        pam_ldap.so
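Added example (not from the wiki page or its author): a shell function that checks a PAM common-auth or common-account file for the shape of the standard configuration above, pam_ldap.so as sufficient followed by a required pam_unix.so fallback (with use_first_pass in common-auth so the password is not asked twice), and points out any nullok option it finds. It does not cover the session variant with pam_mkhomedir, where pam_unix comes first; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): check a PAM common-* file against the
# auth/account stack built above: pam_ldap.so "sufficient", then a "required"
# pam_unix.so fallback, plus use_first_pass on pam_unix in common-auth so the
# user is not prompted twice.  Prints findings; returns 0 only when clean.
# usage: check_pam_stack FILE TYPE    (TYPE is auth or account)
check_pam_stack() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                         # skip comment lines
        NF == 0 { next }                            # skip blank lines
        $1 != want { next }                         # only lines of this type
        { n++; control[n] = $2; module[n] = $3; args[n] = ""
          for (i = 4; i <= NF; i++) args[n] = args[n] " " $i }
        END {
            rc = 0; ldap = 0; fallback = 0
            for (i = 1; i <= n; i++) {
                if (module[i] == "pam_ldap.so") {
                    ldap = i
                    if (control[i] != "sufficient") {
                        print want ": pam_ldap is " control[i] "; an unreachable LDAP server would then block local users"
                        rc = 1 } }
                if (module[i] == "pam_unix.so" && ldap && i > ldap) {
                    fallback = 1
                    if (control[i] != "required") {
                        print want ": pam_unix fallback should be required, not " control[i]; rc = 1 }
                    if (want == "auth" && args[i] !~ /use_first_pass/) {
                        print want ": pam_unix lacks use_first_pass; users get prompted twice"; rc = 1 } }
                if (args[i] ~ /nullok/)
                    print want ": note: " module[i] " carries a nullok option (empty passwords may be accepted)"
            }
            if (!ldap) { print want ": no pam_ldap.so line"; rc = 1 }
            if (ldap && !fallback) { print want ": no pam_unix.so fallback after pam_ldap"; rc = 1 }
            if (rc == 0) print want ": ok"
            exit rc
        }' "$1"
}

# Constructed samples: the common-auth recipe above, and a broken variant with
# the controls swapped and use_first_pass missing.
GOOD=$(mktemp); BAD=$(mktemp)
printf 'auth\tsufficient\tpam_ldap.so nullok_secure\nauth\trequired\tpam_unix.so use_first_pass\n' > "$GOOD"
printf 'auth\trequired\tpam_ldap.so\nauth\tsufficient\tpam_unix.so\n' > "$BAD"
check_pam_stack "$GOOD" auth && echo "GOOD: stack matches the recipe"
check_pam_stack "$BAD" auth || echo "BAD: fix the stack before logging out"
rm -f "$GOOD" "$BAD"
```

Keep a root shell open while changing these files and run check_pam_stack /etc/pam.d/common-auth auth before logging out, since a broken auth stack can lock out every account.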

Notes

  • I cannot promise this document is free of errors or that it works for any given machine, but I've tested it and it works for me.

Credits

  • Most of the information used in this document was found on the following page: http://craige.mcwhirter.com.au/blog/archive/2005/01/17/making_a_debian_or_ubuntu_mach

  • Some additional documentation I found here: http://www.gentoo.org/doc/en/ldap-howto.xml

CategoryDocumentation

LDAPClientAuthentication (last edited 2008-08-06 16:24:16 by localhost)