LDAPClientAuthentication

Differences between revisions 4 and 5
Revision 4 as of 2006-01-01 21:37:02
Size: 5543
Editor: S0106000000cc07fc
Comment: rename to camelcase
Revision 5 as of 2006-01-22 11:02:25
Size: 5555
Editor: 203-206-46-153
Comment: added SunLDAPClientAuthentication, performed major cleanup
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
= Who is this page for? =
This page is intended for everyone who wants to enable his/her ubuntu client to authenticate with an already for authentication configured LDAP server.
= Intended Audience =
This page is intended for anyone who wants to enable his/her Ubuntu client to authenticate with an existing authenticating OpenLDAP server.

Users wishing to authenticate off a Sun Java Enterprise System Directory Server should use the SunLDAPClientAuthentication page instead.
Line 7: Line 9:
You will need to install the packages ''libpam-ldap'' and ''libnss-ldap'' to be able to use LDAP authentication: You will need to install the packages ''libpam-ldap'' and ''libnss-ldap'' to be able to setup LDAP authentication:
Line 11: Line 13:
During install you will be asked the following questions: During installation, you will be asked the following questions:
Line 22: Line 24:
 * After a dialog explaining the different encription methods you will close by selecting ''OK'', you will be asked for the '''encryption method to use before sending your password'''. ''exop'' is usually a very good choice.  * After a dialog explaining the different encryption methods you will close by selecting ''OK'', you will then be asked for the '''encryption method to use before sending your password'''. ''exop'' is usually a good choice.
Line 25: Line 27:
Unfortunately we cannot test if we answered correctly the above questions unless we configure nsswitch.conf first, but this step luckily is pretty easy: Unfortunately we cannot test the above configuration until /etc/nsswitch.conf is configured:
Line 30: Line 32:
and enter the following line, which will replace ''compat'' with ''ldap files'': and enter the following command, which will replace ''compat'' with ''ldap files'':
Line 36: Line 38:
Now you can test if you accomplished the first two steps successfully by using the following line (substitude ''<someldapuser>'' with a user and ''<someldapgroup>'' with a group known by your LDAP server): Now you can test the configuration by using the following line (substitute ''<someldapuser>'' with a user and ''<someldapgroup>'' with a group known by your LDAP server):
Line 126: Line 128:
==== automatically creating home dir on first logon ====
If you want to create the home dir for the user to be created automaticly uppon first logon, you need to edit the file ''common-session'' once again:
==== automatically creating home directory on first logon ====
If you want the home directory for the user to be created automatically upon first logon, you need to edit the ''common-session'' file again:
Line 140: Line 142:
 * I cannot promise this document is free of errors or it works for any given machine, but I've tested it and it works for me  * I cannot promise this document is free of errors or it works for any given machine, but I've tested it and it works for me.
Line 143: Line 145:
 * Most of the information used in this document was found on the following page: http://craige.mcwhirter.com.au/blog/archive/2005/01/17/making_a_debian_or_ubuntu_mach  * Most of the information used in this document was found on the following page: http://craige.mcwhirter.com.au/2005/ubuntu-ldap-client.html

Intended Audience

This page is intended for anyone who wants to enable his/her Ubuntu client to authenticate with an existing authenticating OpenLDAP server.

Users wishing to authenticate off a Sun Java Enterprise System Directory Server should use the SunLDAPClientAuthentication page instead.

Installing and configuring LDAP authentication

1. Install the necessary packages

You will need to install the packages libpam-ldap and libnss-ldap to be able to setup LDAP authentication:

$ sudo apt-get install libpam-ldap libnss-ldap

During installation, you will be asked the following questions:

  • The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com

  • The distinguished name of the search base. For example dc=example,dc=com

  • The LDAP version to use. You usually would choose 3 here.

  • If your database requires logging in. You would usually choose no here.

  • If you want to make configuration readable/writeable by owner only. A no should be the answer to this.

  • A Dialog will follow to explain it cannot manage nsswitch.conf automatically. Just select OK.

  • If you want the local root to be the database admin. You would usually choose yes here.

  • Again If your database requires logging in. You would usually choose no here.

  • Your root login account. For example: cn=manager,dc=example,dc=com

  • Your root password.

  • After a dialog explaining the different encryption methods you will close by selecting OK, you will then be asked for the encryption method to use before sending your password. exop is usually a good choice.

2. Configuring nsswitch.conf

Unfortunately we cannot test the above configuration until /etc/nsswitch.conf is configured:

$ sudo vi /etc/nsswitch.conf

and enter the following command, which will replace compat with ldap files:

:%s/compat/ldap files/g

testing the ''nsswitch.conf'' configuration using ''getent''

Now you can test the configuration by using the following line (substitute <someldapuser> with a user and <someldapgroup> with a group known by your LDAP server):

$ getent passwd <someldapuser>
$ getent group <someldapgroup>

If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM.

Changing the lookup order for ''nsswitch.conf''

You might want to swap around ldap and files to first check your local passwd file before consulting the LDAP server:

$ sudo vi /etc/nsswitch.conf

...and change the lines to show the following:

passwd: files ldap
group:  files ldap
shadow: files ldap

3. Configuring PAM

The PAM configuration is split in 4 files: common-account, common-auth, common-password and common-session

/etc/pam.d/common-account

$ sudo vi /etc/pam.d/common-account

Change the configuration so that the lines show the following:

account sufficient      pam_ldap.so
account required        pam_unix.so

/etc/pam.d/common-auth

$ sudo vi /etc/pam.d/common-auth

Change the configuration so that the lines show the following:

auth    sufficient      pam_ldap.so nullok_secure
auth    required        pam_unix.so use_first_pass

/etc/pam.d/common-password

standard configuration

$ sudo vi /etc/pam.d/common-password

Change the configuration so that the lines show the following:

password        sufficient      pam_ldap.so
password        required        pam_unix.so nullok obscure min=4 max=8 md5

using stronger passwords

If you want stronger passwords, you might be interested in libpam-cracklib:

$ sudo apt-get install libpam-cracklib

You than need to change the configuration of /etc/pam.d/common-password:

$ sudo vi /etc/pam.d/common-password

Change the configuration so that the lines show the following:

password        required        pam_cracklib.so retry=3 minlen=6 difok=3
password        sufficient      pam_ldap.so use_authtok nullok md5
password        required        pam_unix.so use_authtok use_first_pass

/etc/pam.d/common-session

standard configuration

$ sudo vi /etc/pam.d/common-session

Change the configuration so that the lines show the following:

session sufficient      pam_ldap.so
session required        pam_unix.so

automatically creating home directory on first logon

If you want the home directory for the user to be created automatically upon first logon, you need to edit the common-session file again:

$ sudo vi /etc/pam.d/common-session

Change the configuration so that the lines show the following:

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/
session optional        pam_ldap.so

Notes

  • I cannot promise this document is free of errors or it works for any given machine, but I've tested it and it works for me.

Credits


CategoryDocumentation CategoryCleanup

LDAPClientAuthentication (last edited 2008-08-06 16:24:16 by localhost)