LDAPClientAuthentication
5133
Comment: removing apt-get install instruction
|
5198
added note that libpam-ldap and libnss-ldap are in universe
|
Deletions are marked like this. | Additions are marked like this. |
Line 10: | Line 10: |
Install the following packages: {{{libpam-ldap libnss-ldap}}} (see InstallingSoftware). | Install the following packages: {{{libpam-ldap libnss-ldap}}} (see InstallingSoftware). Note that you have to enable the universe repositories for this. |
Intended Audience
This page is intended for anyone who wants to enable an Ubuntu client to authenticate on an existing OpenLDAP server. For more details on the server installation part see ["OpenLDAPServer"].
For authenticating on a Sun Java Enterprise System Directory Server should consult the ["SunLDAPClientAuthentication"] page.
Installing and configuring LDAP authentication
1. Install the necessary packages
Install the following packages: libpam-ldap libnss-ldap (see InstallingSoftware). Note that you have to enable the universe repositories for this.
During installation, you will be asked the following questions:
The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
The distinguished name of the search base. For example dc=example,dc=com
The LDAP version to use. You usually would choose 3 here.
If your database requires logging in. You would usually choose no here.
If you want to make configuration readable/writeable by owner only. A no should be the answer to this.
A Dialog is displayed explaining it cannot manage nsswitch.conf automatically. Just select OK.
If you want the local root to be the database admin. You would usually choose yes here.
Again If your database requires logging in. You would usually choose no here.
Your root login account. For example: cn=manager,dc=example,dc=com
Your root password.
After, a dialog explaining the different encryption methods to specify the encryption method to use before sending your password. exop is usually a good choice.
2. Configuring nsswitch.conf
Unfortunately we cannot test the above configuration until /etc/nsswitch.conf is configured:
$ sudo vi /etc/nsswitch.conf
and enter the following command, which will replace compat with ldap files:
:%s/compat/ldap files/g
Testing the ''nsswitch.conf'' configuration using ''getent''
Now you can test the configuration by using the following line (substitute <someldapuser> with a user and <someldapgroup> with a group known by your LDAP server):
$ getent passwd <someldapuser> $ getent group <someldapgroup>
If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM.
Changing the lookup order for ''nsswitch.conf''
You might want to swap around ldap and files to first check your local passwd file before consulting the LDAP server:
$ sudo vi /etc/nsswitch.conf
...and change the lines to show the following:
passwd: files ldap group: files ldap shadow: files ldap
3. Configuring PAM
The PAM configuration is split in 4 files: common-account, common-auth, common-password and common-session
/etc/pam.d/common-account
$ sudo vi /etc/pam.d/common-account
Enter the following lines:
account sufficient pam_ldap.so account required pam_unix.so
/etc/pam.d/common-auth
$ sudo vi /etc/pam.d/common-auth
Enter the following lines:
auth sufficient pam_ldap.so auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password
Standard Configuration
$ sudo vi /etc/pam.d/common-password
Enter the following lines:
password sufficient pam_ldap.so password required pam_unix.so nullok obscure min=4 max=8 md5
Using Stronger Passwords
If you want stronger passwords, you might be interested in libpam-cracklib. Install the following packages: libpam-cracklib (see InstallingSoftware).
You than need to change the configuration of /etc/pam.d/common-password:
$ sudo vi /etc/pam.d/common-password
Enter the following lines:
password required pam_cracklib.so retry=3 minlen=6 difok=3 password sufficient pam_ldap.so use_authtok nullok md5 password required pam_unix.so use_authtok use_first_pass
/etc/pam.d/common-session
Standard Configuration
$ sudo vi /etc/pam.d/common-session
Enter the following lines:
session sufficient pam_ldap.so session required pam_unix.so
Automatically creating home directory on first logon
If you want the home directory of the user to be created automatically at first logon, you need to edit the common-session file again:
$ sudo vi /etc/pam.d/common-session
Enter the following lines:
session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ session optional pam_ldap.so
Credits
Most of the information used in this document was found on the following page: http://craige.mcwhirter.com.au/2005/ubuntu-ldap-client.html
Some additional documentation I found here: http://www.gentoo.org/doc/en/ldap-howto.xml
LDAPClientAuthentication (last edited 2008-08-06 16:24:16 by localhost)