LDAP PAM Authentication

03-12-2010, 06:04 PM
Post: #1

Source:
Authenticating with LDAP using Openldap and PAM
copyright simon@imaginator.com

Still to add: History of LDAP, OPENLDAP

Wouldn't it be nice to have a centralised authentication mechanism in Linux? LDAP enables this and much more. LDAP allows all user information to be kept in one place and accessed over the network. Like a centralised /etc/passwd, or NIS, LDAP allows the network administrator to store passwords, user-names, preferences, telephone numbers and anything else they choose in one place. The advantage of this is that you only need to make one change on the LDAP server and it immediately affects permissions and information across the network. One problem that I regularly face is leaving users. Before, I'd have to go to all the computers they could have had accounts on and manually delete them from /etc/passwd. Now it's just a case of removing them from the LDAP directory.

This document describes how to set up the 3 components necessary to authenticate via an LDAP server. They are:

- adding the necessary fields to the LDAP server
- installing and configuring the PAM modules
- installing and configuring the nsswitch libraries

--------------------------------------------------------------------------------
add user information to your LDAP database

To use LDAP authentication we need to add all employees to a database. The best source for this kind of thing is your /etc/passwd, /etc/group and /etc/shadow files. There are some good little migration tools that turn this:

    cat /etc/passwd
    ...
    simon:rF4x4xNEP1bA.:1000:1000:Simon Tenant,Fish-bowl,x 245,:/home/simon:/usr/bin/zsh
    ...

into something like this:

    dn: uid=simon,ou=People,dc=linuxcare,dc=com
    uid: simon
    cn: Simon Tennant
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    userPassword: {crypt}rF4x4xNEP1bA.
    loginShell: /usr/bin/zsh
    uidNumber: 1000
    gidNumber: 1000
    homeDirectory: /home/simon
    gecos: Simon Tennant,Fishbowl,x 245

The magic is available from PADL's migration tools (see resources). There are a couple of scripts in the tarball. The important one is migrate_passwd.pl, which sucks in your /etc/passwd and spits out LDAP entries in ldif format. This script knows how to deal with shadow passwords, but it needs to be able to read /etc/shadow, so run it as root if you're using shadow passwords. The output file holds every user's password hash, so keep it readable by root only and delete it once it has been loaded.

Using your favorite LDAP server you should now load these entries into the LDAP database. For openldap you'd run:

    /etc/init.d/openldapd stop
    ldif2ldbm -i /tmp/converted_passwd.out -f /etc/openldap/slapd.conf
    /etc/init.d/openldapd start

and then check that the entries made it in:

    ldapsearch -b dc=linuxcare,dc=com objectclass=posixaccount

This query is similar to the query that the ldap modules will run, so if you don't get any output now, best go back and check. Also check that you have used a consistent base (dc=...,dc=...).

--------------------------------------------------------------------------------
setting up the pam modules

Linux uses PAM (Pluggable Authentication Modules) for authentication. PAM, as its name suggests, is highly configurable. If you'd like to learn more about PAM see: http://www.kernel.org/pub/linux/libs/pam/ . Have a look at any of the files in /etc/pam.d. The way that pam authentication works is by substituting the module that checks against /etc/passwd and /etc/group with the pam_ldap.so module. Here is sshd's pam configuration:

    cat /etc/pam.d/ssh
    #%PAM-1.0
    auth     required pam_unix.so
    account  required pam_unix.so
    password required pam_unix.so
    session  required pam_unix.so

To use ldap authentication we need to download a module that we can substitute for "pam_unix.so" that will check passwords against the ldap server.
The guys over at PADL (LDAP backwards - geddit?) have a GPL'd pam module that works well with both OpenLDAP and Netscape/iPlanet's Directory Server. Source and RPM packages are available from PADL (see resources), or apt-get install libpam-ldap if you are fortunate enough to use Debian.

The 2 important files are /lib/security/pam_ldap.so, which will talk to the LDAP server, and /etc/pam_ldap.conf, which tells the module which ldap server it should talk to and what query it should make. Go ahead and set up /etc/pam_ldap.conf to suit your organisation. Here's a sample one:

    cat /etc/pam_ldap.conf
    # Your LDAP server.
    host ldap.linuxcare.com

    # The distinguished name of the search base.
    base dc=linuxcare,dc=com

    # Use the V3 protocol to optimize searches
    ldap_version 3

    # Hash password locally; required for University of
    # Michigan LDAP server, and works with Netscape
    # Directory Server if you're using the UNIX-Crypt
    # hash mechanism and not using the NT Synchronization
    # service.
    pam_crypt local

All queries will be sent to ldap.linuxcare.com, using LDAP protocol version 3, and searches start from a base of dc=linuxcare,dc=com. Note that nothing in this file turns on TLS: the traffic between the client and ldap.linuxcare.com, including whatever pam_ldap sends or fetches to check a user's password, crosses the network unencrypted, so either keep both ends on a trusted network or enable ldaps/StartTLS in pam_ldap.conf before putting this into production.

To enable our changes we change the /etc/pam.d/ssh file to read something like this. Modify to suit your environment, and make sure you don't inadvertently lock yourself out of your machine: keep a root shell open and test a fresh login before closing it. Also check that the location of the modules is correct.
    auth     required   /lib/security/pam_nologin.so
    auth     sufficient /lib/security/pam_ldap.so
    auth     required   /lib/security/pam_pwdb.so shadow nodelay
    account  sufficient /lib/security/pam_ldap.so
    account  required   /lib/security/pam_pwdb.so
    password required   /lib/security/pam_cracklib.so
    password required   /lib/security/pam_pwdb.so shadow nullok use_authtok
    session  required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session  required   /lib/security/pam_pwdb.so

Notice the second to last line. That automatically creates a home directory if one does not exist. Two things to be aware of in this stack: pam_ldap is "sufficient", so a user the LDAP server accepts never reaches pam_pwdb, while a user it rejects (or who is not in LDAP at all) falls through to the local /etc/shadow; and the password stanza only lists pam_pwdb, so running passwd on this host changes the local password, not the one stored in LDAP.

--------------------------------------------------------------------------------
setting up the nsswitch libraries

Various functions in the C library which programs like login and passwd depend upon need to be configured to work with ldap. nsswitch is the glue without the goo that enables this. A good example is when you do an ls on a directory containing files that are owned by an ldap user.

    ls -l /home
    drwxr-sr-x  3 redsteel users 1024 Feb 27 05:44 redsteel
    drwxr-sr-x  5 rob      users 1024 May 27 13:54 rob
    drwxr-sr-x  2 robert   users 1024 Sep 12  1999 robert
    drwxr-sr-x  5 rslomkow users 1024 Jul 15 19:40 rslomkow
    drwxr-sr-x  3 10002    users 1024 Jun 22  1999 sam
    drwxr-sr-x 85 10011    users 7168 Jul 24 12:09 simon
    drwxr-sr-x  2 10301    users 1024 Jun 30 17:53 stephane

For this to work ls needs to look up the uids and gids of the files in the directory. Unless the user has a local account this is not doable. Here's where we use nsswitch. We can instruct all programs that depend on the C library to first look up uids and gids in /etc/passwd and /etc/group and then check the ldap server.
    ls -l /home
    drwxr-sr-x  3 redsteel users 1024 Feb 27 05:44 redsteel
    drwxr-sr-x  5 rob      users 1024 May 27 13:54 rob
    drwxr-sr-x  2 robert   users 1024 Sep 12  1999 robert
    drwxr-sr-x  5 rslomkow users 1024 Jul 15 19:40 rslomkow
    drwxr-sr-x  3 sam      users 1024 Jun 22  1999 sam
    drwxr-sr-x 85 simon    users 7168 Jul 24 12:09 simon
    drwxr-sr-x  2 stephane users 1024 Jun 30 17:53 stephane

With nsswitch installed we are able to tell ls to look at the ldap server for uids that it cannot find locally in /etc/passwd. So uid 10002 gets translated to sam, 10011 to simon and so on. Enough about what it does. Let's set it up. Once again the PADL guys have come through for us. Select as appropriate: source or RPM from PADL (see resources), or the Debian package libnss-ldap. We need to tell libnss-ldap where to grab user information from:

    cat /etc/libnss-ldap.conf
    # Your LDAP server. Must be resolvable without using LDAP.
    host ldap.linuxcare.com

    # The distinguished name of the search base.
    base dc=linuxcare,dc=com

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=manager,dc=padl,dc=com

    # The credentials to bind with.
    # Optional: default is no credential.
    #bindpw secret

    # The hashing algorithm your libc uses.
    # Optional: default is des
    #crypt md5
    #crypt sha
    #crypt des

Very little will need to be modified from the default. You'll need to change the ldap server you wish to connect to and where you want to connect to the tree. We connect at the branch of "dc=linuxcare,dc=com". The "must be resolvable without using LDAP" remark matters: the library cannot use LDAP to find the LDAP server, so put the host name in /etc/hosts or DNS. Also, since every process on the machine reads this file, it has to be world-readable; if you do set binddn/bindpw here, give that account nothing beyond read access to the user entries. nsswitch should now be told to use ldap when it does a lookup on uids or gids.

    cat /etc/nsswitch.conf
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group:  files ldap

This setup tells the C library to look at /etc/passwd first and then the ldap server. Test your nsswitch configuration:

    getent passwd

This command will concatenate your /etc/passwd file and your ldap users that match the search

    ldapsearch -b dc=linuxcare,dc=com objectclass=posixaccount

and spit the results out to your screen. You should now see a list of local users and users pulled from the LDAP server.

    stephane:nHBA0fvpJqzvk:1009:100::/home/stephane:/bin/bash
    r3cgm:pCVsIxSgbsuNY:1011:1011:Christopher Mann,,,:/home/r3cgm:/usr/bin/tcsh
    simon:x:15000:100:Simon Tennant (ldap test account):/home/simon:/bin/bash

Notice that the ldap users (in this case 'simon') do not have a crypted password displayed (just an 'x'). This is because the server does not hand the userPassword attribute to the anonymous bind that nss_ldap uses, so the library fills in a placeholder; the password itself is only ever checked by pam_ldap against the server. That is the state you want. If getent shows real hashes for LDAP users, the server's access controls are exposing userPassword to anyone who can query the directory, and they should be tightened before going further.

We now have everything correctly set up on the client end and can begin to test.

--------------------------------------------------------------------------------
Testing:

--------------------------------------------------------------------------------
resources

PADL's migration tools documentation
Openldap's website: the most actively developed opensource ldap server.

Özdemir Şarman aka (Charmant-zavanetratan)
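The conversion that migrate_passwd.pl performs, written out as an added example (this is not code from the original post nor from PADL's tools): a POSIX shell/awk function that turns passwd-format lines into the posixAccount LDIF shown above, pulling the hash from a shadow-format file when the passwd field is "x". The argument order (base DN, passwd file, optional shadow file), the ou=People container, the MIN_UID cutoff that keeps system accounts local, and the sample accounts in the demo are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post or of PADL's migrate_passwd.pl:
# turn /etc/passwd (+ /etc/shadow) entries into posixAccount LDIF entries.
# Assumptions (for illustration): base DN as $1, a passwd-format file as $2,
# an optional shadow-format file as $3; people live under ou=People and only
# accounts with uid >= MIN_UID are exported so system users stay local.

MIN_UID=1000

passwd_to_ldif() {
    base="$1"; passwd_file="$2"; shadow_file="${3:-}"
    awk -F: -v base="$base" -v shadow_file="$shadow_file" -v min_uid="$MIN_UID" '
    BEGIN {
        # Preload shadow hashes so an "x" in the passwd file can be resolved.
        if (shadow_file != "") {
            while ((getline line < shadow_file) > 0) {
                n = split(line, f, ":")
                if (n >= 2) shadow[f[1]] = f[2]
            }
            close(shadow_file)
        }
    }
    NF >= 7 && ($3 + 0) >= (min_uid + 0) {
        user = $1; hash = $2
        if ((hash == "x" || hash == "") && (user in shadow)) hash = shadow[user]
        split($5, gecos, ",")            # cn comes from the full-name part of GECOS
        cn = (gecos[1] != "") ? gecos[1] : user
        printf "dn: uid=%s,ou=People,%s\n", user, base
        printf "uid: %s\n", user
        printf "cn: %s\n", cn
        print  "objectClass: account"
        print  "objectClass: posixAccount"
        print  "objectClass: top"
        # Locked ("!", "*") or empty hashes are not exported: the entry then has
        # no userPassword and the account cannot authenticate through LDAP.
        if (hash != "" && hash != "x" && hash !~ /^[!*]/) printf "userPassword: {crypt}%s\n", hash
        printf "loginShell: %s\n", $7
        printf "uidNumber: %s\n", $3
        printf "gidNumber: %s\n", $4
        printf "homeDirectory: %s\n", $6
        if ($5 != "") printf "gecos: %s\n", $5
        print ""
    }' "$passwd_file"
}

# Stand-alone demo on constructed input (these are not real accounts).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
simon:x:1000:1000:Simon Tennant,Fish-bowl,x 245,:/home/simon:/usr/bin/zsh
sam:nHBA0fvpJqzvk:10002:100::/home/sam:/bin/bash
EOF
    cat > "$tmp/shadow" <<'EOF'
root:!:15000:0:99999:7:::
simon:rF4x4xNEP1bA.:15000:0:99999:7:::
EOF
    passwd_to_ldif "dc=linuxcare,dc=com" "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
fi
```

Run it as root with `sh passwd_to_ldif.sh` after sourcing the function, or `sh passwd_to_ldif.sh --demo` for the constructed sample; feed the result to ldif2ldbm as in the text. The {crypt} prefix assumes the hashes are crypt(3) strings, which is what the getent output above shows; as with migrate_passwd.pl, the output contains live password hashes and must be handled like /etc/shadow.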
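Two checks for the nsswitch step and the getent test above, as an added example (not from the original post): the first confirms that passwd and group lookups go to "files" before "ldap"; the second compares getent output against the local passwd file and flags any user who must have come from LDAP yet shows a real password field instead of the 'x' placeholder, which means the server is handing userPassword to anonymous lookups. Both functions take file paths as arguments so they run on constructed input; in production pass /etc/nsswitch.conf, /etc/passwd and a file holding the output of `getent passwd`. Treating "x" and "*" as the only placeholders, and "not in /etc/passwd" as "came from LDAP", are assumptions that hold for the files/ldap configuration shown.

```shell
#!/bin/sh
# Added example, not part of the original post: client-side checks after the
# nsswitch step. Assumptions: file paths are passed as arguments, "x" and "*"
# are the only legitimate password placeholders, and every user absent from
# the local passwd file came from LDAP (true with "passwd: files ldap").

# 1. Does nsswitch consult "files" before "ldap" for passwd and group?
#    Returns 0 only if both databases read "<db>: files ldap ..." in that order.
nsswitch_order_ok() {
    conf="$1"
    for db in passwd group; do
        # drop comments, pick the db line, keep just its source list
        sources=$(sed 's/#.*//' "$conf" | awk -v db="$db:" '$1 == db { $1 = ""; print }')
        set -- $sources
        [ "${1:-}" = "files" ] && [ "${2:-}" = "ldap" ] || return 1
    done
    return 0
}

# 2. Is the server leaking password hashes to anonymous NSS lookups?
#    Prints one LEAK line per LDAP user whose password field is not a
#    placeholder and returns 1 if any were found, 0 otherwise.
ldap_hash_leak_check() {
    local_passwd="$1"; getent_out="$2"
    awk -F: -v local_file="$local_passwd" '
    BEGIN {
        while ((getline line < local_file) > 0) { split(line, f, ":"); local_user[f[1]] = 1 }
        close(local_file)
        leaks = 0
    }
    NF >= 2 && !($1 in local_user) && $2 != "x" && $2 != "*" {
        printf "LEAK: LDAP user %s exposes password field \"%s\"\n", $1, $2
        leaks++
    }
    END { exit (leaks > 0) }' "$getent_out"
}

# Stand-alone demo on constructed files (not a real system).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'passwd: files ldap\ngroup:  files ldap\nhosts:  files dns\n' > "$tmp/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\nstephane:nHBA0fvpJqzvk:1009:100::/home/stephane:/bin/bash\n' > "$tmp/passwd"
    # constructed getent output in which the LDAP user simon's hash is exposed
    printf 'root:x:0:0:root:/root:/bin/bash\nstephane:nHBA0fvpJqzvk:1009:100::/home/stephane:/bin/bash\nsimon:rF4x4xNEP1bA.:15000:100:Simon Tennant:/home/simon:/bin/bash\n' > "$tmp/getent"
    nsswitch_order_ok "$tmp/nsswitch.conf" && echo "nsswitch order ok"
    ldap_hash_leak_check "$tmp/passwd" "$tmp/getent" || echo "tighten the server ACL on userPassword"
    rm -rf "$tmp"
fi
```

Note that a local, non-shadowed account such as stephane still shows its hash in getent, exactly as in the sample output above; the leak check ignores it because the entry exists in /etc/passwd, so only directory-sourced entries are judged.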