10 Nov 2006 prla   » (Apprentice)

Adventures in LDAP land

Until recently, I honestly had no idea what LDAP was all about. My work has now led me to research it a bit and implement a small solution for the research centre. I still have no idea what LDAP is all about, but here are some scribblings I've gathered on the matter while we're at it.

Getting LDAP to work on Linux with the OpenLDAP tools is largely a matter of figuring out the right schemas, filling the database, and pointing things at it. But why LDAP? When administering a network of more than trivial size, it soon becomes a pain to create and maintain user accounts on every machine. An LDAP server can provide a central point of control for Unix and Samba accounts, as well as for email and web server authentication.

There's always more to it than meets the eye, but in this particular instance what we want is a set of workstations in a private subnet behind a router, which incidentally acts as the LDAP server as well, with central authentication. All user login information is stored on the server, leaving only the local root (and service) accounts on each machine for administration purposes. Moreover, we want each user's home directory to be remotely mounted from an external file server (the HP MSA1000 storage array I've been blabbering about) via NFS. That last part will be covered in a forthcoming post.

Onwards to the configuration. Setting up LDAP involves configuring both the server and however many clients we want using LDAP authentication. In this case we're working on a Debian system; configuration filenames can and will vary across distributions. (The following is, again, in a personal notes style; if you come across this and need any further explanation, feel free to email me and I'll try my best to help.)

SERVER SIDE

# apt-get install slapd ldap-utils

Configuration of these, depending on your setup and environment, should be something along these lines:

Omit OpenLDAP server configuration? no
DNS domain name: ldap.example.org
Name of your organization: example_organization
Admin password: <administrative LDAP password>
Database backend to use: BDB
Do you want your database to be removed when slapd is purged? no
Allow LDAPv2 protocol? no

Now is probably a good time to set up some basic organisational/user/group information. This can be done either from scratch, perhaps using some app to manage LDAP, or from a basic set of LDIF (LDAP Data Interchange Format) files. See http://www.moduli.net/pages/sarge-ldap-auth-howto under "Set Up Base Information and Test User and Group" for more on this. Whichever way you load the entries, give userPassword a hashed value (slappasswd prints an {SSHA} one) rather than the cleartext password.

One nitpick, also covered in the aforementioned guide, is allowing users to change their own details, including their password, as is usually possible when accounts are stored locally. This can be achieved by editing /etc/ldap/slapd.conf and adding:

access to attrs=loginShell,shadowLastChange,gecos
by dn="cn=admin,dc=ldap,dc=example,dc=org" write
by self write
by * read

slapd evaluates access directives in order and uses the first one whose target matches the attribute being touched, so this rule must come before any catch-all such as access to * by * read, or it never fires. It deliberately leaves out userPassword: that attribute needs its own rule (by self write, by anonymous auth, by * none) so that users can change it and bind with it while nobody can read the hashes back. Debian's stock slapd.conf ships exactly such a rule; keep it, and keep it above the catch-all as well.
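The base entries and a test user for the "fill the database" step above, as an added example written for this page (it is not code from the post or from the linked guide). It assumes the base DN and organisation name from the debconf answers, a People/Group layout under the suffix, and constructed uid/gid numbers; the ssha_hash function does the same {SSHA} hashing slappasswd performs, so the emitted userPassword never holds cleartext, and ssha_verify shows how slapd checks a bind against it.

```python
import base64
import hashlib
import os

# Base DN implied by the "DNS domain name: ldap.example.org" answer above.
BASE_DN = "dc=ldap,dc=example,dc=org"


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt).

    This is the scheme slappasswd emits by default, so the value can be loaded
    straight into userPassword and slapd will verify simple binds against it."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def base_ldif(org="example_organization"):
    """The suffix entry plus the ou=People and ou=Group containers."""
    return "\n".join([
        f"dn: {BASE_DN}",
        "objectClass: top",
        "objectClass: dcObject",
        "objectClass: organization",
        "dc: ldap",
        f"o: {org}",
        "",
        f"dn: ou=People,{BASE_DN}",
        "objectClass: organizationalUnit",
        "ou: People",
        "",
        f"dn: ou=Group,{BASE_DN}",
        "objectClass: organizationalUnit",
        "ou: Group",
        "",
    ])


def user_ldif(uid, uid_number, gid_number, cn, sn, password, home_base="/home"):
    """A posixAccount/shadowAccount/inetOrgPerson entry plus a matching
    posixGroup (constructed values); the password is stored hashed only."""
    return "\n".join([
        f"dn: uid={uid},ou=People,{BASE_DN}",
        "objectClass: top",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {sn}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: {home_base}/{uid}",
        "loginShell: /bin/bash",
        f"userPassword: {ssha_hash(password)}",
        "",
        f"dn: cn={uid},ou=Group,{BASE_DN}",
        "objectClass: top",
        "objectClass: posixGroup",
        f"cn: {uid}",
        f"gidNumber: {gid_number}",
        "",
    ])


if __name__ == "__main__":
    print(base_ldif())
    print(user_ldif("jdoe", 1001, 1001, "John Doe", "Doe", "s3cret"))
```

Write the two outputs to files and load them with ldapadd -x -D cn=admin,dc=ldap,dc=example,dc=org -W -f base.ldif (base first, then the user). Once the userPassword rule from the paragraph above is in place, only the admin and the user themselves can touch the hash, and anonymous clients can do no more than bind with it.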
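To see what the ordering caveat means in practice, here is an added example (mine, not the post's or OpenLDAP's code) that models slapd's first-match ACL evaluation for the attribute rule on this page, the userPassword rule from Debian's stock slapd.conf and a catch-all, then audits what each identity can do. The Rule/allowed/audit names and the alice and bob DNs are constructed for the example; the model covers only the <who> forms used here (dn=, self, anonymous, users, *).

```python
from collections import namedtuple

# Access levels in increasing order of privilege (subset used by these rules).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Minimal ACL model: attrs is a set of attribute names, or None for "*".
Rule = namedtuple("Rule", "attrs by")

ADMIN = "cn=admin,dc=ldap,dc=example,dc=org"

# The rule from this page, the userPassword rule Debian's slapd.conf ships,
# then the usual catch-all, in the order they must appear in slapd.conf.
ACL_GOOD = [
    Rule({"loginShell", "shadowLastChange", "gecos"},
         [("dn=" + ADMIN, "write"), ("self", "write"), ("*", "read")]),
    Rule({"userPassword"},
         [("dn=" + ADMIN, "write"), ("anonymous", "auth"),
          ("self", "write"), ("*", "none")]),
    Rule(None, [("*", "read")]),
]

# The same rules with the catch-all first: it matches every attribute, so the
# two specific rules below it are never reached.
ACL_BAD = [ACL_GOOD[2], ACL_GOOD[0], ACL_GOOD[1]]

# Constructed DNs for two ordinary directory users.
ALICE = "uid=alice,ou=People,dc=ldap,dc=example,dc=org"
BOB = "uid=bob,ou=People,dc=ldap,dc=example,dc=org"


def who_matches(who, requester, entry_dn):
    """Does a <who> clause apply to requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError(f"unsupported <who> clause {who!r}")


def allowed(acl, requester, entry_dn, attr, want):
    """slapd's first-match semantics: the first `access to` whose target covers
    attr is the only one consulted; within it the first matching `by` clause
    decides; no matching directive or clause means access is denied."""
    for rule in acl:
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, requester, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(want)
        return False
    return False


def audit(acl):
    """The checks worth running before pointing clients at the server."""
    return {
        "self can change shell": allowed(acl, ALICE, ALICE, "loginShell", "write"),
        "self can change password": allowed(acl, ALICE, ALICE, "userPassword", "write"),
        "anonymous can bind": allowed(acl, None, ALICE, "userPassword", "auth"),
        "anonymous can read hashes": allowed(acl, None, ALICE, "userPassword", "read"),
        "other user can read hashes": allowed(acl, BOB, ALICE, "userPassword", "read"),
        "other user can change shell": allowed(acl, BOB, ALICE, "loginShell", "write"),
    }


if __name__ == "__main__":
    for name, acl in (("good order", ACL_GOOD), ("catch-all first", ACL_BAD)):
        print(name)
        for check, ok in audit(acl).items():
            print(f"  {check}: {ok}")
```

The anonymous auth level on userPassword is what lets a client's simple bind be checked without anyone being able to read the hash back. With the catch-all first, every attribute collapses to world-readable: the hashes can be pulled by anonymous searches, and users lose the ability to change their own shell or password. The same audit can be run against the live server with ldapsearch and ldapmodify bound as each identity.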

CLIENT SIDE

# apt-get install ldap-utils libpam-ldap libnss-ldap nscd

libnss-ldap asks:

LDAP Server host: 1.2.3.4
The distinguished name of the search base: dc=ldap,dc=example,dc=org
LDAP version to use: 3
Database requires login? no
Make configuration readable/writeable by owner only? yes

Owner-only mode on /etc/libnss-ldap.conf only works because nscd, installed above, performs the lookups as root on behalf of user processes; without it, unprivileged processes could not read the file and their LDAP lookups would fail.

libpam-ldap asks:

The distinguished name of the search base: dc=ldap,dc=example,dc=org
Make local root Database admin: yes
Database requires logging in: no
Root login account: cn=admin,dc=ldap,dc=example,dc=org
Root login password: <enter LDAP admin password here>
Local crypt to use when changing passwords: md5

Answering yes to the root admin question stores the directory admin's bind DN and password on the client (Debian keeps the password in /etc/pam_ldap.secret, readable by root only) so that local root can run passwd for LDAP users. It also means that a root compromise on any workstation hands over the whole directory; where that matters, answer no and make such changes on the server instead. The md5 choice makes pam_ldap write an unsalted {MD5} hash into userPassword itself; exop (the LDAP password-modify extended operation) leaves the hashing to slapd, which can then use {SSHA}.

In /etc/nsswitch.conf:

passwd: ldap files
group: ldap files
shadow: ldap files

With ldap listed first, even root's own lookups go to the directory before /etc/passwd is consulted, so when the server is unreachable logins stall until the nss_ldap timeouts expire; listing files first keeps the local root account usable while the server is down.

In /etc/ldap/ldap.conf (the OpenLDAP client library's file, used by ldapsearch and friends; it only treats whole lines starting with # as comments, so keep the note on its own line):

BASE dc=ldap,dc=example,dc=org
# your ldap server IP here
URI ldap://1.2.3.4

Everything in this setup talks plain ldap://, so binds, including every user's password at login, cross the wire in cleartext. Here that is tolerable only because the clients and the server share a private subnet; anywhere less trusted you want ldaps:// or STARTTLS.

Followed by /etc/init.d/nscd restart.

PAM

# apt-get install libpam-passwdqc

Debian keeps a series of files in /etc/pam.d whose names begin with common-; the per-service files in that directory include them. We can tell PAM to use LDAP for all of these services by modifying these common files. In /etc/pam.d/common-password, comment out and replace:

password required pam_unix.so nullok obscure min=4 max=8 md5

or:

password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5

with:

# try password files first, then ldap. enforce use of very strong passwords.
password required pam_passwdqc.so min=disabled,16,12,8,6 max=256
password sufficient pam_unix.so use_authtok md5
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so

Read the pam_passwdqc man page for the parameters it accepts. The min=disabled,16,12,8,6 setting rejects passwords made of a single character class outright and requires at least 16, 12, 8 and 6 characters for two-class passwords, passphrases, three-class and four-class passwords respectively; max=256 is the length cap.

In /etc/pam.d/common-auth comment out:

auth required pam_unix.so nullok_secure

replace with:

# try password file first, then ldap
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

In /etc/pam.d/common-account comment out:

account required pam_unix.so

replace with:

# try password file first, then ldap
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
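The "try password file first, then ldap" comments rely on how the required and sufficient control flags chain. The following is an added example (mine, not the post's and not Linux-PAM code) that simulates that subset of the semantics for the common-auth stack above and for a misordered variant; the two constructed accounts, root in the local shadow file and alice in the directory, and the module_result/run_stack names are assumptions made for the example.

```python
# The common-auth stack from this page, as (control flag, module) pairs.
COMMON_AUTH = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]

# Misordered variant: pam_deny placed before pam_ldap.
MISORDERED_AUTH = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
    ("sufficient", "pam_ldap.so"),
]

# Constructed stand-ins for the real modules: pam_unix only knows accounts
# with a local shadow entry, pam_ldap only those in the directory, and
# pam_deny never succeeds.
LOCAL_SHADOW = {"root": "r00tpw"}
DIRECTORY = {"alice": "alicepw"}


def module_result(module, user, password):
    """True if the named module would accept this user/password pair."""
    if module == "pam_unix.so":
        return LOCAL_SHADOW.get(user) == password
    if module == "pam_ldap.so":
        return DIRECTORY.get(user) == password
    if module == "pam_deny.so":
        return False
    raise ValueError(f"unknown module {module!r}")


def run_stack(stack, user, password):
    """Apply the control-flag rules used here: a failing 'required' module is
    remembered and the stack keeps running, so the caller cannot tell which
    module failed; a succeeding 'sufficient' module ends the stack with
    success unless a 'required' module already failed; a failing
    'sufficient' module is simply ignored. The closing 'required pam_deny.so'
    makes the deny explicit instead of relying on the library's default for
    a stack in which nothing succeeded. Returns (granted, modules consulted)."""
    consulted = []
    required_failed = False
    for control, module in stack:
        consulted.append(module)
        ok = module_result(module, user, password)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return False, consulted


if __name__ == "__main__":
    for user, pw in (("root", "r00tpw"), ("alice", "alicepw"), ("mallory", "guess")):
        print(user, run_stack(COMMON_AUTH, user, pw))
    print("alice, misordered", run_stack(MISORDERED_AUTH, "alice", "alicepw"))
```

root never reaches pam_ldap, alice is authenticated by pam_ldap after pam_unix's failure is ignored, and an unknown user walks the whole stack to pam_deny. In the misordered stack, pam_deny's failure is recorded before pam_ldap runs, so no directory user can ever log in even though pam_ldap accepts the password; that is the failure mode to look for when LDAP users are rejected while local ones work.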

And don't forget to edit /etc/libnss-ldap.conf (which, by the way, on other systems is called /etc/ldap.conf)! That would have saved me an entire afternoon… libpam-ldap keeps its own copy of the same settings in /etc/pam_ldap.conf, so check both if lookups work but logins don't.

