LDAP authentication

I wanted to use LDAP to authenticate users on several computers and for several services. It took me a while to find out how to set this up. This page provides the information needed to use OpenLDAP to authenticate users.

Before you can use OpenLDAP you have to install it first:

apt-get install slapd ldap-utils libldap2

Now you need to configure OpenLDAP. The configuration lives in two files in the /etc/ldap directory: ldap.conf, which is read by the client tools and libraries (ldapsearch, ldapadd and the like), and slapd.conf, which configures the server.

In ldap.conf make sure the BASE and URI lines look like this (the client tools then need no -b or -H options):

BASE  dc=debooy,dc=eu
URI ldap://ldap.debooy.eu/

In slapd.conf make sure that there are two index entries; objectClass and uid are the attributes NSS and PAM search on, and searches on unindexed attributes are slow:

index           objectClass eq
index           uid         eq

While setting things up, consider setting loglevel to 256 (statistics for connections, operations and results) and lowering it again once everything works.

Now stop OpenLDAP, rebuild the indexes, start it again with the new configuration and check the contents. slapindex must run while slapd is stopped and, when run as root, leaves the database files owned by root, which is why they are chowned back to openldap before slapd is started:

invoke-rc.d slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
ls -l /var/lib/ldap/
invoke-rc.d slapd start
ldapsearch -x

The result should look like:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# debooy.eu
dn: dc=debooy,dc=eu
objectClass: top
objectClass: dcObject
objectClass: organization
o: debooy.eu
dc: debooy

# admin, debooy.eu
dn: cn=admin,dc=debooy,dc=eu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Now that OpenLDAP is responding we can create the tree structure that will hold the users and groups. Put the following entries in an LDIF file, initldap.ldif:

dn: ou=People,dc=debooy,dc=eu
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=debooy,dc=eu
ou: Group
objectClass: organizationalUnit

Load it with the following command:

ldapadd -c -x -D cn=admin,dc=debooy,dc=eu -W -f initldap.ldif

Now that the structure is present we can add the users. For each user create a file like the one below; it first creates a private group for the user (group and user share the number 20000 here) and then the user itself. Note that the entry sets no userPassword, so nobody can authenticate as this user against the directory until one is added (slappasswd generates a hash suitable for the userPassword attribute, and ldappasswd can set the password on an existing entry):

dn: cn=dummy,ou=Group,dc=debooy,dc=eu
cn: dummy
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=dummy,ou=People,dc=debooy,dc=eu
uid: dummy
uidNumber: 20000
gidNumber: 20000
cn: dummy, john
sn: dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/dummy

Insert the file with the command:

ldapadd -c -x -D cn=admin,dc=debooy,dc=eu -W -f user.ldif
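As an added example (not code from the original page), the following Python script generates the two LDIF files from the steps above, the People/Group tree and a user with its private group, and additionally sets a userPassword in the {SSHA} scheme that slappasswd emits by default, because the page's user entry has none and therefore cannot bind. The base DN and the dummy user follow the page; the login-name syntax check, the 4-byte salt and the sample password are assumptions.

```python
#!/usr/bin/env python3
"""Build the LDIF for the People/Group tree and for one POSIX user (added example).

Not from the original page: it mirrors the entries entered by hand above and adds a
userPassword in slapd's {SSHA} scheme so the user can actually bind. The base DN and
the dummy user follow the page; the salt size and the uid syntax rule are assumptions.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

BASE_DN = "dc=debooy,dc=eu"                 # from the page's ldap.conf
PEOPLE_OU = "ou=People," + BASE_DN
GROUP_OU = "ou=Group," + BASE_DN
UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumption: POSIX-style login names only


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slappasswd writes it: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)                  # short random salt, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """What slapd does on a simple bind: split off the salt, rehash, compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """One attribute line; base64 ('::') encode values RFC 2849 forbids in clear text."""
    unsafe_init = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if value == "" or unsafe_init or unsafe_char:
        return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return name + ": " + value


def tree_ldif() -> str:
    """The two organizationalUnit entries the page loads as initldap.ldif."""
    return (
        "dn: " + PEOPLE_OU + "\nou: People\nobjectClass: organizationalUnit\n\n"
        "dn: " + GROUP_OU + "\nou: Group\nobjectClass: organizationalUnit\n"
    )


def user_ldif(uid: str, uid_number: int, given: str, sn: str, password_hash: str,
              gid_number: Optional[int] = None, shell: str = "/bin/bash") -> str:
    """Private posixGroup plus posixAccount/shadowAccount entry as on the page, with a password."""
    if not UID_RE.fullmatch(uid):
        # uid goes into the DN unescaped; reject anything that would need RFC 4514 escaping
        raise ValueError("uid must be a plain lowercase login name: " + repr(uid))
    if gid_number is None:
        gid_number = uid_number                # page convention: private group, same number
    group = [
        "dn: cn=" + uid + "," + GROUP_OU,
        ldif_attr("cn", uid),
        ldif_attr("gidNumber", str(gid_number)),
        "objectClass: top",
        "objectClass: posixGroup",
    ]
    user = [
        "dn: uid=" + uid + "," + PEOPLE_OU,
        ldif_attr("uid", uid),
        ldif_attr("uidNumber", str(uid_number)),
        ldif_attr("gidNumber", str(gid_number)),
        ldif_attr("cn", given + " " + sn),
        ldif_attr("sn", sn),
        ldif_attr("userPassword", password_hash),  # absent on the page: without it no bind works
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_attr("loginShell", shell),
        ldif_attr("homeDirectory", "/home/" + uid),
    ]
    return "\n".join(group) + "\n\n" + "\n".join(user) + "\n"


if __name__ == "__main__":
    # Prints both files; "dummy" and its password are constructed sample data.
    print(tree_ldif())
    print(user_ldif("dummy", 20000, "John", "Dummy", ssha("change-me-on-first-login")))
```

Redirect the two printed entries into initldap.ldif and user.ldif and load them with the ldapadd commands shown above; slapd will then verify simple binds against the {SSHA} value exactly as verify_ssha does here. Values that RFC 2849 does not allow in clear (leading space or colon, non-ASCII, newlines) are emitted base64-encoded with the `::` separator, and the login name is checked before it is placed in the DN, since a comma or plus sign there would change the entry's position in the tree.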

Now install the packages that let NSS and PAM use LDAP:

apt-get install libnss-ldap nscd
apt-get install libpam-ldap

Both ldap packages ask debconf questions during installation. Answer No to each yes/no question, and choose crypt when asked which local crypt to use for passwords.

nscd is the Name Service Cache Daemon; it caches passwd, group and host lookups. Because of that cache, a change to /etc/nsswitch.conf only takes effect once nscd has been restarted. Change the passwd, group and shadow lines in /etc/nsswitch.conf to:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

Also change the /etc/libnss-ldap.conf:

base dc=debooy,dc=eu
uri ldap://ldap.debooy.eu/

Restart nscd so it drops its cache:

invoke-rc.d nscd stop
invoke-rc.d nscd start

Now we can change the PAM configuration. For this you need to change four files. Note that both /etc/libnss-ldap.conf and /etc/pam_ldap.conf point at a plain ldap:// URI, so every simple bind, including the one pam_ldap performs with the user's password, crosses the network in cleartext. Unless the server runs on the same host or on an otherwise trusted network, use an ldaps:// URI or add ssl start_tls (with tls_cacertfile pointing at the CA certificate) to both files and configure slapd for TLS.

/etc/pam_ldap.conf

base dc=debooy,dc=eu
uri ldap://ldap.debooy.eu/

/etc/pam.d/common-account

account sufficient      pam_unix.so
account required        pam_ldap.so

/etc/pam.d/common-auth

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

/etc/pam.d/common-session

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
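To see what the common-auth stack above actually decides, here is an added example (Python, not part of the original page) that evaluates its three lines under the Linux-PAM control-flag rules for a few scripted users. The stack text is the page's; the return codes assumed for pam_unix and pam_ldap in each scenario are assumptions about what those modules would return, and pam_permit is simply taken to succeed.

```python
#!/usr/bin/env python3
"""Walk the page's common-auth stack the way Linux-PAM does (added example, not from the page).

Module results per scenario are assumptions; pam_permit.so is not scripted and always
succeeds. The model covers ok/done/bad/die/ignore/reset and numeric jumps and leaves
out the PAM_NEW_AUTHTOK_REQD special case of the real dispatcher.
"""
import re
from typing import Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # what Linux-PAM returns when no module set a status

# The page's /etc/pam.d/common-auth, verbatim.
COMMON_AUTH = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
"""

# Bracket equivalents of the keyword controls, as documented in pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

Rule = Tuple[Dict[str, str], str]   # (control table, module name)


def parse_stack(text: str) -> List[Rule]:
    """Parse 'auth <control> <module> [args]' lines; control is a keyword or [k=v ...]."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            raise ValueError("cannot parse: " + line)
        ctl, module = m.group(1), m.group(2)
        if ctl.startswith("["):
            control = dict(tok.split("=", 1) for tok in ctl[1:-1].split())
        else:
            control = dict(SHORTHAND[ctl])
        rules.append((control, module))
    return rules


def run_stack(rules: List[Rule], results: Dict[str, str]) -> str:
    """Return the stack's verdict given each module's return code (unlisted modules succeed)."""
    impression: Optional[bool] = None   # None = nothing decided yet, True = positive, False = negative
    status = PAM_PERM_DENIED
    i = 0
    while i < len(rules):
        control, module = rules[i]
        ret = results.get(module, PAM_SUCCESS)
        key = ret.lower()[len("pam_"):]          # PAM_AUTH_ERR -> "auth_err", the control-table key
        action = control.get(key, control.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action.isdigit():                     # jump: behaves like ok, then skips N modules
            i += int(action)
            action = "ok"
        if action in ("ok", "done"):
            if impression is not False:          # a recorded failure is never overridden
                impression, status = True, ret
            if action == "done" and impression is True:
                return status                    # the 'sufficient' short-circuit
        elif action in ("bad", "die"):
            if impression is not False:          # the first failure's code is the one reported
                impression, status = False, ret
            if action == "die":
                return status
        elif action == "reset":
            impression, status = None, PAM_PERM_DENIED
        else:
            raise ValueError("unsupported action " + action)
    return status


# Constructed scenarios: what pam_unix and pam_ldap are assumed to return per kind of user.
SCENARIOS = {
    "local user, right password": {"pam_unix.so": PAM_SUCCESS, "pam_ldap.so": PAM_USER_UNKNOWN},
    "local user, wrong password": {"pam_unix.so": PAM_AUTH_ERR, "pam_ldap.so": PAM_USER_UNKNOWN},
    "ldap user, right password": {"pam_unix.so": PAM_AUTH_ERR, "pam_ldap.so": PAM_SUCCESS},
    "ldap user, wrong password": {"pam_unix.so": PAM_AUTH_ERR, "pam_ldap.so": PAM_AUTH_ERR},
    "unknown user": {"pam_unix.so": PAM_USER_UNKNOWN, "pam_ldap.so": PAM_USER_UNKNOWN},
}


def evaluate_all(stack_text: str = COMMON_AUTH) -> Dict[str, str]:
    """Verdict of the given stack for every scenario."""
    rules = parse_stack(stack_text)
    return {name: run_stack(rules, results) for name, results in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(name.ljust(28), verdict)
```

The walk shows why the stack is written this way: when pam_unix succeeds, the `success=1` jump skips pam_ldap and lands on pam_permit, which only confirms the success; when pam_unix fails its result is ignored and the required pam_ldap line decides, with use_first_pass reusing the password already typed. For a local user with a wrong password the reported code is pam_ldap's PAM_USER_UNKNOWN rather than pam_unix's PAM_AUTH_ERR, because pam_unix's failure was discarded by default=ignore; the verdict is still a denial.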

Now check that the user is known to the system. If so, you can log in as that user, and the home directory is created on first login. Note that su run by root does not ask for a password (pam_rootok), so this does not exercise the LDAP password check; to test that path, run su from an unprivileged account or log in through another service.

id dummy
su - dummy
