LDAP and PAM authentication
These are only very short reminder notes on installing an LDAP server and configuring a Linux client to authenticate through the PAM/LDAP module.
Server side
Add a DNS entry for ldap.softndesign.org in /etc/bind/db.softndesign.org
Code
ldap CNAME babylon
Install LDAP server
Shell
aptitude install slapd ldap-utils
Debconf answers
- Omit OpenLDAP server configuration? No
- DNS domain name: softndesign.org
- Organization name? softndesign.org
- Administrator password: PASSWORD
- Confirm password: PASSWORD
- Database backend to use: HDB
- Do you want the database to be removed when slapd is purged? No
- Allow LDAPv2 protocol? No
Configure ldap utilities in /etc/ldap/ldap.conf
Code
BASE dc=softndesign,dc=org
URI ldap://ldap.softndesign.org
Modify /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif to index uid
Code
olcDbIndex: uid eq
Then build the index:
Shell
invoke-rc.d slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
invoke-rc.d slapd start
Install phpldapadmin
Shell
aptitude install phpldapadmin
Configure phpldapadmin in /etc/phpldapadmin/config.php
PHP
$servers->setValue('server','name',"Soft'n'Design LDAP Server");
$servers->setValue('server','host','ldap.softndesign.org');
$servers->setValue('server','base',array('dc=softndesign,dc=org'));
$servers->setValue('login','bind_id','cn=admin,dc=softndesign,dc=org');
In /etc/phpldapadmin/templates/creation, only keep
- alias.xml
- dNSDomain.xml
- inetOrgPerson.xml
- organizationalRole.xml
- ou.xml
- posixAccount.xml
- posixGroup.xml
- simpleSecurityObject.xml
Modify /etc/phpldapadmin/templates/creation/posixGroup.xml so that the first group number will be 0, then 1000, 1001, ...
XML
<!-- <value>=php.GetNextNumber(/;gidNumber)</value> -->
<value><![CDATA[=php.GetNextNumber(/;gidNumber;false;(&(objectClass=posixGroup));+0;1000)]]></value>
Modify /etc/phpldapadmin/templates/creation/posixAccount.xml so that the first user number will be 0, then 1000, 1001, ...
XML
<!-- <value>=php.GetNextNumber(/;uidNumber)</value> -->
<value><![CDATA[=php.GetNextNumber(/;uidNumber;false;(&(objectClass=posixAccount));+0;1000)]]></value>
Modify /etc/phpldapadmin/templates/creation/posixAccount.xml so that bash or zsh can be chosen as the login shell.
XML
<value id="/bin/nologin">false</value>
<value id="/bin/sh">/bin/sh</value>
<value id="/bin/csh">/bin/csh</value>
<value id="/bin/tsh">/bin/tsh</value>
<value id="/bin/zsh">/bin/zsh</value>
<value id="/bin/bash">/bin/bash</value>
Setup your directory:
- Log on http://127.0.0.1/phpldapadmin with admin password.
- Create two organisational units: Groups and People.
- Create posix groups (first must be root as gid is 0) as child elements of Groups.
- Create user accounts (first must be root as uid is 0) as child elements of People.
- Modify groups to assign users.
Check that your LDAP server is operational:
Shell
ldapsearch -x uid=lmazet
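The directory layout from the steps above, built as LDIF and loaded with ldapadd instead of clicking through phpldapadmin. This is an added example, not part of the original notes: the base DN and the ou names follow the notes, while the users group, the sample account and all uid/gid numbers are constructed here, and the function names are mine.

```shell
# Builds the initial directory as LDIF and (optionally) loads it with ldapadd.
# Assumed names: BASE and the ou names follow the notes; the "users" group, the
# sample account and all uid/gid numbers are constructed for this example.
BASE="dc=softndesign,dc=org"

# ou_ldif NAME: an organizationalUnit directly under BASE
ou_ldif() {
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$1" "$BASE" "$1"
}

# group_ldif NAME GID [MEMBER...]: a posixGroup under ou=Groups; members are listed
# as memberUid, the attribute the Apache AuthLDAPGroupAttribute setting matches on
group_ldif() {
    name=$1; gid=$2; shift 2
    printf 'dn: cn=%s,ou=Groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
        "$name" "$BASE" "$name" "$gid"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
    printf '\n'
}

# user_ldif UID UIDNUMBER GIDNUMBER "FULL NAME": inetOrgPerson + posixAccount under
# ou=People. root keeps /root; everybody else lives under /home/users as the notes
# expect. No userPassword here: set it afterwards with ldappasswd so the server hashes it.
user_ldif() {
    uid=$1; uidn=$2; gidn=$3; cn=$4
    case $uid in root) home=/root ;; *) home=/home/users/$uid ;; esac
    printf 'dn: uid=%s,ou=People,%s\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\n' \
        "$uid" "$BASE"
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$uid" "$cn" "${cn##* }"
    printf 'uidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\nloginShell: /bin/bash\n\n' \
        "$uidn" "$gidn" "$home"
}

# directory_ldif: the two OUs, then root first (gid/uid 0) as the notes require,
# then a regular group and account starting at 1000
directory_ldif() {
    ou_ldif Groups
    ou_ldif People
    group_ldif root 0 root
    group_ldif users 1000 lmazet
    user_ldif root 0 0 "root"
    user_ldif lmazet 1000 1000 "Sample User"     # constructed sample account
}

# Load it as the directory admin, then give the sample account a server-hashed password
if [ "${1:-}" = "--load" ]; then
    directory_ldif | ldapadd -x -D "cn=admin,$BASE" -W
    ldappasswd -x -D "cn=admin,$BASE" -W -S "uid=lmazet,ou=People,$BASE"
fi
```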
Client side
Install Name Service Switch modules.
Shell
aptitude install libnss-ldap nscd |
Debconf answers
- libnss-ldap
  - LDAP server Uniform Resource Identifier: ldap://ldap.softndesign.org/
  - Distinguished name of the search base: dc=softndesign,dc=org
  - LDAP version to use: 3
  - Does the LDAP database require login? No
  - Special LDAP privileges for root? No
  - Make the configuration file readable/writeable by its owner only? No
- libpam-ldap
  - Allow LDAP admin account to behave like local root? Yes
  - Does the LDAP database require login? No
  - LDAP administrative account: cn=admin,dc=softndesign,dc=org
  - LDAP administrative password: PASSWORD
  - Local encryption algorithm to use for passwords: md5
- libpam-runtime
  - PAM profiles to enable: select all
Configure NSS module in /etc/libnss-ldap.conf
Code
base dc=softndesign,dc=org
uri ldap://ldap.softndesign.org/
ldap_version 3
Activate the LDAP NSS module in /etc/nsswitch.conf
Code
passwd: files ldap
group: files ldap
Temporarily stop nscd and check that an LDAP user is visible:
Shell
invoke-rc.d nscd stop
id lmazet
Install the PAM module (already done thanks to the Debian installer).
Shell
aptitude install libpam-ldap
Debconf answers:
- Allow LDAP admin account to behave like local root? Yes
- Does the LDAP database require login? No
- LDAP administrative account: cn=admin,dc=softndesign,dc=org
- LDAP administrative password: PASSWORD
- Local encryption algorithm to use for passwords: md5
Configure LDAP PAM module in /etc/pam_ldap.conf
Code
base dc=softndesign,dc=org
uri ldap://ldap.softndesign.org/
ldap_version 3
rootbinddn cn=admin,dc=softndesign,dc=org
pam_password md5
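An added check, not part of the original notes and not part of pam_ldap: it reads a file in the /etc/libnss-ldap.conf or /etc/pam_ldap.conf format shown above on stdin and reports the settings a hardened deployment would change (an ldap:// uri without ssl start_tls, client-side md5/crypt/clear password hashing where exop would let the server hash, a bindpw left in the file). The function names are mine.

```shell
# audit_ldap_client_conf: read a libnss-ldap.conf / pam_ldap.conf style file on
# stdin ("key value" lines, '#' comments) and print one line per weak setting.
# Exit status is 1 when anything was reported, 0 when the file is clean.
# Function names are assumed (this is neither pam_ldap's nor the notes' code).
audit_ldap_client_conf() {
    awk '
    $1 ~ /^#/ || NF < 2 { next }              # skip comments and blank lines
    { key[tolower($1)] = $2 }                 # last occurrence of a key wins
    END {
        n = 0
        uri = key["uri"]
        if (uri == "") {
            print "no uri configured"; n++
        } else if (index(uri, "ldaps://") != 1 && key["ssl"] != "start_tls") {
            # ldap:// sends simple binds (the user password) in clear unless StartTLS is used
            print "uri " uri " is plaintext and \"ssl start_tls\" is not set"; n++
        }
        if (key["ldap_version"] != "3") {
            print "ldap_version should be 3"; n++
        }
        pw = key["pam_password"]
        if (pw == "md5" || pw == "crypt" || pw == "clear") {
            # these make the client hash (or not hash) the password itself;
            # exop lets the server apply its own password-hash policy
            print "pam_password " pw " hashes passwords client-side, prefer exop"; n++
        }
        if ("bindpw" in key) {
            print "bindpw stored in a configuration file that may be world-readable"; n++
        }
        exit (n > 0)
    }'
}

# count_ldap_findings: same input, prints only the number of findings (always exits 0)
count_ldap_findings() {
    audit_ldap_client_conf | awk 'END { print NR }'
}
```

Run it as `audit_ldap_client_conf < /etc/pam_ldap.conf` and again on /etc/libnss-ldap.conf; both files share the same keys.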
Configure PAM session in /etc/pam.d/common-session
Code
session required pam_unix.so
# create home dir on first login
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Create the root directory for home directories:
Shell
mkdir /home/users
Add some default files (.bashrc, .emacs, .forward, .procmail, .profile, .screenrc, .vimrc, .zshrc) and directories (.gnupg, .ssh, .xemacs, bin, Maildir, tmp) to /etc/skel.
Apache side
Activate apache LDAP modules:
Shell
cd /etc/apache2/mods-enabled
ln -s ../mods-available/ldap.conf .
ln -s ../mods-available/ldap.load .
ln -s ../mods-available/authnz_ldap.load .
Enable LDAP authentication per location:
Code
<Location /hg/>
    AuthType Basic
    AuthName "Mercurial repositories"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://ldap.softndesign.org/ou=People,dc=softndesign,dc=org?uid?sub"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPRemoteUserIsDN off
    # require a valid user
    Require ldap-filter &(uid=*)
</Location>

<Location /hg/debug-lib/>
    # require that the user is in the debug-lib group from the Mercurial organisational unit
    Require ldap-group cn=debug-lib,ou=Mercurial,dc=softndesign,dc=org
</Location>
ProFTPd server side
Enable PAM/LDAP authentication in /etc/proftpd/proftpd.conf
Code
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
PersistentPasswd off

# This is required to use both PAM-based authentication and local passwords
AuthOrder mod_auth_pam.c* mod_auth_unix.c
Thanks to Davor Ocelic.