Modifications for LDAP authentication on Debian and Ubuntu
Tue 10 March 2015
This is an older tip for setting up LDAP authentication. As many of my posts are just my notes from the past, it might now be dated. However, feel free to try it for yourself ;)
aptitude install libpam-ldap libnss-ldap patch autofs nfs-common openldap-utils
aptitude install nscd
NB: in the "Configuring libnss-ldap" dialog enter:
- LDAP server URI: ldap:// and click OK
- Distinguished name of the search base: dc=server,dc=nl
- LDAP version: 3
- LDAP account for root: cn=admin,dc=server,dc=nl, then type in the root password

Check LDAP with:
ldapsearch -x -h ldapserver -b "dc=server,dc=nl" -s sub "sn=quantrill"
NB: you can use dpkg-reconfigure ldap-auth-config to change things
New working configuration for the newest versions of Ubuntu
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd:        compat
#group:         compat
#shadow:        compat
passwd:         files ldap compat
group:          files ldap compat
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
auth-client-config -t nss -p lac_ldap
pam-auth-update
From the pam-auth-update menu choose the Unix and LDAP options only.
Add at the top of /etc/pam.d/common-auth:
session required pam_mkhomedir.so umask=0022
Then reboot.
For Debian, or versions of Ubuntu older than 9.10
For older versions we have to stick with the manual configuration option.
cat /etc/pam.d/common-account
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
#account        required        pam_unix.so
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_ldap.so
cat /etc/pam.d/common-auth
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
#auth   required        pam_unix.so nullok_secure
#auth   requisite       pam_unix.so nullok_secure
#auth   optional        pam_smbpass.so migrate
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
cat /etc/pam.d/common-password
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

#password       required        pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
#password       required        pam_cracklib.so retry=3 minlen=6 difok=3
#password       required        pam_unix.so use_authtok nullok md5

password sufficient pam_ldap.so
password required pam_unix.so nullok md5 obscure min=4 max=8
cat /etc/pam.d/common-session
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of any kind (both interactive and
# non-interactive).  The default is pam_unix.
#
#session        required        pam_unix.so
session required pam_mkhomedir.so umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
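Added example, not part of the original post: a small shell checklist for the nsswitch.conf and PAM files above. It parses the files the way the libraries do (comment lines such as a leftover "#passwd: compat" are ignored), confirms that passwd, group and shadow consult the ldap source, that pam_ldap.so in common-auth carries use_first_pass, that the auth stack ends in pam_deny.so and that pam_mkhomedir.so is present in common-session. The function names and the sample files are constructed for this script; on a real host pass /etc/nsswitch.conf and /etc/pam.d instead.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the files written
# above actually hand lookups and authentication to LDAP. Function names and
# the sample file contents are constructed for this script; on a real host
# pass /etc/nsswitch.conf and /etc/pam.d as the arguments instead.

# Sources listed for one NSS database (e.g. "files ldap compat"), skipping
# commented-out lines such as "#passwd: compat" that an edit left behind.
nss_sources() {
    awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { sub(/#.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# Succeeds when the database consults the ldap source at all.
nss_has_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeeds when an active line "<type> <control> <module>" exists in the file.
pam_has() {
    awk -v t="$1" -v m="$2" '
        /^[[:space:]]*#/ { next }
        $1 == t && $3 == m { found = 1 }
        END { exit !found }
    ' "$3"
}

# Module arguments of the first active line for that type and module.
pam_module_args() {
    awk -v t="$1" -v m="$2" '
        /^[[:space:]]*#/ { next }
        $1 == t && $3 == m { s = ""; for (i = 4; i <= NF; i++) s = s (i > 4 ? " " : "") $i; print s; exit }
    ' "$3"
}

# Module named on the last active line of the given type. A final pam_deny.so
# makes the fall-through explicit: when neither pam_unix nor pam_ldap
# succeeded, the login is refused.
pam_last_module() {
    awk -v t="$1" '
        /^[[:space:]]*#/ { next }
        $1 == t { last = $3 }
        END { print last }
    ' "$2"
}

# Run the whole checklist; prints findings and returns non-zero on any miss.
check_host() {
    nss=$1; pamdir=$2; rc=0
    for db in passwd group shadow; do
        if nss_has_ldap "$db" "$nss"; then
            echo "ok   nsswitch $db: $(nss_sources "$db" "$nss")"
        else
            echo "MISS nsswitch $db does not consult ldap"; rc=1
        fi
    done
    if [ "$(pam_module_args auth pam_ldap.so "$pamdir/common-auth")" = "use_first_pass" ]; then
        echo "ok   common-auth: pam_ldap reuses the password pam_unix collected"
    else
        echo "MISS common-auth: pam_ldap.so use_first_pass not found"; rc=1
    fi
    if [ "$(pam_last_module auth "$pamdir/common-auth")" = "pam_deny.so" ]; then
        echo "ok   common-auth: stack ends in pam_deny.so"
    else
        echo "MISS common-auth: last auth line is not pam_deny.so"; rc=1
    fi
    if pam_has session pam_mkhomedir.so "$pamdir/common-session"; then
        echo "ok   common-session: home directories created on first login"
    else
        echo "MISS common-session: pam_mkhomedir.so missing"; rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the configuration above.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
#passwd:        compat
passwd:         files ldap compat
group:          files ldap compat
shadow:         files ldap
hosts:          files dns
EOF
cat > "$SAMPLE_DIR/common-auth" <<'EOF'
auth    required    pam_env.so
auth    sufficient  pam_unix.so likeauth nullok
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so
EOF
cat > "$SAMPLE_DIR/common-session" <<'EOF'
#session required pam_unix.so
session required pam_mkhomedir.so umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
EOF

check_host "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR"
```

On a live host, run it as check_host /etc/nsswitch.conf /etc/pam.d after the edits and again after a reboot, since pam-auth-update rewrites the common-* files and can drop a hand-added line.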
On Ubuntu: cat /etc/ldap.conf
On Debian 4: cat /etc/pam_ldap.conf
On RedHat: cat /etc/ldap/ldap.conf
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=server, dc=nl
URI ldap://ldapserver1 ldap://ldapserver2

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_crypt local
pam_member_attribute memberuid

nss_base_passwd ou=computers,dc=server,dc=nl
nss_base_passwd ou=people,dc=server,dc=nl
nss_base_shadow ou=people,dc=server,dc=nl
nss_base_group ou=group,dc=server,dc=nl
nss_base_hosts ou=hosts,dc=server,dc=nl

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd:        compat
#group:         compat
#shadow:        compat
passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
NB: With Debian lenny you also have to add the following line to /etc/libnss-ldap.conf:
bind_policy soft
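Added example, not part of the original post: a reader for the pam_ldap/libnss-ldap style ldap.conf shown above (one "key value" per line, keys case-insensitive, some keys such as nss_base_passwd repeated). It lists the servers and search bases, reports the bind_policy that the lenny note changes to soft, and flags the case where a plain ldap:// URI is used without "ssl start_tls" or "ssl on", since a simple bind over such a connection sends the user's password unencrypted. The function names and the sample file are constructed for this script.

```shell
#!/bin/sh
# Added example, not part of the original post: read the pam_ldap/libnss-ldap
# style ldap.conf above (one "key value" per line, keys case-insensitive) and
# report the settings that decide how the client behaves when the directory
# is slow or unreachable, and whether binds travel in the clear. Function
# names and the sample file are constructed for this script.

# Print every value for a key (some keys, e.g. nss_base_passwd, may repeat).
ldapconf_get() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print }
    ' "$2"
}

# One URI per line; a URI line may list several servers separated by spaces.
ldapconf_uris() {
    ldapconf_get uri "$1" | tr ' ' '\n' | sed '/^$/d'
}

# pam_ldap defaults bind_policy to hard, which keeps retrying a failed connect
# and can stall every name lookup on the box while the directory is down;
# the post's lenny note sets it to soft.
ldapconf_bind_policy() {
    v=$(ldapconf_get bind_policy "$1" | tail -n 1)
    printf '%s\n' "${v:-hard}"
}

# Succeeds when a plain ldap:// URI is used without "ssl start_tls" or
# "ssl on", i.e. the user's password would cross the network unencrypted.
ldapconf_cleartext_bind() {
    case "$(ldapconf_get ssl "$1" | tail -n 1)" in
        start_tls|on) return 1 ;;
    esac
    ldapconf_uris "$1" | grep -q '^ldap://'
}

# Number of nss_base_* lines; each one is a separate search per lookup.
ldapconf_nss_bases() {
    awk '/^[[:space:]]*#/ { next } tolower($1) ~ /^nss_base_/ { n++ } END { print n + 0 }' "$1"
}

# Summarise the file; returns non-zero when something needs attention.
report() {
    f=$1; rc=0
    echo "servers:     $(ldapconf_uris "$f" | tr '\n' ' ')"
    echo "base:        $(ldapconf_get base "$f")"
    echo "bind_policy: $(ldapconf_bind_policy "$f")"
    echo "nss bases:   $(ldapconf_nss_bases "$f")"
    if ldapconf_cleartext_bind "$f"; then
        echo "WARN binds are sent over plain ldap:// (no ssl start_tls)"; rc=1
    fi
    [ "$(ldapconf_bind_policy "$f")" = soft ] || { echo "WARN bind_policy is hard"; rc=1; }
    return $rc
}

# Constructed sample mirroring the post's ldap.conf plus the lenny bind_policy line.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# LDAP Defaults (constructed sample)
BASE dc=server, dc=nl
URI ldap://ldapserver1 ldap://ldapserver2
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_crypt local
pam_member_attribute memberuid
nss_base_passwd ou=computers,dc=server,dc=nl
nss_base_passwd ou=people,dc=server,dc=nl
nss_base_shadow ou=people,dc=server,dc=nl
nss_base_group ou=group,dc=server,dc=nl
nss_base_hosts ou=hosts,dc=server,dc=nl
#SIZELIMIT 12
bind_policy soft
EOF

report "$SAMPLE_CONF" || echo "review the WARN lines above"
```

Run it as report /etc/ldap.conf (or /etc/pam_ldap.conf and /etc/libnss-ldap.conf on Debian) after editing; the sample above warns on cleartext binds because the post's URIs are plain ldap://, which is the setting to revisit before rolling this out beyond a lab.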