Copyright 2021 Simon Quantrill, All Rights Reserved

Modifications for LDAP authentication debian and ubuntu

Tue 10 March 2015

This is an older tip for setting up LDAP authentication; as many of my posts are just my notes from the past it might now be dated. However, feel free to try it for yourself ;)

    aptitude install libpam-ldap libnss-ldap patch autofs nfs-common openldap-utils
    aptitude install nscd

NB: when Configuring libnss-ldap enter:

    LDAP server Uniform Resource Identifier: ldap://ldapserver (click OK)
    Distinguished name of the search base: dc=server,dc=nl
    LDAP version to use: 3
    LDAP account for root: cn=admin,dc=server,dc=nl
    LDAP root account password: (type in the root password)

The root bind password is written to /etc/ldap.secret; keep that file mode 0600, root only. A plain ldap:// URI sends every bind, including that one, in clear text, so outside an isolated lab network use ldaps:// or start_tls (ssl start_tls in the ldap.conf shown further down).

Check LDAP with

    ldapsearch -x -h ldapserver -b "dc=server,dc=nl" -s sub "sn=quantrill"

NB: you can use dpkg-reconfigure ldap-auth-config to change things

New working configuration for the newest versions of Ubuntu

cat /etc/nsswitch.conf

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    #passwd: compat
    #group: compat
    #shadow: compat

    passwd: files ldap compat
    group: files ldap compat
    shadow: files ldap

    hosts: files dns
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

auth-client-config -t nss -p lac_ldap

pam-auth-update

In the pam-auth-update menu select only the Unix and LDAP authentication options.

Add at the top of /etc/pam.d/common-session (pam_mkhomedir is a session module; a session line dropped into common-auth is honoured too, because PAM dispatches on the type field, but common-session is where it belongs):

    session required pam_mkhomedir.so umask=0022

Two caveats. pam-auth-update rewrites the common-* files, so a hand-added line disappears the next time it runs; to make it stick, ship it as a profile under /usr/share/pam-configs/ instead. And umask=0022 creates home directories that everyone on the box can read; use umask=0077 if users' files should be private.

reboot..

For Debian, or Ubuntu older than 9.10

For these older versions there is no pam-auth-update, so the PAM files have to be edited by hand.

cat /etc/pam.d/common-account

    #
    # /etc/pam.d/common-account - authorization settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authorization modules that define
    # the central access policy for use on the system.  The default is to
    # only deny service to users whose accounts are expired in /etc/shadow.
    #
    #account required pam_unix.so

    account sufficient pam_unix.so
    account sufficient pam_ldap.so
    account required pam_ldap.so

cat /etc/pam.d/common-auth

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    #auth required pam_unix.so nullok_secure
    #auth requisite pam_unix.so nullok_secure
    #auth optional pam_smbpass.so migrate

    auth required pam_env.so
    auth sufficient pam_unix.so likeauth nullok
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so

Order matters here: pam_unix is tried first and, being sufficient, a local user never touches LDAP; a user pam_unix does not know falls through to pam_ldap, which reuses the same password (use_first_pass); only if both fail does pam_deny refuse. Note that nullok lets accounts with an empty password field log in; the stock nullok_secure limits that to the ttys listed in /etc/securetty, and dropping the option altogether is safer.
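The control flags in that stack decide what happens when pam_unix does not know the user, and their order is what makes LDAP-only logins work. As an added example that is not part of the original post, the Python below simulates Linux-PAM's dispatch rules (required, requisite, sufficient, optional) for the common-auth stack shown above, against a constructed pair of account databases: one local user and one user that exists only in LDAP. pam_unix and pam_ldap are stand-in functions here; no real PAM library or LDAP server is involved. It also runs the stock pam_unix-only default and a misordered variant (required pam_unix before sufficient pam_ldap) to show why both refuse the LDAP-only user.

```python
"""Simulate Linux-PAM control-flag dispatch over the common-auth stack above.

Added example, not from the original post.  Users, passwords and the module
behaviour are constructed for illustration; pam_unix/pam_ldap are modelled as
pure functions and nothing here talks to a real LDAP server.
"""

SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED, IGNORE = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED", "PAM_IGNORE")

# Constructed account databases: one local user, one user known only to LDAP.
LOCAL_USERS = {"alice": "alice-pw"}
LDAP_USERS = {"quantrill": "ldap-pw"}


def pam_env(user, password):
    return SUCCESS                       # only sets environment variables, never fails


def pam_unix(user, password):
    if user not in LOCAL_USERS:
        return USER_UNKNOWN              # no entry in /etc/shadow
    return SUCCESS if LOCAL_USERS[user] == password else AUTH_ERR


def pam_ldap(user, password):
    # use_first_pass: reuses the password pam_unix already prompted for
    if user not in LDAP_USERS:
        return USER_UNKNOWN
    return SUCCESS if LDAP_USERS[user] == password else AUTH_ERR


def pam_deny(user, password):
    return PERM_DENIED


# (control flag, module) pairs, in file order
PAGE_STACK = [("required", pam_env), ("sufficient", pam_unix),
              ("sufficient", pam_ldap), ("required", pam_deny)]
UNIX_ONLY_STACK = [("required", pam_unix)]                      # the stock default
MISORDERED_STACK = [("required", pam_unix), ("sufficient", pam_ldap)]  # tempting but wrong


def run_stack(stack, user, password):
    """Return (final_status, modules_consulted) following Linux-PAM dispatch rules."""
    impression = None          # None = undecided, True = positive, False = negative
    status = SUCCESS
    consulted = []
    for control, module in stack:
        consulted.append(module.__name__)
        retval = module(user, password)
        if retval == IGNORE:
            continue
        ok = retval == SUCCESS
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, status = True, retval
            else:
                if impression is not False:     # the first failure fixes the final code
                    impression, status = False, retval
                if control == "requisite":
                    break                       # requisite: give up immediately
        elif control == "sufficient":
            # success ends the stack only if no earlier required module has failed;
            # failures of a sufficient module are simply ignored
            if ok and impression is not False:
                impression, status = True, retval
                break
        elif control == "optional":
            if ok and impression is None:
                impression, status = True, retval
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if impression is not True and status == SUCCESS:
        status = PERM_DENIED                    # nothing positive happened: deny
    return status, consulted


if __name__ == "__main__":
    for stack_name, stack in (("page common-auth", PAGE_STACK), ("unix only", UNIX_ONLY_STACK),
                              ("misordered", MISORDERED_STACK)):
        for user, pw in (("alice", "alice-pw"), ("quantrill", "ldap-pw"), ("quantrill", "wrong")):
            status, consulted = run_stack(stack, user, pw)
            print(f"{stack_name:16} {user:10} -> {status:17} via {' > '.join(consulted)}")
```

The local user is accepted by pam_unix without LDAP ever being contacted; the LDAP-only user is accepted by pam_ldap after pam_unix's PAM_USER_UNKNOWN is ignored; with the wrong password everything falls through to pam_deny. In the misordered stack the required pam_unix failure sets a negative impression that the later sufficient pam_ldap cannot override, which is exactly why the page's order has pam_unix as sufficient.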

cat /etc/pam.d/common-password

    #
    # /etc/pam.d/common-password - password-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define the services to be
    # used to change user passwords.  The default is pam_unix
    #
    # The "nullok" option allows users to change an empty password, else
    # empty passwords are treated as locked accounts.
    #
    # (Add `md5' after the module name to enable MD5 passwords)
    #
    # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
    # login.defs.  Also the "min" and "max" options enforce the length of the
    # new password.
    #
    #password required pam_unix.so nullok obscure min=4 max=8 md5
    #
    # Alternate strength checking for password.  Note that this
    # requires the libpam-cracklib package to be installed.
    # You will need to comment out the password line above and
    # uncomment the next two in order to use this.
    #
    # (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
    #
    #password required pam_cracklib.so retry=3 minlen=6 difok=3
    #password required pam_unix.so use_authtok nullok md5

    password sufficient pam_ldap.so
    password required pam_unix.so nullok md5 obscure min=4 max=8

With this order a password change goes to LDAP first and only reaches pam_unix (local /etc/shadow) when pam_ldap cannot handle the user. The md5 option dates this file: on any current release use sha512 instead, and min=4 is far below what cracklib's minlen=6 would accept.

cat /etc/pam.d/common-session

    #
    # /etc/pam.d/common-session - session-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define tasks to be performed
    # at the start and end of sessions of any kind (both interactive and
    # non-interactive).  The default is pam_unix.
    #
    #session required pam_unix.so

    session required pam_mkhomedir.so umask=0022
    session required pam_limits.so
    session required pam_unix.so
    session optional pam_ldap.so

The pam_ldap/nss_ldap settings live in one file whose name depends on the distribution:

UBUNTU: cat /etc/ldap.conf

OR

DEBIAN 4: cat /etc/pam_ldap.conf (read by pam_ldap) and /etc/libnss-ldap.conf (read by nss_ldap); both take the same options

OR

RedHat: cat /etc/ldap.conf as well. Do not confuse it with the OpenLDAP client library's own file (/etc/ldap/ldap.conf on Debian, /etc/openldap/ldap.conf on RedHat), which only knows the library options (BASE, URI, TLS_CACERT, ...) and ignores the pam_* and nss_* ones.

    # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
    #
    # LDAP Defaults
    #
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    BASE dc=server, dc=nl
    URI ldap://ldapserver1 ldap://ldapserver2

    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_crypt local
    pam_member_attribute memberuid

    nss_base_passwd ou=computers,dc=server,dc=nl
    nss_base_passwd ou=people,dc=server,dc=nl
    nss_base_shadow ou=people,dc=server,dc=nl
    nss_base_group ou=group,dc=server,dc=nl
    nss_base_hosts ou=hosts,dc=server,dc=nl

    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never

The file is world readable by design, which is why the root bind password is kept separately in /etc/ldap.secret (mode 0600) rather than here.

cat /etc/nsswitch.conf

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    #passwd: compat
    #group: compat
    #shadow: compat

    passwd: files ldap
    group: files ldap
    shadow: files ldap

    hosts: files dns
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

NB: with lenny you also have to add, at the top of /etc/libnss-ldap.conf:

    bind_policy soft

With the default (hard) policy nss_ldap keeps retrying an unreachable server, so when the LDAP server is down every lookup blocks and the boot hangs; soft makes failed lookups return straight away so local accounts still work.
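Before trusting the result it is worth checking the two files for the things that bite in practice: a plain ldap:// URI, a missing bind_policy soft, and an nsswitch order that consults ldap before files. The Python below is an added example, not part of the original post: a small auditor that reads ldap.conf and nsswitch.conf text. The sample configurations in it are constructed from the listings above plus a hardened variant (ldaps:// with tls_checkpeer yes, bind_policy soft, a rootbinddn); the option names are the pam_ldap/nss_ldap ones (uri, ssl, tls_checkpeer, tls_cacertfile, bind_policy, rootbinddn) and the CA bundle path is an assumption. It only reads text and never contacts a server.

```python
"""Audit pam_ldap/nss_ldap style /etc/ldap.conf and /etc/nsswitch.conf text.

Added example, not part of the original post.  Sample inputs are
constructed (from the page's listings and a hardened variant); the auditor
only reads text and never talks to an LDAP server.
"""
import re

# --- constructed sample inputs ---------------------------------------------
PAGE_LDAP_CONF = """\
# constructed from the ldap.conf listing above
BASE dc=server, dc=nl
URI ldap://ldapserver1 ldap://ldapserver2
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=people,dc=server,dc=nl
nss_base_group ou=group,dc=server,dc=nl
"""

HARDENED_LDAP_CONF = """\
# constructed hardened variant (server names and the CA bundle path are assumed)
base dc=server,dc=nl
uri ldaps://ldapserver1 ldaps://ldapserver2
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
bind_policy soft
rootbinddn cn=admin,dc=server,dc=nl
"""

PAGE_NSSWITCH = """\
passwd: files ldap compat
group: files ldap compat
shadow: files ldap
hosts: files dns
"""


def parse_conf(text):
    """Map each lower-cased option to the list of values given for it."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts


def last(opts, key, default):
    """The last occurrence of a repeated option wins, as in pam_ldap/nss_ldap."""
    return opts.get(key, [default])[-1].lower()


def audit_ldap_conf(text):
    """Return (level, message) findings for a pam_ldap/nss_ldap config."""
    opts = parse_conf(text)
    findings = []
    uris = " ".join(opts.get("uri", []) + opts.get("host", [])).split()
    ssl = last(opts, "ssl", "off")
    encrypted = ssl in ("on", "start_tls") or (bool(uris) and all(u.startswith("ldaps://") for u in uris))
    if not encrypted:
        findings.append(("warn", "plaintext LDAP: binds (and any rootbinddn password) cross the "
                                 "network unencrypted; use ldaps:// URIs or 'ssl start_tls'"))
    elif last(opts, "tls_checkpeer", "no") != "yes":
        findings.append(("warn", "TLS is on but 'tls_checkpeer yes' is missing, so the server "
                                 "certificate is not required to verify"))
    if last(opts, "bind_policy", "hard") != "soft":
        findings.append(("warn", "bind_policy is not 'soft': nss_ldap retries an unreachable "
                                 "server indefinitely and lookups (and the boot) hang"))
    if "rootbinddn" in opts:
        findings.append(("info", "rootbinddn set: the bind password is read from /etc/ldap.secret, "
                                 "which must stay mode 0600 and root-owned"))
    if "sizelimit" in opts:
        findings.append(("warn", f"sizelimit {last(opts, 'sizelimit', '')}: searches are cut off "
                                 "at that many entries, so enumeration is incomplete"))
    return findings


def audit_nsswitch(text):
    """Flag passwd/group/shadow lines where 'ldap' is consulted before 'files'."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        db, _, sources = line.partition(":")
        srcs = sources.split()
        if db.strip() in ("passwd", "group", "shadow") and "ldap" in srcs:
            if "files" not in srcs or srcs.index("files") > srcs.index("ldap"):
                findings.append(("warn", f"{db.strip()}: list 'files' before 'ldap' so root and "
                                         "other local accounts still resolve when LDAP is down"))
    return findings


if __name__ == "__main__":
    for name, text in (("page ldap.conf", PAGE_LDAP_CONF), ("hardened ldap.conf", HARDENED_LDAP_CONF)):
        for level, msg in audit_ldap_conf(text):
            print(f"{name}: [{level}] {msg}")
    for level, msg in audit_nsswitch(PAGE_NSSWITCH) or [("ok", "files precedes ldap everywhere")]:
        print(f"page nsswitch: [{level}] {msg}")
```

Run against the page's ldap.conf it reports the plaintext URI and the missing bind_policy; against the hardened variant only the reminder about /etc/ldap.secret remains; the page's nsswitch order passes because files precedes ldap on every account database.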
