
ubuntu ldap client

  1. install
     
    We have to install libnss and libpam to get started:
     
    # sudo apt-get install libnss-ldap libpam-ldap
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following extra packages will be installed:
    auth-client-config ldap-auth-client ldap-auth-config
    Suggested packages:
    libpam-cracklib nscd
    The following NEW packages will be installed:
    auth-client-config ldap-auth-client ldap-auth-config libnss-ldap libpam-ldap
    0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
    Need to get 138 kB of archives.
    After this operation, 579 kB of additional disk space will be used.
    Do you want to continue [Y/n]? y
    Get:1 http://be.archive.ubuntu.com/ubuntu/ precise/main auth-client-config all 0.9ubuntu1 
    Get:2 http://be.archive.ubuntu.com/ubuntu/ precise/main libpam-ldap amd64 184-8.5ubuntu2 
    Get:3 http://be.archive.ubuntu.com/ubuntu/ precise/main libnss-ldap amd64 264-2.2ubuntu2 
    Get:4 http://be.archive.ubuntu.com/ubuntu/ precise/main ldap-auth-client all 0.5.3 [2760 B]
    Get:5 http://be.archive.ubuntu.com/ubuntu/ precise/main ldap-auth-config all 0.5.3 [9434 B]
    Fetched 138 kB in 0s (1603 kB/s)

    A series of pop-up screens lead us to configure ldap-auth-config:

    -------------------------------------------------------------------------------
    Configuring ldap-auth-config 
     
    Please enter the URI of the LDAP server to use. This is a string in the form of
    ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:/// can also be used.
    The port number is optional.
     
    Note: It is usually a good idea to use an IP address because it reduces risks of failure
    in the event of name service problems.
      
    LDAP server Uniform Resource Identifier: ldap://172.16.100.21
    -------------------------------------------------------------------------------
    Distinguished name of the search base:
    dc=myorg,dc=net
    -------------------------------------------------------------------------------
    LDAP version to use: 3
    -------------------------------------------------------------------------------
    This option will allow you to make password utilities that use pam to behave like you would be changing local passwords.
    The password will be stored in a separate file which will be made readable to root only.
     
    If you are using NFS mounted /etc or any other custom setup, you should disable this.
     
    Make local root Database admin: YES
    -------------------------------------------------------------------------------
    Choose this option if you are required to login to the database to retrieve entries.
    Note: Under a normal setup, this is not needed.
     
    Does the LDAP database require login?  NO
    -------------------------------------------------------------------------------
    This account will be used when root changes a password.
    Note: This account has to be a privileged account.
      
    LDAP account for root:  cn=admin,dc=myorg,dc=net
    -------------------------------------------------------------------------------
    Please enter the password to use when ldap-auth-config tries to login to the LDAP directory using the LDAP account for root. 
    The password will be stored in a separate file /etc/ldap.secret which will be made readable to root only. Entering an empty password will re-use the old password.
      
    LDAP root account password: x-x-x-x-x

     
    A file /etc/ldap.conf has been created:
     
    $ grep -v "^#" /etc/ldap.conf

    base dc=myorg,dc=net
    uri ldap://172.16.100.21
    ldap_version 3
    rootbinddn cn=admin,dc=myorg,dc=net
    pam_password md5

     
    and a file /etc/ldap.secret
     
    $ ls -l /etc/ldap.secret
    -rw------- 1 root root 9 Aug 19 00:05 /etc/ldap.secret
     

  2. enabling authentication
     
    To make the system resolve LDAP users and groups (the first step toward authenticating them) we have to edit the file /etc/nsswitch.conf
    (wherever a line was changed we mark it with *** to the right of that line)
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
     
    passwd:         compat ldap  ***
    group:          compat ldap  ***
    shadow:         compat ldap  ***
     
    hosts:          files dns
    networks:       files
     
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
     
    netgroup:       nis

     
    Checking whether it works:
     
    $ getent passwd

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    ...
    sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
    karel:x:1000:1000:karel,,:/home/karel:/bin/bash
    *** ldap-user:x:10001:10001:ldap-user:/home/ldap-user:/bin/bash
    *** desjarel:x:10010:10010:desjarel:/home/desjarel:/bin/bash

    The entries marked *** do not exist in the local /etc/passwd: they are served by the LDAP server.
     
    $ getent group

    root:x:0:
    daemon:x:1:
    ...
    ldap-user:*:10001:
    desjarel:*:10010:

     
    $ id ldap-user
    uid=10001(ldap-user) gid=10001(ldap-user) groups=10001(ldap-user)
     

  3. allowing ldap action
     
    • allow for ldap home-dir creation:
       
      $ sudo vim /etc/pam.d/common-session
      # /etc/pam.d/common-session - session-related modules common to all services
      #
      # This file is included from other service-specific PAM config files,
      # and should contain a list of modules that define tasks to be performed
      # at the start and end of sessions of *any* kind (both interactive and
      # non-interactive).
      #
      # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
      # To take advantage of this, it is recommended that you configure any
      # local modules either before or after the default block, and use
      # pam-auth-update to manage selection of other modules.  See
      # pam-auth-update(8) for details.
       
      # here are the per-package modules (the "Primary" block)
      session [default=1]                     pam_permit.so
      # here's the fallback if no module succeeds
      session requisite                       pam_deny.so
      # prime the stack with a positive return value if there isn't one already;
      # this avoids us returning an error just because nothing sets a success code
      # since the modules above will each just jump around
      session required                        pam_permit.so
      # The pam_umask module will set the umask according to the system default in
      # /etc/login.defs and user settings, solving the problem of different
      # umask settings with different shells, display managers, remote sessions etc.
      # See "man pam_umask".
      session optional                        pam_umask.so
      # and here are more per-package modules (the "Additional" block)
      session required                        pam_unix.so
      session optional                        pam_ldap.so
      *** session required                        pam_mkhomedir.so
      # end of pam-auth-update config

       

    • enable passwd on ldap accounts
       
      edit /etc/pam.d/common-password and remove the parameter “use_authtok” from the pam_ldap.so line (marked *** below, shown here as it looks before the edit)
      # /etc/pam.d/common-password - password-related modules common to all services
      ..
      # pam-auth-update(8) for details.
       
      # here are the per-package modules (the "Primary" block)
      password        [success=2 default=ignore]      pam_unix.so obscure sha512
      *** password        [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
      # here's the fallback if no module succeeds
      password        requisite                       pam_deny.so
      # prime the stack with a positive return value if there isn't one already;
      # this avoids us returning an error just because nothing sets a success code
      # since the modules above will each just jump around
      password        required                        pam_permit.so
      # and here are more per-package modules (the "Additional" block)
      # end of pam-auth-update config

       

  4. does it work
     
    Can we now log in as ldap-user?
    $ ls -l /home
    drwxr-xr-x 6 user user 4096 Aug 19 00:32 user
     
    $ su ldap-user
    Password: x-x-x-x-x
    Creating directory /home/ldap-user
     
    $ passwd
    Enter login(LDAP) password: x-x-x-x
    New password: new!password
    Re-enter new password: new!password
    LDAP password information changed for ldap-user
    passwd: password updated successfully
     
    ssh:
     
    karel@ldap-cl15:~$ ssh ldap-user@172.16.10.100
    ldap-user@172.16.10.100's password:
    Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 3.13.0-34-generic x86_64)
    Your Hardware Enablement Stack (HWE) is supported until April 2021.
    ...

    ldap-user@ldap-cl16:~$ ls -la

    total 28
    drwxr-xr-x 3 ldap-user ldap-user 4096 Aug 19 00:36 .
    drwxr-xr-x 4 root  root  4096 Aug 19 00:33 ..
    -rw------- 1 ldap-user ldap-user   24 Aug 19 00:37 .bash_history
    -rw-r--r-- 1 ldap-user ldap-user  220 Aug 19 00:33 .bash_logout
    -rw-r--r-- 1 ldap-user ldap-user 3486 Aug 19 00:33 .bashrc
    drwx------ 2 ldap-user ldap-user 4096 Aug 19 00:36 .cache
    -rw-r--r-- 1 ldap-user ldap-user  675 Aug 19 00:33 .profile

    ldap-user@ldap-cl16:~$ exit
    logout
    Connection to 172.16.10.100 closed.
     
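    Before rolling this out, a defender would check the resulting /etc/ldap.conf for the weak spots this walkthrough leaves in place: a plaintext ldap:// URI (binds and password changes cross the wire unencrypted), pam_password md5, and the permissions of the root bind secret. The following is an added example, not from the original page: a POSIX shell audit of that file, where the audit_ldap_conf function, its argument layout and the sample files are constructed here.

```sh
#!/bin/sh
# Added example, not from the original page: audit the nss_ldap/pam_ldap
# style /etc/ldap.conf that ldap-auth-config writes ("key value" lines as
# shown above).  File paths are parameters; the sample below is constructed.

# Prints one "RISK: ..." line per weak setting in CONF; SECRET is the file
# named by rootbinddn (defaults to /etc/ldap.secret as on this page).
audit_ldap_conf() {
    conf="$1"; secret="${2:-/etc/ldap.secret}"
    body=$(grep -v '^[[:space:]]*#' "$conf")
    uri=$(printf '%s\n' "$body" | awk '$1=="uri"{print $2}')
    ssl=$(printf '%s\n' "$body" | awk '$1=="ssl"{print $2}')
    case "$uri" in
        ldap://*) [ "$ssl" = "start_tls" ] ||
            echo "RISK: $uri without 'ssl start_tls': binds and passwd changes cross the network in clear" ;;
        ldaps://*|ldapi://*) ;;
        *) echo "RISK: no usable uri in $conf" ;;
    esac
    # Encryption alone is not enough: the server certificate must be verified.
    if [ "$ssl" = "start_tls" ] || [ "${uri#ldaps://}" != "$uri" ]; then
        printf '%s\n' "$body" | grep -q '^tls_checkpeer[[:space:]]*yes' ||
            echo "RISK: TLS in use but tls_checkpeer is not 'yes': server certificate is not verified"
    fi
    # pam_password md5 hashes new passwords client-side with unsalted MD5;
    # exop lets the server apply its own policy and hashing scheme.
    printf '%s\n' "$body" | grep -q '^pam_password[[:space:]]*md5' &&
        echo "RISK: pam_password md5: unsalted MD5 set by the client, prefer 'pam_password exop' over TLS"
    # rootbinddn makes pam_ldap read the admin password from SECRET, so that
    # file must be mode 0600 (as the ls -l output above shows).
    if printf '%s\n' "$body" | grep -q '^rootbinddn'; then
        if [ ! -f "$secret" ]; then
            echo "RISK: rootbinddn set but $secret is missing"
        elif [ "$(ls -l "$secret" | cut -c5-10)" != "------" ]; then
            echo "RISK: $secret is group/world readable ($(ls -l "$secret" | cut -c1-10))"
        fi
    fi
}

# Constructed sample reproducing the config this page ends up with.
demo() {
    d=$(mktemp -d)
    printf 'base dc=myorg,dc=net\nuri ldap://172.16.100.21\nldap_version 3\n' > "$d/ldap.conf"
    printf 'rootbinddn cn=admin,dc=myorg,dc=net\npam_password md5\n' >> "$d/ldap.conf"
    printf 'x-x-x-x-x\n' > "$d/ldap.secret"; chmod 644 "$d/ldap.secret"
    audit_ldap_conf "$d/ldap.conf" "$d/ldap.secret"
    rm -rf "$d"
}
demo
```

    Run it against the real files as root (audit_ldap_conf /etc/ldap.conf) once the client is configured; an empty result means none of the checked weaknesses is present.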

  5. documentation
     
    http://documentation.fusiondirectory.org/en/documentation/authentification_base_ldap
     
    Connection between Linux and an LDAP server
    http://wiki.debian.org/LDAP
    http://www.rjsystems.nl/en/2100-d6-openldap-client.php
    PAM explanation
    http://www.rjsystems.nl/en/2100-pam-debian.php