Blame: LDAPAuthentication
Annotated edit history of LDAPAuthentication version 19, including all changes. View license author blame.
Rev Author # Line
18 JohnMcPherson 1 This is intended to be a brief guide to setting up [LDAP] authentication under Linux, mainly focusing on the bits that might trip you up. It isn't intended to be perfect -- a lot of the stuff is just the way I've done things and it works for me. Although I've noticed several of the guides around the internet give you a few different ways to do things anyway.
15 PerryLorier 2
3 __Installing the LDAP Server__
4
5 Firstly, you'll want to install the LDAP server and get it running. Under Debian, you can simply apt-get install slapd. You may have to compile it or build it from source or whatever. If you want TLS (probably a good idea) under Debian, you'll have to build from source using a source deb or whatever. See LDAPNotes for details on how to do this.
6
7 Here you want to ensure you have included the correct schemas in your slapd.conf. I have the following, and they work. Samba isn't required unless you want to do tricky Samba LDAP auth (not covered here):
8
9 include /etc/ldap/schema/core.schema
10 include /etc/ldap/schema/cosine.schema
11 include /etc/ldap/schema/nis.schema
12 include /etc/ldap/schema/inetorgperson.schema
13 include /etc/ldap/schema/samba.schema
14 include /etc/ldap/schema/rfc822.schema
15
16 Now, rfc822.schema is a tricky one. I noticed the migration tools (next section) wanted to do stuff that needed this. Bear in mind that if all you want is simple password auth off ldap, this probably isn't needed, but I didn't have time to play with the migration tools to exclude it, and you can just delete irrelevant sections later. Here are the contents of my rfc822.schema, which I discovered in a mailing list archive:
17
18 attributetype
19 ( 1.3.6.1.4.1.42.2.27.2.1.15
20 NAME 'rfc822MailMember'
21 DESC 'rfc822 mail address of group member(s)'
22 EQUALITY caseIgnoreIA5Match
23 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
24 )
25 objectclass
26 ( 1.3.6.1.4.1.42.2.27.1.2.5
27 NAME 'nisMailAlias'
28 SUP top STRUCTURAL
29 DESC 'NIS mail alias'
30 MUST cn
31 MAY rfc822MailMember
32 )
33
34 Seemed to work for me, or at least, it stopped the migration script from barfing halfway through.
35
36 Update: /etc/ldap/schema/rfc822.schema is a subset of /etc/ldap/schema/misc.schema. You can either use rfc822.schema as shown above or add:
37 include /etc/ldap/schema/misc.schema
38 at the top of the /etc/ldap/slapd.conf file. Then restart slapd.
39
40 You also want to make sure you've got the correct ACLs. Something like this is required to let the admin see the shadowed crypted passwords, and nobody else:
41
42 access to attribute=userPassword
43 by dn="cn=admin,dc=wlug,dc=org,dc=nz" write
44 by anonymous auth
45 by self write
46 by * none
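To check what a directive like the one above actually grants, here is an added example (not part of the original page, and not OpenLDAP code) that models slapd's evaluation order: the first matching "access to" directive, then its first matching "by" clause, decides the level, and an unmatched attribute falls back to slapd's built-in default of read. The requester DNs and the second, misordered directive are constructed for the illustration.

```python
import shlex

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The directive from this page.
PAGE_ACL = """\
access to attribute=userPassword
        by dn="cn=admin,dc=wlug,dc=org,dc=nz" write
        by anonymous auth
        by self write
        by * none
"""

# Same clauses, wrong order (constructed): the catch-all is consulted first and wins.
MISORDERED_ACL = """\
access to attribute=userPassword
        by * none
        by dn="cn=admin,dc=wlug,dc=org,dc=nz" write
        by anonymous auth
        by self write
"""


def norm_dn(dn):
    """Case-fold and strip spaces so 'CN=Admin, dc=wlug' equals 'cn=admin,dc=wlug'."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def parse_access(text):
    """Parse 'access to <what>' directives with their 'by <who> <level>' clauses.
    Supports <what> = '*' or attrs=/attribute=<list>; <who> = *, anonymous,
    users, self, dn=<exact dn>. Returns a list of (attrs-or-None, [(who, level)])."""
    acls = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # shlex strips the quotes around the dn
        if not tokens:
            continue
        if tokens[:2] == ["access", "to"]:
            what = tokens[2]
            if what == "*":
                attrs = None
            elif what.startswith(("attrs=", "attribute=")):
                attrs = {a.strip().lower() for a in what.split("=", 1)[1].split(",")}
            else:
                raise ValueError(f"unsupported <what>: {what}")
            acls.append((attrs, []))
        elif tokens[0] == "by" and len(tokens) == 3 and tokens[2] in LEVELS:
            acls[-1][1].append((tokens[1], tokens[2]))
        else:
            raise ValueError(f"cannot parse: {raw!r}")
    return acls


def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(target_dn)
    if who.startswith("dn="):
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(who[3:])
    raise ValueError(f"unsupported <who>: {who}")


def access_level(acls, requester_dn, target_dn, attr):
    """Level granted to requester_dn on attr of target_dn: the first matching
    'access to' directive, then its first matching 'by' clause, decides."""
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"     # directive matched but no clause did: deny
    return "read"         # no directive applies: slapd's built-in default is read


def allows(granted, needed):
    """True if the granted level is at least the one the operation needs."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


if __name__ == "__main__":
    acls = parse_access(PAGE_ACL)
    user = "uid=daniel,ou=People,dc=wlug,dc=org,dc=nz"
    for who in (None, "cn=admin,dc=wlug,dc=org,dc=nz", user,
                "uid=greig,ou=People,dc=wlug,dc=org,dc=nz"):
        print(who or "anonymous", "->", access_level(acls, who, user, "userPassword"))
```

The "auth" level for anonymous is exactly what a simple bind needs (slapd may compare the supplied password against the stored hash) while still refusing to return the hash in a search; the misordered variant shows that the admin loses write access as soon as "by * none" is listed first.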
47
48
49 __Migrating your Configuration__
50
17 GreigMcGill 51 Once slapd is up and running, after choosing a sensible base dn and so on (this is beyond the scope of this document -- does someone want to wiki setting up slapd? or I'll do it later), it's time to migrate your existing files. This is easiest done by using PADL's excellent [Migration Tools|http://www.padl.com/OSS/MigrationTools.html], or simply apt-get install migrationtools if you're lucky enough to be running Debian.
15 PerryLorier 52
53 Edit your migration_common.ph file and enter in the values appropriate for your setup. Under Debian, it'll be in /usr/share/migrationtools. Also, please do not set $EXTENDED_SCHEMA = 1 unless you really have the extended schemas. You'll want to pay attention to any gids/uids you want to ignore. It's probably a good idea to ignore 'system' users and groups. The defaults in Debian are users below 1000 (probably a good idea) and groups below 100. However, I have several groups I would consider 'system' groups (netsaint, etc, among others) at 101, 102... user groups don't start until 1000. So I suggest ignoring groups below 1000. Greig says this is inclusive, so maybe ignore below 999. Another issue I had was that if I tell it to ignore ANY groups, it ignores ALL the groups, so my groups ended up empty on my LDAP server (''This is to do with a bug in the migration script, which I'm surprised didn't leap out at you straight away. It was comparing the higher and lower GID settings with a variable called $uid -- which didn't exist. $gid was the one it was reading from the group file. This has been fixed in unstable, but it's not in stable (woody) nor ever will be I think -- DanielLawson'') (''The culprit lines are on lines 55 and 56 of migrate_group.pl and migrate_passwd.pl - change $uid to $gid'' -- TomHibbert). I had to tell it to ignore none and delete the ones I didn't want manually. Greig says this works for him under Woody and RH, but it certainly didn't work for me. [YMMV]. (''Also, you may run into a problem where migrate_all_online.sh barfs because it's trying to add the same entry twice. This happens when you have two entries of the same name (in my case news: root) in /etc/aliases''-- TomHibbert)
54
55 After you've configured this, run the script migrate_all_online.sh and let the tools do all the work. I had a few hiccups here, but that was mainly due to slapd being horribly misconfigured. If you have any problems you can't find solutions to, it's probably a good idea to restart slapd several times, or simply stop it for a while, and try again. I don't really know why, but this seemed to fix some of my problems magically.
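As an added example (not PADL's code, and not part of the original page), the following Python models what migrate_passwd.pl and migrate_group.pl produce from /etc/passwd and /etc/group: one posixAccount/shadowAccount entry per user under ou=People and one posixGroup per group under ou=Group, with the "ignore below" ranges applied. The sample passwd, shadow hash and group lines are constructed; the base dn is the one used on this page. The reproduce_bug switch in group_to_ldif reads the nonexistent uid field the way the buggy script compared $uid, which is why every group vanished once any ignore range was set.

```python
BASE_DN = "dc=wlug,dc=org,dc=nz"   # assumed base dn (the one used on this page)

# Constructed sample files; the hash is a placeholder, not a real credential.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
netsaint:x:101:101:netsaint:/var/lib/netsaint:/bin/false
daniel:x:1000:1000:Daniel Lawson:/home/daniel:/bin/bash
"""
SAMPLE_SHADOW = {"daniel": "$1$constructed$notARealHash"}   # name -> crypt(3) hash
SAMPLE_GROUP = """\
root:x:0:
netsaint:x:101:
users:x:1000:daniel,greig
"""


def parse_passwd(text):
    """Split passwd(5) lines into dicts; comments and blank lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append(dict(name=name, pw=pw, uid=int(uid), gid=int(gid),
                          gecos=gecos, home=home, shell=shell))
    return users


def parse_group(text):
    """Split group(5) lines into dicts with a member list."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, gid, members = line.split(":", 3)
        groups.append(dict(name=name, pw=pw, gid=int(gid),
                           members=[m for m in members.split(",") if m]))
    return groups


def passwd_to_ldif(users, shadow=None, ignore_uid_below=1000, base_dn=BASE_DN):
    """One entry per user, modelled on migrate_passwd.pl. Users with a uid
    below ignore_uid_below are treated as system accounts and left out."""
    shadow = shadow or {}
    out = []
    for u in users:
        if u["uid"] < ignore_uid_below:
            continue
        pw = shadow.get(u["name"], u["pw"])   # prefer the shadow hash when we have one
        out.append("\n".join([
            f"dn: uid={u['name']},ou=People,{base_dn}",
            f"uid: {u['name']}",
            f"cn: {u['gecos'] or u['name']}",
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
            "objectClass: shadowAccount",
            f"userPassword: {{crypt}}{pw}",
            f"loginShell: {u['shell']}",
            f"uidNumber: {u['uid']}",
            f"gidNumber: {u['gid']}",
            f"homeDirectory: {u['home']}",
            f"gecos: {u['gecos']}",
        ]) + "\n")
    return "\n".join(out)


def group_to_ldif(groups, ignore_gid_below=1000, base_dn=BASE_DN, reproduce_bug=False):
    """One posixGroup per group, modelled on migrate_group.pl. With
    reproduce_bug=True the range check reads a 'uid' key that group records
    do not have (the $uid/$gid mix-up the page describes); it evaluates as 0
    and therefore drops every group."""
    out = []
    for g in groups:
        value = g.get("uid", 0) if reproduce_bug else g["gid"]
        if value < ignore_gid_below:
            continue
        lines = [
            f"dn: cn={g['name']},ou=Group,{base_dn}",
            "objectClass: posixGroup",
            "objectClass: top",
            f"cn: {g['name']}",
            f"userPassword: {{crypt}}{g['pw']}",
            f"gidNumber: {g['gid']}",
        ] + [f"memberUid: {m}" for m in g["members"]]
        out.append("\n".join(lines) + "\n")
    return "\n".join(out)


if __name__ == "__main__":
    print(passwd_to_ldif(parse_passwd(SAMPLE_PASSWD), SAMPLE_SHADOW))
    print(group_to_ldif(parse_group(SAMPLE_GROUP)))
```

Feed the output to ldapadd as the rootdn; because the generated entries carry userPassword, the ACL on that attribute (see the slapd.conf section) is what keeps the hashes from being readable by anyone but the admin and the user themselves.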
56
57 __Setting up PAM__
58
18 JohnMcPherson 59 Next, you want to get [PAM] and [NSS] working. First, make sure you're on an OS that uses PAM. If you're not, complicated things happen. Fortunately, if you're using Linux, that shouldn't be a problem. You now want to install libpam-ldap and libnss-ldap. Under Debian, apt-get the packages. ('When Debconf asks you for Root login account, it's your rootdn.' --TomHibbert) Under anything else, either RPMs or source as usual. Now that you've done that, you get to configure a few files.
15 PerryLorier 60
61 /etc/ldap/ldap.conf tells LDAP clients where to access the LDAP server. Your slapd configuration may have already set this up for you. You probably want something like this:
62
63 BASE dc=wlug,dc=org,dc=nz
64 HOST 127.0.0.1
65
66 /etc/libpam_ldap.conf is the configuration file for the LDAP nameservice switch library and the LDAP PAM module. This file is relatively simple too -- when you installed it under Debian, all your configuration is probably done, but you should flip through it anyway.
67
68 host 127.0.0.1
69 base dc=wlug,dc=org,dc=nz
70 ldap_version 3
71 rootbinddn cn=admin,dc=wlug,dc=org,dc=nz
72 scope sub
73
74 ...and that should be all. Note, you need rootbinddn set, and a valid password for it in /etc/ldap.secret (at least, that's where it is under Debian...). This is because you can't see the crypted passwords on the LDAP server as anything other than admin. Also, scope sub is not included as part of the Debian default config, but I think it's a good idea to have it there. It sets the search scope to the whole subtree below the base DN. It may be a terrible idea to have it there.
75
18 JohnMcPherson 76 /etc/libnss-ldap.conf (see libnss-ldap.conf(5)) is the configuration file for the LDAP [NSS] library. You probably want it to contain something like this:
15 PerryLorier 77
78 host 127.0.0.1
79 base dc=wlug,dc=org,dc=nz
80 ldap_version 3
81 scope sub
82
83 Note the lack of rootbinddn: NSS doesn't need to bind as admin. Note, however, that if this file is readable only by root, users won't be able to resolve anything! As a solution, you can either install nscd(8), a caching daemon which runs as root (this is a good idea anyway, see later), or set this file world readable.
84
85 Now that that's done, you probably want to edit /etc/nsswitch.conf and tell it to look at your LDAP server by default. This is easily done: change the lines:
86
87 passwd: compat
88 group: compat
89 shadow: compat
90
91 (note that it may be 'files' or something else instead of 'compat', depending on your dist) to:
92
93 passwd: ldap files
94 group: ldap files
95 shadow: ldap files
96
97 ...and you should be looking at your LDAP server instead of files. Testing this is a little weird, and you should probably leave it until sometime after the next step...
98
99 __Setting up Application PAM LDAP Authentication__
100
101 Now is the time to set up LDAP authentication for individual PAM applications. In /etc/pam.d there are a whole lot of files controlling how PAM authentication works for various different applications. Edit the entries of those you want to authenticate off LDAP. The general rule I used was to look for anything authenticating off pam_unix.so and add the line:
102
103 xxx sufficient pam_ldap.so
104
105 ...above it, where xxx is whatever that field was for the pam_unix.so line. Bear in mind that where parameters are being passed to pam_unix.so (eg, password required pam_unix.so nullok obscure min=4 max=8 md5), pam_ldap.so may barf, so it's best to leave them off or experiment (carefully!).
106
107 A good idea is to do a service you can easily test first (say, pop3) and make sure everything's working. You could also temporarily delete your user or a user you care little about from /etc/passwd, /etc/shadow and /etc/group, to ensure that it really is getting things from LDAP. I'm not sure how much of a brilliant idea this is, but if you're careful it should be okay. DON'T REMOVE ROOT FROM /etc/passwd. root isn't in the ldap server.
108
109 So once you can telnet to the pop3 port and log on with pop3 against LDAP, start shifting some other services over, and test them as you go. Note that ssh likes to be restarted after you change its pam.d file; this caught me out. Be careful shifting things like 'login' over. :)
19 JohnMcPherson 110
111 Have a look at http://www.nerdcircus.org/wiki/LDAPClientPam for a few tips and tricks.
112
15 PerryLorier 113
114 __The End__
115
116 And that's it! After the services you want to use are shifted over, you're now running a system authenticating off LDAP. Delete your local users and leave the LDAP ones there. Don't delete user root, and don't put root on the LDAP server. It's probably not a good idea. Things may be going a little slowly, so you might want to install nscd(8) to speed things up, as it caches all ldap requests. To set up other machines to authenticate off this server, just perform the steps from "Setting up PAM" and onwards on the other machine, but using the IP of your real LDAP server instead of 127.0.0.1 (obviously).
117
118 __Troubleshooting__
119
120 1) Everything is working fine, but any authentication I do is REALLY slow. I expected some slowdown, but not this. What's wrong with my machine?
121
122 Actually, there isn't really any slowdown when using LDAP for authentication, even on very slow machines. I had this problem, and eventually discovered it was because I had turned loglevel up to around 40 in slapd.conf, which was causing pages of logs to spew out every time I touched the server, reducing it to running like a dog or some other slow running animal. Turn the logging off once you have everything working, and it's fine.
123
124 2) How can I tell if I'm really pulling information out of LDAP?
125
126 Make sure you have a user entry, or group entry, that is only in LDAP. Removing a user or group from your /etc/passwd or /etc/group is a good way of ensuring this. As said before, do NOT remove root.
127
128 Verify the user doesn't exist in /etc/passwd
129 # cat /etc/passwd | grep daniel
130 #
131
132 Now use getent to check that nsswitch can see the user
133 # getent passwd daniel
134 daniel:x:1000:1000:Daniel Lawson (LDAP):/home/daniel:/bin/bash
135 #
136
137 So this verifies that nsswitch can see the user. As long as you have your PAM setup appropriately, you should be able to log in as this user.
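The getent check above can be scripted so that it tells the four cases apart. This is an added example (not part of the original page): it compares the passwd or group file with what the NSS lookup (pwd.getpwnam / grp.getgrnam, which go through nsswitch.conf exactly like getent) returns, so an entry served only by libnss_ldap comes back as "nss-only", while one that is in the file but does not resolve points at a nsswitch.conf line that lost "files". The user and group names in the test are constructed.

```python
import grp
import pwd

# (found in the file, resolved by NSS) -> classification
_LABELS = {(True, True): "local", (False, True): "nss-only",
           (True, False): "file-only", (False, False): "missing"}


def _in_file(name, path):
    """True if `name` is the first field of some line in a passwd/group style file."""
    try:
        with open(path) as fh:
            return any(line.split(":", 1)[0] == name for line in fh if ":" in line)
    except FileNotFoundError:
        return False


def _classify(in_file, lookup):
    """Run the NSS lookup (raises KeyError when nothing resolves) and label the result."""
    try:
        lookup()
        resolvable = True
    except KeyError:
        resolvable = False
    return _LABELS[(in_file, resolvable)]


def account_source(name, passwd_path="/etc/passwd"):
    """'local', 'nss-only' (e.g. served by libnss_ldap), 'file-only' or 'missing'."""
    return _classify(_in_file(name, passwd_path), lambda: pwd.getpwnam(name))


def group_source(name, group_path="/etc/group"):
    """Same classification for a group, via getgrnam(3)."""
    return _classify(_in_file(name, group_path), lambda: grp.getgrnam(name))


def migration_report(users, groups, expected="nss-only"):
    """Names that did not end up where expected after the migration, with
    their actual source, so an empty dict means every name is LDAP-only."""
    report = {}
    for u in users:
        src = account_source(u)
        if src != expected:
            report["user " + u] = src
    for g in groups:
        src = group_source(g)
        if src != expected:
            report["group " + g] = src
    return report


if __name__ == "__main__":
    print(migration_report(["daniel", "root"], ["users"]))
```

Run it as an ordinary user as well as root: if libnss-ldap.conf is readable only by root, the same name will show as "nss-only" for root and "missing" for everybody else, which is the permission problem described under the NSS configuration.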
138
139 3) I can't access protocols / services / host / ethers / etc information after I migrated to LDAP / libnss_ldap
140
141 E.g., you can't do telnet hostname imap; you have to use the numeric port. Or you can't ping: it says unknown protocol icmp (see CommonErrors).
142
143 You (or your system package manager when you installed libnss_ldap) have probably told /etc/nsswitch.conf that your LDAP server is authoritative for these, whereas in fact it's not. Remove the bits for these databases that pertain to LDAP, and you should be fine. Or, set up the protocols / services / hosts / ethers or what have you groups in the LDAP tree correctly. Duh!
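The nsswitch.conf edit from the "Setting up PAM" section and this troubleshooting item are two halves of the same rule: only the databases you actually migrated (passwd, group, shadow) should consult ldap. As an added example (not part of the original page), the following rewrites a nsswitch.conf so those three lines read "ldap files" and reports, or optionally strips, any other database that still names ldap. The sample file is constructed, with "services" deliberately pointed at ldap to show the check firing.

```python
# Databases that should consult LDAP once passwd/group/shadow have been migrated.
USER_DATABASES = ("passwd", "group", "shadow")

# Constructed sample nsswitch.conf; 'services' has been pointed at ldap by mistake.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files ldap
ethers:         db files
"""


def rewrite_nsswitch(text, databases=USER_DATABASES, local="files", strip_others=False):
    """Return (new_text, notes). Each database in `databases` becomes
    'ldap <local> [remaining sources]', with 'compat' replaced by `local`.
    Any other database that lists ldap is reported in `notes` and, when
    strip_others is set, has the ldap source removed."""
    out, notes = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            out.append(line)
            continue
        db, rest = stripped.split(":", 1)
        db, sources = db.strip(), rest.split()
        if db in databases:
            extra = [s for s in sources if s not in ("ldap", "compat", local)]
            sources = ["ldap", local] + extra
        elif "ldap" in sources:
            if strip_others:
                sources = [s for s in sources if s != "ldap"]
                notes.append(f"{db}: removed ldap")
            else:
                notes.append(f"{db}: still consults ldap; drop it unless the tree holds {db} entries")
                out.append(line)
                continue
        else:
            out.append(line)
            continue
        out.append(f"{db}:".ljust(16) + " ".join(sources))
    return "\n".join(out) + "\n", notes


def sources_of(text):
    """Map database name -> list of sources, for checking a (rewritten) file."""
    result = {}
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and ":" in s:
            db, rest = s.split(":", 1)
            result[db.strip()] = rest.split()
    return result


if __name__ == "__main__":
    new_text, notes = rewrite_nsswitch(SAMPLE_NSSWITCH)
    print(new_text)
    print("\n".join(notes))
```

Lines the script does not understand (action specifiers such as [NOTFOUND=return] are kept in place but not interpreted) are copied through unchanged, and running it twice over its own output is a no-op, so it is safe to rerun after a package upgrade has touched the file.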
144
145
146 !!!RedHat Specific
147
148 This assumes you've migrated at least your /etc/{passwd,group,shadow} files into a working LDAP server and can browse this information using a client like gq (http://biot.com/gq/).
149
150 Configuring clients to authenticate off your [LDAP] server is pretty easy. Just run authconfig and select LDAP where necessary and enter in your server settings. It is advisable to enable TLS, as without it passwords are sent over your network in clear text.
151
152 The only "tweak" I made was to edit /etc/pam_ldap.conf to have the "pam_password" attribute set to "exop". In my experimentation I could only get the "clear", "crypt", and "exop" pam_password methods working. MD5 always failed. I think it might have had something to do with the way OpenLDAP & GQ were interacting when setting passwords encoded with MD5 though. You might have better luck. Anyway, when you use "pam_password exop" and then use passwd(1) to set your passwords in the LDAP directory, they are stored encrypted using the very secure SSHA algorithm.
153
16 PerryLorier 154 __Note:__ I think I discovered a bug in authconfig. If you run it multiple times it can bugger up your /etc/pam.d/system-auth file. It appears to append lines to the end of existing configurations. This is bad. You need to make sure your system-auth file is properly setup. It should look like this:
15 PerryLorier 155
156 auth required /lib/security/pam_env.so
157 auth sufficient /lib/security/pam_unix.so likeauth nullok
158 auth sufficient /lib/security/pam_ldap.so use_first_pass
159 auth required /lib/security/pam_deny.so
160
161 account required /lib/security/pam_unix.so
162 account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
163
164 password required /lib/security/pam_cracklib.so retry=3
165 password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
166 password sufficient /lib/security/pam_ldap.so use_authtok
167 password required /lib/security/pam_deny.so
168
169 session required /lib/security/pam_limits.so
170 session required /lib/security/pam_unix.so
171 session optional /lib/security/pam_ldap.so
172
173 Be aware that if you edit this file it is likely to be overwritten the next time you run authconfig.
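Both the Debian recipe ("xxx sufficient pam_ldap.so" above the pam_unix.so line) and the system-auth stack above rely on how Linux-PAM walks a stack, and the reason the account line needs the bracketed control rather than a plain "required" is easiest to see by running the rules. The following is an added example (not part of the original page, and not Linux-PAM code) that parses the auth and account lines of the system-auth file shown above, expands required/sufficient/optional into the action tables they stand for, and applies the ok/done/bad/die/ignore rules. The module return codes for each scenario are supplied by hand; the naive account stack is constructed for comparison.

```python
import re

# Module return codes used in the simulation (a subset of Linux-PAM's).
SUCCESS, AUTH_ERR, USER_UNKNOWN, SERVICE_ERR, PERM_DENIED = (
    "success", "auth_err", "user_unknown", "service_err", "perm_denied")

# The classic control keywords, written as the action tables they expand to.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The auth and account lines of the system-auth file from this page.
SYSTEM_AUTH = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""

# A constructed, naive account stack for comparison.
NAIVE_ACCOUNT = """\
account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
"""

LINE_RE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")


def parse_control(control):
    """Turn 'required' or '[success=ok default=bad]' into a return-code -> action table."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORDS[control]


def parse_stack(text, facility):
    """Collect the entries of one facility (auth, account, ...) as (table, module, args)."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fac, control, module, args = LINE_RE.match(line).groups()
        if fac == facility:
            stack.append((parse_control(control), module.rsplit("/", 1)[-1], args.split()))
    return stack


def run_stack(stack, results):
    """Walk the stack with Linux-PAM's ok/done/bad/die/ignore rules.
    results maps module file name -> the code that module returns; modules
    not listed return success, except pam_deny, which never succeeds.
    Returns the code the application sees."""
    impression, status = None, None          # None: nothing has decided yet
    for table, module, _args in stack:
        ret = AUTH_ERR if module == "pam_deny.so" else results.get(module, SUCCESS)
        action = table.get(ret, table.get("default", "bad"))
        if action in ("ok", "done"):
            # ok/done only override an undecided stack or an all-success one,
            # so an earlier 'required' failure is never masked.
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break                         # 'sufficient' short-circuits here
        elif action in ("bad", "die"):
            if impression != "negative":      # the first failure is the one reported
                impression, status = "negative", ret
            if action == "die":
                break
        # 'ignore': the module's result does not count
    return PERM_DENIED if impression is None else status


if __name__ == "__main__":
    auth = parse_stack(SYSTEM_AUTH, "auth")
    account = parse_stack(SYSTEM_AUTH, "account")
    # pam_unix has no local hash for an LDAP-only user, so it fails and is ignored.
    print("LDAP user, good password:", run_stack(auth, {"pam_unix.so": AUTH_ERR}))
    print("LDAP user, bad password: ", run_stack(auth, {"pam_unix.so": AUTH_ERR, "pam_ldap.so": AUTH_ERR}))
    print("local user, LDAP down:   ", run_stack(account, {"pam_ldap.so": SERVICE_ERR}))
```

Two things the trace makes visible: "sufficient" only ends the stack when nothing before it has failed, which is why the "required pam_env.so" line still matters, and a local-only user (pam_ldap returns user_unknown in the account phase) passes with the bracketed control but would be refused by the naive "required pam_ldap.so", as would everyone while the LDAP server is unreachable.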
174
175 Authconfig also edits your /etc/nsswitch.conf file to enable looking up users and groups via LDAP. You shouldn't need to edit this file unless you also want to add things like aliases, networks, and ethers etc into your LDAP tree.
176
177
178 !!!SASL Notes
179
180 If you are using any tools that link against libsasl (and openldap2 is one of them, by default), and are trying to use any services that also link against libsasl, you'll probably run into an issue where the calling application (eg, Cyrus IMAPd) dies with SIGSEGV (SIG11, Segmentation Fault). This is to do with a non-rentrant bug in libsasl. See [SASLNotes] for more information