This is intended to be a brief guide to setting up LDAP authentication under Linux, mainly focusing on the bits that might trip you up. It isn't intended to be perfect -- a lot of the stuff is just the way I've done things and it works for me. Although I've noticed several of the guides around the internet give you a few different ways to do things anyway.

Installing the LDAP Server

Firstly, you'll want to install the LDAP server and get it running. Under Debian, you can simply apt-get install slapd. You may have to compile it or build it from source or whatever. If you want TLS (probably a good idea) under Debian, you'll have to build from source using a source deb or whatever. See LDAPNotes for details on how to do this.

Here you want to ensure you have included the correct schemas in your slapd.conf. I have the following, and they work. Samba isn't required unless you want to do tricky Samba LDAP auth (not covered here)

include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/rfc822.schema

Now, rfc822.schema is a tricky one. I noticed the migration tools (next section) wanted to do stuff that needed this. Bear in mind that if all you want is simple password auth off ldap, this probably isn't needed, but I didn't have time to play with the migration tools to exclude it, and you can just delete irrelevant sections later. Here are the contents of my rfc822.schema, which I discovered in a mailing list archive

attributetype

( 1.3.6.1.4.1.42.2.27.2.1.15

NAME 'rfc822MailMember' DESC 'rfc822 mail address of group member(s)' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

)

objectclass

( 1.3.6.1.4.1.42.2.27.1.2.5

NAME 'nisMailAlias' SUP top STRUCTURAL DESC 'NIS mail alias' MUST cn MAY rfc822MailMember

)

Seemed to work for me, or at least, it stopped the migration script from barfing halfway through.

You also want to make sure you've got the correct ACLs. Something like this is required to let the admin see the shadowed crypted passwords, and nobody else

access to attribute=userPassword,ntPassword,lmPassword,pwdlastset,shadowlastcha

by dn="cn=admin,o=niche,c=nz" write by anonymous auth by self write by * none

Migrating your Configuration

Once slapd is up and running, after choosing a sensible base dn and so on (this is beyond the scope of this document -- does someone want to wiki setting up slapd? or I'll do it later), it's time to migrate your existing files. This is easiest done by using PADL's excellent MigrationTools?. See http://www.padl.com/OSS/MigrationTools.html for them, or simply apt-get install migrationtools if you're lucky enough to be running Debian.

Edit your migration_common.ph file and enter in the values appropriate for your setup. Under Debian, it'll be in /usr/share/migrationtools. You'll want to pay attention to any gids/uids you want to ignore. It's probably a good idea to ignore 'system' users and groups. The defaults in Debian are users below 1000 (probably a good idea) and groups below 100. However, I have several groups I would consider 'system' groups (netsaint, etc, among others) at 101, 102... user groups don't start until 1000. So I suggest ignoring groups below 1000. Greig says this is inclusive, so maybe ignore below 999. Another issue I had was that if I tell it to ignore ANY groups, it ignores ALL the groups, so my groups ended up empty on my LDAP server. I had to tell it to ignore none and delete the ones I didn't want manually. Greig says this works for him under Woody and RH, but it certainly didn't work for me. YMMV.

After you've configured this, run the script migrate_all_online.sh and let the tools do all the work. I had a few hiccups here, but that was mainly due to slapd being horribly misconfigured. If you have any problems you can't find solutions to, it's probably a good idea to restart slapd several times, or simply stop it for a while, and try again. I don't really know why, but this seemed to fix some of my problems magically.

Setting up PAM

Next, you want to get PAM and NSS working. First, make sure you're on an OS that uses PAM. If you're not, complicated things happen. Fortunately, if you're using Linux, that shouldn't be a problem. You now want to install libpam-ldap and libnss-ldap. Under Debian, apt-get the packages. Under anything else, either RPMs or source as usual. Now that you've done that, you get to configure a few files.

/etc/ldap/ldap.conf tells LDAP clients where to access the LDAP server. Your slapd configuration may have already set this up for you. You probably want something like this

BASE dc=wlug,dc=org,dc=nz HOST 127.0.0.1

/etc/libpam_ldap.conf is the configuration file for the LDAP nameservice switch library and the LDAP PAM module. This file is relatively simple too -- when you installed it under Debian, all your configuration is probably done, but you should flip through it anyway.

host 127.0.0.1 base dc=wlug,dc=org,dc=nz ldap_version 3 rootbinddn cn=admin,dc=wlug,dc=org,dc=nz scope sub

...and that should be all. Note, you need rootbinddn to get set, and a valid password for it in /etc/ldap.secret (at least, that's where it is under Debian...). This is because you can't see the crypted passwords on the LDAP server as anything other than admin. Also, scobe sub is not included as part of the Debian default config, but I think it's a good idea to have it there. It sets the search scope to all subdirectories. It may be a terrible idea to have it there.

/etc/libnss-ldap.conf is the configuration file for the LDAP NSS library. You probably want it to contain something like this

host 127.0.0.1 base o=niche,c=nz ldap_version 3 scope sub

Note the lack of rootbinddn, nss doesn't need to bind as admin. Note, however, that if this file is readable only by root, users won't be able to resolve anything! As a solution, you can either install nscd?, a caching daemon which runs as root (this is a good idea anyway, see later) or set this file world readable.

Now that that's done, you probably want to edit /etc/nsswitch.conf and tell it to look at your LDAP server by default. This is done easily enough, change the lines

passwd: compat group: compat shadow: compat

(note that it may be 'files' or something else instead of 'compat', depending on your dist) to

passwd: ldap files group: ldap files shadow: ldap files

...and you should be looking at your ldap server instead of files. Testing this is a little weird, and you should probably leave it til sometime after the next step...

Setting up Application PAM LDAP Authentication

Now is the time to set up LDAP authentication for individual PAM applications. In /etc/pam.d there are a whole lot of files controlling how PAM authentication works for various different applications. Edit the entries of those you want to authenticate off LDAP. The general rule I used was to look for anything authenticating off pam_unix.so and add the line:

xxx sufficient pam_ldap.so

...above it, where xxx is whatever that field was for the pam_unix.so line. Bear in mind that where parameters are being passed to pam_unix.so (eg, password required pam_unix.so nullok obscure min=4 max=8 md5), pam_ldap.so may barf, so it's best to leave them off or experiment (carefully!).

A good idea is to do a service you can easily test first (say, pop3) and make sure everything's working. You could also temporarily delete your user or a user you care little about from /etc/passwd, /etc/shadow and /etc/group, to ensure that it really is getting things from LDAP. I'm not sure how much of a brilliant idea this is, but if you're careful it should be okay. DON'T REMOVE ROOT FROM /etc/passwd. root isn't in the ldap server.

So once you can telnet to the pop3 port and log on with pop3 against LDAP, start shifting some other services over, and test them as you go. Note that ssh likes to be restarted after you change it's pam.d file, this caught me out. Be careful shifting things like 'login' over. :)

The End

And that's it! After the services you want to use are shifted over, you're now running a system authenticating off LDAP. Delete your local users and leave the LDAP ones there. Don't delete user root, and don't put root on the LDAP server. It's probably not a good idea. Things may be going a little slowly, so you might want to install nscd? to speed things up, as it caches all ldap requests. To set up other machines to authenticate off this server, just perform the steps from "Setting up PAM" and onwards on the other machine, but using the IP of your real LDAP server instead of 127.0.0.1 (obviously).