KubuntuLdapAuth: Difference between revisions

From LLL
Revision as of 06:43, 6 November 2007

In order to set up authentication via LDAP, the following steps need to be performed:


1. Install the packages:

apt-get install libnss-ldap

Usually, this also pulls in libpam-ldap automatically.

2. For debugging purposes, also install ldap-utils.

3. Configure libnss-ldap

libnss-ldap is configured using the /etc/ldap.conf file (not to be confused with /etc/ldap/ldap.conf, which is the general LDAP client configuration file).

The following settings need to be added/changed:

Set your server's URL:

uri ldaps://192.168.1.1/

Disable the host setting (because we specified a URI, a hostname is not needed):

# host 127.0.0.1

Set your DN:

base dc=lll,dc=lu
nss_base_passwd ou=People,dc=org,dc=lu
nss_base_shadow ou=People,dc=org,dc=lu
nss_base_group ou=Group,dc=org,dc=lu

Disable initgroups lookups for the local users needed during startup (without this, the machine will hang at boot: libnss-ldap tries to log its lookup failures for the groups of local users via syslog, but syslog itself is hung because it uses libnss-ldap as well):

nss_initgroups_ignoreusers root,syslog,klog

4. If you're using SSL without a real (CA-signed) certificate, disable the certificate check.

This needs to be done in /etc/ldap/ldap.conf:

TLS_REQCERT never

5. Activate it in /etc/nsswitch.conf:

NSS is used for user and group lookups (as needed by id, ls -l, etc.):

passwd:     compat ldap
group:      compat ldap

6. Test NSS:

Run id someremoteuser and then id somelocaluser.

If both succeed, your NSS setup is OK.

7. Activate it in PAM

PAM handles authentication; it must be configured for LDAP so that network users can log in.

Two files (at minimum) need to be changed: /etc/pam.d/common-auth and /etc/pam.d/common-account.

The first handles the verification of the user's password, whereas the second decides whether that user (whose identity is already established at that point) is allowed to connect (there could be restrictions, such as login only allowed at certain times for certain users, etc.).

By default these contain only one line describing local authentication. This needs to be kept (but its required keyword replaced by a sufficient keyword), and a new line for LDAP should be added. The change to sufficient is needed because we want to allow users that are known locally or remotely. Indeed, with sufficient, the chain succeeds (without continuing) if the rule succeeds, and continues otherwise, whereas with required, the chain fails (without continuing) if the rule fails, and continues otherwise.

However, due to a bug, the last rule must be required; otherwise the user may log in with any password they make up.

In common-auth, you'd have:

auth       sufficient          pam_unix.so nullok_secure
auth       required            pam_ldap.so use_first_pass

use_first_pass instructs pam_ldap to re-use the password the user already entered for local authentication, rather than prompting for another one.

The same idea applies to common-account:

acct       sufficient          pam_unix.so
acct       required            pam_ldap.so
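To make the sufficient/required semantics above concrete, here is an added example (not code from this wiki page or from Linux-PAM) that evaluates a login attempt against both variants of the common-auth stack: the weak one with pam_ldap.so as sufficient and the recommended one with pam_ldap.so as required. The credential stores and user names are constructed for the example; the evaluator implements the control-flag rules exactly as the page states them.

```python
# Added example, not code from this page or from Linux-PAM: a toy evaluator
# for the control flags as the page describes them, run over the two
# common-auth stacks the page compares.
# Constructed credential stores standing in for /etc/shadow and ou=People.
LOCAL_USERS = {"alice": "local-pw"}
LDAP_USERS = {"bob": "ldap-pw"}


def pam_unix(user, password):
    """Succeeds only for a local account with the right password."""
    return LOCAL_USERS.get(user) == password


def pam_ldap(user, password):
    """Succeeds only for an LDAP account with the right password
    (use_first_pass: it sees the same password pam_unix already saw)."""
    return LDAP_USERS.get(user) == password


def evaluate_stack(rules, user, password):
    """Walk the stack top to bottom; return 'success', 'failure' or 'no verdict'.

    sufficient: success ends the chain with success; failure just continues.
    required:   failure ends the chain with failure; success continues and
                counts as the result if the end of the stack is reached.
    Reaching the end with no required rule having passed leaves the outcome
    undecided ('no verdict'): the state the page warns about when the last
    rule is not 'required'.
    """
    required_passed = False
    for flag, module in rules:
        ok = module(user, password)
        if flag == "sufficient" and ok:
            return "success"
        if flag == "required":
            if not ok:
                return "failure"
            required_passed = True
    return "success" if required_passed else "no verdict"


# The stack the page rejects (pam_ldap only sufficient) and the one it keeps.
WEAK_AUTH = [("sufficient", pam_unix), ("sufficient", pam_ldap)]
FIXED_AUTH = [("sufficient", pam_unix), ("required", pam_ldap)]


def compare_stacks(user, password):
    """Outcome of one login attempt under both stacks."""
    return {"weak": evaluate_stack(WEAK_AUTH, user, password),
            "fixed": evaluate_stack(FIXED_AUTH, user, password)}
```

With the weak stack, a wrong password or an unknown user leaves the chain without any rule having decided, which is the ambiguous end state that the page reports turned into a successful login on its system; with pam_ldap.so as required, the same attempts end in an explicit failure. The same reasoning applies to the acct lines in common-account.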

8. Test it by logging in as a remote user, and then as a local user.