KubuntuLdapAuth: Difference between revisions

From LLL
(Import from phpWiki)
 
(Remove instruction to ignore certificate validity)
 
(8 intermediate revisions by 2 users not shown)
Line 5: Line 5:


<pre>
<pre>
apt-get install libnss-ldap
apt-get install libpam-ldapd libnss-ldapd nss-updatedb libnss-db nscd nslcd ldap-utils
</pre>
</pre>


Usually, this should also pull in libpam-ldap automatically
Respond to the questions as follows:
 
* URI of the LDAP server to use: <code>ldaps://ldap/ or ldaps://192.168.178.2/</code>
* Distinguished name of the LDAP search base: <code>dc=infoladen,dc=org,dc=lu</code>
* LDAP version to use: <code>3</code>
* Make local root database admin: <code>No</code>
* Does the LDAP database require login?: <code>No</code>


2. For debugging purposes, also install ldap-utils
2. For debugging purposes, also install ldap-utils
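Review bot: step 2 ("For debugging purposes, also install ldap-utils") becomes redundant with this hunk, because the new apt-get line already lists ldap-utils; either drop step 2 or reword it to say the package was installed in step 1. The new line also switches from libnss-ldap to libpam-ldapd/libnss-ldapd/nslcd, but the removed sentence about libpam-ldap being pulled in automatically is not replaced by any statement about which PAM module the new packages provide.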
Line 14: Line 20:
3. Configure libnss-ldap
3. Configure libnss-ldap


libnss-ldap is configured using the <code>/etc/ldap.conf</code> file (not to be confused with =/etc/ldap/ldap.conf"which is the ''general'' LDAP configuration file)
libnss-ldap is configured using the <code>/etc/ldap.conf</code> file (not to be confused with <code>/etc/ldap/ldap.conf</code>, which is the ''general'' LDAP configuration file)


The following settings need to be added/changed:
The following settings need to be added/changed if not already done so by interactive dialog while installing libnss-ldap:


Set your server's URL:
Set your server's URL:
<pre>
<pre>
uri ldaps://192.168.1.1/
uri ldaps://ldap.infoladen.org.lu/
</pre>
</pre>


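Review bot: the heading and text of step 3 still say libnss-ldap and /etc/ldap.conf, while the package list in the previous hunk now installs libnss-ldapd, which resolves lookups through the nslcd daemon rather than through /etc/ldap.conf; the text should name the configuration file that belongs to the packages actually installed, or the package list should match this step. The new URI example (ldaps://ldap.infoladen.org.lu/) is fine but no longer agrees with the ldaps://ldap/ or ldaps://192.168.178.2/ answers suggested in step 1.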
Line 31: Line 37:
<pre>
<pre>
base dc=lll,dc=lu
base dc=lll,dc=lu
nss_base_passwd ou=People,dc=org,dc=lu
nss_base_shadow ou=People,dc=org,dc=lu
nss_base_group ou=Group,dc=org,dc=lu
</pre>
</pre>


Disable initgroups for local users needed during startup (without this, machine will hang at boot, because libnss''ldap will try to log its lookup failures for the groups of local users, but syslog itself is hung because it uses libnss''ldap itself)
The setting below will have to be done always:
 
Disable initgroups for local users needed during startup (without this, machine will hang at boot, because <code>libnss_ldap</code> will try to log its lookup failures for the groups of local users, but syslog itself is hung because it uses <code>libnss_ldap</code> itself)


<pre>
<pre>
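Review bot: the search base kept here (base dc=lll,dc=lu) does not match the base DN answered in step 1 (dc=infoladen,dc=org,dc=lu), and the removed nss_base_passwd/shadow/group lines used a third suffix (dc=org,dc=lu); the page should settle on one base DN or say explicitly that the examples come from different installations, otherwise a reader copying both steps ends up with lookups against two different trees.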
Line 42: Line 47:
</pre>
</pre>


4. If you're using SSL, but without a real certificate, disable certificate check
This does of course not need to be (re)done if the file already contains an ignoreusers line with at least these 3 users.
 
4. Configure the list of CA certificates against which certificates will be verified


This needs to be done in <code>/etc/ldap/ldap.conf</code> :
This needs to be done in <code>/etc/ldap/ldap.conf</code> :


<pre>
<pre>
TLS_REQCERT never
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
</pre>
</pre>


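Review bot: replacing TLS_REQCERT never with TLS_CACERT is the right fix, but the hunk does not tell readers who followed the previous revision to delete the TLS_REQCERT never line they already have; TLS_CACERT only supplies the trust anchor, and an explicit TLS_REQCERT never left in /etc/ldap/ldap.conf still disables certificate verification (when the keyword is absent the OpenLDAP client defaults to demand). Suggest adding "remove any TLS_REQCERT never line, or set TLS_REQCERT demand", plus a quick ldapsearch over ldaps:// (ldap-utils is installed in step 1) to confirm the connection succeeds only when the server certificate chains to a CA in that bundle.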
Line 70: Line 77:


Two files (at minimum) need to be changed, <code>/etc/pam.d/common-auth</code> and <code>/etc/pam.d/common-account</code>).
Two files (at minimum) need to be changed, <code>/etc/pam.d/common-auth</code> and <code>/etc/pam.d/common-account</code>).
On recent Kubuntu versions (>= 10.04), this is automatically performed by the <tt>pam-auth-update</tt> utility, the rest of this section only applies to older versions which don't have this yet.


The first handles the verification of the user's password, whereas the second decides whether that user (whose identity is already established at that point) is allowed to connect (there could be restriction, such as login only allowed on certain times for certain users, etc.)
The first handles the verification of the user's password, whereas the second decides whether that user (whose identity is already established at that point) is allowed to connect (there could be restriction, such as login only allowed on certain times for certain users, etc.)


By default these contain only one line describing local authentication. This needs to be kept (but its <code>required</code> keyword replaced by a <code>sufficient</code> keyword), and a new line for LDAP should be added. The change to <code>sufficient</code> is needed because we want to allow user&#347; that are known locally ''or'' remotely.
By default these contain only one line describing local authentication. This needs to be kept (but its <code>required</code> keyword replaced by a <code>sufficient</code> keyword), and a new line for LDAP should be added. The change to <code>sufficient</code> is needed because we want to allow users that are known locally ''or'' remotely. Indeed, with <code>sufficient</code>, the chain succeeds (without continuing) if the rule succeeds, and continues otherwise, whereas with <code>required</code>, the chain fails (without continuing) if the rule fails, and continues otherwise.
 
However, due to a bug, the last rule must have required, or else the user may log in with any old password that he can make up...


In common-auth, you'd have:
In common-auth, you'd have:
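Review bot: the sentence "due to a bug, the last rule must have required" names no bug report and no affected version, so a reader on a later release cannot tell whether the workaround still applies; add a reference. The added note that on Kubuntu >= 10.04 pam-auth-update does this automatically says "the rest of this section only applies to older versions", yet step 9 later on this page edits the very line pam-auth-update generates, so "the rest of this section" should be narrowed to the manual editing of common-auth and common-account.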
Line 79: Line 90:
<pre>
<pre>
auth      sufficient          pam_unix.so nullok_secure
auth      sufficient          pam_unix.so nullok_secure
auth      sufficient         pam_ldap.so use_first_pass
auth      required            pam_ldap.so use_first_pass
</pre>
 
In common-account, you'd have:
 
<pre>
account sufficient     pam_unix.so
account required        pam_ldap.so use_first_pass
</pre>
</pre>


<code>use''first''pass</code> instructs pam_ldap to re-use the same password as the user already entered for local authentication, rather than prompt for another one.
<code>use_first_pass</code> instructs pam_ldap to re-use the same password as the user already entered for local authentication, rather than prompt for another one.


Same idea for common-account
Same idea for common-account
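Review bot: the new common-account block passes use_first_pass to pam_ldap.so, but that argument only has meaning in the auth stack (it tells the module to reuse the password already collected); the account type never asks for a password, so drop it from the "account required pam_ldap.so" line to avoid suggesting it does something there. The common-auth change (pam_ldap.so now required instead of sufficient) does match what the prose above demands for the last rule.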
Line 88: Line 106:
<pre>
<pre>
acct      sufficient          pam_unix.so
acct      sufficient          pam_unix.so
acct      sufficient          pam_ldap.so
acct      required            pam_ldap.so
</pre>
 
8. Set up NFS mount for /home
 
Install nfs:
<pre>
apt-get install nfs-common
</pre>
 
Insert the following line (replace server IP as appropriate) into <code>/etc/fstab</code>:
 
<pre>
192.168.178.2:/home    /home  nfs    async,intr,soft,nolock
</pre>
 
Then mount home. You might first need to move a pre-existing home directory with local users out of the way:
<pre>
mv /home /lhome
mkdir /home
mount /home
</pre>
 
9. Make sure minuid setting is adapted to your server system
 
By default, <tt>pam-auth-update</tt> leaves the following into <tt>/etc/pam.d/common-auth</tt>:
 
<pre>
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
</pre>
 
This means that the LDAP client will only recognize server users whose id is greater than or equal 1000. If your servers has (non-system) users with lower ids, adjust this setting accordingly:
 
<pre>
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=500 use_first_pass
</pre>
</pre>


8. Test it by logging in as a remote user, and then as a local user.
 
10. Test it by logging in as a remote user, and then as a local user.
 
 
11. On an LLL system, "student" users have a non-writable home directory. In order to allow them to log in using KDE to clients, you must point KDE to a different location:
 
Near the top of <code>/etc/kde3/kdm/Xsession</code> (for instance after the initial comment), insert the following snippet:
 
<pre>
if [ ! -w $HOME ] ; then
HOME=$HOME/linuxhome
fi
</pre>
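Review bot: the "Same idea for common-account" block uses acct as the type field, but Linux-PAM recognises only auth, account, session and password, so a line starting with acct is rejected as a configuration error; it should read account, like the block added earlier in this revision, and the two now-duplicate blocks should be merged into one. A smaller point on the fstab line: mounting /home with soft turns an NFS server timeout into an I/O error seen by the user's applications, which for home directories usually means lost writes, so the page should say why it prefers soft over the customary hard mount.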

Latest revision as of 22:31, 17 January 2021

In order to set up authentication via LDAP, the following steps need to be performed:


1. Install the packages:

apt-get install libpam-ldapd libnss-ldapd nss-updatedb libnss-db nscd nslcd ldap-utils

Respond to the questions as follows:

  • URI of the LDAP server to use: ldaps://ldap/ or ldaps://192.168.178.2/
  • Distinguished name of the LDAP search base: dc=infoladen,dc=org,dc=lu
  • LDAP version to use: 3
  • Make local root database admin: No
  • Does the LDAP database require login?: No

2. For debugging purposes, also install ldap-utils

3. Configure libnss-ldap

libnss-ldap is configured using the /etc/ldap.conf file (not to be confused with /etc/ldap/ldap.conf, which is the general LDAP configuration file)

The following settings need to be added/changed if not already done so by interactive dialog while installing libnss-ldap:

Set your server's URL:

uri ldaps://ldap.infoladen.org.lu/

Disable the host setting (because we specified a URI, a hostname is not needed):

# host 127.0.0.1

Set your DN:

base dc=lll,dc=lu

The setting below will have to be done always:

Disable initgroups for local users needed during startup (without this, machine will hang at boot, because libnss_ldap will try to log its lookup failures for the groups of local users, but syslog itself is hung because it uses libnss_ldap itself)

nss_initgroups_ignoreusers root,syslog,klog

This does of course not need to be (re)done if the file already contains an ignoreusers line with at least these 3 users.

4. Configure the list of CA certificates against which certificates will be verified

This needs to be done in /etc/ldap/ldap.conf :

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
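To check that a client really ended up with the settings steps 3 and 4 call for, here are two small shell helpers written for this page (they are not from the wiki or from the LDAP packages). They read a configuration file on standard input, so they can be pointed at /etc/ldap/ldap.conf and /etc/ldap.conf; the hostnames and DNs in the embedded samples are placeholders I made up. The TLS check goes a little beyond the page: it also flags the allow and try values of TLS_REQCERT, which, like the never value an earlier revision of this page used, let a session proceed without a valid server certificate.

```shell
#!/bin/sh
# Added audit helpers (not part of the wiki page). Each reads a config file on stdin
# and reports on one of the settings the page calls out: the TLS trust anchor in
# /etc/ldap/ldap.conf and nss_initgroups_ignoreusers in /etc/ldap.conf.

# Classify the certificate-verification policy of an OpenLDAP client config on stdin.
#   lenient : TLS_REQCERT is never/allow/try, so a bad or missing server certificate
#             does not stop the connection (never is what the old revision used)
#   missing : no TLS_CACERT line, so there is no CA bundle to verify against
#   ok      : TLS_CACERT is set and TLS_REQCERT is absent (OpenLDAP defaults to
#             demand) or explicitly demand/hard
tls_policy() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    toupper($1) == "TLS_CACERT"  { cacert = 1 }
    toupper($1) == "TLS_REQCERT" { reqcert = tolower($2) }
    END {
      if (reqcert == "never" || reqcert == "allow" || reqcert == "try") print "lenient"
      else if (!cacert) print "missing"
      else print "ok"
    }'
}

# Print, comma-separated, the users named in $1 (comma-separated) that are NOT listed
# on the nss_initgroups_ignoreusers line of the config on stdin; prints an empty line
# when none are missing. The page requires at least root,syslog,klog.
ignoreusers_missing() {
  awk -v req="$1" '
    $1 == "nss_initgroups_ignoreusers" {
      n = split($2, have, ",")
      for (i = 1; i <= n; i++) seen[have[i]] = 1
    }
    END {
      m = split(req, want, ","); out = ""
      for (i = 1; i <= m; i++) if (!(want[i] in seen)) out = out (out == "" ? "" : ",") want[i]
      print out
    }'
}

# Constructed sample inputs (hostnames and DNs are placeholders, not the page's values).
SAMPLE_LDAP_CONF_NEW='# constructed /etc/ldap/ldap.conf following this page
BASE    dc=example,dc=invalid
URI     ldaps://ldap.example.invalid/
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
'
SAMPLE_LDAP_CONF_OLD='# constructed /etc/ldap/ldap.conf following the superseded revision
URI     ldaps://ldap.example.invalid/
TLS_REQCERT never
'
SAMPLE_NSS_CONF='# constructed /etc/ldap.conf with one ignoreuser missing
uri ldaps://ldap.example.invalid/
base dc=example,dc=invalid
nss_initgroups_ignoreusers root,syslog
'

# Stand-alone run over the samples; on a real client feed the files instead, e.g.
#   tls_policy < /etc/ldap/ldap.conf
#   ignoreusers_missing root,syslog,klog < /etc/ldap.conf
echo "new ldap.conf: $(printf '%s' "$SAMPLE_LDAP_CONF_NEW" | tls_policy)"
echo "old ldap.conf: $(printf '%s' "$SAMPLE_LDAP_CONF_OLD" | tls_policy)"
echo "missing ignoreusers: $(printf '%s' "$SAMPLE_NSS_CONF" | ignoreusers_missing root,syslog,klog)"
```

Both helpers ignore comment lines, so a commented-out `#TLS_REQCERT never` is (correctly) not counted as active, and the keyword comparison is case-insensitive because the OpenLDAP client treats ldap.conf keywords that way.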

5. Activate it in /etc/nsswitch.conf :

NSS is used for user lookups (as needed by id, ls -l, etc.)

passwd:     compat ldap
group:      compat ldap

6. Test NSS:

Run id someremoteuser, then id somelocaluser.

If both succeed, your NSS setup is OK.

7. Activate it in pam

PAM is needed for authenticating users, to allow network users to log in.

Two files (at minimum) need to be changed: /etc/pam.d/common-auth and /etc/pam.d/common-account.

On recent Kubuntu versions (>= 10.04), this is automatically performed by the pam-auth-update utility; the rest of this section only applies to older versions which don't have it yet.

The first handles the verification of the user's password, whereas the second decides whether that user (whose identity is already established at that point) is allowed to connect (there could be restrictions, such as login only being allowed at certain times for certain users, etc.)

By default these contain only one line describing local authentication. This needs to be kept (but its required keyword replaced by a sufficient keyword), and a new line for LDAP should be added. The change to sufficient is needed because we want to allow users that are known locally or remotely. Indeed, with sufficient, the chain succeeds (without continuing) if the rule succeeds, and continues otherwise, whereas with required, the chain fails (without continuing) if the rule fails, and continues otherwise.

However, due to a bug, the last rule must be required; otherwise the user could log in with any password they make up.

In common-auth, you'd have:

auth       sufficient          pam_unix.so nullok_secure
auth       required            pam_ldap.so use_first_pass

In common-account, you'd have:

account sufficient      pam_unix.so
account required        pam_ldap.so use_first_pass

use_first_pass instructs pam_ldap to re-use the same password as the user already entered for local authentication, rather than prompt for another one.

Same idea for common-account (the type field must be account; PAM does not recognize acct):

account    sufficient          pam_unix.so
account    required            pam_ldap.so

8. Set up NFS mount for /home

Install nfs:

apt-get install nfs-common

Insert the following line (replace server IP as appropriate) into /etc/fstab:

192.168.178.2:/home     /home   nfs     async,intr,soft,nolock

Then mount home. You might first need to move a pre-existing home directory with local users out of the way:

mv /home /lhome
mkdir /home
mount /home

9. Make sure minuid setting is adapted to your server system

By default, pam-auth-update leaves the following into /etc/pam.d/common-auth:

auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass

This means that the LDAP client will only recognize server users whose UID is greater than or equal to 1000. If your server has (non-system) users with lower UIDs, adjust this setting accordingly:

auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=500 use_first_pass
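The following shell helpers were added for this page (they are not from the wiki or from pam_ldap) to examine a common-auth stack as steps 7 and 9 describe it: they locate the last auth rule for pam_ldap.so, apply the two rules given above (the last LDAP rule must not be sufficient, and pam_ldap should get use_first_pass) and read out minimum_uid so it can be compared with the lowest UID on your server. The three embedded stacks are constructed samples; the pam-auth-update one is my approximation of its layout, not a file copied from a system.

```shell
#!/bin/sh
# Added helpers (not part of the wiki page) that inspect a common-auth stack read on
# stdin. Feed a real file with:  pam_ldap_verdict < /etc/pam.d/common-auth

# Print "<control>|<arguments>" for the last auth rule that uses pam_ldap.so, or
# nothing if there is none. Bracketed controls such as [success=1 default=ignore]
# contain spaces and therefore span several awk fields; they are joined back together.
pam_ldap_auth_rule() {
  awk '
    /^[ \t]*#/ || NF == 0 || $1 != "auth" { next }
    {
      ctl = $2; i = 3
      if (ctl ~ /^\[/) { while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ } }
      mod = $i; args = ""
      for (j = i + 1; j <= NF; j++) args = args (args == "" ? "" : " ") $j
      if (mod == "pam_ldap.so") { last_ctl = ctl; last_args = args }
    }
    END { if (last_ctl != "") print last_ctl "|" last_args }'
}

# Apply the page's two rules to the last pam_ldap auth rule:
#   absent                    - no pam_ldap.so auth rule at all
#   last-ldap-rule-sufficient - the page says the last LDAP rule must be required
#   missing-use_first_pass    - the user would be prompted a second time for the password
#   ok                        - control is not sufficient and use_first_pass is present
pam_ldap_verdict() {
  rule=$(pam_ldap_auth_rule)
  if [ -z "$rule" ]; then echo absent; return; fi
  ctl=${rule%%|*}
  args=${rule#*|}
  if [ "$ctl" = sufficient ]; then echo last-ldap-rule-sufficient; return; fi
  case " $args " in
    *" use_first_pass "*) echo ok ;;
    *) echo missing-use_first_pass ;;
  esac
}

# Print the minimum_uid value carried by the pam_ldap auth rule, or "unset" if the
# rule does not set one (pam_ldap then falls back to its own default).
pam_ldap_minimum_uid() {
  rule=$(pam_ldap_auth_rule)
  for a in ${rule#*|}; do
    case "$a" in minimum_uid=*) echo "${a#minimum_uid=}"; return ;; esac
  done
  echo unset
}

# Constructed sample stacks (not files copied from a system).
SAMPLE_AUTH_MANUAL='auth    sufficient    pam_unix.so nullok_secure
auth    required      pam_ldap.so use_first_pass
'
SAMPLE_AUTH_PAU='# constructed approximation of a pam-auth-update generated common-auth
auth    [success=2 default=ignore]    pam_unix.so nullok_secure
auth    [success=1 default=ignore]    pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                     pam_deny.so
auth    required                      pam_permit.so
'
SAMPLE_AUTH_WEAK='auth    sufficient    pam_unix.so nullok_secure
auth    sufficient    pam_ldap.so use_first_pass
'

# Stand-alone run over the samples.
for name in MANUAL PAU WEAK; do
  eval "stack=\$SAMPLE_AUTH_$name"
  echo "$name: $(printf '%s' "$stack" | pam_ldap_verdict), minimum_uid=$(printf '%s' "$stack" | pam_ldap_minimum_uid)"
done
```

The pam-auth-update layout passes the check because its `[success=1 default=ignore]` control is not `sufficient`: a failing pam_ldap is ignored and the stack falls through to pam_deny, which is the explicit final failure the page wants the `required` rule to provide in the hand-written layout.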


10. Test it by logging in as a remote user, and then as a local user.


11. On an LLL system, "student" users have a non-writable home directory. To allow them to log in to clients using KDE, you must point KDE to a different location:

Near the top of /etc/kde3/kdm/Xsession (for instance after the initial comment), insert the following snippet:

if [ ! -w "$HOME" ] ; then
	HOME="$HOME/linuxhome"
fi