KubuntuLdapAuth: Difference between revisions
AlainKnaff (talk | contribs) m (Typo)
AlainKnaff (talk | contribs) (Proofread, and adopted for 8.04)
Revision as of 13:53, 6 August 2008
In order to set up authentication via LDAP, the following steps need to be performed:
1. Install the packages:
apt-get install libnss-ldap
Usually, this should also pull in libpam-ldap automatically
Respond to the questions as follows:
- URI of the LDAP server to use: ldaps://ldap/ or ldaps://192.168.178.2/
- Distinguished name of the LDAP search base: dc=infoladen,dc=org,dc=lu
- LDAP version to use: 3
- Make local root database admin: No
- Does the LDAP database require login?: No
2. For debugging purposes, also install ldap-utils
3. Configure libnss-ldap
libnss-ldap is configured using the /etc/ldap.conf file (not to be confused with /etc/ldap/ldap.conf, which is the general LDAP configuration file).
The following settings need to be added or changed, unless the interactive dialog shown while installing libnss-ldap has already set them:
Set your server's URL:
uri ldaps://ldap.infoladen.org.lu/
Disable the hostname (because we specified a URI, host is not needed):
# host 127.0.0.1
Set your DN:
base dc=lll,dc=lu
The following setting always has to be made:
Disable initgroups for local users needed during startup (without this, the machine will hang at boot, because libnss_ldap will try to log its lookup failures for the groups of local users, but syslog itself is hung because it uses libnss_ldap too):
nss_initgroups_ignoreusers root,syslog,klog
4. If you're using SSL, but without a real certificate, disable the certificate check
This needs to be done in /etc/ldap/ldap.conf:
TLS_REQCERT never
5. Activate it in /etc/nsswitch.conf
NSS is used for user lookups (as needed by id, ls -l, etc.):
passwd: compat ldap
group: compat ldap
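A check of the settings from steps 3 to 5, as an added example that is not part of the wiki page: a Python script that parses constructed copies of /etc/ldap.conf, /etc/ldap/ldap.conf and /etc/nsswitch.conf and reports what deviates from the configuration described above. The sample file contents are made up to match the page; the "ssl start_tls" option the script accepts as an alternative to an ldaps:// URI is a libnss-ldap setting not mentioned on the page. The script also flags TLS_REQCERT never from step 4: with that setting the client accepts any server certificate, so it cannot tell a host impersonating the LDAP server from the real one, which is why the setting belongs only where a proper certificate is not yet available.

```python
"""Lint the settings from steps 3 to 5 (added example, not from the page).

The three config texts are constructed samples that mirror the page's
values; the file names are the page's own.
"""

# Constructed /etc/ldap.conf (libnss-ldap) after step 3.
SAMPLE_LDAP_CONF = """\
# host 127.0.0.1
uri ldaps://ldap.infoladen.org.lu/
base dc=lll,dc=lu
ldap_version 3
nss_initgroups_ignoreusers root,syslog,klog
"""

# Constructed /etc/ldap/ldap.conf (general OpenLDAP client file) after step 4.
SAMPLE_CLIENT_CONF = "TLS_REQCERT never\n"

# Constructed /etc/nsswitch.conf after step 5 (only the relevant lines).
SAMPLE_NSSWITCH = """\
passwd: compat ldap
group:  compat ldap
shadow: compat
"""

# Users that must resolve without LDAP during boot, per step 3.
BOOT_USERS = {"root", "syslog", "klog"}


def parse_kv(text):
    """Parse 'key value' lines. Blank and '#' lines are skipped; keys are
    lower-cased because both ldap.conf files ignore the case of keys."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_nss_ldap(text):
    """Problems in /etc/ldap.conf against steps 3 and 5."""
    s = parse_kv(text)
    problems = []
    uri = s.get("uri")
    if uri is None:
        problems.append("no uri set")
    elif not uri.startswith("ldaps://") and s.get("ssl", "").lower() != "start_tls":
        # 'ssl start_tls' is libnss-ldap's other way to get TLS (not on the page).
        problems.append("uri is not ldaps:// and start_tls is off: lookups go unencrypted")
    if "host" in s:
        problems.append("host is still set; comment it out when uri is used")
    if "base" not in s:
        problems.append("no base DN set")
    ignored = {u.strip() for u in s.get("nss_initgroups_ignoreusers", "").split(",")}
    missing = BOOT_USERS - ignored
    if missing:
        problems.append("nss_initgroups_ignoreusers is missing " + ",".join(sorted(missing)))
    return problems


def check_client_conf(text):
    """Warnings for /etc/ldap/ldap.conf (step 4)."""
    s = parse_kv(text)
    warnings = []
    if s.get("tls_reqcert", "").lower() == "never":
        warnings.append("TLS_REQCERT never: the server certificate is not checked, so "
                        "the client cannot tell a spoofed LDAP server from the real one")
    return warnings


def check_nsswitch(text):
    """Check that passwd and group consult ldap after the local source (step 5)."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, sources = line.partition(":")
        databases[db.strip()] = sources.split()
    problems = []
    for db in ("passwd", "group"):
        sources = databases.get(db, [])
        if "ldap" not in sources:
            problems.append(f"{db}: ldap is not listed")
        elif sources[0] == "ldap":
            problems.append(f"{db}: ldap comes before the local source, so local "
                            "users depend on the LDAP server being reachable")
    return problems


if __name__ == "__main__":
    for name, result in (("/etc/ldap.conf", check_nss_ldap(SAMPLE_LDAP_CONF)),
                         ("/etc/ldap/ldap.conf", check_client_conf(SAMPLE_CLIENT_CONF)),
                         ("/etc/nsswitch.conf", check_nsswitch(SAMPLE_NSSWITCH))):
        print(name + ":", "ok" if not result else "; ".join(result))
```

Running it against the samples reports the three files as fine apart from the TLS_REQCERT warning; pointing the functions at the real files (open them and pass the text) gives the same checks on a live machine.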
6. Test NSS:
Run id someremoteuser and id somelocaluser.
If both succeed, your NSS is OK.
7. Activate it in pam
PAM is needed for authenticating users, to allow network users to log in.
Two files (at minimum) need to be changed: /etc/pam.d/common-auth and /etc/pam.d/common-account.
The first handles the verification of the user's password, whereas the second decides whether that user (whose identity is already established at that point) is allowed to connect (there could be restrictions, such as login only being allowed at certain times for certain users, etc.).
By default these contain only one line describing local authentication. This needs to be kept (but its required keyword replaced by a sufficient keyword), and a new line for LDAP should be added. The change to sufficient is needed because we want to allow users that are known either locally or remotely. Indeed, with sufficient, the chain succeeds (without continuing) if the rule succeeds, and continues otherwise, whereas with required, the chain fails (without continuing) if the rule fails, and continues otherwise.
However, due to a bug, the last rule must be required, or else the user may log in with any old password that he can make up.
In common-auth, you'd have:
auth sufficient pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
In common-account, you'd have:
account sufficient pam_unix.so
account required pam_ldap.so use_first_pass
use_first_pass instructs pam_ldap to re-use the same password the user already entered for local authentication, rather than prompting for another one.
The same idea for common-account:
account sufficient pam_unix.so
account required pam_ldap.so
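The sufficient/required logic of step 7, as an added example that is not part of the wiki page: a small Python simulator that walks a common-auth stack with the rules explained above, using a constructed user table in place of the real pam_unix and pam_ldap (alice is a local user, bob an LDAP user; both names and passwords are made up). The same password is handed to both modules, which is what use_first_pass arranges in the real stack. An all-sufficient stack, the variant the page says to avoid, is included so the difference is visible: when every module fails, that chain ends without any rule having decided, whereas the recommended stack ends in a clear deny.

```python
"""Simulate the PAM control flags from step 7 (added example, not from the page).

Module results come from a constructed user table instead of the real
pam_unix/pam_ldap; the user names and passwords below are made up.
"""

# Constructed accounts: pam_unix knows local users, pam_ldap knows LDAP users.
LOCAL_USERS = {"alice": "local-secret"}
LDAP_USERS = {"bob": "ldap-secret"}


def pam_unix(user, password):
    """Stand-in for pam_unix.so: succeeds only for a local user's password."""
    return LOCAL_USERS.get(user) == password


def pam_ldap(user, password):
    """Stand-in for pam_ldap.so: succeeds only for an LDAP user's password.
    It receives the same password as pam_unix, as use_first_pass arranges."""
    return LDAP_USERS.get(user) == password


MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap}

# The common-auth stack the page recommends.
PAGE_COMMON_AUTH = """\
auth sufficient pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
"""

# The variant the page warns against: no required rule at the end.
ALL_SUFFICIENT = """\
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
"""


def parse_stack(text):
    """Turn 'type control module [options]' lines into (control, module) pairs.
    Options such as nullok_secure and use_first_pass are not modelled."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        stack.append((parts[1], parts[2]))
    return stack


def evaluate(stack, user, password):
    """Walk the stack with the semantics the page gives:
      sufficient: success ends the chain with 'allow', failure continues;
      required:   failure ends the chain with 'deny', success continues.
    Returns (decision, modules_consulted). The decision is 'undecided' when
    the chain runs off the end without any rule deciding, which is what an
    all-sufficient stack does when every module fails."""
    consulted = []
    saw_required = False
    for control, module in stack:
        consulted.append(module)
        ok = MODULES[module](user, password)
        if control == "sufficient":
            if ok:
                return "allow", consulted
        elif control == "required":
            if not ok:
                return "deny", consulted
            saw_required = True
        else:
            raise ValueError(f"control flag {control!r} is not modelled")
    return ("allow" if saw_required else "undecided"), consulted


def decision(stack_text, user, password):
    """Parse the stack text and return only the decision."""
    return evaluate(parse_stack(stack_text), user, password)[0]


if __name__ == "__main__":
    for name, text in (("page stack", PAGE_COMMON_AUTH), ("all sufficient", ALL_SUFFICIENT)):
        for user, pw in (("alice", "local-secret"), ("bob", "ldap-secret"),
                         ("bob", "guess"), ("mallory", "guess")):
            verdict, used = evaluate(parse_stack(text), user, pw)
            print(f"{name:15} {user:8} {verdict:10} via {', '.join(used)}")
```

Note that in the recommended stack a local user is accepted by pam_unix alone and pam_ldap is never consulted, so local logins keep working when the LDAP server is down, which is the reason the local rule comes first.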
8. Set up NFS mount for /home
Install nfs:
apt-get install nfs-common
Insert the following line (replace the server IP as appropriate) into /etc/fstab:
192.168.178.2:/home /home nfs async,intr,soft,nolock
Then mount home. You might first need to move a pre-existing home directory with local users out of the way:
mv /home /lhome
mkdir /home
mount /home
9. Test it by logging in as a remote user, and then as a local user.