I set up a simple LDAP tree under "ou=elements,dc=mmlx,dc=us", storing user accounts in "ou=People" and groups in "ou=Groups". I used "uid=username" as the RDN for users, and "cn=groupname" for the groups. Users are all of objectClass person and posixAccount. I made a group (objectClass groupOfUniqueNames) for each machine, containing the users I want to be able to log in. I also made a posixGroup called "ldapusers", to which all users belong.
Since one of my machines is a laptop, I set it up as an LDAP mirror, so that I can authenticate against localhost even when I am not connected to a network.
I installed libnss-ldap and libpam-ldap. I put the following in /etc/ldap.conf, and symlinked it to /etc/ldap/ldap.conf:
host 127.0.0.1
base ou=elements,dc=mmlx,dc=us
ldap_version 3
bind_policy soft
pam_groupdn cn=beryllium,ou=Groups,ou=elements,dc=mmlx,dc=us
pam_member_attribute uniqueMember
pam_min_uid 1000
pam_password md5
nss_base_passwd ou=People,ou=elements,dc=mmlx,dc=us
nss_base_shadow ou=People,ou=elements,dc=mmlx,dc=us
nss_base_group ou=Groups,ou=elements,dc=mmlx,dc=us
Then, in /etc/nsswitch.conf, I changed the "passwd", "shadow", and "group" lines to:
passwd: files ldap
group: files ldap
shadow: files ldap
At the top of /etc/pam.d/common-account, I added:
account [ authinfo_unavail=ignore ignore=ignore success=ok default=bad ] pam_ldap.so ignore_unknown_user
At the top of /etc/pam.d/common-auth:
auth sufficient pam_ldap.so
At the top of /etc/pam.d/common-password:
password sufficient pam_ldap.so
I had read that adding references to pam_ldap.so in /etc/pam.d/common-session was also required, but I ended up commenting that out (unfortunately, I did that a while ago and don't remember why).
Then I tested the NSS configuration by using getent passwd someuser, where someuser was in LDAP and not the local machine. As long as that responds properly, you're good!
I used the following sources for this:
Making a Debian or Ubuntu Machine an LDAP Authentication Client
Re: [pamldap] pam_ldap for groupdn access control only?--Got it.
Need HOWTO for Ubuntu as an Open Directory client (LDAP/Kerberos/XServe)