Matt's Linux Blog

My linux problems (and their respective solutions)

Thursday, April 24, 2008

 

LDAP Authentication in Ubuntu 7.10

I recently acquired a file server machine, and I wanted to be able to use NFS to share files between it and my laptop. NFS identifies file owners by numeric UID and GID, so this requires that every user have the same numeric IDs on both machines. I have a bit of experience with LDAP, so I decided to go for it.

I set up a simple LDAP tree under "ou=elements,dc=mmlx,dc=us", storing user accounts in "ou=People" and groups in "ou=Groups". I used "uid=username" as the RDN for users, and "cn=groupname" for the groups. Users are all of objectClass person and posixAccount. I made a group (objectClass groupOfUniqueNames) for each machine, containing the users I want to be able to log in. I also made a posixGroup called "ldapusers", to which all users belong.

Since one of my machines is a laptop, I set it up as an LDAP mirror, so that I can authenticate against localhost even when I am not connected to a network.

I installed libnss-ldap and libpam-ldap. I put the following in /etc/ldap.conf, and symlinked it to /etc/ldap/ldap.conf:

host 127.0.0.1
base ou=elements,dc=mmlx,dc=us
ldap_version 3
bind_policy soft
pam_groupdn cn=beryllium,ou=Groups,ou=elements,dc=mmlx,dc=us
pam_member_attribute uniqueMember
pam_min_uid 1000
pam_password md5
nss_base_passwd ou=People,ou=elements,dc=mmlx,dc=us
nss_base_shadow ou=People,ou=elements,dc=mmlx,dc=us
nss_base_group ou=Groups,ou=elements,dc=mmlx,dc=us
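As an added example (not code from the post), here is a small Python checker that parses a pam_ldap/nss_ldap style ldap.conf like the one above and flags the settings a reviewer would look at first: a non-loopback host without TLS, TLS without peer certificate checking, a missing pam_min_uid floor, missing search bases, and a bind_policy that would hang an offline laptop. The embedded config is the one from the post; the option names ssl, tls_checkpeer and uri are standard nss_ldap/pam_ldap keys that the post itself does not use.

```python
"""Parse a pam_ldap/nss_ldap style ldap.conf and flag settings worth a second look.

Added example for this post (not the author's code). The sample below is the
/etc/ldap.conf from the post, embedded inline so the script runs offline.
"""
import ipaddress

SAMPLE_LDAP_CONF = """\
# pam_ldap / nss_ldap format: one "key value" pair per line, '#' starts a comment
host 127.0.0.1
base ou=elements,dc=mmlx,dc=us
ldap_version 3
bind_policy soft
pam_groupdn cn=beryllium,ou=Groups,ou=elements,dc=mmlx,dc=us
pam_member_attribute uniqueMember
pam_min_uid 1000
pam_password md5
nss_base_passwd ou=People,ou=elements,dc=mmlx,dc=us
nss_base_shadow ou=People,ou=elements,dc=mmlx,dc=us
nss_base_group ou=Groups,ou=elements,dc=mmlx,dc=us
"""


def parse_ldap_conf(text):
    """Return {key: [value, ...]} with lower-cased keys; repeated keys keep every value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def _is_loopback(host):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_ldap_conf(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    def last(key, default):
        # nss_ldap honours the last occurrence of a key
        return conf.get(key, [default])[-1]

    # The post talks to a local mirror; a remote server without TLS would send
    # bind passwords and password changes across the network in the clear.
    hosts = " ".join(conf.get("host", [])).split()
    ssl_mode = last("ssl", "off").lower()
    uris = " ".join(conf.get("uri", [])).split()
    ldaps_uri = any(u.lower().startswith("ldaps://") for u in uris)
    remote = [h for h in hosts if not _is_loopback(h)]
    if remote and ssl_mode not in ("on", "start_tls") and not ldaps_uri:
        findings.append("cleartext LDAP to non-loopback host(s): " + ", ".join(remote))

    # TLS without peer verification still accepts any certificate.
    if ssl_mode in ("on", "start_tls") and last("tls_checkpeer", "no").lower() != "yes":
        findings.append("TLS enabled but tls_checkpeer is not 'yes'")

    # pam_min_uid keeps PAM from consulting the directory for low-numbered
    # system accounts (root, daemon, ...), which should stay local.
    min_uid = last("pam_min_uid", "0")
    if not min_uid.isdigit() or int(min_uid) < 1000:
        findings.append("pam_min_uid missing or below 1000")

    if "base" not in conf:
        findings.append("no search base set")
    for key in ("nss_base_passwd", "nss_base_shadow", "nss_base_group"):
        if key not in conf:
            findings.append(key + " not set; NSS lookups fall back to the whole base")

    # bind_policy hard (the nss_ldap default) retries until the server
    # answers, which blocks logins on a laptop that is off the network.
    if last("bind_policy", "hard").lower() != "soft":
        findings.append("bind_policy is not 'soft'; lookups block when the server is unreachable")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF)) or ["no findings"]:
        print(finding)
```

Run against the post's own config the checker reports nothing, because the only host is loopback and the UID floor, search bases and soft bind policy are all set; point it at a copy of /etc/ldap.conf from a machine that talks to a remote directory and the TLS findings are the ones to act on first.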

Then, in /etc/nsswitch.conf, I changed the "passwd", "shadow", and "group" lines to:

passwd: files ldap
group: files ldap
shadow: files ldap

At the top of /etc/pam.d/common-account, I added:

account [ authinfo_unavail=ignore ignore=ignore success=ok default=bad ] pam_ldap.so ignore_unknown_user

At the top of /etc/pam.d/common-auth:

auth sufficient pam_ldap.so

At the top of /etc/pam.d/common-password:

password sufficient pam_ldap.so

I had read that adding references to pam_ldap.so in /etc/pam.d/common-session was also required, but I ended up commenting that out (unfortunately, I did that a while ago and don't remember why).

Then I tested the NSS configuration by using getent passwd someuser, where someuser was in LDAP and not the local machine. As long as that responds properly, you're good!

I used the following sources for this:
Making a Debian or Ubuntu Machine an LDAP Authentication Client
Re: [pamldap] pam_ldap for groupdn access control only?--Got it.
Need HOWTO for Ubuntu as an Open Directory client (LDAP/Kerberos/XServe)


