ubuntu ldap client
- install
We have to install libnss-ldap and libpam-ldap to get started (the NSS module makes LDAP accounts visible to the system, the PAM module lets them authenticate):
$ sudo apt-get install libnss-ldap libpam-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  auth-client-config ldap-auth-client ldap-auth-config
Suggested packages:
  libpam-cracklib nscd
The following NEW packages will be installed:
  auth-client-config ldap-auth-client ldap-auth-config libnss-ldap libpam-ldap
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 138 kB of archives.
After this operation, 579 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://be.archive.ubuntu.com/ubuntu/ precise/main auth-client-config all 0.9ubuntu1
Get:2 http://be.archive.ubuntu.com/ubuntu/ precise/main libpam-ldap amd64 184-8.5ubuntu2
Get:3 http://be.archive.ubuntu.com/ubuntu/ precise/main libnss-ldap amd64 264-2.2ubuntu2
Get:4 http://be.archive.ubuntu.com/ubuntu/ precise/main ldap-auth-client all 0.5.3 [2760 B]
Get:5 http://be.archive.ubuntu.com/ubuntu/ precise/main ldap-auth-config all 0.5.3 [9434 B]
Fetched 138 kB in 0s (1603 kB/s)
A series of pop-up screens lead us to configure ldap-auth-config:
-------------------------------------------------------------------------------
Configuring ldap-auth-config

Please enter the URI of the LDAP server to use. This is a string in the form of
ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:/// can also be used. The port
number is optional.

Note: It is usually a good idea to use an IP address because it reduces risks
of failure in the event name service problems.

LDAP server Uniform Resource Identifier: ldap://172.16.100.21
-------------------------------------------------------------------------------
Distinguished name of the search base: dc=myorg,dc=net
-------------------------------------------------------------------------------
LDAP version to use: 3
-------------------------------------------------------------------------------
This option will allow you to make password utilities that use pam to behave
like you would be changing local passwords. The password will be stored in a
separate file which will be made readable to root only. If you are using NFS
mounted /etc or any other custom setup, you should disable this.

Make local root Database admin: YES
-------------------------------------------------------------------------------
Choose this option if you are required to login to the database to retrieve
entries. Note: Under a normal setup, this is not needed.

Does the LDAP database require login? NO
-------------------------------------------------------------------------------
This account will be used when root changes a password. Note: This account has
to be a privileged account.

LDAP account for root: cn=admin,dc=myorg,dc=net
-------------------------------------------------------------------------------
Please enter the password to use when ldap-auth-config tries to login to the
LDAP directory using the LDAP account for root. The password will be stored in
a separate file /etc/ldap.secret which will be made readable to root only.
Entering an empty password will re-use the old password.

LDAP root account password: x-x-x-x-x
A file /etc/ldap.conf has been created:
$ grep -v "^#" /etc/ldap.conf
base dc=myorg,dc=net
uri ldap://172.16.100.21
ldap_version 3
rootbinddn cn=admin,dc=myorg,dc=net
pam_password md5
Two of these settings deserve a second look before the client goes into production. A plain ldap:// uri means that every bind, including the admin bind root makes when changing passwords, sends its password over the network in clear text; use ldaps:// (as the dialog suggested) or add "ssl start_tls". And "pam_password md5" makes the client hash new passwords itself with plain, unsalted MD5 before storing them in userPassword; "pam_password exop" hands the new password to the server so it can apply its own (salted) scheme.
and a file /etc/ldap.secret holding the password of that admin account, readable by root only:
$ ls -l /etc/ldap.secret
-rw------- 1 root root 9 Aug 19 00:05 /etc/ldap.secret
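For comparison, here is a hardened version of the generated /etc/ldap.conf. This is an added example, not the file the page produced; it assumes the server is reachable under a DNS name (ldap.myorg.net, hypothetical) that matches its certificate, supports STARTTLS and the password-modify extended operation, and that the CA that signed its certificate is in /etc/ssl/certs/ca-certificates.crt. The same rootbinddn/ldap.secret mechanism is kept.

```conf
# /etc/ldap.conf for libnss-ldap / libpam-ldap (added, hardened variant)
base dc=myorg,dc=net
# a hostname, not an IP, so the server certificate can be verified
uri ldap://ldap.myorg.net
ldap_version 3

# upgrade the connection to TLS before binding and refuse unverified servers
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# root changes other users' passwords by binding as the admin;
# the password lives in /etc/ldap.secret (mode 0600, root only)
rootbinddn cn=admin,dc=myorg,dc=net

# let the server hash new passwords with its own scheme instead of the client
# storing an unsalted {MD5} value
pam_password exop
```

With "ssl start_tls" the uri stays ldap:// on port 389; choosing ldaps:// on 636 instead is equally fine, the point is that no bind leaves the host unencrypted. "tls_checkpeer yes" is what makes the CA file matter: without it the client accepts any certificate.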
- enabling authentication
Installing the packages already put pam_ldap into the PAM stack (see the common-session and common-password listings below). What is still missing is name service lookups: the system has to resolve LDAP accounts to uids and gids. For that we edit /etc/nsswitch.conf (whenever a change was made we put an asterisk right of that line):
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap ***
group:          compat ldap ***
shadow:         compat ldap ***

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Checking whether it works:
$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
karel:x:1000:1000:karel,,:/home/karel:/bin/bash
ldap-user:x:10001:10001:ldap-user:/home/ldap-user:/bin/bash ***
desjarel:x:10010:10010:desjarel:/home/desjarel:/bin/bash ***
The entries marked *** do not exist in the local /etc/passwd!
$ getent group
root:x:0:
daemon:x:1:
...
ldap-user:*:10001:
desjarel:*:10010:
$ id ldap-user
uid=10001(ldap-user) gid=10001(ldap-user) groups=10001(ldap-user)
- allowing ldap action
- allow for ldap home-dir creation:
$ sudo vim /etc/pam.d/common-session
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session optional                        pam_ldap.so
session required                        pam_mkhomedir.so ***
# end of pam-auth-update config
Two remarks on the added line. It sits inside the block that pam-auth-update manages (everything from the "Primary" comment down to "# end of pam-auth-update config"), and the header of the file warns that local modules belong before or after that block: the next run of pam-auth-update, for example when a PAM package is installed or upgraded, rewrites the block and the line is gone. Put it below the end marker instead. Also, pam_mkhomedir creates the directory with a default umask of 0022, which is why the home directory shows up as drwxr-xr-x further down; "pam_mkhomedir.so umask=0077" gives LDAP users a private home directory like a locally created one.
- enable passwd on ldap accounts
Edit /etc/pam.d/common-password and remove the parameter "use_authtok" from the pam_ldap line (marked *** below, shown after the edit). With use_authtok, pam_ldap does not prompt for the new password but takes it from the module before it; for an LDAP-only account pam_unix returns "user unknown" without ever prompting, so pam_ldap gets nothing and passwd fails. As with common-session, this edit lives inside the pam-auth-update block and has to be redone if pam-auth-update is run again.
# /etc/pam.d/common-password - password-related modules common to all services
..
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore]                     pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die]    pam_ldap.so try_first_pass ***
# here's the fallback if no module succeeds
password requisite                                      pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required                                       pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
- does it work
Can we now login with ldap-user?
$ ls -l /home
drwxr-xr-x 6 user user 4096 Aug 19 00:32 user
$ su ldap-user
Password: x-x-x-x-x
Creating directory /home/ldap-user
$ passwd
Enter login(LDAP) password: x-x-x-x
New password: new!password
Re-enter new password: new!password
LDAP password information changed for ldap-user
passwd: password updated successfully
And over ssh, from another host:
karel@ldap-cl15:~$ ssh ldap-user@172.16.10.100
ldap-user@172.16.10.100's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 3.13.0-34-generic x86_64)

Your Hardware Enablement Stack (HWE) is supported until April 2021.
...
ldap-user@ldap-cl16:~$ ls -la
total 28
drwxr-xr-x 3 ldap-user ldap-user 4096 Aug 19 00:36 .
drwxr-xr-x 4 root      root      4096 Aug 19 00:33 ..
-rw------- 1 ldap-user ldap-user   24 Aug 19 00:37 .bash_history
-rw-r--r-- 1 ldap-user ldap-user  220 Aug 19 00:33 .bash_logout
-rw-r--r-- 1 ldap-user ldap-user 3486 Aug 19 00:33 .bashrc
drwx------ 2 ldap-user ldap-user 4096 Aug 19 00:36 .cache
-rw-r--r-- 1 ldap-user ldap-user  675 Aug 19 00:33 .profile
ldap-user@ldap-cl16:~$ exit
logout
Connection to 172.16.10.100 closed.
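Logging in proves the stack works, not that it is configured safely. The script below is an added example (not from the original page) that re-checks the files touched in this walkthrough: the permissions of /etc/ldap.secret, the transport and password scheme in /etc/ldap.conf, the ldap entries in nsswitch.conf, the use_authtok parameter in common-password and the umask on pam_mkhomedir. Each check takes the file as an argument so it can be pointed at /etc or at copies; it assumes GNU stat (Linux) and the file layout used above.

```shell
#!/bin/sh
# ldap-client-audit.sh: post-install checks for a libnss-ldap/libpam-ldap
# client (added example). Usage: sh ldap-client-audit.sh --run [/path/to/etc]

# /etc/ldap.secret holds the rootbinddn password: it must be mode 0600.
check_secret_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# A plain ldap:// uri sends bind passwords in clear text unless the session is
# upgraded with "ssl start_tls"; ldaps:// and ldapi:// are acceptable as-is.
check_transport() {
    uri=$(sed -n 's/^[[:space:]]*uri[[:space:]]\{1,\}//p' "$1" | head -n 1)
    case "$uri" in
        ldaps://*|ldapi://*) return 0 ;;
        ldap://*) grep -q '^[[:space:]]*ssl[[:space:]]\{1,\}start_tls' "$1" ;;
        *) return 1 ;;
    esac
}

# "pam_password md5" hashes new passwords on the client with unsalted MD5;
# "pam_password exop" lets the server apply its own scheme.
check_pam_password_scheme() {
    grep -q '^[[:space:]]*pam_password[[:space:]]\{1,\}exop' "$1"
}

# passwd, group and shadow must all consult ldap in nsswitch.conf.
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|\$)" "$1" || return 1
    done
}

# use_authtok on the pam_ldap password line breaks passwd for LDAP-only users:
# pam_unix never prompts for them, so pam_ldap would get no new password.
check_common_password() {
    line=$(grep -E '^[[:space:]]*password.*pam_ldap\.so' "$1" || true)
    [ -n "$line" ] || return 1
    ! printf '%s\n' "$line" | grep -q 'use_authtok'
}

# pam_mkhomedir defaults to umask 0022, i.e. world-readable home directories.
check_mkhomedir() {
    line=$(grep -E '^[[:space:]]*session.*pam_mkhomedir\.so' "$1" || true)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -q 'umask=0077'
}

# Run every check against the files below a directory (normally /etc) and
# return the number of failed checks.
run_audit() {
    failed=0
    report() {
        if "$@"; then
            echo "ok    $1 $2"
        else
            echo "FAIL  $1 $2"
            failed=$((failed + 1))
        fi
    }
    report check_secret_perms       "$1/ldap.secret"
    report check_transport          "$1/ldap.conf"
    report check_pam_password_scheme "$1/ldap.conf"
    report check_nsswitch           "$1/nsswitch.conf"
    report check_common_password    "$1/pam.d/common-password"
    report check_mkhomedir          "$1/pam.d/common-session"
    return $failed
}

case "${1:-}" in
    --run) run_audit "${2:-/etc}"; exit $? ;;
esac
```

Run against the configuration built on this page, the audit fails the transport, password-scheme, use_authtok and umask checks and passes the secret-file and nsswitch ones; the exit status is the number of failed checks, so it drops straight into a provisioning pipeline.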
- documentation
http://documentation.fusiondirectory.org/en/documentation/authentification_base_ldap
Connection between linux and ldap server
http://wiki.debian.org/LDAP
http://www.rjsystems.nl/en/2100-d6-openldap-client.php
PAM explanation
http://www.rjsystems.nl/en/2100-pam-debian.php