Linux Client LDAP support

LDAP, PAM and NSS

© 2012 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. Introduction
    2. LDAP authentication and authorization
      1. The PADL Software Pty Ltd Software
      2. The nss-pam-ldapd Software
    3. LDAP test tools
    4. Connecting NSS to LDAP
    5. Connecting PAM to LDAP

Introduction

This document assumes that you have a running LDAP server. It also uses LDAP to authenticate users, meaning that the user password is stored in LDAP. If you use e.g. Kerberos for this ignore the parts concerning the passwords.

LDAP authentication and authorization

Within a GNU/Linux system, authentication and authorization are handled in two places besides the flat files: PAM and NSS. To make both work with LDAP, the right modules (libraries) providing LDAP support have to be pulled in. As of this writing (November 2012), two major projects provide this glue.

The PADL Software Pty Ltd Software

The software written by PADL Software Pty Ltd is probably the oldest implementation and is well supported by all major Linux distributions. It consists of two distinct modules, an NSS module and a PAM module, which the distributions package differently:

Red Hat based systems provide a single package (nss_ldap) which contains both modules. Both modules are compiled such that they use the same configuration file: /etc/ldap.conf.

Debian based systems provide two packages called libnss_ldap and libpam_ldap. In Debian each package uses its own configuration file, /etc/libnss_ldap.conf and /etc/libpam_ldap.conf respectively. In Ubuntu a single configuration file called /etc/ldap.conf is used.

The nss-pam-ldapd Software

The nss-pam-ldapd package comes as a single source package containing the pam_ldap.so and libnss_ldap.so libraries and the nslcd name service caching daemon.

The nslcd server uses /etc/nslcd.conf for its configuration.

LDAP test tools

The LDAP tools such as those provided by OpenLDAP (ldapsearch for example) have their own configuration file. This file is available as /etc/openldap/ldap.conf (Red Hat based systems) or as /etc/ldap/ldap.conf (Debian based systems).

Connecting NSS to LDAP

If you only want to use LDAP for the authentication of users and to retrieve their UIDs and GIDs, a simple change of /etc/nsswitch.conf is needed. If your file looks like this:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

users and groups are looked up through LDAP (if all other configuration files are able to find the LDAP server, of course).

A more complex variant, taken from the nss-pam-ldapd README:

# the following contain normal unix user and group information
passwd:         files ldap
group:          files ldap
shadow:         files ldap

# hostname lookups through ldap before dns
hosts:          files ldap dns
networks:       files ldap

# normal flat-file definitions
protocols:      files ldap
services:       files ldap
ethers:         files ldap
rpc:            files ldap
netgroup:       ldap

# whether alias lookups really use NSS depends on the mail server
aliases:        files ldap

Connecting PAM to LDAP

We do not only add LDAP to PAM; we also assume that users with a UID above 1000 are in LDAP and all others are in the default files (passwd, shadow, group). The passwords of the users in LDAP are stored in LDAP as well.

One extra requirement is that we must still be able to log in to our servers with a normal local Unix account (root) when there is trouble with LDAP.

Let's start with the auth section:

auth        required    pam_env.so
auth        optional    pam_faildelay.so delay=3000000
auth        requisite   pam_nologin.so
auth        [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
auth        required    pam_shells.so
auth        optional    pam_issue.so issue=/etc/issue
auth        optional    pam_group.so

# We assume that UIDs above 1000 are in LDAP
# If LDAP fails we still want to be able to log in through local accounts
auth        sufficient  pam_unix.so nullok
auth        requisite   pam_succeed_if.so uid >= 1000 quiet
auth        sufficient  pam_ldap.so use_first_pass
auth        required    pam_deny.so

Next we adjust the account section:

account     requisite   pam_time.so
account     required    pam_access.so

# If the user id is below 1000 end the account section; if LDAP fails
# we can still log in with a local account
account     required    pam_unix.so
account     sufficient  pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required    pam_permit.so
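
To see what these two sections actually decide, here is an added example (not code from the original document or from either project): a small Python script that walks the decision part of the auth and account stacks above with the control-flag semantics of pam.conf(5). The module return codes per scenario are constructed, no real pam_*.so is called, and the leading modules (pam_env, pam_time, ...) are left out because they do not take part in the decision.

```python
"""Added example, not the document's own code: walk the decision part of the auth and account
stacks above with libpam's control-flag semantics (pam.conf(5)); return codes are constructed."""
import operator

FLAGS = {  # pam.conf(5): the bracketed form Linux-PAM expands each keyword control flag to
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "=": operator.eq}

# The page's stacks without the leading modules (pam_env, pam_time, ...), which are not decisive.
AUTH = [("sufficient", "pam_unix.so", "nullok"),
        ("requisite", "pam_succeed_if.so", "uid >= 1000 quiet"),
        ("sufficient", "pam_ldap.so", "use_first_pass"),
        ("required", "pam_deny.so", "")]
ACCOUNT = [("required", "pam_unix.so", ""),
           ("sufficient", "pam_succeed_if.so", "uid < 1000 quiet"),
           ({"default": "bad", "success": "ok", "user_unknown": "ignore"}, "pam_ldap.so", ""),
           ("required", "pam_permit.so", "")]

def module_result(module, args, uid, results):
    """pam_succeed_if, pam_deny and pam_permit are evaluated; other codes come from the scenario."""
    if module == "pam_succeed_if.so":
        field, op, value = args.split()[:3]                 # e.g. "uid >= 1000"
        return "success" if OPS[op]({"uid": uid}[field], int(value)) else "auth_err"
    return {"pam_deny.so": "auth_err", "pam_permit.so": "success"}.get(module) or results[module]

def run_stack(stack, uid, results):
    """True when the stack ends in PAM_SUCCESS. The first bad/die failure is sticky and
    'done' (sufficient) only short-circuits while nothing has failed, as in libpam."""
    succeeded = failed = False
    for control, module, args in stack:
        flags = FLAGS[control] if isinstance(control, str) else control
        rc = module_result(module, args, uid, results)
        action = flags.get(rc, flags["default"])
        if action in ("ok", "done") and not failed:
            succeeded, failed = rc == "success", rc != "success"
            if action == "done" and succeeded:
                return True
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                return False
        # "ignore": the module does not contribute to the stack result
    return succeeded and not failed

def login(uid, auth_results, account_results):
    """A login succeeds only when both the auth and the account stack succeed."""
    return run_stack(AUTH, uid, auth_results) and run_stack(ACCOUNT, uid, account_results)
```

With pam_ldap.so reporting authinfo_unavail in both stacks, login(0, ...) for root still returns True, while an LDAP-only account with UID 500 and a correct LDAP password returns False because the requisite pam_succeed_if line ends the auth stack before pam_ldap.so is reached: an LDAP entry cannot take over a system account's UID range.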

Then the session section:

session     required    pam_env.so readenv=1 envfile=/etc/environment
session     required    pam_env.so readenv=1 envfile=/etc/sysconfig/i18n
session     required    pam_limits.so
session     optional    pam_umask.so umask=0077
session     optional    pam_lastlog.so
session     optional    pam_motd.so
session     optional    pam_mail.so standard
session     required    pam_mkhomedir.so skel=/etc/skel/ umask=0022

session     required    pam_unix.so

And last the password section:

# This is NOT tested
# We need pam_ldap.so to set the password in LDAP
# Additional rules we might need:
# password    sufficient    pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
# password    sufficient    pam_ldap.so

password    required    pam_cracklib.so retry=3 minlen=6 difok=3
password    sufficient  pam_unix.so use_authtok md5
password    required    pam_ldap.so use_authtok
password    required    pam_deny.so