Linux Client LDAP support


© 2012 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later


    1. Introduction
    2. LDAP authentication and authorization
      1. The PADL Software Pty Ltd Software
      2. The nss-pam-ldapd Software
    3. LDAP test tools
    4. Connecting NSS to LDAP
    5. Connecting PAM to LDAP


This document assumes that you have a running LDAP server. It also uses LDAP to authenticate users, meaning that the user password is stored in LDAP. If you use e.g. Kerberos for this, ignore the parts concerning passwords.

LDAP authentication and authorization

Within a GNU/Linux system there are two places where authorization and authentication are done beyond the flat files: PAM and NSS. To make both work well with LDAP, the right modules (libraries) for LDAP support must be pulled in. As of this writing (Nov. 2012) there are two major projects that provide this glue for LDAP support.

The PADL Software Pty Ltd Software

The software written by PADL Software Pty Ltd is probably the oldest implementation and is well supported by all major Linux distributions. It consists of two distinct modules, one for NSS and one for PAM, which the distributions package differently:

Red Hat based systems provide a single package which contains both modules (nss_ldap). Both modules are compiled such that they use the same configuration file: /etc/ldap.conf.

Debian based systems provide two packages called libnss_ldap and libpam_ldap. In Debian each package uses its own configuration file, /etc/libnss_ldap.conf and /etc/libpam_ldap.conf respectively. In Ubuntu a single configuration file called /etc/ldap.conf is used.

The nss-pam-ldapd Software

The nss-pam-ldapd package comes as a single source package containing an NSS library, a PAM module and the nslcd name service caching daemon.

The nslcd server uses /etc/nslcd.conf for its configuration.

LDAP test tools

The LDAP tools as for example provided by OpenLDAP (like ldapsearch) have their own configuration file. This file is available as /etc/openldap/ldap.conf (Red Hat based systems) or as /etc/ldap/ldap.conf (Debian based systems).

Connecting NSS to LDAP

If you only want to use LDAP for authentication of users and to retrieve their UIDs and GIDs, a simple change of /etc/nsswitch.conf is needed. If your file looks like this:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

users and groups are looked up through LDAP (provided, of course, that the other configuration files allow the LDAP server to be found).

A more complex variant, taken from the nss-pam-ldapd README:

# the following contain normal unix user and group information
passwd:         files ldap
group:          files ldap
shadow:         files ldap

# hostname lookups through ldap before dns
hosts:          files ldap dns
networks:       files ldap

# normal flat-file definitions
protocols:      files ldap
services:       files ldap
ethers:         files ldap
rpc:            files ldap
netgroup:       ldap

# whether alias lookups really use NSS depends on the mail server
aliases:        files ldap
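Both nsswitch.conf examples above list files before ldap for passwd, group and shadow. That order is what keeps local accounts (root in particular) resolvable when the LDAP server is down. The following script is an added example, not part of the original document: it parses an nsswitch.conf and reports, for those three databases, whether ldap is present and whether files is consulted first. The two sample files it creates are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original document: check an nsswitch.conf
# for the property the two examples above rely on. For passwd, group and
# shadow, "files" must be listed and must come before "ldap"; otherwise
# local accounts such as root can only be resolved while the LDAP server
# is reachable. The sample files below are constructed for this example.

# check_nss_order FILE
# Prints one line per database (passwd, group, shadow) found in FILE:
#   <db> ok                 files before ldap
#   <db> no-ldap            ldap not listed at all
#   <db> no-files           ldap listed, files missing
#   <db> ldap-before-files  wrong order for a local fallback
check_nss_order() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            n = index($0, ":"); if (n == 0) next
            db = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", db)
            if (db != "passwd" && db != "group" && db != "shadow") next
            nsrc = split(substr($0, n + 1), src, /[[:space:]]+/)
            fpos = 0; lpos = 0
            for (i = 1; i <= nsrc; i++) {
                if (src[i] == "files" && fpos == 0) fpos = i
                if (src[i] == "ldap"  && lpos == 0) lpos = i
            }
            if (lpos == 0)        status = "no-ldap"
            else if (fpos == 0)   status = "no-files"
            else if (lpos < fpos) status = "ldap-before-files"
            else                  status = "ok"
            printf "%s %s\n", db, status
        }' "$1"
}

# nss_order_ok FILE
# Exit status 0 only when all three databases are present and "ok".
nss_order_ok() {
    check_nss_order "$1" | awk '
        { n++; if ($2 != "ok") bad = 1 }
        END { exit (bad || n != 3) }'
}

SAMPLE_GOOD=$(mktemp)
SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT

cat > "$SAMPLE_GOOD" <<'EOF'
# constructed sample: mirrors the simple example above
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF

cat > "$SAMPLE_BAD" <<'EOF'
# constructed sample: ldap consulted before files, shadow never uses ldap
passwd:         ldap files
group:          files ldap
shadow:         files
EOF

# Stand-alone run: report on both constructed samples.
for f in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    echo "== $f"
    check_nss_order "$f"
    if nss_order_ok "$f"; then echo "-> local fallback order ok"; else echo "-> fix needed"; fi
done
```

Run it against a real client with `check_nss_order /etc/nsswitch.conf`; a `no-ldap` result for shadow while passwd says `ok` is the typical symptom of a half-finished setup where UIDs resolve but password checks never reach LDAP.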

Connecting PAM to LDAP

We do not only add LDAP to PAM; we also assume that users with a UID of 1000 or higher (the uid >= 1000 rule below) are in LDAP and all others are in the default files (passwd, shadow, group). The passwords of the LDAP users are also stored in LDAP.

One extra requirement is that we must still be able to log in to our servers with a normal local Unix account (root) when there is trouble with LDAP.

Let's start with the auth section:

auth		required
auth		optional delay=3000000
auth		requisite
auth       [success=ok ignore=ignore user_unknown=ignore default=die]
auth		required
auth		optional issue=/etc/issue
auth		optional

# We assume that UIDs above 1000 are in LDAP
# If LDAP fails we want to still be able to login through local accounts
auth            sufficient nullok
auth		requisite uid >= 1000 quiet
auth		sufficient use_first_pass
auth            required

Next we adjust the account section:

account		requisite
account		required

# If the user id is below 1000 end the account section, if LDAP fails
# we can still login with a local account
account         required
account		sufficient uid < 1000 quiet
account	[default=bad success=ok user_unknown=ignore]
account         required

Then the session section:

session		required readenv=1 envfile=/etc/environment
session		required readenv=1 envfile=/etc/sysconfig/i18n
session		required
session		optional umask=0077
session		optional
session		optional
session		optional standard
session		required skel=/etc/skel/ umask=0022

session		required

And last the password section:

# This is NOT tested
# We need to set the password in LDAP
# Additional rules we might need:
# password    sufficient md5 obscure min=4 max=8 nullok try_first_pass
# password    sufficient

password	required retry=3 minlen=6 difok=3
password	sufficient use_authtok md5
password	required use_authtok
password        required
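The whole PAM stack above hinges on one assumption: local accounts live below UID 1000 and LDAP accounts at or above it, with no login name present in both places. A local account with a high UID, or an LDAP account with a low UID, is routed to the wrong backend by the uid-based rules, and a name that exists in both sources makes the outcome depend on the lookup order in nsswitch.conf. The script below is an added example, not part of the original document: it compares two passwd(5)-format files and lists every violation of that split. On a real host the inputs would be /etc/passwd and the LDAP entries from `getent passwd`; here both are constructed samples, and the boundary UID is a parameter so that a different split can be checked.

```shell
#!/bin/sh
# Added example, not part of the original document: verify the assumption the
# PAM stack above is built on, namely that accounts in the local files have
# UIDs below 1000, accounts in LDAP have UIDs of 1000 or higher, and no login
# name exists in both places. Both inputs are passwd(5)-format files; on a
# real host they would be /etc/passwd and the LDAP entries from
# "getent passwd". Here they are constructed samples.

# uid_split_violations LOCAL_PASSWD LDAP_PASSWD [BOUNDARY]
# Prints one line per problem: "<kind> <name> <uid>"; prints nothing when clean.
uid_split_violations() {
    boundary=${3:-1000}
    awk -F: -v b="$boundary" '
        /^[[:space:]]*(#|$)/ { next }
        src != "ldap" {                   # first file: local accounts
            seen[$1] = $3
            if ($3 + 0 >= b + 0) printf "local-uid-too-high %s %s\n", $1, $3
            next
        }
        {                                 # second file: LDAP accounts
            if ($3 + 0 < b + 0) printf "ldap-uid-too-low %s %s\n", $1, $3
            if ($1 in seen) printf "name-in-both %s %s\n", $1, $3
        }' "$1" src=ldap "$2"
}

# uid_split_ok LOCAL_PASSWD LDAP_PASSWD [BOUNDARY]
# Exit status 0 when no violation is found.
uid_split_ok() {
    [ -z "$(uid_split_violations "$@")" ]
}

LOCAL_SAMPLE=$(mktemp)
LDAP_SAMPLE=$(mktemp)
LDAP_CLEAN=$(mktemp)
trap 'rm -f "$LOCAL_SAMPLE" "$LDAP_SAMPLE" "$LDAP_CLEAN"' EXIT

# constructed local accounts: "ops" should not have a UID in the LDAP range
cat > "$LOCAL_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1001:1001:leftover local admin:/home/ops:/bin/bash
EOF

# constructed LDAP accounts: "bob" is below the boundary, "ops" clashes by name
cat > "$LDAP_SAMPLE" <<'EOF'
alice:x:2001:2001:Alice:/home/alice:/bin/bash
bob:x:999:999:Bob:/home/bob:/bin/bash
ops:x:2002:2002:ops team:/home/ops:/bin/bash
EOF

# constructed LDAP accounts without problems
cat > "$LDAP_CLEAN" <<'EOF'
alice:x:2001:2001:Alice:/home/alice:/bin/bash
EOF

# Stand-alone run.
echo "== default boundary 1000"
uid_split_violations "$LOCAL_SAMPLE" "$LDAP_SAMPLE"
echo "== boundary raised to 1002, clean directory"
if uid_split_ok "$LOCAL_SAMPLE" "$LDAP_CLEAN" 1002; then echo "clean"; else echo "violations found"; fi
```

Each reported line maps to a concrete failure of the stack above: `local-uid-too-high` means the account section hands a local user to the LDAP module, `ldap-uid-too-low` means the LDAP user is short-circuited before LDAP is ever asked, and `name-in-both` means which identity wins depends on the files/ldap order in nsswitch.conf.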