LDAP, PAM and NSS
© 2012 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later
This document assumes that you have a running LDAP server. It also uses LDAP to authenticate users, meaning that the user password is stored in LDAP. If you use e.g. Kerberos for this, ignore the parts concerning the passwords.
Within a GNU/Linux system there are two places, apart from the flat files, where authentication and authorization are done: PAM and NSS. To make both of them work with LDAP one has to pull in the right modules (libraries) that add LDAP support. As of this writing (November 2012), there are two major projects that provide this glue.
The software written by PADL Software Pty Ltd is probably the oldest implementation and is well supported by all major Linux distributions. It consists of two distinct modules (one for NSS and one for PAM), which the distributions package differently:
Red Hat based systems provide a single package which contains both modules (nss_ldap). Both modules are compiled such that they use the same configuration file: /etc/ldap.conf.
Debian based systems provide two packages called libnss_ldap and libpam_ldap. In Debian each package uses its own configuration file, /etc/libnss_ldap.conf and /etc/libpam_ldap.conf respectively. In Ubuntu a single configuration file called /etc/ldap.conf is used.
The nss-pam-ldapd package comes as a single source package containing a pam_ldap.so and libnss_ldap.so library and an nslcd name service caching daemon.
The nslcd server uses /etc/nslcd.conf for its configuration.
The LDAP tools as for example provided by OpenLDAP (like ldapsearch) have their own configuration file. This file is available as /etc/openldap/ldap.conf (Red Hat based systems) or as /etc/ldap/ldap.conf (Debian based systems).
If you only want to use LDAP to authenticate users and to retrieve their UIDs and GIDs, a simple change to /etc/nsswitch.conf is enough. If your file looks like this:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
then users and groups are looked up through LDAP (provided, of course, that the other configuration files allow the LDAP server to be found).
A more complex variant, taken from the nss-pam-ldapd README:
# the following contain normal unix user and group information
passwd: files ldap
group: files ldap
shadow: files ldap
# hostname lookups through ldap before dns
hosts: files ldap dns
networks: files ldap
# normal flat-file definitions
protocols: files ldap
services: files ldap
ethers: files ldap
rpc: files ldap
netgroup: ldap
# whether alias lookups really use NSS depends on the mail server
aliases: files ldap
We not only add LDAP to PAM, we also assume that users with a UID above 1000 are in LDAP and all others are in the default files (passwd, shadow, group). The passwords of the LDAP users are stored in LDAP as well.
One extra requirement is that we must still be able to log in to our servers with a local unix account (root) when there is trouble with LDAP.
Let's start with the auth section:
auth required pam_env.so
auth optional pam_faildelay.so delay=3000000
auth requisite pam_nologin.so
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
auth required pam_shells.so
auth optional pam_issue.so issue=/etc/issue
auth optional pam_group.so
# We assume that UIDs above 1000 are in LDAP
# If LDAP fails we want to still be able to login through local accounts
auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
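To see why this ordering keeps local logins working when LDAP is down, here is an added Python model of the four lines that decide the outcome (pam_unix, pam_succeed_if, pam_ldap, pam_deny) under Linux-PAM control-flag semantics. It is example code written for this document, not part of pam_ldap, nss-pam-ldapd or any PAM library; the account data (root, bob, alice) and passwords are constructed, and the modules are simplified (nullok is not modelled, use_first_pass is modelled as reusing the same password).

```python
# Constructed account data: local files hold root and bob, LDAP holds alice.
LOCAL = {"root": (0, "r00t"), "bob": (500, "b0b")}   # name -> (uid, password)
LDAP = {"alice": (5000, "al1ce")}

def nss_lookup(user, ldap_up):
    """Resolve a uid the way 'passwd: files ldap' does: files first, then LDAP."""
    if user in LOCAL:
        return LOCAL[user][0]
    if ldap_up and user in LDAP:
        return LDAP[user][0]
    return None

def run_module(module, user, password, ldap_up):
    """Simplified model of one module: True for PAM_SUCCESS, False otherwise."""
    if module == "pam_unix.so":          # consults the local files only
        return user in LOCAL and LOCAL[user][1] == password
    if module == "pam_succeed_if.so":    # 'uid >= 1000', uid looked up via NSS
        uid = nss_lookup(user, ldap_up)
        return uid is not None and uid >= 1000
    if module == "pam_ldap.so":          # use_first_pass: reuse the typed password
        return ldap_up and user in LDAP and LDAP[user][1] == password
    if module == "pam_deny.so":
        return False
    raise ValueError(module)

# The four lines of the auth section that decide the result, in stack order.
AUTH_STACK = [
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]

def authenticate(user, password, ldap_up=True):
    """Walk AUTH_STACK with Linux-PAM control-flag semantics."""
    required_failed = False
    for control, module in AUTH_STACK:
        ok = run_module(module, user, password, ldap_up)
        if control == "required" and not ok:
            required_failed = True       # remember the failure, keep going
        elif control == "requisite" and not ok:
            return False                 # abort the stack immediately
        elif control == "sufficient" and ok and not required_failed:
            return True                  # success, later modules are skipped
    return not required_failed

if __name__ == "__main__":
    for user, pw, up in [("root", "r00t", False), ("alice", "al1ce", True),
                         ("alice", "al1ce", False), ("bob", "wrong", True)]:
        print(user, "ldap_up" if up else "ldap_down", authenticate(user, pw, up))
```

Note that a local user with a wrong password never reaches pam_ldap: pam_succeed_if aborts the stack for UIDs below 1000, so local accounts cannot fall through to the directory.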
Next we adjust the account section:
account requisite pam_time.so
account required pam_access.so
# If the user id is below 1000 end the account section, if LDAP fails
# we can still login with a local account
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
Then the session section:
session required pam_env.so readenv=1 envfile=/etc/environment
session required pam_env.so readenv=1 envfile=/etc/sysconfig/i18n
session required pam_limits.so
session optional pam_umask.so umask=0077
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
And last the password section:
# This is NOT tested
# We need pam_ldap.so to set the password in LDAP
# Additional rules we might need:
# password sufficient pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
# password sufficient pam_ldap.so
password required pam_cracklib.so retry=3 minlen=6 difok=3
password sufficient pam_unix.so use_authtok md5
password required pam_ldap.so use_authtok
password required pam_deny.so