Introduction

This page is intended for anyone who wants to enable an Ubuntu client to authenticate on an existing OpenLDAP server. For more details on the server installation part see OpenLDAPServer.

If you want Kerberos as well for single-sign-on (likely), see SingleSignOn. This configuration has been tested with Ubuntu 10.04 LTS and works transparently with pam_krb5.

For authenticating on a Sun Java Enterprise System Directory Server, please consult the SunLDAPClientAuthentication page.

For authenticating using a Mac OS X Leopard Server, consult the OSXLDAPClientAuthentication page.

LDAP Client Authentication

On Ubuntu 7.10 systems and newer use the auth-client-config and pam-auth-update tools to modify all necessary pam and nsswitch configuration files (see Credits and AuthClientConfig). Also, you are recommended to install nscd in order to avoid some of the issues described in the Troubleshooting section at the end of this document. The meta-package called ldap-auth-client will install all required packages for an ldap client (auth-client-config, ldap-auth-config, libnss-ldap and libpam-ldap):

sudo apt-get install ldap-auth-client nscd

Setup /etc/nsswitch.conf to use ldap lookups by running:

sudo auth-client-config -t nss -p lac_ldap

On 10.04 systems this lac_ldap configuration can be found in /etc/auth-client-config/profile.d/ldap-auth-config and comes with the ldap-auth-config package. On older systems you could create it like this:

[lac_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis

Automatically create home folders

In order to get the pam_mkhomedir module working you could create a file like /usr/share/pam-configs/my_mkhomedir:

Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

and activate it by running pam-auth-update. This roughly equals editing /etc/pam.d/common-session by hand and adding the following line before any pam_ldap and pam_krb5 settings:

session required        pam_mkhomedir.so umask=0022 skel=/etc/skel

Assign local groups to users

To assign local groups to a domain (ldap) user do the following edit /etc/security/group.conf and add something like the following to it (log in as a local user and run the groups command to verify what to add):

*;*;*;Al0000-2400;audio,cdrom,dialout,floppy

In order to get the pam_group module working you could create a file like /usr/share/pam-configs/my_groups:

Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass

and activate it by running pam-auth-update. This roughly equals editing /etc/pam.d/common-auth by hand and adding the following line before any pam_ldap and pam_krb5 settings:

auth    required     pam_group.so use_first_pass

You should now have local groups showing up for users logging in via gdm and ssh and can verify this by executing id or groups.

Finalize

Just to make sure everything works, run the following:

pam-auth-update
/etc/init.d/nscd restart

LDAP Host Access Authorization

Host based authentication allows you to restrict who can log into a machine that uses LDAP for authentication. Basically you add an attribute to each LDAP user's record that includes hostnames that they are allowed to log in to. Each client system then checks this field against its own hostname and either allows or denies login based upon the attribute field.

There are different methods to enforce host-based authentication:

  • using pam_check_host_attr authentication in /etc/ldap.conf

  • using pam_filter authentication in /etc/ldap.conf

  • using nss_base_<map> authentication in /etc/ldap.conf (recommended)

pam_check_host_attr (limited)

Warning: depending on your configuration, host-based authentication will always succeed. For additional information see /usr/share/doc/libpam-ldap/ and man nss_ldap (does not support the pam_filter configuration).

Using the pam_check_host_attr directive to enforce host authentication has the effect that users are explicitly informed they are not permitted to access the host with an error message: Access denied for this host.

Libpam-ldap requires that you use the host attribute. The package documentation includes a schema which provides this attribute, located at /etc/ldap/schema/ldapns.schema, which can be added to slapd.conf if needed. You can populate that attribute creating an LDIF file your_file.ldif:

dn: uid=user_to_change,ou=Users,dc=example,dc=com
changetype: modify
add: host
host: thehostname

The hostname should match the output from the hostname command. When in doubt, check the slapd logs on the server. Make the change using:

ldapmodify -H ldaps://ldapserver -D "cn=admin,dc=example,dc=com" -x -W -f your_file.ldif

On the client side, simply modify /etc/ldap.conf (or other appropriate configuration file as defined in pam.d) to include the line:

pam_check_host_attr yes

pam_filter (limited)

Warning: depending on your configuration, host-based authentication will always succeed. For additional information see /usr/share/doc/libpam-ldap/ and man nss_ldap (does not support the pam_filter configuration).

Using the pam_filter directive in /etc/ldap.conf it is possible to enforce PAM to only access accounts with attributes of our choosing. Users who are not permitted access to the host will receive no error, instead PAM responds as if they have entered an incorrect password.

If we want to use the host attribute, we can add the schema located at /etc/ldap/schema/ldapns.schema and create a filter which matches thehostname or * in /etc/ldap.conf:

pam_filter |(host=thehostname)(host=\*)

Another example using GOsa's accessTo and trustModel attributes would look like the following:

pam_filter |(&(accessTo=thehostname)(trustModel=byhost))(trustModel=fullaccess)

nss_base_<map> (recommended)

Using the nss_base_<map> directives in /etc/ldap.conf has all the advantages as using the pam_filter directive, but should also work with nss_ldap.

If we want to use the host attribute, we can add the schema located at /etc/ldap/schema/ldapns.schema and create filters which match thehostname or * in /etc/ldap.conf:

nss_base_passwd ou=Users,dc=example,dc=com?one?|(host=thehostname)(host=\*)
nss_base_shadow ou=Users,dc=example,dc=com?one?|(host=thehostname)(host=\*)
nss_base_group  ou=Groups,dc=example,dc=com?one

Troubleshooting

  • If you have lookup failures on some accounts using libpam-ldap, try installing libpam-ldapd instead (to be configured via /etc/nslcd.conf).

  • If you get setreuid errors like sudo: setreuid(ROOT_UID, user_uid): Operation not permitted, then have a look at this bug report for libcrypt. A simple workaround is installing nscd.

  • Information about why pam_filter will NOT always work, while nss_base_<map> should, can be found in this forum

  • You can verify your LDAP information using the following commands

    $ id
    $ id YOURUSERNAME (will not show additional groups)
    
    $ getent passwd
    $ getent shadow
    $ getent group
  • An old bug alert on this site states: make sure /etc/libnss-ldap.conf and /etc/pam_ldap.conf has bind_policy soft. If not, you risk running into udev-issues at boot-time.

Credits

  • some of the information used in this document was found on this page.

  • pam(7) manpage
  • nss_ldap(5) manpage
  • auth-client-config(8) manpage
  • pam-auth-update(8) manpage


An alternate directory server authentication HOWTO KRB5+LDAP Authentication

LDAPClientAuthentication (last edited 2011-08-28 17:20:07 by warren-madtechsupport)