Configure Linux to authenticate against OpenLDAP

Install required packages

Install the following packages:

  • nss_ldap (the NSS module that resolves users and groups from the directory)
  • pam_ldap (the PAM module that authenticates against the directory)
  • OpenLDAP client libraries (the openldap package; openldap-clients provides ldapsearch, which is useful for testing)

Configure your Linux hosts

Edit /etc/ldap.conf to match the following, substituting your own values for the server address, the base DN of your domain, and the OU (Organizational Unit) layout. This file tells nss_ldap and pam_ldap where the directory is and where within it to find user, group, and host entries.

/etc/ldap.conf

# Where the directory is. Red Hat Enterprise Linux 3 must use the host directive
# instead of URI (see Troubleshooting below).
# pam_ldap authenticates with a simple bind that carries the user's password, so
# prefer ldaps:// over plain ldap:// on any network you do not fully trust.
URI ldap[s]://192.168.1.xx
base dc=example,dc=com

# The following settings ensure that root can always log in and that the host
# will always boot, even if the LDAP server itself runs on this host: short
# timeouts, no endless reconnect attempts (bind_policy soft), and no directory
# group lookups for root or the ldap user (so slapd can start before the
# directory is reachable).
timelimit 15
bind_timelimit 15
bind_policy soft
nss_initgroups_ignoreusers root,ldap

# Password changes use the LDAP Password Modify extended operation, so the
# server hashes the new password itself.
pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid

nss_base_passwd ou=People,dc=example,dc=com
nss_base_shadow ou=People,dc=example,dc=com
nss_base_group  ou=Group,dc=example,dc=com
nss_base_hosts  ou=Hosts,dc=example,dc=com

# Search only one level below each of the bases above.
scope one

See the nss_ldap, pam_ldap, and ldap.conf man pages for the full list of directives. Two are worth adding before a host leaves a trusted network: pam_ldap performs a simple bind with the user's password, so enable TLS (ldaps:// in URI, or the ssl start_tls directive) and make the client verify the server certificate with tls_checkpeer yes and tls_cacertfile pointing at your CA certificate. Without that, an attacker on the path can read every password or answer binds with a server of their own.

Configure /etc/pam.d/system-auth as follows. This is where PAM is told to verify authentication against the LDAP directory as well as against the local passwd and shadow files. Order matters: a module marked sufficient ends the stack as soon as it succeeds, so anything placed below it only runs when the modules above it fail.

/etc/pam.d/system-auth

# auth: pam_unix is tried first so local accounts (root included) still work
# with the directory down; pam_ldap then reuses the same password for
# directory users.
auth       required     pam_env.so
# pam_nologin must sit above the 'sufficient' modules: a successful
# 'sufficient' ends the stack, so placed after pam_deny it would never run.
auth       required     pam_nologin.so
# nullok lets accounts with an empty password field log in; drop it unless you
# really need that.
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so

session    required     pam_limits.so
# pam_unix and pam_ldap must not be 'sufficient' here, or pam_mkhomedir below
# is never reached and directory users log in without a home directory.
session    required     pam_unix.so
session    optional     pam_ldap.so
# umask=0077 gives the new home directory mode 0700; 0066 would leave it 0711,
# traversable by every other user on the host.
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077

Edit /etc/nsswitch.conf to match the following. This file tells the host's name service switch (glibc NSS) where to look for user, password, and group information, and in which order.

/etc/nsswitch.conf
passwd:      files ldap
shadow:      files ldap
group:       files ldap

Because files is listed before ldap for each database and pam_unix is tried before pam_ldap, local accounts can still log in when the LDAP server is unavailable; bind_policy soft keeps those logins from hanging on the unreachable directory. (The nss_base_hosts entry above only takes effect if you also add ldap to the hosts line.)

Verify functionality

You should now be able to log in to your Linux hosts with LDAP accounts. A good first test is to restart nscd (so a stale cache does not mask the change) and run 'getent passwd': if the directory users are listed alongside the local ones, NSS is talking to the LDAP server. Then log in as a directory user to exercise PAM as well, since a working getent only proves the lookup side.
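As an added check that is not part of the original page: a small POSIX shell script that reads the three files edited above and reports the settings most likely to cause trouble, namely a URI without TLS, tls_checkpeer turned off, a bind_policy other than soft, ldap listed before files in nsswitch.conf, nullok on the auth line, and pam_mkhomedir placed below a 'session sufficient' line where it never runs. It assumes the directive names used in this page's ldap.conf (URI, ssl, tls_checkpeer, bind_policy); the audit functions and their messages are the editor's, not from nss_ldap or pam_ldap.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the three client files
# this page edits for the settings that matter most in practice.
#
#   audit_ldap_client /etc/ldap.conf /etc/nsswitch.conf /etc/pam.d/system-auth
#
# One finding per line on stdout; the return value is the number of findings.

# Print the first value of DIRECTIVE in an ldap.conf-style FILE
# (case-insensitive key, comment lines skipped); print nothing if absent.
conf_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_ldap_conf() {
    f="$1"; n=0
    uri=$(conf_value "$f" uri)
    ssl=$(conf_value "$f" ssl)
    # pam_ldap authenticates with a simple bind, so without TLS the user's
    # password crosses the wire in clear text. ldapi:// is a local socket.
    case "$uri" in
        ldaps://*|ldapi://*) ;;
        *)  if [ "$ssl" != "start_tls" ] && [ "$ssl" != "on" ]; then
                echo "$f: no TLS (URI '${uri:-host directive}', ssl '${ssl:-unset}'): passwords sent in clear"
                n=$((n + 1))
            fi ;;
    esac
    # tls_checkpeer no accepts any certificate, so TLS no longer stops an
    # attacker who can redirect traffic to a server of their own.
    if [ "$(conf_value "$f" tls_checkpeer)" = "no" ]; then
        echo "$f: tls_checkpeer no: server certificate is not verified"
        n=$((n + 1))
    fi
    # Anything but bind_policy soft retries a dead server forever, which hangs
    # boot and local logins whenever the directory is unreachable.
    if [ "$(conf_value "$f" bind_policy)" != "soft" ]; then
        echo "$f: bind_policy is not soft: lookups hang while the server is down"
        n=$((n + 1))
    fi
    return "$n"
}

audit_nsswitch() {
    f="$1"; n=0
    # files must come before ldap so root and other local accounts still
    # resolve (and can log in) while the directory is down.
    for db in passwd shadow group; do
        first=$(awk -v db="$db:" '$1 == db { print $2; exit }' "$f")
        if [ "$first" != "files" ]; then
            echo "$f: $db consults '${first:-nothing}' before files"
            n=$((n + 1))
        fi
    done
    return "$n"
}

audit_pam() {
    f="$1"; n=0
    # nullok lets an account whose password field is empty log in.
    if grep -Eq '^auth[[:space:]].*pam_unix\.so.*nullok' "$f"; then
        echo "$f: nullok on auth pam_unix.so allows empty passwords"
        n=$((n + 1))
    fi
    # A successful 'sufficient' module ends the stack, so pam_mkhomedir placed
    # below 'session sufficient pam_unix.so' never runs and directory users
    # log in without a home directory.
    suff=$(grep -En '^session[[:space:]]+sufficient' "$f" | head -n 1 | cut -d: -f1)
    mkhome=$(grep -En '^session[[:space:]].*pam_mkhomedir\.so' "$f" | head -n 1 | cut -d: -f1)
    if [ -n "$suff" ] && [ -n "$mkhome" ] && [ "$mkhome" -gt "$suff" ]; then
        echo "$f: pam_mkhomedir.so (line $mkhome) is below 'session sufficient' (line $suff) and never runs"
        n=$((n + 1))
    fi
    return "$n"
}

# Run all three audits; the return value is the total number of findings.
audit_ldap_client() {
    total=0
    audit_ldap_conf "$1" || total=$((total + $?))
    audit_nsswitch  "$2" || total=$((total + $?))
    audit_pam       "$3" || total=$((total + $?))
    return "$total"
}
```

Run it against the live files after editing them (the return value doubles as a pass/fail exit status for a configuration-management check), and again after the TLS directives are in place: the ldap.conf block shown on this page, taken literally with ldap:// and no ssl directive, is reported as sending passwords in clear.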

Troubleshooting and Common Errors

Red Hat Enterprise Linux 3 requires that the host directive be used in /etc/ldap.conf rather than URI when using ACLs on the userPassword attribute. Using URI somehow restricts the host's ability to perform an authenticated bind to the LDAP server. This is frustrating, and I wasted two weeks of troubleshooting to discover this trivial error. This is very unusual, as RHEL 2.* and CentOS 2/3/4 all allow use of the URI directive.
