Source: https://help.ubuntu.com/community/LDAPClientAuthentication
Introduction
This page is intended for anyone who wants to enable an Ubuntu client to authenticate against an existing OpenLDAP server. For more details on the server installation part see OpenLDAPServer. If you want Kerberos as well for single sign-on (likely), see SingleSignOn. For authenticating against a Sun Java Enterprise System Directory Server, consult the SunLDAPClientAuthentication page. For authenticating using a Mac OS X Leopard Server, consult the OSXLDAPClientAuthentication page. For 7.10 and later, see the bottom of the page for another way of doing it (auth-client-config).
Installation
Install the following packages: libpam-ldap libnss-ldap nss-updatedb libnss-db
(see InstallingSoftware). Note that you have to enable the universe repositories for this.
libpam-ldap allows for _authentication_ via LDAP. libnss-ldap provides _session_ information via LDAP. That's why /etc/libnss-ldap.conf and /etc/pam_ldap.conf have such similar structures.
During installation, you will be asked the following questions:
- The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
- The distinguished name of the search base. For example dc=example,dc=com
- The LDAP version to use. You usually would choose 3 here.
- If your database requires logging in. You would usually choose no here.
- Whether to make the configuration readable/writeable by owner only. No should be the answer to this.
- A dialog is displayed explaining that it cannot manage nsswitch.conf automatically. Just select OK.
- If you want the local root to be the database admin. You would usually choose yes here.
- Again, if your database requires logging in. You would usually choose no here.
- Your root login account. For example: cn=manager,dc=example,dc=com
- Your root password.
- Finally, a dialog explains the different encryption methods and asks which one to use before sending your password. exop is usually a good choice.
The above steps might vary a bit depending on the Ubuntu release used. When you want to restart the configuration you can run dpkg-reconfigure for both the libpam-ldap and libnss-ldap packages.
When finished configuring you will need to double check the data in /etc/libnss-ldap.conf, especially the 'host' entry, which doesn't accept a URI. Better is to use the 'uri' entries and comment out the 'host' line.
Configuration
After the installation of the necessary packages you will need to configure the Name Service and PAM.
Name Service
In /etc/nsswitch.conf replace compat with files ldap for both the passwd and group entries so you get something like this:
passwd: files ldap
group: files ldap
There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap. Now you can test the configuration:
$ getent passwd
or
$ getent group
You should see lines that look like they've come straight out of /etc/passwd. These are the lines 'published' by your LDAP server. If you do, the Name Service (NSS) side of the job is done. If not, check /etc/libnss-ldap.conf for typos. If your setup requires a password to connect to the LDAP server, don't forget to put that password into /etc/libnss-ldap.secret.

BUG ALERT: Make sure /etc/libnss-ldap.conf has "bind_policy soft". If it's not there, a nasty bug with udev can arise at boot time. You should probably also make this change in /etc/pam_ldap.conf. It's also a good idea to shorten the timeouts there.

Don't use sudo when editing this file or leave it open while testing. If you save with a typo, it could mean that you can't access your server anymore.
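The checks above (files before ldap in nsswitch.conf, uri instead of host, bind_policy soft, short timeouts) are easy to get wrong by hand, so here is an added example, not part of the original page, that parses the two files and reports anything missing. The sample file contents, the 30-second timeout ceiling and the finding texts are constructed for the example; read the real /etc/nsswitch.conf and /etc/libnss-ldap.conf into the same functions to check a live client.

```python
# Added example, not from the Ubuntu wiki page: parse nsswitch.conf and
# libnss-ldap.conf text and report the mistakes the NSS section warns about.

# Constructed sample of /etc/nsswitch.conf after the edit described on the page.
NSSWITCH_OK = """\
passwd:         files ldap
group:          files ldap
shadow:         compat
hosts:          files dns
"""

# Constructed sample of /etc/libnss-ldap.conf done the way the page recommends.
LIBNSS_LDAP_OK = """\
# host is commented out in favour of uri
#host 127.0.0.1
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3
bind_policy soft
bind_timelimit 10
timelimit 10
"""

# Constructed broken pair: compat still in use, ldap before files, host and
# uri both active, no bind_policy, no short timeouts.
NSSWITCH_BAD = "passwd: compat\ngroup: ldap files\n"
LIBNSS_LDAP_BAD = "host 127.0.0.1\nuri ldap://ldap.example.com/\nbase dc=example,dc=com\n"

MAX_TIMEOUT_SECONDS = 30  # assumption: longer timeouts stall logins when LDAP is down


def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def parse_ldap_conf(text):
    """Map active (uncommented) 'key value' lines of libnss-ldap.conf / pam_ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_client_config(nsswitch_text, ldap_conf_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    databases = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        sources = databases.get(db, [])
        if "ldap" not in sources:
            findings.append(f"nsswitch.conf: {db} does not consult ldap (still compat?)")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            findings.append(f"nsswitch.conf: {db} should list files before ldap so local "
                            f"accounts still resolve when the server is unreachable")

    conf = parse_ldap_conf(ldap_conf_text)
    if "uri" not in conf:
        findings.append("libnss-ldap.conf: no uri entry (host does not accept a URI)")
    if "host" in conf:
        findings.append("libnss-ldap.conf: comment out host and use uri instead")
    if conf.get("bind_policy") != "soft":
        findings.append("libnss-ldap.conf: add 'bind_policy soft' (udev bug at boot)")
    for key in ("bind_timelimit", "timelimit"):
        value = conf.get(key, "")
        if not value.isdigit() or int(value) > MAX_TIMEOUT_SECONDS:
            findings.append(f"libnss-ldap.conf: set {key} to at most {MAX_TIMEOUT_SECONDS}s")
    return findings


if __name__ == "__main__":
    for label, pair in (("ok", (NSSWITCH_OK, LIBNSS_LDAP_OK)),
                        ("bad", (NSSWITCH_BAD, LIBNSS_LDAP_BAD))):
        print(label, check_client_config(*pair) or "no findings")
```

Run it on the two constructed pairs and the first reports nothing while the second lists six findings. The files-before-ldap check is the one that keeps root logins working during an outage, which the page's getent test alone will not reveal.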
PAM
Four central files control PAM's use of LDAP: common-account, common-auth, common-password and common-session. They're in /etc/pam.d. For details, see the pam(7) manpage. Edit /etc/pam.d/common-account to look like this:
account sufficient pam_ldap.so
account required pam_unix.so
Edit /etc/pam.d/common-auth to look like this:
auth required pam_group.so use_first_pass
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
Edit /etc/pam.d/common-password to look like this:
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
PAM: Stronger Passwords (Optional)
You might be interested in libpam-cracklib (see InstallingSoftware). To activate it you'll need to edit /etc/pam.d/common-password:
password required pam_cracklib.so retry=3 minlen=6 difok=3
password sufficient pam_ldap.so use_authtok
password required pam_unix.so use_authtok use_first_pass
Edit /etc/pam.d/common-session and add pam_ldap.so, like this:
session optional pam_foreground.so
session sufficient pam_ldap.so
session required pam_unix.so
PAM: Home directory creation (optional)
Edit the common-session file again:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
session optional pam_foreground.so
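The order of these lines is not cosmetic: a sufficient module that succeeds ends the stack, so anything listed after pam_ldap.so never runs for an LDAP user (the open_ldap profile further down on this page relies on exactly this when it insists that pam_group.so precede pam_ldap.so). The following is an added example, not code from the page or from Linux-PAM, that models the four classic control flags (required, requisite, sufficient, optional) and runs the page's common-auth stack against constructed True/False module outcomes; real modules return many more status codes than this.

```python
# Added example, not from the Ubuntu wiki page: a small model of Linux-PAM
# control flags used to show why the order of lines in common-auth matters.

def run_pam_stack(stack, outcomes):
    """Evaluate a PAM stack for one request.

    stack    -- list of (control, module) pairs in file order
    outcomes -- dict module -> True (success) / False (failure) for this user
    Returns (authenticated, modules_that_actually_ran).
    """
    executed = []
    required_failed = False
    saw_non_optional = False
    last_result = False
    for control, module in stack:
        ok = outcomes.get(module, False)   # assumption: an unknown module fails closed
        executed.append(module)
        last_result = ok
        if control == "required":
            saw_non_optional = True
            if not ok:
                required_failed = True      # remember the failure but keep running
        elif control == "requisite":
            saw_non_optional = True
            if not ok:
                return False, executed      # fail immediately
        elif control == "sufficient":
            saw_non_optional = True
            if ok and not required_failed:
                return True, executed       # short-circuit: later lines never run
        elif control == "optional":
            pass                            # ignored unless it is the only module
        else:
            raise ValueError(f"unknown control flag: {control}")
    if not saw_non_optional:
        return last_result, executed        # stack made of optional modules only
    return not required_failed, executed


# The common-auth stack from this page: pam_group runs before pam_ldap.
COMMON_AUTH = [
    ("required", "pam_group.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# The same lines with pam_group moved after the sufficient pam_ldap line.
REORDERED_AUTH = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_group.so"),
    ("required", "pam_unix.so"),
]

# Constructed outcomes. An LDAP-only account is unknown to pam_unix.
LDAP_USER = {"pam_group.so": True, "pam_ldap.so": True, "pam_unix.so": False}
LOCAL_USER = {"pam_group.so": True, "pam_ldap.so": False, "pam_unix.so": True}
BAD_PASSWORD = {"pam_group.so": True, "pam_ldap.so": False, "pam_unix.so": False}


def ran_pam_group(stack, outcomes):
    """True when pam_group.so executed, i.e. the user received the extra local groups."""
    return "pam_group.so" in run_pam_stack(stack, outcomes)[1]


if __name__ == "__main__":
    for name, stack in (("page order", COMMON_AUTH), ("reordered", REORDERED_AUTH)):
        ok, ran = run_pam_stack(stack, LDAP_USER)
        print(f"{name}: authenticated={ok} ran={ran} "
              f"pam_group={'yes' if 'pam_group.so' in ran else 'no'}")
```

With the page's order an LDAP user is authenticated after pam_group and pam_ldap have both run; with pam_group moved below pam_ldap the user is still authenticated but pam_group never executes, which is the symptom (no plugdev, fuse or scanner membership) described at the bottom of this page. A local user falls through the failed sufficient line to pam_unix, and a wrong password fails because the required pam_unix line fails.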
Option: Caching Name Service directories
In order to prevent network slowdown or outage from preventing user name lookup and thus login, you can use the nss-updatedb package to create a local database of the user names, and in conjunction, use libpam-ccreds to cache credentials locally. This can be particularly useful on laptops. Please refer to PamCcredsHowto for complete instructions. Below is a script for running nss_updatedb hourly. PamCcredsHowto shows a much simpler way to run this daily, but if you want to run it every hour, then please use the code below. Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following:
#!/bin/bash
# Hourly refresh of the local NSS cache from LDAP (see PamCcredsHowto).
LOCK=/var/run/auth-update.cron
# If a previous run is still alive (the lock file holds a live PID), quit,
# unless "0" is passed as the first argument to force a run.
[ "$1" != "0" ] && [ -f "$LOCK" ] && [ -d /proc/"$(cat "$LOCK")" ] && exit 0
echo $$ > "$LOCK"
# Sleep a random number of seconds (up to RANGE, default 3600) so that many
# clients do not all hit the server at the same moment.
RANGE=3600
[ "$1" != "" ] && RANGE=$1
SLEEP=$RANDOM
[ "$RANGE" != "0" ] && let "SLEEP %= $RANGE" || SLEEP=0
sleep $SLEEP
# Retry every 10 seconds until nss_updatedb succeeds.
go=true
while $go; do
    /usr/sbin/nss_updatedb ldap
    [ $? -eq 0 ] && go=false
    [ "$go" == "true" ] && sleep 10
done
rm "$LOCK"
exit 0
Notes for 7.10 and later
- There is a new tool since 7.10 to modify the pam and nsswitch files at once: AuthClientConfig.
- There is now a meta-package ldap-auth-client which will install all the following required packages for an ldap client:
auth-client-config ldap-auth-config libnss-ldap libpam-ldap
You can use that tool like so:
sudo auth-client-config -a -p lac_ldap
to reflect the changes handled on this page. Read more about it in this thread: http://ubuntuforums.org/showthread.php?t=597056
- If the lac_ldap option fails (as it did on my 8.10 system) the following settings were successful. These settings will also cause domain (ldap) users to become members of local groups so that local devices needing fuse, plugdev, scanner etc... membership will work properly. For example: If you are having problems with automounting of usb drives the pam_group.so option is likely your problem.
nano /etc/auth-client-config/profile.d/open_ldap
and paste the following into it:
[open_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth required pam_env.so
	auth sufficient pam_unix.so likeauth nullok
	#the following line (containing pam_group.so) must be placed before pam_ldap.so
	#for ldap users to be placed in local groups such as fuse, plugdev, scanner, etc ...
	auth required pam_group.so use_first_pass
	auth sufficient pam_ldap.so use_first_pass
	auth required pam_deny.so
pam_account=account sufficient pam_unix.so
	account sufficient pam_ldap.so
	account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow
	password sufficient pam_ldap.so use_first_pass
	password required pam_deny.so
pam_session=session required pam_limits.so
	session required pam_mkhomedir.so skel=/etc/skel/
	session required pam_unix.so
	session optional pam_ldap.so
Now to activate that pam profile do the following:
auth-client-config -a -p open_ldap
To assign local groups to domain (ldap) users do the following:
nano /etc/security/group.conf
and add the following to the end of the file (note you can determine which groups to add to this line by logging in as a local user and using the 'groups' command):
*; *; *; Al0000-2400;audio,cdrom,floppy,plugdev,video,fuse,scanner,dip
You should now have local groups showing up for users logging in via gdm and ssh ('su username' did not give these groups on my system). Note that I did not have to edit the gdm, sshd, or login files in /etc/pam.d/ as they include a call to @include common-auth giving them the pam_group.so line in the proper order (before pam_ldap.so).
You can test local groups using ssh (assuming nickf is an LDAP user):
ssh nickf@localhost
Once you are logged in as an LDAP user you can see your groups with the 'id' or 'groups' command:
nickf@ubuntu-ltsp:~$ id
uid=10178(nickf) gid=512(Domain Admins) groups=24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),107(fuse),512(Domain Admins),544(Administrators),10000(Teachers)
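The group.conf line above grants the listed device groups to every user, on every service and tty, at every time of day, which is what the leading `*; *; *; Al0000-2400` means. The following is an added example, not code from the page or from pam_group, that evaluates lines in that `services; ttys; users; times; groups` format so you can see exactly who would receive which extra groups before logging in to check with `id`. It supports `*` and comma lists in the first three fields, and day codes (Mo..Su, Wk, Wd, Al) followed by one HHMM-HHMM range in the times field; the `!` negation and repeated-day toggling of the real syntax are not modelled. The second, narrower line in the sample and the user and time values are constructed.

```python
# Added example, not from the Ubuntu wiki page: evaluate pam_group-style
# /etc/security/group.conf lines (subset of the real syntax, see lead-in).
import datetime

DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
DAY_SETS = {"Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}

# Constructed sample: the page's catch-all line plus a narrower, assumed one.
GROUP_CONF = """\
# services; ttys; users; times; groups
*; *; *; Al0000-2400;audio,cdrom,floppy,plugdev,video,fuse,scanner,dip
sshd; *; nickf; Wk0800-1800; backup
"""


def field_matches(spec, value):
    """'*' matches anything; otherwise the value must appear in the comma list."""
    items = [item.strip() for item in spec.split(",")]
    return "*" in items or value in items


def time_matches(spec, when):
    """Match 'Al0000-2400', 'Wk0800-1800' or 'MoTu1200-1300' style specs."""
    days = set()
    i = 0
    while spec[i:i + 2] in DAY_CODES or spec[i:i + 2] in DAY_SETS:
        code = spec[i:i + 2]
        days |= DAY_SETS[code] if code in DAY_SETS else {DAY_CODES[code]}
        i += 2
    start, end = spec[i:].split("-")
    minute = when.hour * 60 + when.minute
    lo = int(start[:2]) * 60 + int(start[2:])
    hi = int(end[:2]) * 60 + int(end[2:])   # 2400 is the end of the day
    return when.weekday() in days and lo <= minute < hi


def extra_groups(conf_text, service, tty, user, when_iso):
    """Union of groups granted by every matching line, for a login at when_iso."""
    when = datetime.datetime.fromisoformat(when_iso)
    granted = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            continue  # malformed line, skipped
        services, ttys, users, times, groups = fields
        if (field_matches(services, service) and field_matches(ttys, tty)
                and field_matches(users, user) and time_matches(times, when)):
            granted |= {g.strip() for g in groups.split(",") if g.strip()}
    return granted


if __name__ == "__main__":
    # 2024-01-03 is a Wednesday, 2024-01-06 a Saturday.
    print(sorted(extra_groups(GROUP_CONF, "sshd", "pts/0", "nickf", "2024-01-03T10:00")))
    print(sorted(extra_groups(GROUP_CONF, "gdm", "tty7", "alice", "2024-01-06T10:00")))
```

Both sample logins receive the eight device groups from the page's line; only nickf over sshd on a weekday also gets the constructed backup group. If the device groups should not go to every account that can reach sshd, narrow the services or users field rather than the time range.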
Credits
- Most of the information used in this document was found on the following page:
- Some additional documentation I found here: http://www.gentoo.org/doc/en/ldap-howto.xml
- pam(7) manpage
- WheelDweller <[email protected]> is actively polishing this particular apple. :)