“UbuntuHelp:LDAPClientAuthentication”的版本间的差异
来自Ubuntu中文
小 (New page: {{From|https://help.ubuntu.com/community/LDAPClientAuthentication}} {{Languages|php5}} == Introduction == This page is intended for anyone who wants to enable an Ubuntu client to authenti...) |
小 |
||
| 第38行: | 第38行: | ||
passwd: files ldap | passwd: files ldap | ||
group: files ldap | group: files ldap | ||
| − | </nowiki></ | + | </nowiki></pre> |
There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap | There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap | ||
| 第46行: | 第46行: | ||
$ getent passwd <someldapuser> | $ getent passwd <someldapuser> | ||
$ getent group <someldapgroup> | $ getent group <someldapgroup> | ||
| − | </nowiki></ | + | </nowiki></pre> |
If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM. | If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM. | ||
| 第57行: | 第57行: | ||
<pre><nowiki> | <pre><nowiki> | ||
$ sudo editor /etc/libnss-ldap.conf | $ sudo editor /etc/libnss-ldap.conf | ||
| − | </nowiki></ | + | </nowiki></pre> |
Add this line in the bind policy section: | Add this line in the bind policy section: | ||
<pre><nowiki> | <pre><nowiki> | ||
bind_policy soft | bind_policy soft | ||
| − | </nowiki></ | + | </nowiki></pre> |
Also, Make sure you have the correct ldap settings listed in this file. If not, you may have to change them too. | Also, Make sure you have the correct ldap settings listed in this file. If not, you may have to change them too. | ||
| 第76行: | 第76行: | ||
<pre><nowiki> | <pre><nowiki> | ||
$ sudo nss_updatedb ldap | $ sudo nss_updatedb ldap | ||
| − | </nowiki></ | + | </nowiki></pre> |
nss_updatedb is storing the cache in /var/lib/misc/. | nss_updatedb is storing the cache in /var/lib/misc/. | ||
| 第108行: | 第108行: | ||
exit 0 | exit 0 | ||
| − | </nowiki></ | + | </nowiki></pre> |
To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this: | To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this: | ||
| 第115行: | 第115行: | ||
passwd: files ldap [NOTFOUND=return] db | passwd: files ldap [NOTFOUND=return] db | ||
group: files ldap [NOTFOUND=return] db | group: files ldap [NOTFOUND=return] db | ||
| − | </nowiki></ | + | </nowiki></pre> |
This means: | This means: | ||
| 第131行: | 第131行: | ||
account sufficient pam_ldap.so | account sufficient pam_ldap.so | ||
account required pam_unix.so | account required pam_unix.so | ||
| − | </nowiki></ | + | </nowiki></pre> |
Edit '''/etc/pam.d/common-auth''' and add pam_ldap.so, like this: | Edit '''/etc/pam.d/common-auth''' and add pam_ldap.so, like this: | ||
| 第138行: | 第138行: | ||
auth sufficient pam_ldap.so | auth sufficient pam_ldap.so | ||
auth required pam_unix.so nullok_secure use_first_pass | auth required pam_unix.so nullok_secure use_first_pass | ||
| − | </nowiki></ | + | </nowiki></pre> |
Edit '''/etc/pam.d/common-password''' and add pam_ldap.so, like this: | Edit '''/etc/pam.d/common-password''' and add pam_ldap.so, like this: | ||
| 第145行: | 第145行: | ||
password sufficient pam_ldap.so | password sufficient pam_ldap.so | ||
password required pam_unix.so nullok obscure min=4 max=8 md5 | password required pam_unix.so nullok obscure min=4 max=8 md5 | ||
| − | </nowiki></ | + | </nowiki></pre> |
Optionally, and not related to LDAP, if you want stronger passwords, you might be interested in ''libpam-cracklib'' (see InstallingSoftware). | Optionally, and not related to LDAP, if you want stronger passwords, you might be interested in ''libpam-cracklib'' (see InstallingSoftware). | ||
| 第155行: | 第155行: | ||
password sufficient pam_ldap.so use_authtok nullok md5 | password sufficient pam_ldap.so use_authtok nullok md5 | ||
password required pam_unix.so use_authtok use_first_pass | password required pam_unix.so use_authtok use_first_pass | ||
| − | </nowiki></ | + | </nowiki></pre> |
Edit '''/etc/pam.d/common-session''' and add pam_ldap.so, like this: | Edit '''/etc/pam.d/common-session''' and add pam_ldap.so, like this: | ||
| 第162行: | 第162行: | ||
session sufficient pam_ldap.so | session sufficient pam_ldap.so | ||
session required pam_unix.so | session required pam_unix.so | ||
| − | </nowiki></ | + | </nowiki></pre> |
Handy is to automatically create the home directory at first logon. Edit the ''common-session'' file again: | Handy is to automatically create the home directory at first logon. Edit the ''common-session'' file again: | ||
| 第171行: | 第171行: | ||
session optional pam_ldap.so | session optional pam_ldap.so | ||
session optional pam_foreground.so | session optional pam_foreground.so | ||
| − | </nowiki></ | + | </nowiki></pre> |
== Credits == | == Credits == | ||
2007年5月13日 (日) 12:33的版本
目录
Introduction
This page is intended for anyone who wants to enable an Ubuntu client to authenticate on an existing OpenLDAP server. For more details on the server installation part see UbuntuHelp:OpenLDAPServer.
For authenticating on a Sun Java Enterprise System Directory Server should consult the UbuntuHelp:SunLDAPClientAuthentication page.
Installation
Install the following packages: libpam-ldap libnss-ldap nss-updatedb (see InstallingSoftware). Note that you have to enable the universe repositories for this.
During installation, you will be asked the following questions:
- The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
- The distinguished name of the search base. For example dc=example,dc=com
- The LDAP version to use. You usually would choose 3 here.
- If your database requires logging in. You would usually choose no here.
- If you want to make configuration readable/writeable by owner only. A no should be the answer to this.
- A Dialog is displayed explaining it cannot manage nsswitch.conf automatically. Just select OK.
- If you want the local root to be the database admin. You would usually choose yes here.
- Again If your database requires logging in. You would usually choose no here.
- Your root login account. For example: cn=manager,dc=example,dc=com
- Your root password.
- After, a dialog explaining the different encryption methods to specify the encryption method to use before sending your password. exop is usually a good choice.
The above steps might vary a bit depending on the Ubuntu distribution used. When you want to restart the configuration you can use dpkg-reconfigure for both libpam-ldap and libnss-ldap packages.
When finished configuring you will need to double check the data in /etc/libnss-ldap.conf. Especially the 'host' entry which doesn't accept URI. Better is to use the 'uri' entries and comment out the 'host'.
Configuration
After the installation of the necessary packages you will need to configure the Name Service and PAM.
Name Service
In /etc/nsswitch.conf replace compat with files ldap for both the passwd and group entries so you get something like this:
passwd: files ldap group: files ldap
There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap
Now you can test the configuration by using the following line (substitute <someldapuser> with a user and <someldapgroup> with a group known by your LDAP server):
$ getent passwd <someldapuser> $ getent group <someldapgroup>
If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM.
If the user is in your LDAP and not locally, 1 online should be returned. If not:
- double check /etc/libnss-ldap.conf (e.g. use 'uri' instead of the 'host' entry)
- check the password in /etc/libnss-ldap.secret
There appears to be a bug in libnss-ldap which can create a rather nasty boot problem in udevd. If you do not enable a "soft" bind policy, booting can hang and authentication will not operate properly. Use the following command to edit the nss-ldap file:
$ sudo editor /etc/libnss-ldap.conf
Add this line in the bind policy section:
bind_policy soft
Also, Make sure you have the correct ldap settings listed in this file. If not, you may have to change them too.
Some extra tips:
- It is also good to set the timeouts lower.
- Don't use sudo when editing this file or leave it open while testing. If you save with a typo, it could mean that you can't access your server anymore.
Caching Name Service directories (optional)
[(Geert) This needs editing, I can't make it work.] [(Geert) nscd can be used, but didn't work either.]
In order to prevent network slowdown or outage from preventing user name lookup and thus login, use the nss-updatedb package to create a local database of the user names. You first need to populate the database for the first time and then create a scheduled job to update the database at a random time each hour (the random time means that all clients are no hitting the LDAP server simultaneously for updates). Run:
$ sudo nss_updatedb ldap
nss_updatedb is storing the cache in /var/lib/misc/.
Now you need to create a script to update the database randomly.
Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following:
#!/bin/bash LOCK=/var/run/auth-update.cron [ "$1" != "0" ] && [ -f $LOCK ] && [ -d /proc/"$(cat $LOCK)" ] && exit 0 echo $$ > $LOCK RANGE=3600 [ "$1" != "" ] && RANGE=$1 SLEEP=$RANDOM [ "$RANGE" != "0" ] && let "SLEEP %= $RANGE" || SLEEP=0 sleep $SLEEP go=true while $go; do /usr/sbin/nss_updatedb ldap [ $? -eq 0 ] && go=false [ "$go" == "true" ] && sleep 10 done rm $LOCK exit 0
To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this:
passwd: files ldap [NOTFOUND=return] db group: files ldap [NOTFOUND=return] db
This means:
- look first in the local files (/etc/passwd and /etc/group)
- if not found, use LDAP
- when LDAP does not have user information, exit and return nothing (this is the [NOTFOUND=return] directive)
- if the LDAP server was not reachable, proceed with using the cached data
PAM
The PAM configuration is split in 4 files: common-account, common-auth, common-password and common-session. They are included in the other configuration files like login, ssh, ..
Edit /etc/pam.d/common-account and add pam_ldap.so, like this:
account sufficient pam_ldap.so account required pam_unix.so
Edit /etc/pam.d/common-auth and add pam_ldap.so, like this:
auth sufficient pam_ldap.so auth required pam_unix.so nullok_secure use_first_pass
Edit /etc/pam.d/common-password and add pam_ldap.so, like this:
password sufficient pam_ldap.so password required pam_unix.so nullok obscure min=4 max=8 md5
Optionally, and not related to LDAP, if you want stronger passwords, you might be interested in libpam-cracklib (see InstallingSoftware).
To activate it you'll need to edit /etc/pam.d/common-password:
password required pam_cracklib.so retry=3 minlen=6 difok=3 password sufficient pam_ldap.so use_authtok nullok md5 password required pam_unix.so use_authtok use_first_pass
Edit /etc/pam.d/common-session and add pam_ldap.so, like this:
session sufficient pam_ldap.so session required pam_unix.so
Handy is to automatically create the home directory at first logon. Edit the common-session file again:
session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ session optional pam_ldap.so session optional pam_foreground.so
Credits
- Most of the information used in this document was found on the following page:
- Some additional documentation I found here: http://www.gentoo.org/doc/en/ldap-howto.xml
CategoryCleanup
