个人工具

“UbuntuHelp:LDAPClientAuthentication”的版本间的差异

来自Ubuntu中文

跳转至: 导航, 搜索
第10行: 第10行:
  
 
Install the following packages: <code><nowiki>libpam-ldap libnss-ldap nss-updatedb</nowiki></code> (see InstallingSoftware). Note that you have to enable the universe repositories for this.
 
Install the following packages: <code><nowiki>libpam-ldap libnss-ldap nss-updatedb</nowiki></code> (see InstallingSoftware). Note that you have to enable the universe repositories for this.
 +
 +
libpam-ldap to allows for _authentication_ via LDAP. libnss-ldap allows _session_ information via LDAP. That's why /etc/libnss-ldap.conf /etc/pam_ldap.conf have such similar structures.
  
 
During installation, you will be asked the following questions:
 
During installation, you will be asked the following questions:
第42行: 第44行:
 
There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap
 
There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap
  
Now you can test the configuration by using the following line (substitute ''<someldapuser>'' with a user and ''<someldapgroup>'' with a group known by your LDAP server):
+
Now you can test the configuration:
 
<pre><nowiki>
 
<pre><nowiki>
$ getent passwd <someldapuser>
+
$ getent passwd
$ getent group <someldapgroup>
+
 
 +
or
 +
 
 +
$ getent group
 
</nowiki></pre>
 
</nowiki></pre>
  
If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM.
+
You should see lines that look like they've come straight out of /etc/passwd. These are the lines 'published' by your LDAP server. If you do, the Name Service (NSS) side of the job is done. If not, check /etc/libnss-ldap.conf for typos.
  
If the user is in your LDAP and not locally, 1 online should be returned. If not:
+
If your setup requires a password to connect to the LDAP server, don't forget to put that password into /etc/libnss-ldap.secret.
** double check /etc/libnss-ldap.conf (e.g. use 'uri' instead of the 'host' entry)
+
 
** check the password in /etc/libnss-ldap.secret
+
''BUG ALERT:''
 +
Make sure /etc/libnss-ldap.conf has "bind_policy soft". If it's not there, a nasty bug with udev can arise at boot-time.
 +
 
 +
It's also a good idea to shorten the timeouts there.
 +
 
 +
Don't use sudo when editing this file or leave it open while testing. If you save with a typo, it could mean that you can't access your server anymore.
 +
 
 +
=== PAM ===
 +
Four central files control PAM's use of LDAP: common-account, common-auth, common-password and common-session. They're in /etc/pam.d.
 +
 
 +
For details, see the pam(7) manpage.
 +
 
 +
Edit '''/etc/pam.d/common-account''' to look like this:
  
There appears to be a bug in libnss-ldap which can create a rather nasty boot problem in udevd. If you do not enable a "soft" bind policy, booting can hang and authentication will not operate properly. Use the following command to edit the nss-ldap file:
 
 
<pre><nowiki>
 
<pre><nowiki>
$ sudo editor /etc/libnss-ldap.conf
+
account sufficient pam_ldap.so
 +
account required pam_unix.so
 
</nowiki></pre>
 
</nowiki></pre>
Add this line in the bind policy section:
+
 
 +
Edit '''/etc/pam.d/common-auth''' to look like this:
 +
 
 
<pre><nowiki>
 
<pre><nowiki>
bind_policy soft
+
auth sufficient pam_ldap.so
</nowiki></pre>  
+
auth required pam_unix.so nullok_secure use_first_pass
Also,  Make sure you have the correct ldap settings listed in this file. If not, you may have to change them too.
+
</nowiki></pre>
  
Some extra tips:
+
Edit '''/etc/pam.d/common-password''' to look like this:
* It is also good to set the timeouts lower.
+
 
* Don't use sudo when editing this file or leave it open while testing. If you save with a typo, it could mean that you can't access your server anymore.
+
<pre><nowiki>
 +
password sufficient pam_ldap.so
 +
password required pam_unix.so nullok obscure min=4 max=8 md5
 +
</nowiki></pre>
 +
 
 +
=== PAM: Stronger Passwords (Optional) ===
 +
You might be interested in ''libpam-cracklib'' (see InstallingSoftware).
 +
 
 +
To activate it you'll need to edit /etc/pam.d/common-password:
 +
 
 +
<pre><nowiki>
 +
password        required        pam_cracklib.so retry=3 minlen=6 difok=3
 +
password        sufficient      pam_ldap.so use_authtok
 +
password        required        pam_unix.so use_authtok use_first_pass
 +
</nowiki></pre>
 +
 
 +
Edit '''/etc/pam.d/common-session''' and add pam_ldap.so, like this:
 +
 
 +
<pre><nowiki>
 +
session optional pam_foreground.so
 +
session sufficient pam_ldap.so
 +
session required pam_unix.so
 +
</nowiki></pre>
 +
 
 +
=== PAM: Home directory creation (optional) ===
 +
Edit the ''common-session'' file again:
 +
 
 +
<pre><nowiki>
 +
session required        pam_unix.so
 +
session required        pam_mkhomedir.so skel=/etc/skel/
 +
session optional        pam_ldap.so
 +
session optional pam_foreground.so
 +
</nowiki></pre>
  
==== Caching Name Service directories (optional) ====
+
=== Option: Caching Name Service directories ===
  
 
[(Geert) This needs editing, I can't make it work.]
 
[(Geert) This needs editing, I can't make it work.]
第80行: 第131行:
 
nss_updatedb is storing the cache in /var/lib/misc/.
 
nss_updatedb is storing the cache in /var/lib/misc/.
  
Now you need to create a script to update the database randomly.  
+
Now you need to create a script to update the database randomly.
  
 
Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following:
 
Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following:
第122行: 第173行:
 
* when LDAP does not have user information, exit and return nothing (this is the [NOTFOUND=return] directive)
 
* when LDAP does not have user information, exit and return nothing (this is the [NOTFOUND=return] directive)
 
* if the LDAP server was not reachable, proceed with using the cached data
 
* if the LDAP server was not reachable, proceed with using the cached data
 
+
=== Notes for Gutsy ===
=== PAM ===
+
* There is a new tool in Gutsy to modify the pam and nsswitch files at once: [https://wiki.ubuntu.com/AuthClientConfig AuthClientConfig]. You can use that tool like so: <code><nowiki>sudo auth-client-config -a -p lac_ldap</nowiki></code> to reflect the changes handled on this page. Read more about it in this thread: http://ubuntuforums.org/showthread.php?t=597056
 
+
=== Credits ===
The PAM configuration is split in 4 files: common-account, common-auth, common-password and common-session. They are included in the other configuration files like login, ssh, ..
+
* Most of the information used in this document was found on the following page:
 
+
Edit '''/etc/pam.d/common-account''' and add pam_ldap.so, like this:
+
<pre><nowiki>
+
account sufficient pam_ldap.so
+
account required pam_unix.so
+
</nowiki></pre>
+
 
+
Edit '''/etc/pam.d/common-auth''' and add pam_ldap.so, like this:
+
 
+
<pre><nowiki>
+
auth sufficient pam_ldap.so
+
auth required pam_unix.so nullok_secure use_first_pass
+
</nowiki></pre>
+
 
+
Edit '''/etc/pam.d/common-password''' and add pam_ldap.so, like this:
+
 
+
<pre><nowiki>
+
password sufficient pam_ldap.so
+
password required pam_unix.so nullok obscure min=4 max=8 md5
+
</nowiki></pre>
+
 
+
Optionally, and not related to LDAP, if you want stronger passwords, you might be interested in ''libpam-cracklib'' (see InstallingSoftware).
+
 
+
To activate it you'll need to edit /etc/pam.d/common-password:
+
 
+
<pre><nowiki>
+
password        required        pam_cracklib.so retry=3 minlen=6 difok=3
+
password        sufficient      pam_ldap.so use_authtok nullok md5
+
password        required        pam_unix.so use_authtok use_first_pass
+
</nowiki></pre>
+
 
+
Edit '''/etc/pam.d/common-session''' and add pam_ldap.so, like this:
+
 
+
<pre><nowiki>
+
session sufficient pam_ldap.so
+
session required pam_unix.so
+
</nowiki></pre>
+
 
+
Handy is to automatically create the home directory at first logon. Edit the ''common-session'' file again:
+
 
+
<pre><nowiki>
+
session required        pam_unix.so
+
session required        pam_mkhomedir.so skel=/etc/skel/
+
session optional        pam_ldap.so
+
session optional pam_foreground.so
+
</nowiki></pre>
+
 
+
== Credits ==
+
* Most of the information used in this document was found on the following page:  
+
 
http://mcwhirter.com.au/craige/blog/2006/Making-a-Debian-or-Ubuntu-Machine-an-LDAP-Authentication-Client
 
http://mcwhirter.com.au/craige/blog/2006/Making-a-Debian-or-Ubuntu-Machine-an-LDAP-Authentication-Client
 
* Some additional documentation I found here: http://www.gentoo.org/doc/en/ldap-howto.xml
 
* Some additional documentation I found here: http://www.gentoo.org/doc/en/ldap-howto.xml
 +
* pam(7) manpage
 +
* WheelDweller <[email protected]> is actively polishing this particular apple.  :)
  
 
----
 
----

2007年11月22日 (四) 13:22的版本

Introduction

This page is intended for anyone who wants to enable an Ubuntu client to authenticate on an existing OpenLDAP server. For more details on the server installation part see UbuntuHelp:OpenLDAPServer.

For authenticating on a Sun Java Enterprise System Directory Server should consult the UbuntuHelp:SunLDAPClientAuthentication page.

Installation

Install the following packages: libpam-ldap libnss-ldap nss-updatedb (see InstallingSoftware). Note that you have to enable the universe repositories for this.

libpam-ldap to allows for _authentication_ via LDAP. libnss-ldap allows _session_ information via LDAP. That's why /etc/libnss-ldap.conf /etc/pam_ldap.conf have such similar structures.

During installation, you will be asked the following questions:

  • The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
  • The distinguished name of the search base. For example dc=example,dc=com
  • The LDAP version to use. You usually would choose 3 here.
  • If your database requires logging in. You would usually choose no here.
  • If you want to make configuration readable/writeable by owner only. A no should be the answer to this.
  • A Dialog is displayed explaining it cannot manage nsswitch.conf automatically. Just select OK.
  • If you want the local root to be the database admin. You would usually choose yes here.
  • Again If your database requires logging in. You would usually choose no here.
  • Your root login account. For example: cn=manager,dc=example,dc=com
  • Your root password.
  • After, a dialog explaining the different encryption methods to specify the encryption method to use before sending your password. exop is usually a good choice.

The above steps might vary a bit depending on the Ubuntu distribution used. When you want to restart the configuration you can use dpkg-reconfigure for both libpam-ldap and libnss-ldap packages.

When finished configuring you will need to double check the data in /etc/libnss-ldap.conf. Especially the 'host' entry which doesn't accept URI. Better is to use the 'uri' entries and comment out the 'host'.

Configuration

After the installation of the necessary packages you will need to configure the Name Service and PAM.

Name Service

In /etc/nsswitch.conf replace compat with files ldap for both the passwd and group entries so you get something like this:

passwd:         files ldap
group:          files ldap

There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap

Now you can test the configuration:

$ getent passwd

or

$ getent group

You should see lines that look like they've come straight out of /etc/passwd. These are the lines 'published' by your LDAP server. If you do, the Name Service (NSS) side of the job is done. If not, check /etc/libnss-ldap.conf for typos.

If your setup requires a password to connect to the LDAP server, don't forget to put that password into /etc/libnss-ldap.secret.

BUG ALERT: Make sure /etc/libnss-ldap.conf has "bind_policy soft". If it's not there, a nasty bug with udev can arise at boot-time.

It's also a good idea to shorten the timeouts there.

Don't use sudo when editing this file or leave it open while testing. If you save with a typo, it could mean that you can't access your server anymore.

PAM

Four central files control PAM's use of LDAP: common-account, common-auth, common-password and common-session. They're in /etc/pam.d.

For details, see the pam(7) manpage.

Edit /etc/pam.d/common-account to look like this:

account	sufficient	pam_ldap.so
account	required	pam_unix.so

Edit /etc/pam.d/common-auth to look like this:

auth	sufficient	pam_ldap.so
auth	required	pam_unix.so nullok_secure use_first_pass

Edit /etc/pam.d/common-password to look like this:

password	sufficient	pam_ldap.so
password	required	pam_unix.so nullok obscure min=4 max=8 md5

PAM: Stronger Passwords (Optional)

You might be interested in libpam-cracklib (see InstallingSoftware).

To activate it you'll need to edit /etc/pam.d/common-password:

password        required        pam_cracklib.so retry=3 minlen=6 difok=3
password        sufficient      pam_ldap.so use_authtok
password        required        pam_unix.so use_authtok use_first_pass

Edit /etc/pam.d/common-session and add pam_ldap.so, like this:

session	optional	pam_foreground.so
session	sufficient	pam_ldap.so
session	required	pam_unix.so

PAM: Home directory creation (optional)

Edit the common-session file again:

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/
session optional        pam_ldap.so
session	optional	pam_foreground.so

Option: Caching Name Service directories

[(Geert) This needs editing, I can't make it work.] [(Geert) nscd can be used, but didn't work either.]

In order to prevent network slowdown or outage from preventing user name lookup and thus login, use the nss-updatedb package to create a local database of the user names. You first need to populate the database for the first time and then create a scheduled job to update the database at a random time each hour (the random time means that all clients are no hitting the LDAP server simultaneously for updates). Run:

$ sudo nss_updatedb ldap

nss_updatedb is storing the cache in /var/lib/misc/.

Now you need to create a script to update the database randomly.

Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following:

#!/bin/bash

LOCK=/var/run/auth-update.cron

[ "$1" != "0" ] && [ -f $LOCK ] && [ -d /proc/"$(cat $LOCK)" ] && exit 0
echo $$ > $LOCK

RANGE=3600
[ "$1" != "" ] && RANGE=$1
SLEEP=$RANDOM
[ "$RANGE" != "0" ] && let "SLEEP %= $RANGE" || SLEEP=0

sleep $SLEEP

go=true
while $go; do
	/usr/sbin/nss_updatedb ldap
	[ $? -eq 0 ] && go=false
	[ "$go" == "true" ] && sleep 10
done

rm $LOCK

exit 0

To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this:

passwd:         files ldap [NOTFOUND=return] db
group:          files ldap [NOTFOUND=return] db

This means:

  • look first in the local files (/etc/passwd and /etc/group)
  • if not found, use LDAP
  • when LDAP does not have user information, exit and return nothing (this is the [NOTFOUND=return] directive)
  • if the LDAP server was not reachable, proceed with using the cached data

Notes for Gutsy

Credits

  • Most of the information used in this document was found on the following page:

http://mcwhirter.com.au/craige/blog/2006/Making-a-Debian-or-Ubuntu-Machine-an-LDAP-Authentication-Client