Differences between revisions of "UbuntuHelp:LDAPClientAuthentication"

From Ubuntu中文
Revision as of 20:03, 30 November 2007 (Friday)

Introduction

This page is intended for anyone who wants to enable an Ubuntu client to authenticate against an existing OpenLDAP server. For the server side of the installation see UbuntuHelp:OpenLDAPServer.

Anyone authenticating against a Sun Java Enterprise System Directory Server should consult the UbuntuHelp:SunLDAPClientAuthentication page instead.

Installation

Install the following packages: libpam-ldap libnss-ldap nss-updatedb (see InstallingSoftware). Note that you have to enable the universe repositories for this.

libpam-ldap provides authentication via LDAP (the PAM side). libnss-ldap provides name service lookups, that is user and group information, via LDAP (the NSS side). Both read the same kind of directives, which is why /etc/libnss-ldap.conf and /etc/pam_ldap.conf have such similar structures.

During installation, you will be asked the following questions:

  • The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
  • The distinguished name of the search base. For example: dc=example,dc=com
  • The LDAP version to use. You would usually choose 3 here.
  • Whether your database requires logging in. You would usually choose no here; lookups are then done with an anonymous bind.
  • Whether you want to make the configuration file readable/writeable by its owner only. Answer no as long as no password is stored in the file itself: the admin password from the questions below goes into the separate, root-only /etc/pam_ldap.secret, and PAM runs inside unprivileged processes (screen lockers, for example) that must still be able to read the configuration. If you do put a bind password into the configuration file, answer yes.
  • A dialog is displayed explaining that nsswitch.conf cannot be managed automatically. Just select OK.
  • Whether you want the local root to be the database admin. You would usually choose yes here; this sets rootbinddn, so that local root can change LDAP users' passwords with passwd without knowing the old ones.
  • Again, whether your database requires logging in. You would usually choose no here.
  • Your root login account (the rootbinddn). For example: cn=manager,dc=example,dc=com
  • Your root password. It is stored in /etc/pam_ldap.secret, readable by root only.
  • Finally, a dialog explaining the different methods of protecting the password before it is sent to the server (the encryption method to use). exop, the LDAP password modify extended operation, leaves the hashing to the server and is usually a good choice.

The above steps might vary a bit depending on the Ubuntu release used. When you want to restart the configuration you can use dpkg-reconfigure for both the libpam-ldap and libnss-ldap packages.

When finished configuring you will need to double-check the data in /etc/libnss-ldap.conf, especially the 'host' entry, which does not accept a URI. It is better to use a 'uri' entry and comment out 'host'. Keep in mind that a plain ldap:// URI sends binds and lookups across the network unencrypted; if the server supports it, add ssl start_tls together with tls_checkpeer yes and a tls_cacertfile, so that the server certificate is actually verified and not merely transmitted.

Configuration

After installing the necessary packages you will need to configure the Name Service and PAM.

Name Service

In /etc/nsswitch.conf replace compat with files ldap for both the passwd and group entries so you get something like this (files must stay first, so that entries from LDAP can never shadow local accounts such as root):

passwd:         files ldap
group:          files ldap

There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap

Now you can test the configuration:

$ getent passwd
or
$ getent group

You should see lines that look like they have come straight out of /etc/passwd. These are the entries 'published' by your LDAP server. If you do, the Name Service (NSS) side of the job is done. If not, check /etc/libnss-ldap.conf for typos.

If your setup requires a password to connect to the LDAP server, don't forget to put that password into /etc/libnss-ldap.secret, which must be readable by root only.

BUG ALERT: Make sure /etc/libnss-ldap.conf has "bind_policy soft". If it is not there, a nasty bug with udev can arise at boot time: with the default hard bind policy every lookup retries until the LDAP server answers, and boot hangs while the network is not up yet.

It is also a good idea to shorten the timeouts there (timelimit and bind_timelimit).

Do not rely on sudo for each edit of this file, and keep a root shell open while testing. sudo itself performs NSS lookups, so if you save the file with a typo you may no longer be able to become root on the machine.
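Two checks worth scripting at this point, as an added example that is not part of the original page: a comparison of getent output against the local passwd file, which isolates the entries that really come from LDAP, and a linter for the libnss-ldap.conf and nsswitch.conf settings discussed above (uri instead of host, bind_policy soft, shortened timeouts, and the transport-security directives ssl start_tls, tls_checkpeer and tls_cacertfile that the package questions never ask about). It also accepts the cached 'files ldap [NOTFOUND=return] db' form used later on this page. The host names, user names and file contents are constructed samples, not data from any real system.

```bash
#!/bin/sh
# Added example, not from the original page: checks for the NSS side of an
# LDAP client. Every file is passed as an argument, so the functions run
# against the live /etc files or against the constructed samples below.

# directive FILE NAME: print the value of NAME in a libnss-ldap.conf style
# file (comments stripped); prints nothing if the directive is absent.
directive() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '$1==k { $1=""; sub(/^[ \t]+/, ""); print; exit }'
}

# ldap_only_entries LOCAL_PASSWD GETENT_OUTPUT: print the passwd entries that
# NSS returns but the local file does not have, i.e. the ones published by
# LDAP. Matching is on the user name, so a local account that shadows an LDAP
# account of the same name is reported as local, which is what nsswitch does.
ldap_only_entries() {
    awk -F: 'NR==FNR { islocal[$1]=1; next } !($1 in islocal)' "$1" "$2"
}

# check_nss_ldap_conf FILE: report the settings this page says to double-check
# in /etc/libnss-ldap.conf, plus transport security. Returns 1 on any finding.
check_nss_ldap_conf() {
    f=$1; rc=0
    uri=$(directive "$f" uri)
    if [ -n "$(directive "$f" host)" ] && [ -z "$uri" ]; then
        echo "host is set but uri is not: host does not accept a URI, use uri and comment out host"; rc=1
    fi
    [ "$(directive "$f" bind_policy)" = soft ] ||
        { echo "bind_policy soft is missing: lookups retry forever while LDAP is unreachable (boot-time hang)"; rc=1; }
    for k in timelimit bind_timelimit; do
        [ -n "$(directive "$f" "$k")" ] || { echo "$k is not set: the default timeouts are long"; rc=1; }
    done
    case "$uri" in
    ldap://*) [ "$(directive "$f" ssl)" = start_tls ] ||
        { echo "plain ldap:// URI without 'ssl start_tls': binds and lookups cross the network unencrypted"; rc=1; } ;;
    esac
    if [ "$(directive "$f" ssl)" = start_tls ] && [ "$(directive "$f" tls_checkpeer)" != yes ]; then
        echo "ssl start_tls without 'tls_checkpeer yes': the server certificate is never verified"; rc=1
    fi
    return $rc
}

# check_nsswitch FILE: verify the passwd and group lines of nsswitch.conf,
# including the cached form 'files ldap [NOTFOUND=return] db'.
check_nsswitch() {
    f=$1; rc=0
    for map in passwd group; do
        srcs=$(sed -e 's/#.*//' "$f" | awk -v d="$map:" '$1==d { $1=""; print }')
        case " $srcs " in
        *" ldap "*) ;;
        *) echo "$map: ldap is not listed"; rc=1 ;;
        esac
        set -- $srcs
        [ "$1" = files ] || [ "$1" = compat ] ||
            { echo "$map: local files must come first so LDAP entries cannot shadow local accounts such as root"; rc=1; }
        case " $srcs " in
        *" ldap [NOTFOUND=return] db "*) ;;
        *" db "*) echo "$map: db is listed without 'ldap [NOTFOUND=return] db', so stale cache entries are used even when LDAP answers"; rc=1 ;;
        esac
    done
    return $rc
}

# write_samples DIR: constructed sample files (not taken from any real host)
# used by the checks above when run stand-alone.
write_samples() {
    d=$1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash' \
        'alice:x:10001:10000:Alice:/home/alice:/bin/bash' \
        'bob:x:10002:10000:Bob:/home/bob:/bin/bash' > "$d/getent.out"
    printf '%s\n' 'host ldap.example.com' 'base dc=example,dc=com' 'ldap_version 3' > "$d/weak.conf"
    printf '%s\n' '#host ldap.example.com' 'uri ldap://ldap.example.com/' 'base dc=example,dc=com' \
        'ldap_version 3' 'bind_policy soft' 'timelimit 5' 'bind_timelimit 5' 'ssl start_tls' \
        'tls_checkpeer yes' 'tls_cacertfile /etc/ssl/certs/ca-certificates.crt' > "$d/good.conf"
    printf '%s\n' 'passwd: ldap files db' 'group:  compat' > "$d/nsswitch.bad"
    printf '%s\n' 'passwd: files ldap [NOTFOUND=return] db' 'group:  files ldap [NOTFOUND=return] db' > "$d/nsswitch.ok"
}
```

On a live client, compare getent against the local file with `getent passwd > /tmp/getent.out; ldap_only_entries /etc/passwd /tmp/getent.out`, and run `check_nss_ldap_conf /etc/libnss-ldap.conf; check_nsswitch /etc/nsswitch.conf` before rebooting, so that a missing bind_policy soft is caught while you still have a working shell.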

PAM

Four central files control PAM's use of LDAP: common-account, common-auth, common-password and common-session. They are in /etc/pam.d. For details, see the pam(7) manpage.

In the account, auth and password stacks pam_ldap.so is listed first as sufficient and pam_unix.so after it as required: an LDAP user is accepted as soon as pam_ldap.so succeeds, while a local user, for whom pam_ldap.so fails, falls through to pam_unix.so. Putting a required pam_unix.so first would lock out every user that exists only in LDAP.

Edit /etc/pam.d/common-account to look like this:

account	sufficient	pam_ldap.so
account	required	pam_unix.so

Edit /etc/pam.d/common-auth to look like this. use_first_pass makes pam_unix.so reuse the password that pam_ldap.so already asked for, so local users are not prompted twice; nullok_secure, unlike plain nullok, allows an empty password only on the terminals listed in /etc/securetty:

auth	sufficient	pam_ldap.so
auth	required	pam_unix.so nullok_secure use_first_pass

Edit /etc/pam.d/common-password to look like this (the pam_unix.so options are the Debian defaults for local password changes; md5 selects MD5-crypt hashes, and newer pam_unix versions also accept sha512, which should be preferred where available):

password	sufficient	pam_ldap.so
password	required	pam_unix.so nullok obscure min=4 max=8 md5

PAM: Stronger Passwords (Optional)

You might be interested in libpam-cracklib (see InstallingSoftware), which rejects weak passwords before they are stored. To activate it you will need to edit /etc/pam.d/common-password as follows. The use_authtok option on the two modules after pam_cracklib.so is essential: it makes them set the new password that pam_cracklib.so has already checked instead of prompting for one of their own, which would bypass the check entirely:

password        required        pam_cracklib.so retry=3 minlen=6 difok=3
password        sufficient      pam_ldap.so use_authtok
password        required        pam_unix.so use_authtok use_first_pass

Edit /etc/pam.d/common-session and add pam_ldap.so, like this. Note that with sufficient a successful pam_ldap.so ends the stack, so pam_unix.so is never run for LDAP users; the variant in the next section uses optional instead, which lets every module run and is the safer choice:

session	optional	pam_foreground.so
session	sufficient	pam_ldap.so
session	required	pam_unix.so

PAM: Home directory creation (optional)

Edit the common-session file again so that pam_mkhomedir.so creates a home directory (populated from /etc/skel) on a user's first login; users that exist only in LDAP otherwise have none. pam_ldap.so is now optional, so the whole stack runs for every user:

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/
session optional        pam_ldap.so
session	optional	pam_foreground.so

Option: Caching Name Service directories

[(Geert) This needs editing, I can't make it work.]

[(Geert) nscd can be used, but didn't work either.]

To prevent a network slowdown or outage from breaking user name lookups (and with them logins, since even a local login has to resolve its user name), use the nss-updatedb package to create a local database of the user and group entries. Note that this caches name service data only: logging in as an LDAP user still requires the LDAP server to answer pam_ldap, unless credentials are cached separately (for example with libpam-ccreds, which this page does not cover). You first need to populate the database, then create a scheduled job that updates it at a random time each hour (the random delay means that the clients are not all hitting the LDAP server simultaneously for updates). Run:

$ sudo nss_updatedb ldap

nss_updatedb stores the cache in /var/lib/misc/.

Now you need a script that updates the database at a random moment each hour. Create it as /etc/cron.hourly/nssupdate and make it executable. Do not give it a .sh extension: run-parts, which cron uses to run that directory, skips file names containing a dot, so a script called nssupdate.sh would never run. It should contain the following:

#!/bin/bash
# Refresh the local NSS cache from LDAP at a random moment within the hour.
# run-parts calls it without arguments; run it by hand with "0" as the first
# argument to update immediately.
LOCK=/var/run/auth-update.cron
# Skip this run if a previous instance is still sleeping or retrying.
[ "$1" != "0" ] && [ -f "$LOCK" ] && [ -d /proc/"$(cat "$LOCK")" ] && exit 0
echo $$ > "$LOCK"
RANGE=3600
[ "$1" != "" ] && RANGE=$1
SLEEP=$RANDOM
[ "$RANGE" != "0" ] && let "SLEEP %= $RANGE" || SLEEP=0
sleep "$SLEEP"
# Retry every 10 seconds until the update succeeds, so a short LDAP outage
# does not leave the cache stale for another hour.
until /usr/sbin/nss_updatedb ldap; do
	sleep 10
done
rm -f "$LOCK"
exit 0

To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this:

passwd:         files ldap [NOTFOUND=return] db
group:          files ldap [NOTFOUND=return] db

This means:

  • look first in the local files (/etc/passwd and /etc/group)
  • if not found there, ask LDAP
  • when LDAP answers that the user does not exist, stop and return nothing (this is the [NOTFOUND=return] directive), so a stale cache entry cannot bring back a deleted user
  • only if the LDAP server was not reachable, fall back to the cached data

Notes for Gutsy

Credits

  • Most of the information used in this document was found on the following page: http://mcwhirter.com.au/craige/blog/2006/Making-a-Debian-or-Ubuntu-Machine-an-LDAP-Authentication-Client
  • pam(7) manpage
  • WheelDweller <[email protected]> is actively polishing this particular apple. :)