个人工具

UbuntuHelp:LDAPClientAuthentication

来自Ubuntu中文

Oneleaf讨论 | 贡献2007年5月14日 (一) 11:04的版本

跳转至: 导航, 搜索

Introduction

This page is intended for anyone who wants to enable an Ubuntu client to authenticate on an existing OpenLDAP server. For more details on the server installation part see UbuntuHelp:OpenLDAPServer.

For authenticating on a Sun Java Enterprise System Directory Server should consult the UbuntuHelp:SunLDAPClientAuthentication page.

Installation

Install the following packages: libpam-ldap libnss-ldap nss-updatedb (see InstallingSoftware). Note that you have to enable the universe repositories for this.

During installation, you will be asked the following questions:

  • The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
  • The distinguished name of the search base. For example dc=example,dc=com
  • The LDAP version to use. You usually would choose 3 here.
  • If your database requires logging in. You would usually choose no here.
  • If you want to make configuration readable/writeable by owner only. A no should be the answer to this.
  • A Dialog is displayed explaining it cannot manage nsswitch.conf automatically. Just select OK.
  • If you want the local root to be the database admin. You would usually choose yes here.
  • Again If your database requires logging in. You would usually choose no here.
  • Your root login account. For example: cn=manager,dc=example,dc=com
  • Your root password.
  • After, a dialog explaining the different encryption methods to specify the encryption method to use before sending your password. exop is usually a good choice.

The above steps might vary a bit depending on the Ubuntu distribution used. When you want to restart the configuration you can use dpkg-reconfigure for both libpam-ldap and libnss-ldap packages.

When finished configuring you will need to double check the data in /etc/libnss-ldap.conf. Especially the 'host' entry which doesn't accept URI. Better is to use the 'uri' entries and comment out the 'host'.

Configuration

After the installation of the necessary packages you will need to configure the Name Service and PAM.

Name Service

In /etc/nsswitch.conf replace compat with files ldap for both the passwd and group entries so you get something like this:

passwd:         files ldap
group:          files ldap

There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap

Now you can test the configuration by using the following line (substitute <someldapuser> with a user and <someldapgroup> with a group known by your LDAP server):

$ getent passwd <someldapuser>
$ getent group <someldapgroup>

If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM.

If the user is in your LDAP and not locally, 1 online should be returned. If not:

    • double check /etc/libnss-ldap.conf (e.g. use 'uri' instead of the 'host' entry)
    • check the password in /etc/libnss-ldap.secret

There appears to be a bug in libnss-ldap which can create a rather nasty boot problem in udevd. If you do not enable a "soft" bind policy, booting can hang and authentication will not operate properly. Use the following command to edit the nss-ldap file:

$ sudo editor /etc/libnss-ldap.conf

Add this line in the bind policy section:

bind_policy soft

Also, Make sure you have the correct ldap settings listed in this file. If not, you may have to change them too.

Some extra tips:

  • It is also good to set the timeouts lower.
  • Don't use sudo when editing this file or leave it open while testing. If you save with a typo, it could mean that you can't access your server anymore.

Caching Name Service directories (optional)

[(Geert) This needs editing, I can't make it work.] [(Geert) nscd can be used, but didn't work either.]

In order to prevent network slowdown or outage from preventing user name lookup and thus login, use the nss-updatedb package to create a local database of the user names. You first need to populate the database for the first time and then create a scheduled job to update the database at a random time each hour (the random time means that all clients are no hitting the LDAP server simultaneously for updates). Run:

$ sudo nss_updatedb ldap

nss_updatedb is storing the cache in /var/lib/misc/.

Now you need to create a script to update the database randomly.

Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following:


LOCK=/var/run/auth-update.cron

[ "$1" != "0" ] && [ -f $LOCK ] && [ -d /proc/"$(cat $LOCK)" ] && exit 0
echo $$ > $LOCK

RANGE=3600
[ "$1" != "" ] && RANGE=$1
SLEEP=$RANDOM
[ "$RANGE" != "0" ] && let "SLEEP %= $RANGE" || SLEEP=0

sleep $SLEEP

go=true
while $go; do
	/usr/sbin/nss_updatedb ldap
	[ $? -eq 0 ] && go=false
	[ "$go" == "true" ] && sleep 10
done

rm $LOCK

exit 0

To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this:

passwd:         files ldap [NOTFOUND=return] db
group:          files ldap [NOTFOUND=return] db

This means:

  • look first in the local files (/etc/passwd and /etc/group)
  • if not found, use LDAP
  • when LDAP does not have user information, exit and return nothing (this is the [NOTFOUND=return] directive)
  • if the LDAP server was not reachable, proceed with using the cached data

PAM

The PAM configuration is split in 4 files: common-account, common-auth, common-password and common-session. They are included in the other configuration files like login, ssh, ..

Edit /etc/pam.d/common-account and add pam_ldap.so, like this:

account	sufficient	pam_ldap.so
account	required	pam_unix.so

Edit /etc/pam.d/common-auth and add pam_ldap.so, like this:

auth	sufficient	pam_ldap.so
auth	required	pam_unix.so nullok_secure use_first_pass

Edit /etc/pam.d/common-password and add pam_ldap.so, like this:

password	sufficient	pam_ldap.so
password	required	pam_unix.so nullok obscure min=4 max=8 md5

Optionally, and not related to LDAP, if you want stronger passwords, you might be interested in libpam-cracklib (see InstallingSoftware).

To activate it you'll need to edit /etc/pam.d/common-password:

password        required        pam_cracklib.so retry=3 minlen=6 difok=3
password        sufficient      pam_ldap.so use_authtok nullok md5
password        required        pam_unix.so use_authtok use_first_pass

Edit /etc/pam.d/common-session and add pam_ldap.so, like this:

session	sufficient	pam_ldap.so
session	required	pam_unix.so

Handy is to automatically create the home directory at first logon. Edit the common-session file again:

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/
session optional        pam_ldap.so
session	optional	pam_foreground.so

Credits

  • Most of the information used in this document was found on the following page:

http://mcwhirter.com.au/craige/blog/2006/Making-a-Debian-or-Ubuntu-Machine-an-LDAP-Authentication-Client