This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired). The first part deals with how to set up an OpenLDAP server that hosts the authentication directory. The second part deals with how to set up the NSS and PAM modules that are required for the authentication scheme to work on the client computers.

If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.

NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database. PAM (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins. So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases, and then configure PAM to use these sources to authenticate its users.

Install the OpenLDAP server and configure the server and client. After you have completed that, return here.

Note: Alter the domain components "example" and "org" to your needs.

To make sure that no-one can read the (encrypted) passwords from the LDAP server, but still allow users to edit some of their own select attributes (such as their own password and photo), create the temporary LDIF allowpwchange.ldif:

    dn: olcDatabase=to * by self read by dn.base="cn=Manager,dc=example,dc=org" write by * read

Import it on database number 0 (cn=config).

Create a temporary file called base.ldif with the following text. Import it, then check that the directory answers queries:

    $ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
    $ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'

Next, create user_joe.ldif:

    dn: uid=johndoe,ou=People,dc=example,dc=org
    postalAddress: AddressLine1$AddressLine2$AddressLine3

The xxxxxxxxxx in the userPassword entry should be replaced with the value in /etc/shadow, or use the slappasswd command.

    $ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif

Then create group_joe.ldif:

    dn: cn=joe,ou=Group,dc=example,dc=org

Note: You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's openldap-migrationtools AUR.

Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with ldapsearch. Depending on your target, choose either online-only or online and offline authentication.

NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.

Edit /etc/nf, which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:

Edit /etc/nf and change the base and uri lines to fit your LDAP server setup. Edit the binddn and the bindpw if your LDAP server requires a password. Make sure you change the permission of your /etc/nf to 0600 for nslcd to start properly.

You now should see your LDAP users when running getent passwd on the client.

The basic rule of thumb for PAM configuration is to include pam_ldap.so wherever pam_unix.so is included. Arch moving to pambase has helped decrease the amount of edits required. For more details about configuring PAM, the Red Hat documentation is quite good. You might also want the upstream documentation for nss-pam-ldapd.

Note: Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for auth, password, and account is sufficient lines before required; for the session section, an optional line can almost always go at the end, after the required lines.

First edit /etc/pam.d/system-auth. This file is included in most of the other files in pam.d, so changes here propagate nicely. Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional. When adding your pam_ldap.so lines, do not change the relative order of the other lines without good reason! Simply insert LDAP within the chain.
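To see why the note about chains says sufficient lines belong before required ones, here is an added example (Python, not from the wiki page or from pambase) that parses pam.d-style lines and simulates one facility's chain with the control semantics of pam.conf(5); the system-auth fragments, module names and per-user outcomes are constructed for the demonstration.

```python
# Added example, not from the wiki page: simulate how Linux-PAM walks one
# facility's chain, to check the "sufficient before required" rule.
# Semantics follow pam.conf(5): required failure is remembered and the chain
# continues; requisite failure returns at once; sufficient success ends the
# chain unless a required module already failed; optional/sufficient failures
# are ignored. Bracketed [..] controls, include and substack are not handled.
def parse_chain(pam_text, facility):
    """Return [(control, module), ...] for one facility from pam.d-style text."""
    chain = []
    for line in pam_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        fac, control, module = fields[0].lstrip("-"), fields[1], fields[2]
        if control.startswith("[") or control in ("include", "substack"):
            raise ValueError("unsupported control: " + control)
        if fac == facility:
            chain.append((control, module))
    return chain

def run_chain(chain, results):
    """results: module name -> True (PAM_SUCCESS) or False; unlisted = failure."""
    impression = None   # None: undecided, True: positive, False: negative
    for control, module in chain:
        if not results.get(module, False):
            if control == "requisite":
                return False
            if control == "required":
                impression = False
            continue                      # sufficient/optional failure ignored
        if impression is None:
            impression = True
        if control == "sufficient" and impression:
            return True                   # short circuit, rest of chain skipped
    return impression is True             # nothing decided -> PAM_MUST_FAIL

# Constructed auth sections: the order the page recommends, and the reverse.
RECOMMENDED = """
auth  sufficient  pam_ldap.so
auth  required    pam_unix.so try_first_pass nullok
"""
WRONG_ORDER = """
auth  required    pam_unix.so try_first_pass nullok
auth  sufficient  pam_ldap.so
"""
# An LDAP-only user has no /etc/shadow entry, so only pam_ldap.so can verify them.
LDAP_USER = {"pam_ldap.so": True, "pam_unix.so": False}
LOCAL_USER = {"pam_ldap.so": False, "pam_unix.so": True}

def auth_result(pam_text, user):
    return run_chain(parse_chain(pam_text, "auth"), user)
```

With the required pam_unix.so first, an LDAP-only user is denied even though pam_ldap.so succeeds, because the earlier required failure blocks the sufficient short circuit.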