NSS and PAM for LDAP
1. LDAP client configuration
You can configure your OpenLDAP client and server as described in the relevant article. However, if your directory server is RHDS, the way you import the server security certificate changes and becomes:
cd /etc/dirsrv/slapd-webserver
# name the CA file after its subject hash so OpenSSL can find it in the cacerts directory
hash=`openssl x509 -noout -hash -in cacert.asc`
cp -i cacert.asc /etc/openldap/cacerts/$hash.0
# export the CA certificate from the directory server's NSS database (PKCS#12 first, then PEM)
pk12util -d . -o ourdom-ldap-ca.p12 -n "CA certificate" -k pwdfile.txt
openssl pkcs12 -in ourdom-ldap-ca.p12 -nokeys -out ourdom-ldap-ca.crt
rm ourdom-ldap-ca.p12
mkdir -p /etc/pki/ldap
mv ourdom-ldap-ca.crt /etc/pki/ldap
# append the PEM certificate to the bundle referenced by tls_cacertfile
cat /etc/pki/ldap/ourdom-ldap-ca.crt >> /etc/openldap/cacerts.pem
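The import above relies on OpenSSL finding the CA by the hash-named file in the cacerts directory. The following script is an added example (not the page's own commands): it builds a throwaway self-signed CA, installs it the same way (as `<subject hash>.0`) and checks that a verification using only that directory as trust store succeeds, so the mechanism can be tried offline. The directory names and the CA subject are constructed for the demo.

```shell
#!/bin/sh
# Added example: exercise the hash-named CA file convention from the
# import step with a throwaway CA. Nothing here touches /etc.

# install_ca_hashed CERT DIR -> copies CERT to DIR/<subject hash>.0, prints the path
install_ca_hashed() {
  hash=$(openssl x509 -noout -hash -in "$1")
  cp "$1" "$2/$hash.0"
  echo "$2/$hash.0"
}

# ca_name_matches FILE -> exit 0 if FILE's name equals its subject hash
# (a renamed or stale .0 file is silently ignored by OpenSSL lookups)
ca_name_matches() {
  [ "$(basename "$1" .0)" = "$(openssl x509 -noout -hash -in "$1")" ]
}

# ca_trusted_by_dir CERT DIR -> exit 0 if CERT verifies using only DIR as trust store
ca_trusted_by_dir() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

CA_DEMO=$(mktemp -d)
mkdir -p "$CA_DEMO/cacerts" "$CA_DEMO/empty"
# constructed CA; stands in for the cacert.asc exported from the directory server
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example LDAP CA' \
  -keyout "$CA_DEMO/ca.key" -out "$CA_DEMO/cacert.asc" 2>/dev/null

INSTALLED=$(install_ca_hashed "$CA_DEMO/cacert.asc" "$CA_DEMO/cacerts")
echo "installed as $INSTALLED"
if ca_name_matches "$INSTALLED"; then echo "file name matches subject hash"; fi
if ca_trusted_by_dir "$CA_DEMO/cacert.asc" "$CA_DEMO/cacerts"; then
  echo "verify via cacerts dir: ok"
fi
if ! ca_trusted_by_dir "$CA_DEMO/cacert.asc" "$CA_DEMO/empty"; then
  echo "verify via empty dir: fails, as expected"
fi
```

`openssl x509 -hash` is an alias for `-subject_hash`, and the hash algorithm changed between OpenSSL 0.9.8 and 1.0.0, so a cacerts directory populated on an older system has to be re-hashed (`c_rehash` or `openssl rehash`) after an OpenSSL upgrade; `ca_name_matches` above catches exactly that kind of stale file.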
2. NSS in Redhat
The NSS-for-LDAP configuration file is /etc/ldap.conf:
uri ldaps://server.ourdom.com:636
base dc=ourdom.com
ldap_version 3
rootbinddn cn=root,dc=ourdom.com
binddn cn=browse,dc=ourdom.com
bindpw browse4ourdom
timelimit 5
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
timeout 5
pam_lookup_policy no
pam_password exop
nss_base_passwd ou=users,dc=ourdom.com?one
nss_base_shadow ou=users,dc=ourdom.com?one
nss_base_group ou=groups,dc=ourdom.com?one
#ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts.pem
tls_cacertdir /etc/openldap/cacerts
tls_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
#tls_cert
#tls_key
#debug 255
#logdir /tmp/nsslogs
Store the password of the LDAP root bind entry (rootbinddn) in /etc/ldap.secret and prevent unauthorized access to it:
chown root:root /etc/ldap.secret
chmod 400 /etc/ldap.secret
Depending on your LDAP server of choice, user and group search bases can differ. For example, for RHDS:
nss_base_passwd ou=People,dc=ourdom,dc=com?one
nss_base_group ou=Groups,dc=ourdom,dc=com?one
We must ensure that system users like "haldaemon" or "root" are never looked up in LDAP, otherwise system boot can hang in various places, e.g. during message bus startup. Therefore, add a line like the following to /etc/ldap.conf (the whole list goes on one line):
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
Also notice the binddn and bindpw parameters. They tell NSS LDAP how to connect to the LDAP server when it is invoked by a non-root user; if you omit them, the library binds anonymously. Allowing anonymous access to the directory is bad because anybody on the network could browse it. Using a real login account for browsing is not an option either, because anyone on the box can read /etc/ldap.conf and so obtain its password. The solution is to create a dedicated browsing account in the LDAP directory and record its credentials in binddn/bindpw.
Now enable LDAP for users and groups in /etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
.....
Now test your settings by running the following command both as root and as a non-root user:
getent passwd jsmith
jsmith:x:201:201:John Smith:/home/jsmith:/bin/bash
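The three settings just described (ldap in nsswitch.conf, a complete nss_initgroups_ignoreusers list, a locked-down /etc/ldap.secret) are easy to get slightly wrong, and the boot hang only shows up later. The script below is an added example, not part of the original page: it audits all three against constructed sample files (the file contents, user names and UIDs are made up; the UID threshold of 200 is an assumption chosen so that the page's jsmith, uid 201, counts as a directory user), so it runs offline and can be pointed at the real files afterwards.

```shell
#!/bin/sh
# Added example: checks for the NSS settings described above.

# nss_ldap_enabled NSSWITCH DB -> prints yes/no: is "ldap" listed for DB?
nss_ldap_enabled() {
  awk -v db="$2" '
    $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
    END { print (found ? "yes" : "no") }' "$1"
}

# missing_ignoreusers PASSWD LDAPCONF MAXUID -> local accounts with uid < MAXUID
# that are absent from nss_initgroups_ignoreusers (each is a lookup that would
# go to LDAP during boot)
missing_ignoreusers() {
  awk -F: -v maxuid="$3" '
    NR == FNR {                      # first file: ldap.conf, collect the ignore list
      if ($0 ~ /^[ \t]*nss_initgroups_ignoreusers[ \t]/) {
        sub(/^[ \t]*nss_initgroups_ignoreusers[ \t]+/, "")
        n = split($0, u, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) ignored[u[i]] = 1
      }
      next
    }
    ($3 + 0) < (maxuid + 0) && !($1 in ignored) { print $1 }' "$2" "$1"
}

# secret_perms_ok FILE -> exit 0 only if FILE is owned by root:root with mode 400
secret_perms_ok() {
  [ "$(stat -c '%U:%G %a' "$1" 2>/dev/null)" = "root:root 400" ]
}

# --- constructed sample input (not real system files) --------------------
AUDIT_DIR=$(mktemp -d)
printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n' \
  > "$AUDIT_DIR/nsswitch.conf"
cat > "$AUDIT_DIR/ldap.conf" <<'EOF'
uri ldaps://server.ourdom.com:636
base dc=ourdom.com
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
EOF
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
messagebus:x:102:105::/var/run/dbus:/bin/false
jsmith:x:201:201:John Smith:/home/jsmith:/bin/bash
EOF
printf 'secret\n' > "$AUDIT_DIR/ldap.secret"
chmod 600 "$AUDIT_DIR/ldap.secret"   # deliberately too permissive

for db in passwd shadow group hosts; do
  echo "$db via ldap: $(nss_ldap_enabled "$AUDIT_DIR/nsswitch.conf" "$db")"
done
echo "local accounts missing from nss_initgroups_ignoreusers:"
missing_ignoreusers "$AUDIT_DIR/passwd" "$AUDIT_DIR/ldap.conf" 200
if secret_perms_ok "$AUDIT_DIR/ldap.secret"; then
  echo "ldap.secret: ok"
else
  echo "ldap.secret: wrong owner or mode"
fi
```

On the sample data the audit reports bin, ntp and messagebus as local accounts that would still be resolved through LDAP; on a real host, run `missing_ignoreusers /etc/passwd /etc/ldap.conf <threshold>` and append whatever it prints to the ignore list.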
3. PAM in Redhat
Edit /etc/pam.d/system-auth; the lines that differ from the stock file are:
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
Some daemons need a restart for the changes to take effect: Directory Server, SSH, CGP (CommuniGate Pro).
4. Ubuntu NSS
Install NSS-LDAP and PAM-LDAP:
apt-get install -y libnss-ldap
(the package asks for some settings during installation)
Copy LDAP server certificate to the client:
scp SRVIP:/etc/pki/ldap/ourdom-ldap-ca.crt /etc/ssl/
Configure /etc/ldap.conf (keep only the uri line you actually use; the nss_initgroups_ignoreusers value must be on a single line):
uri ldaps://ldap.ourdom.com:636
ssl on
uri ldap://10.20.0.1:389
base dc=ourdom,dc=com
rootbinddn cn=dirman
timelimit 5
bind_timelimit 5
timeout 5
bind_policy soft
idle_timelimit 600
nss_base_passwd ou=People,?one
nss_base_shadow ou=People,?one
nss_base_group ou=Groups,?one
tls_cacertfile /etc/ssl/ourdom-ldap-ca.crt
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,nx,oident,polkituser,proxy,pulse,root,sshd,statd,support,sync,sys,syslog,uucp,www-data
Configure /etc/ldap.secret and /etc/nsswitch.conf like above.
5. Ubuntu PAM
I use two methods to configure LDAP PAM in Ubuntu. The first one is as follows.
Edit /etc/pam.d/common-account:
account sufficient pam_ldap.so
account required pam_unix.so
Edit /etc/pam.d/common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
Edit /etc/pam.d/common-password:
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure md5
However, there is another way to configure LDAP PAM in Ubuntu which leads to faster login times, because local accounts are settled by pam_unix before the LDAP server is contacted:
- /etc/pam.d/common-auth:
auth sufficient pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
- /etc/pam.d/common-account:
account required pam_unix.so
- /etc/pam.d/common-password:
password sufficient pam_unix.so nullok obscure md5
password required pam_ldap.so
- /etc/pam.d/common-session:
session required pam_unix.so
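Why the second ordering is faster follows from how PAM walks an auth stack: a "sufficient" module that succeeds ends the stack immediately (unless a "required" module before it has failed), while a "required" failure is remembered but the remaining modules still run. The script below is an added example, not from the original page: a small evaluator for the "auth" lines of a PAM file, modelling only the control flags used on this page (sufficient, required, optional). Module outcomes are supplied by the caller (nothing is actually authenticated) and the two sample files are constructed from the configurations above; the output lists the result and which modules were invoked, i.e. whether pam_ldap.so was contacted at all.

```shell
#!/bin/sh
# Added example: toy evaluator for the "auth" stack of a PAM file.

# pam_eval_auth FILE "mod.so=success mod.so=fail ..." -> "result mod1 mod2 ..."
pam_eval_auth() {
  awk -v results="$2" '
    BEGIN {
      n = split(results, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); res[kv[1]] = kv[2] }
      failed = 0; decided = ""; called = ""
    }
    /^[ \t]*#/ || NF < 3 || $1 != "auth" { next }
    {
      ctl = $2; mod = $3
      called = (called == "" ? mod : (called " " mod))
      ok = (res[mod] == "success")
      if (ctl == "sufficient") {
        # success ends the stack now, unless a required module already failed
        if (ok && !failed) { decided = "success"; exit }
      } else if (ctl == "required") {
        # failure is remembered, but the later modules still run
        if (!ok) failed = 1
      }
      # "optional" never influences the result
    }
    END {
      if (decided == "") decided = (failed ? "fail" : "success")
      print decided " " called
    }' "$1"
}

PAM_DEMO=$(mktemp -d)
# first method from this section: LDAP is asked before the local files
printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so nullok_secure use_first_pass\n' \
  > "$PAM_DEMO/method1"
# second method: pam_unix decides local accounts before LDAP is contacted
printf 'auth sufficient pam_unix.so nullok_secure\nauth required pam_ldap.so use_first_pass\n' \
  > "$PAM_DEMO/method2"

for f in method1 method2; do
  echo "$f, local user:   $(pam_eval_auth "$PAM_DEMO/$f" 'pam_ldap.so=fail pam_unix.so=success')"
  echo "$f, LDAP user:    $(pam_eval_auth "$PAM_DEMO/$f" 'pam_ldap.so=success pam_unix.so=fail')"
  echo "$f, unknown user: $(pam_eval_auth "$PAM_DEMO/$f" 'pam_ldap.so=fail pam_unix.so=fail')"
done
```

For a local account (root included) method 1 invokes pam_ldap.so first and waits for the directory (or its timeout) before pam_unix.so answers, whereas method 2 never touches the network; for a directory account both methods end up at pam_ldap.so, and in method 2 the password typed for pam_unix.so is reused by pam_ldap.so thanks to use_first_pass.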
6. Troubleshooting
Now getent passwd and getent group should work as expected. If they do not, create the /tmp/nsslogs directory and add or uncomment the following lines in /etc/ldap.conf:
debug 255
logdir /tmp/nsslogs
Then run getent passwd again and analyze the logs. To troubleshoot PAM, add the debug argument to the pam_ldap.so lines.
Note: the use_first_pass keyword prevents duplicate password prompts.
7. Tuning RedHat Directory Server
If your LDAP server is RHDS and you want to use the SetPassword LDAP method (use_set_password=1 in userman.ini), you have to tell the server the preferred password encryption method as follows:
- Management Console / Servers and Applications / Server Group / Directory Server / Open
- Directory Server / Directory / ourdom / People
- Right-click and choose Manage password policy / for subtree
In the Subtree Password Policy dialog:
- Check Create subtree level password policy
- Check User may change password
- Choose Password never expires
- Uncheck Check password syntax
- Set Password encryption = MD5 hash algorithm (or choose your preferred method)
- Press Save, Close
- Close all windows
8. NSCD
This section applies to both Redhat and Ubuntu.
The default NSCD retention times (10 minutes for passwd, an hour for group and hosts) are too long and lead to confusion after directory changes. Modify /etc/nscd.conf and set the retention to 1 minute:
#positive-time-to-live passwd 600
positive-time-to-live passwd 60
#positive-time-to-live group 3600
positive-time-to-live group 60
#positive-time-to-live hosts 3600
positive-time-to-live hosts 60
Now clear NSCD cache and restart the daemon:
rm -f /var/{cache,db}/nscd/*
/etc/init.d/nscd restart
NSCD has problems with DNS too.
Related Links
- NSLCd: better alternative to NSS-PAM-LDAP from PADL
- NSLCd package for Ubuntu
- NSLCd RPM package for CentOS 5
- NSLCd source RPM for RHEL 6
- IPA client design overview
- SSSD - daemon for remote authentication (Fedora wiki)
- NetUsher design
- Startup hangs on MessageBus if LDAP is enabled
