Using LDAP for Authentication

From Antiflux Wiki



Migrating the User Database

The migrationtools package generates LDIF from /etc/passwd, /etc/shadow and /etc/group; ldapadd then imports the files into the directory. migrate_passwd.pl may emit Kerberos-related attributes (krbName and the like) that slapd's schema does not know; ldapadd stops with an error at the first such entry, so strip them before importing. Note that the generated LDIF carries the password hashes from /etc/shadow (migrate_passwd.pl reads it when run as root), so write the files under a restrictive umask rather than into world-readable /tmp, and delete them as soon as the import is done. The ldapadd calls below do a simple bind (-x) as the directory's admin DN, which sends the admin password in the clear; that is acceptable only because slapd is reached over localhost here.

cd /usr/share/migrationtools
./migrate_passwd.pl /etc/passwd | egrep -vi "krb|kerb" > /tmp/users.ldif
./migrate_group.pl /etc/group > /tmp/groups.ldif
ldapadd -D "cn=admin,dc=example,dc=com" -W -x -f /tmp/users.ldif
ldapadd -D "cn=admin,dc=example,dc=com" -W -x -f /tmp/groups.ldif
rm /tmp/groups.ldif /tmp/users.ldif
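The same migration as an added shell example (it is not from the original page): the LDIF is created under umask 077 instead of in /tmp, and only attributes whose name starts with krb or kerb are dropped, rather than every line containing those letters, which is what the egrep above does (it would also delete the dn:, uid: and cn: lines of an account such as uid=kerbaugh and leave a broken entry). The admin DN and the migrationtools path are the page's; the LDIF sample is constructed here so the filter runs without migrationtools or a slapd.

```shell
#!/bin/sh
# Added example, not part of the original page: a safer form of the
# migration pipeline.  The LDIF (password hashes included) stays owner-only,
# and only Kerberos *attributes* are removed, not every line with "krb" in it.
set -eu

# strip_krb_attrs: LDIF on stdin -> LDIF without Kerberos attributes on stdout.
# An attribute line is "name: value" or "name:: base64value"; a line that
# starts with a space continues the previous attribute, so continuation
# lines of a removed attribute are removed as well.
strip_krb_attrs() {
    awk '
        tolower($0) ~ /^k(rb|erb)[a-z0-9-]*::? / { skip = 1; next }
        /^ / && skip                              { next }
        { skip = 0; print }
    '
}

# count_entries: number of LDIF entries (dn: lines) on stdin
count_entries() {
    awk '/^dn: / { n++ } END { print n + 0 }'
}

# migrate_users: the real pipeline, for a host with migrationtools installed.
# Run as root; not invoked below because it needs /etc/shadow and a slapd.
# "cn=admin,dc=example,dc=com" is the admin DN used on the page.
migrate_users() {
    umask 077                          # LDIF holds password hashes: owner-only
    ldif=$(mktemp)
    /usr/share/migrationtools/migrate_passwd.pl /etc/passwd \
        | strip_krb_attrs > "$ldif"
    echo "importing $(count_entries < "$ldif") user entries"
    # -x is a simple bind: the admin password travels in the clear, so only
    # do this over localhost (as the page's SLAPD_SERVICES arranges) or ldapi.
    ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f "$ldif"
    rm -f "$ldif"
}

# Constructed sample of migrate_passwd.pl output (hashes are placeholders).
# The second account exists to show what a blind "krb|kerb" filter breaks.
SAMPLE_LDIF=$(cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
cn: Alice Example
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$saltsalt$hashhashhash
krbName: alice@EXAMPLE.COM
shadowLastChange: 19000
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/alice

dn: uid=kerbaugh,ou=People,dc=example,dc=com
uid: kerbaugh
cn: Pat Kerbaugh
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$saltsalt$anotherhash
krbName: kerbaugh@EXAMPLE.COM
loginShell: /bin/sh
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/kerbaugh
EOF
)

# Demo on the sample: both entries survive and the krbName lines are gone.
printf '%s\n' "$SAMPLE_LDIF" | strip_krb_attrs | count_entries   # prints 2
```

Run migrate_users as root on the LDAP host once the sample checks out; migrate_group.pl output can go through the same function with the path changed, since group entries carry no Kerberos attributes but the umask and cleanup still apply.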

LDAP and NSS

To make NSS resolve users and groups through LDAP as well as the local files, set the passwd, group and shadow lines in /etc/nsswitch.conf to:

passwd: ldap files
group: ldap files
shadow: ldap files

With ldap listed first, every lookup, including one for root, goes to the LDAP server before the local files are consulted, and nss_ldap's default bind_policy hard keeps retrying an unreachable server, so a downed slapd can hang local logins and even the boot sequence. Listing files first (files ldap) lets root and the other system accounts resolve locally whatever the state of the directory, and bind_policy soft in /etc/libnss-ldap.conf makes an unreachable server fail fast instead. The shadow map only returns hashes to a bind DN that slapd's ACLs allow to read userPassword; since pam_ldap authenticates by binding as the user, NSS does not need to see the hashes at all. Check the result with getent passwd for a user that exists only in the directory.


LDAP and PAM

Add the following to /etc/pam_ldap.conf to tell the pam_ldap module how to reach the user directory. It assumes slapd runs on localhost, which is the only reason the connection is left unencrypted. A client on another host must instead use a uri ldaps://hostname/ line with ssl on and tls_cacertfile pointing at the CA certificate, and, because the slapd configuration in the SSL section below demands client certificates, its own certificate and key via tls_cert and tls_key.

host 127.0.0.1
base ou=People,dc=example,dc=com
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
pam_password exop

pam_password selects how pam_ldap changes a password. exop uses the LDAP Password Modify extended operation (RFC 3062): the new password is sent to slapd, which hashes it with the scheme in its own password-hash directive ({SSHA} by default), so the client never picks the hash and a weak client-side scheme cannot end up in the directory. The cleartext password crosses the connection, which is one more reason this belongs only on a local or TLS-protected connection. rootbinddn is used when root changes another user's password; pam_ldap reads that DN's password from /etc/pam_ldap.secret, which must be root-owned and mode 0600.

Add the following to the common-* files in /etc/pam.d to make PAM consult LDAP alongside /etc/passwd and /etc/shadow. In each stack pam_ldap is tried first: on success the success=1 action skips pam_unix and lands on pam_permit, while any other result (wrong password, unknown user, server down) is ignored and pam_unix decides. This setup assumes that users exist both in /etc/passwd and /etc/shadow and in the LDAP directory; because either module's success ends the stack, such a user can log in with either password, so keep the two in sync. It may not be appropriate when only system users (such as root) exist in /etc/passwd and regular users exist only in the LDAP directory.

For /etc/pam.d/common-account:

account [success=1 default=ignore] pam_ldap.so
account required pam_unix.so use_first_pass
account required pam_permit.so

For /etc/pam.d/common-auth:

auth [success=1 default=ignore] pam_ldap.so
auth required pam_unix.so try_first_pass
auth required pam_permit.so

For /etc/pam.d/common-password:

password required pam_ldap.so ignore_unknown_user
password optional pam_unix.so nullok obscure min=6 md5 try_first_pass

Here pam_ldap performs the change (required) and pam_unix updates /etc/shadow only as a best effort for users who also exist there (optional); ignore_unknown_user keeps a password change for a local-only account from failing at pam_ldap. md5 was the strongest scheme pam_unix offered when this was written; current pam_unix accepts sha512 in its place, and the LDAP side already uses whatever slapd's password-hash is set to thanks to pam_password exop. nullok lets an account whose password is empty change it through this stack; omit it unless such accounts exist.
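For the case the page flags above, where /etc/passwd holds only system accounts such as root and everyone else lives in the directory, the usual layout is the one Debian's pam-auth-update generates for libpam-ldap. The fragments below are an added example in that layout, not the page's own configuration: pam_unix is tried first, so root and the other local accounts never wait on the directory, pam_ldap is then tried with the same password, and pam_deny refuses the login if neither store accepts it. nullok_secure is Debian's variant of nullok; sha512 assumes a pam_unix new enough to support it.

```text
# /etc/pam.d/common-auth
auth     [success=2 default=ignore]      pam_unix.so nullok_secure
auth     [success=1 default=ignore]      pam_ldap.so use_first_pass
auth     requisite                       pam_deny.so
auth     required                        pam_permit.so

# /etc/pam.d/common-account
account  [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account  [success=1 default=ignore]      pam_ldap.so
account  requisite                       pam_deny.so
account  required                        pam_permit.so

# /etc/pam.d/common-password
password [success=2 default=ignore]      pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite                       pam_deny.so
password required                        pam_permit.so
```

success=N skips the next N modules, so a success in pam_unix jumps straight to pam_permit and a success in pam_ldap jumps over pam_deny; only when both are ignored does control reach pam_deny, which is requisite so that the stack fails immediately. new_authtok_reqd=done lets an expired local password through the account phase so that the password phase can renew it. Before relying on this on a remote machine, test a local and a directory-only login on a second session while keeping a root shell open, since a broken common-auth locks everyone out.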

LDAP and SSL

Add the following to slapd.conf to configure slapd for TLS.

TLSCipherSuite HIGH:!aNULL:!MD5
TLSCertificateFile /etc/ssl/certs/hostname.crt
TLSCertificateKeyFile /etc/ssl/private/hostname.key
TLSCACertificateFile /etc/ssl/CA/cacert.pem
TLSVerifyClient demand

TLSCipherSuite is an OpenSSL cipher string. Beware that a leading + in such a string only moves the matching ciphers to the end of the list, so the commonly copied HIGH:MEDIUM:+SSLv2 still leaves SSLv2 cipher suites enabled; the string above offers only the strong suites and excludes unauthenticated (aNULL) and MD5-based ones. On OpenLDAP 2.4 or later, TLSProtocolMin 3.3 additionally refuses any protocol version older than TLS 1.2. TLSCertificateFile contains the server certificate used by slapd; its CN (or subjectAltName) must be the name clients use to connect, because a client with TLS_REQCERT demand checks the name as well as the signature. TLSCertificateKeyFile contains the matching private key, which must be readable only by the user slapd runs as. TLSCACertificateFile contains the CA certificate which signed both the server and the client certificates. TLSVerifyClient determines what slapd does with a client that presents no certificate or a faulty one: demand, the strictest setting, drops the connection unless a valid certificate issued by that CA is presented, so every remote client needs a certificate of its own; try accepts a missing certificate but rejects a bad one, and never ignores client certificates entirely.

slapd also needs to listen on port 636 (ldaps) as well as port 389 (ldap). The following line in /etc/default/slapd makes it accept plain ldap only on localhost, which keeps the unencrypted simple binds used by pam_ldap and ldapadd above off the network, and ldaps on all interfaces:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:///"

LDAP clients need the CA certificate to verify the server's identity. Add the following to /etc/ldap/ldap.conf, with TLS_CACERT pointing at a copy of the same CA certificate named in TLSCACertificateFile on the server (the path may differ, as here, since this is the client's copy):

TLS_CACERT /etc/ssl/antiflux/cacert.pem
TLS_REQCERT demand

TLS_REQCERT demand makes the client abort the connection if the server certificate is missing, invalid, not issued by that CA, or issued for a different name than the host in the URI; the weaker settings (try, allow, never) accept an absent or bad certificate and defeat the purpose of TLS here. Use ldaps:// URIs (for example URI ldaps://hostname/ in ldap.conf) so the connection is encrypted before any bind. A quick check from a client is ldapsearch -x -H ldaps://hostname/ -b dc=example,dc=com, with TLS_CERT and TLS_KEY set in ~/.ldaprc since the server demands a client certificate; a rejected handshake shows up as an immediate "Can't contact LDAP server".
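The files that the slapd.conf and ldap.conf fragments above refer to have to come from somewhere; the following added example (not from the original page) produces them with openssl and checks them the way slapd with TLSVerifyClient demand and libldap with TLS_REQCERT demand will, by verifying that each leaf certificate chains to the configured CA and that a certificate from an unrelated CA does not. The CA name, the host names, the 2048-bit RSA keys and the scratch directory are assumptions for the demo; the production paths from the fragments appear only in comments.

```shell
#!/bin/sh
# Added example, not part of the original page: build a site CA, a server
# certificate and a client certificate with openssl, in the roles the
# slapd.conf/ldap.conf fragments expect, and verify the chains offline.
set -eu

WORK=${WORK:-$(mktemp -d)}

# make_ca DIR NAME: self-signed CA in DIR/cacert.pem (key in DIR/cacert.key).
# The certificate is what goes into TLSCACertificateFile on the server and
# TLS_CACERT on every client; the key never leaves the signing machine.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -keyout "$1/cacert.key" -out "$1/cacert.pem" 2>/dev/null
    chmod 0600 "$1/cacert.key"
}

# make_cert DIR CADIR CN: key, CSR and CA-signed certificate for CN in DIR.
# For the server, CN must be the name clients put in their ldaps:// URI,
# because TLS_REQCERT demand checks the name too.  The same routine issues
# client certificates, since TLSVerifyClient demand requires one per client.
make_cert() {
    mkdir -p "$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$3.csr" \
        -CA "$2/cacert.pem" -CAkey "$2/cacert.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
    chmod 0600 "$1/$3.key"       # TLSCertificateKeyFile: slapd's user only
    rm -f "$1/$3.csr"
}

# verify_cert CERT CAFILE: exit 0 if CERT was issued by the CA in CAFILE,
# non-zero otherwise (the check both "demand" settings perform).
verify_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Site CA, server certificate and one client certificate, plus an unrelated
# CA whose certificate for the same server name must be rejected.
make_ca   "$WORK/CA"      "Example LDAP CA"
make_cert "$WORK/certs"   "$WORK/CA"      ldap.example.com
make_cert "$WORK/certs"   "$WORK/CA"      client1.example.com
make_ca   "$WORK/otherCA" "Some Other CA"
make_cert "$WORK/rogue"   "$WORK/otherCA" ldap.example.com

# check_all: 0 only if the real server and client certificates verify
# against the site CA and the rogue server certificate does not.
check_all() {
    verify_cert "$WORK/certs/ldap.example.com.crt"    "$WORK/CA/cacert.pem" &&
    verify_cert "$WORK/certs/client1.example.com.crt" "$WORK/CA/cacert.pem" &&
    ! verify_cert "$WORK/rogue/ldap.example.com.crt"  "$WORK/CA/cacert.pem"
}

check_all && echo "certificate layout OK under $WORK"
```

Install CA/cacert.pem as TLSCACertificateFile on the server and as TLS_CACERT (or tls_cacertfile in pam_ldap.conf) on each client, certs/ldap.example.com.crt and .key as TLSCertificateFile and TLSCertificateKeyFile, and the client certificate and key as tls_cert and tls_key on the machine it was issued for. The rogue directory shows what a certificate from any other CA looks like to slapd and libldap: the signature does not chain to the configured CA, so the handshake is refused regardless of the name in the certificate.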
