LDAP is a directory server technology that allows information such as usernames and passwords for an entire site to be stored on a central server. This whitepaper describes how to set up a Linux workstation to use an LDAP server for user information and authentication.
Before proceeding, you will need a working LDAP server which can provide you with user information. If you need to set one up, consult our OpenLDAP whitepaper for instructions.
User information consists of such data as mappings between user id numbers and user names (used, for example, by ls -l), or home directory locations (used, for example, by cd ~). Lookups of such information are handled by the name service subsystem, configured in the file /etc/nsswitch.conf. Authentication (password checking), on the other hand, is handled by the PAM (pluggable authentication module) subsystem, configured in the /etc/pam.d/ directory. While these two subsystems can (in fact must) be configured separately, you will likely want both to use LDAP.
Begin by installing the shared library code necessary for the name service to use LDAP.
# apt-get install libnss-ldap
Next, open the /etc/nsswitch.conf file, and tell the name service subsystem to use LDAP to obtain user information.
    passwd: files ldap
    group:  files ldap
    shadow: files ldap
Finally, you need to tell the name service subsystem how to talk to your LDAP server. This is done in the file /etc/libnss-ldap.conf.
    uri ldap://ldap.example.com/ ldap://ldap-backup.example.com/
    base dc=example, dc=org
nss-ldap expects accounts to be objects with the following attributes: uid, uidNumber, gidNumber, homeDirectory, and loginShell. These attributes are allowed by the objectClass posixAccount.
There is a simple way to verify that your name service subsystem is using your LDAP server as instructed. Assign a file to be owned by a user that exists only in the LDAP database, not in /etc/passwd. If an ls -l correctly shows the username, then the name service subsystem is consulting the LDAP database; if it just shows the user number, something is wrong. For example, if the user john, with user number 1001, exists only in LDAP, we can try
    # touch /tmp/test
    # chown 1001 /tmp/test
    # ls -l /tmp/test
    -rw-r----- 1 john users 0 Jan 1 12:00 test
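The ls -l test above needs a live directory server. The following script is an added example, not part of this whitepaper: it checks the same configuration offline, using constructed copies of /etc/nsswitch.conf and /etc/libnss-ldap.conf that mirror the snippets above. It verifies that the three databases consult ldap after files (so local accounts, root included, still resolve when the server is down), flags server URIs that are not ldaps:// (the nss-ldap snippet above uses plain ldap://, so lookups cross the network unencrypted), and checks a constructed account entry for the posixAccount attributes listed above. The min_uid policy is an assumption of the example, not something nss-ldap enforces by itself.

```python
"""Check the nss-ldap configuration described above.

Added example, not part of the whitepaper. The file contents below are
constructed to mirror its snippets; on a real workstation read
/etc/nsswitch.conf and /etc/libnss-ldap.conf instead.
"""

# Constructed sample of /etc/nsswitch.conf
NSSWITCH = """\
passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
"""

# Constructed sample of /etc/libnss-ldap.conf (plain ldap://, as in the text)
LIBNSS_LDAP = """\
uri ldap://ldap.example.com/ ldap://ldap-backup.example.com/
base dc=example,dc=org
"""

# Attributes nss-ldap needs on every account (objectClass posixAccount)
POSIX_ACCOUNT_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_nsswitch(text):
    """Map each database to its ordered list of sources, ignoring comments."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs


def check_nsswitch(text, databases=("passwd", "group", "shadow")):
    """Report databases that skip ldap or consult it before files.

    Listing files first keeps root and other local accounts resolvable
    when the directory server is down.
    """
    dbs = parse_nsswitch(text)
    problems = []
    for db in databases:
        sources = dbs.get(db, [])
        if "ldap" not in sources:
            problems.append(f"{db}: ldap not consulted")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            problems.append(f"{db}: files should precede ldap")
    return problems


def parse_keyvalue(text):
    """Parse 'key value...' lines (libnss-ldap.conf style) into a dict."""
    conf = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if fields:
            conf[fields[0]] = fields[1].strip() if len(fields) > 1 else ""
    return conf


def check_libnss_ldap(text):
    """Report a missing uri/base and every server URI that is not ldaps://.

    Account data for lookups crosses the network; without TLS anyone on the
    path can read it.
    """
    conf = parse_keyvalue(text)
    problems = [f"missing {k}" for k in ("uri", "base") if k not in conf]
    for uri in conf.get("uri", "").split():
        if not uri.startswith("ldaps://"):
            problems.append(f"plaintext uri: {uri}")
    return problems


def check_posix_account(entry, min_uid=1000):
    """Report missing posixAccount attributes and an out-of-policy uidNumber.

    min_uid is an assumed site policy: a directory entry whose uidNumber
    matches a local system account (0 is root) is treated as that account
    by every workstation trusting the server.
    """
    problems = [f"missing {a}" for a in POSIX_ACCOUNT_ATTRS if a not in entry]
    uid = str(entry.get("uidNumber", ""))
    if uid and not uid.isdigit():
        problems.append("uidNumber not numeric")
    elif uid and int(uid) < min_uid:
        problems.append(f"uidNumber {uid} below site minimum {min_uid}")
    return problems


if __name__ == "__main__":
    print(check_nsswitch(NSSWITCH))        # []
    print(check_libnss_ldap(LIBNSS_LDAP))  # two plaintext uri warnings
    john = {"uid": "john", "uidNumber": "1001", "gidNumber": "100",
            "homeDirectory": "/home/john", "loginShell": "/bin/bash"}
    print(check_posix_account(john))       # []
```

Run it as is to see the warnings for the constructed files, or point the three check functions at the real file contents on a workstation before rolling the configuration out.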
Next we configure the PAM subsystem to use LDAP for passwords. Begin by installing the necessary PAM module.
# apt-get install libpam-ldap
Then tell pam-ldap how to reach the server. Debian's libpam-ldap package reads its settings from /etc/pam_ldap.conf.
    uri ldaps://ldap.example.com/
    base dc=example,dc=com
    pam_password exop
pam-ldap assumes accounts to be objects with the following attributes: uid and userPassword. These attributes are allowed by the objectClass posixAccount.
We are now ready to configure individual services to use the LDAP server for password checking. Each service that uses PAM for authentication has its own configuration file, /etc/pam.d/service (where service is the program's name). To configure a service to use LDAP for password checking, you must modify its PAM configuration file.
To avoid an in-depth explanation of PAM, we will content ourselves with a few examples. Consider first the login program, which handles logins from the text console. A typical PAM stack which checks passwords both in /etc/passwd and in the LDAP database follows.
    auth required   pam_nologin.so
    auth sufficient pam_ldap.so
    auth sufficient pam_unix.so shadow use_first_pass
    auth required   pam_deny.so
    account sufficient pam_unix.so
    account sufficient pam_ldap.so
    account required   pam_deny.so
Some applications not only authenticate passwords, but can also be used to change them. The prototypical example is of course passwd, the standard password-changing utility. Such programs can be configured to use LDAP by modifying their password stack.
    password required   pam_cracklib.so
    password sufficient pam_ldap.so
    password sufficient pam_unix.so
    password required   pam_deny.so
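To see what the control flags in the login and passwd stacks above actually decide, here is an added example (not from this whitepaper) that walks a PAM stack with the Linux-PAM rules for required, requisite, sufficient and optional. The stacks are the ones shown above; the module outcomes are constructed scenarios, so no real module runs. It also includes a constructed counterexample, the same auth stack without its final pam_deny.so line, which shows why that line is there: once a required module such as pam_nologin.so has succeeded, a stack whose remaining sufficient modules all fail still ends in success.

```python
"""Walk a PAM stack the way Linux-PAM does, to show what each line above does.

Added example, not part of the whitepaper. The stacks are the login and
passwd examples from the text; the module outcomes are constructed
scenarios, so no real PAM module is invoked.
"""

AUTH_STACK = """\
auth required   pam_nologin.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required   pam_deny.so
"""

# Same stack with the trailing pam_deny.so left out (constructed counterexample)
AUTH_STACK_NO_DENY = "\n".join(AUTH_STACK.splitlines()[:-1])

PASSWORD_STACK = """\
password required   pam_cracklib.so
password sufficient pam_ldap.so
password sufficient pam_unix.so
password required   pam_deny.so
"""

SUCCESS, FAILURE = "success", "failure"


def parse_stack(text):
    """Return (type, control, module) triples; module arguments are ignored."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            entries.append((fields[0], fields[1], fields[2]))
    return entries


def module_result(module, outcomes):
    """pam_deny.so always fails and pam_permit.so always succeeds; any other
    module takes its result from the scenario and fails if the scenario is silent."""
    if module == "pam_deny.so":
        return FAILURE
    if module == "pam_permit.so":
        return SUCCESS
    return outcomes.get(module, FAILURE)


def run_stack(text, outcomes):
    """Evaluate a stack under the classic control flags.

    required   failure is remembered but later modules still run
    requisite  failure ends the stack at once
    sufficient success ends the stack with success unless a required or
               requisite module already failed; failure is ignored
    optional   counts only when it is the only module in the stack
    The verdict is the first impression recorded; with nothing recorded the
    result is failure.
    """
    entries = parse_stack(text)
    impression = None  # None: undecided, True: success so far, False: failed
    for _, control, module in entries:
        ok = module_result(module, outcomes) == SUCCESS
        if control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "requisite":
            if not ok:
                return FAILURE
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return SUCCESS
        elif control == "optional" and len(entries) == 1:
            impression = ok
    return SUCCESS if impression else FAILURE


if __name__ == "__main__":
    # Directory user: pam_ldap accepts the password, pam_unix is never reached.
    print(run_stack(AUTH_STACK, {"pam_nologin.so": SUCCESS, "pam_ldap.so": SUCCESS}))
    # Local user: pam_ldap fails, pam_unix accepts the same password.
    print(run_stack(AUTH_STACK, {"pam_nologin.so": SUCCESS, "pam_unix.so": SUCCESS}))
    # Wrong password everywhere: pam_deny.so makes the refusal explicit.
    print(run_stack(AUTH_STACK, {"pam_nologin.so": SUCCESS}))
    # Without pam_deny.so the success of the required pam_nologin.so becomes
    # the stack's verdict, so the same wrong password would log in.
    print(run_stack(AUTH_STACK_NO_DENY, {"pam_nologin.so": SUCCESS}))
```

The same function explains the password stack: if pam_cracklib.so rejects the new password, that required failure is remembered, and a later sufficient success from pam_ldap.so cannot override it.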
One convenient application of pam-ldap is to set up "black box" servers that authenticate users for a particular service even though those users have no account on the machine at all. Services such as netatalk, (Cyrus) imap, and (Postfix) smtp use PAM. By configuring their PAM stacks to use LDAP, while leaving LDAP out of the PAM stacks of services such as login and ssh, you can easily create such a "black box" server.
To keep your computers from pounding your LDAP server every time a command such as ls -l /home is issued somewhere in your organization, it is a good idea to configure your workstations to cache some user data. As long as the data in the cache is sufficiently fresh, the workstation uses it instead of asking your LDAP server again. The name service cache daemon (nscd) does exactly this.
To install nscd on Debian, just
# apt-get install nscd
The configuration file for nscd is /etc/nscd.conf.
    enable-cache            passwd  yes
    positive-time-to-live   passwd  600
    negative-time-to-live   passwd  20
    suggested-size          passwd  211
    check-files             passwd  yes
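The two time-to-live settings decide how long workstations keep serving an answer without asking the server again, in both directions: a newly created account stays invisible for up to negative-time-to-live seconds, and an account removed from the directory keeps resolving for up to positive-time-to-live seconds. The following added example (not from this whitepaper) models that behaviour with a constructed copy of the nscd.conf fragment above, a constructed directory and a constructed lookup timeline. Two things the model deliberately leaves out: check-files watches the local /etc/passwd for changes and does nothing for edits made in the directory, and nscd caches name service lookups only, never PAM password checks.

```python
"""Replay passwd lookups against a model of nscd's cache.

Added example, not part of the whitepaper. The configuration is a
constructed copy of the nscd.conf lines above; the directory contents and
the lookup timeline are constructed too. Only positive/negative caching is
modelled: check-files (which watches the local /etc/passwd) is ignored.
"""

# Constructed copy of the /etc/nscd.conf fragment
NSCD_CONF = """\
enable-cache            passwd  yes
positive-time-to-live   passwd  600
negative-time-to-live   passwd  20
suggested-size          passwd  211
check-files             passwd  yes
"""


def parse_nscd_conf(text):
    """Group 'option database value' lines by database."""
    conf = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            option, database, value = fields
            conf.setdefault(database, {})[option] = value
    return conf


class PasswdCache:
    """A model of nscd's passwd cache in front of a (mutable) directory."""

    def __init__(self, conf, directory):
        db = conf.get("passwd", {})
        self.enabled = db.get("enable-cache") == "yes"
        self.positive_ttl = int(db.get("positive-time-to-live", 0))
        self.negative_ttl = int(db.get("negative-time-to-live", 0))
        self.directory = directory      # name -> uidNumber, stands in for LDAP
        self.cache = {}                 # name -> (answer or None, expires_at)
        self.server_queries = 0

    def lookup(self, name, now):
        """Return the uidNumber for name (None if unknown) at logical time now."""
        if self.enabled and name in self.cache:
            answer, expires_at = self.cache[name]
            if now < expires_at:
                return answer           # served from cache, server not asked
        self.server_queries += 1
        answer = self.directory.get(name)
        ttl = self.positive_ttl if answer is not None else self.negative_ttl
        if self.enabled:
            self.cache[name] = (answer, now + ttl)
        return answer


def timeline():
    """Run a constructed timeline; returns (answers, server_queries)."""
    cache = PasswdCache(parse_nscd_conf(NSCD_CONF), {"john": "1001"})
    answers = []
    answers.append(cache.lookup("john", 0))     # miss: asks the server
    answers.append(cache.lookup("john", 100))   # fresh: cache answers
    answers.append(cache.lookup("jane", 100))   # miss: negative answer cached
    cache.directory["jane"] = "1002"            # account created in LDAP at t=105
    answers.append(cache.lookup("jane", 110))   # still None: negative TTL is 20
    answers.append(cache.lookup("jane", 120))   # negative entry expired, found
    del cache.directory["john"]                 # account removed in LDAP at t=125
    answers.append(cache.lookup("john", 599))   # stale: cached until t=600
    answers.append(cache.lookup("john", 600))   # expired: server says unknown
    return answers, cache.server_queries


if __name__ == "__main__":
    print(timeline())
```

When choosing positive-time-to-live, weigh the server load it saves against how long a workstation may keep resolving an account that no longer exists in the directory; nscd -i passwd clears the cache by hand when a change must take effect at once.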