Sunday, 20 November 2011

Configure OpenLDAP Client for PAM Authentication in Ubuntu

Previously, in the article OpenLDAP Setup, I showed how to set up and configure a basic OpenLDAP server with a basic directory structure. Using that OpenLDAP structure we can implement centralized PAM authentication, which is very useful when maintaining a large number of servers.

Here is how to configure Ubuntu as an OpenLDAP client for PAM authentication.

Basic Assumptions:
  1. We will be using the root account to install and configure the OpenLDAP client for PAM authentication.
  2. We will be using "diglinux.com" as our domain, as previously set up on the OpenLDAP server.
  3. The admin user for managing the OpenLDAP structure will be "Admin".
  4. The password for the Admin user will be "diglinux".
  5. The OpenLDAP server IP address is 192.168.1.1.
  6. Internet access is properly configured and working on the machine on which we will be configuring the OpenLDAP client.

Installing OpenLDAP Client and Required Services

root@diglinux.com:~# apt-get install nss-updatedb libnss-ldap nscd libpam-ldap libpam-mkhomedir auth-client-config ldap-utils

Each package plays a different role in configuring OpenLDAP PAM authentication. During installation of these packages, you will be asked some basic questions.
-----------------------------------------------------------------
1.  LDAP server Uniform Resource Identifier:
-> ldap://192.168.1.1

2. Distinguished name of the search base:
-> dc=diglinux,dc=com

3.  LDAP version to use:
-> Version 3

4.  Make local root Database admin:
-> Yes

5. Does the LDAP database require login?
-> Yes

6.  LDAP account for root:
-> cn=Admin,dc=diglinux,dc=com

7.  LDAP root account password:
-> diglinux

8. Unprivileged database user:
-> cn=Admin,dc=diglinux,dc=com

9. Password for database login account:
-> diglinux
-----------------------------------------------------------------
Remember to change these settings to match your own server; the values above are the ones we implemented in our OpenLDAP setup guide.

Once the above settings are done, you will need to edit the file "/etc/ldap.conf".
Find
#bind_policy hard
and  replace it with
bind_policy soft

Un-comment the parameter
pam_password crypt

Save and exit this file.

Now execute this command. It will add "ldap" to /etc/nsswitch.conf, which tells the system where to look up account information and in what order.

root@diglinux.com:~# auth-client-config -t nss -p lac_ldap

Now we need to update the PAM authentication configuration. For this, execute this command:

root@diglinux.com:~# pam-auth-update

Make sure you select "LDAP Authentication".

The final step is to restart some services.

root@diglinux.com:~# /etc/init.d/libnss-ldap restart && /etc/init.d/nscd restart

If everything goes without error, PAM can now authenticate against OpenLDAP. To verify, create a user in OpenLDAP. Once the user is created, issue the command below to check whether that user has been picked up by Linux:

root@diglinux.com:~#  getent passwd

This will show you a list of the users present on the system, and the LDAP user should appear among them.

At this point you have working OpenLDAP PAM authentication. However, one issue that can come up is that users will not have the home directory defined for them in OpenLDAP. PAM provides a plugin that dynamically creates the user's home directory if it is not found.
We already installed this plugin earlier; we only need to configure it, and that is very easy.

For this we will need to create a plain text file "/usr/share/pam-configs/my_mkhomedir". Copy and paste the lines below into this file, then save and exit.

#------------------------------------
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
#------------------------------------
Do not copy the "----" lines. Once done, we have to update PAM again. This is done using the command below.

root@diglinux.com:~# pam-auth-update

Here you will now see "activate mkhomedir"; make sure it is checked.

If everything goes without errors, you will have a fully working OpenLDAP PAM authentication setup.
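As an added example (not from the original post), here is a small POSIX shell script that checks the client-side results of the steps above: that passwd, group and shadow are looked up via ldap in nsswitch.conf, that bind_policy and pam_password are set in ldap.conf, that pam_mkhomedir is in the session stack, and whether a bindpw line sits in a world-readable file. The file paths are parameters, the sample files it writes are constructed to mirror what this guide produces, and GNU stat is assumed for the permission check.

```shell
#!/bin/sh
# Sanity checks for an Ubuntu OpenLDAP PAM/NSS client (added example, not from
# the original post). Pass /etc/nsswitch.conf, /etc/ldap.conf and
# /etc/pam.d/common-session, or constructed copies. GNU stat is assumed.

# nsswitch_uses_ldap FILE DB: succeeds if the DB line (passwd/group/shadow) lists ldap
nsswitch_uses_ldap() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw ldap
}

# ldapconf_value FILE KEY: print the value of the first uncommented KEY line
# ("#bind_policy hard" is a comment, "bind_policy soft" is a setting)
ldapconf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# ldapconf_exposes_password FILE: succeeds (a finding) when the file holds a
# bindpw line and is readable by other users. Answering the "unprivileged
# database user" prompt with the Admin DN puts the Admin password here.
ldapconf_exposes_password() {
    grep -qE '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1
    mode=$(stat -c %a "$1")
    [ $(( (mode % 10) & 4 )) -ne 0 ]
}

# pam_session_has_mkhomedir FILE: succeeds if pam_mkhomedir is an active session module
pam_session_has_mkhomedir() {
    grep -qE '^session.*pam_mkhomedir\.so' "$1"
}

# check_client NSSWITCH LDAPCONF COMMON_SESSION: prints findings, returns their count
check_client() {
    n=0
    for db in passwd group shadow; do
        nsswitch_uses_ldap "$1" "$db" || { echo "FAIL: $db not looked up via ldap"; n=$((n + 1)); }
    done
    [ "$(ldapconf_value "$2" bind_policy)" = soft ] || { echo "FAIL: bind_policy is not soft"; n=$((n + 1)); }
    [ -n "$(ldapconf_value "$2" pam_password)" ] || { echo "FAIL: pam_password is not set"; n=$((n + 1)); }
    ldapconf_exposes_password "$2" && { echo "WARN: bindpw in world-readable $2"; n=$((n + 1)); }
    pam_session_has_mkhomedir "$3" || { echo "FAIL: pam_mkhomedir is not in the session stack"; n=$((n + 1)); }
    return "$n"
}

# write_sample_client DIR: constructed files mirroring what the guide produces
# (not copied from a real host), so the checks can be exercised offline.
write_sample_client() {
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$1/nsswitch.conf"
    printf 'uri ldap://192.168.1.1\nbase dc=diglinux,dc=com\nbinddn cn=Admin,dc=diglinux,dc=com\nbindpw diglinux\nbind_policy soft\npam_password crypt\n' > "$1/ldap.conf"
    chmod 644 "$1/ldap.conf"
    printf 'session required pam_mkhomedir.so umask=0022 skel=/etc/skel\n' > "$1/common-session"
}
```

Run `check_client /etc/nsswitch.conf /etc/ldap.conf /etc/pam.d/common-session` on the configured client; an exit status of 0 means every check passed, and the WARN line tells you a bind password is readable by every local user.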

Tuesday, 8 November 2011

DigLinux on G+

DigLinux has officially launched its Google+ Page. DigLinux will now be updated regularly, and we hope to bring more authors onto this platform.