Sunday, 20 November 2011

Configure OpenLDAP Client for PAM Authentication in Ubuntu

Previously, in the article OpenLDAP Setup, I showed how to set up and configure a basic OpenLDAP server with a basic directory structure. Using that OpenLDAP structure we can implement centralized PAM authentication, which is very useful when maintaining a large number of servers.

Below are the steps to configure Ubuntu as an OpenLDAP client for PAM authentication.

Basic Assumptions:
  1. We will be using the root account to install and configure the OpenLDAP client for PAM authentication.
  2. We will be using "diglinux.com" as our domain, as previously set up on the OpenLDAP server.
  3. The admin user for managing the OpenLDAP structure will be "Admin".
  4. The password for the Admin user will be "diglinux".
  5. The OpenLDAP server IP address is 192.168.1.1.
  6. Internet access is properly configured and working on the machine that we will be configuring as the OpenLDAP client.

Installing OpenLDAP Client and Required Services

root@diglinux.com:~# apt-get install nss-updatedb libnss-ldap nscd libpam-ldap libpam-mkhomedir auth-client-config ldap-utils

Each of these packages plays a different role in OpenLDAP PAM authentication. During the installation of these packages you will be asked some basic questions.
-----------------------------------------------------------------
1.  LDAP server Uniform Resource Identifier:
-> ldap://192.168.1.1

2. Distinguished name of the search base:
-> dc=diglinux,dc=com

3.  LDAP version to use:
-> Version 3

4.  Make local root Database admin:
-> Yes

5. Does the LDAP database require login?
-> Yes

6.  LDAP account for root:
-> cn=Admin,dc=diglinux,dc=com

7.  LDAP root account password:
-> diglinux

8. Unprivileged database user:
-> cn=Admin,dc=diglinux,dc=com

9. Password for database login account:
-> diglinux
-----------------------------------------------------------------
Remember to change these values to match your own server; the values above are the ones we used in our OpenLDAP setup guide.

Once the above settings are done, you will need to edit the file "/etc/ldap.conf".
Find
#bind_policy hard
and replace it with
bind_policy soft

Un-comment the parameter
pam_password crypt

Save and exit this file.

Now execute the following command. It adds "ldap" to /etc/nsswitch.conf, the file that tells the name service switch where, and in which order, to look up accounts.

root@diglinux.com:~# auth-client-config -t nss -p lac_ldap

Now we need to update the PAM configuration. For this, execute the following command:

root@diglinux.com:~# pam-auth-update

Make sure you select "LDAP Authentication".

The final step is to restart some services.

root@diglinux.com:~# /etc/init.d/libnss-ldap restart && /etc/init.d/nscd restart

If everything goes without error, PAM can now authenticate users against OpenLDAP. To verify, create a user in OpenLDAP. Once the user is created, issue the command below to check whether that user has been picked up by Linux:

root@diglinux.com:~# getent passwd

This will show you a list of all users known to the system, including the ones coming from LDAP.

Up to here you have working OpenLDAP PAM authentication. However, an issue that can come up is that users will not have the home directory that is defined for them in OpenLDAP. PAM provides a module that dynamically creates a user's home directory if it is not found.
We installed this module earlier; we only need to configure it, which is very easy.

For this we will need to create a plain text file "/usr/share/pam-configs/my_mkhomedir". Copy and paste the lines below into this file, then save and exit.

#------------------------------------
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
#------------------------------------
Do not copy the "----" lines. Once done, we have to update PAM again, using the command below.

root@diglinux.com:~# pam-auth-update

You will now see "activate mkhomedir"; make sure it is checked.

If everything goes without errors, you will have fully working OpenLDAP PAM authentication.
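As an added check for the verification step above (not part of the original post), the Python below parses the output of "getent passwd" together with /etc/passwd, lists which accounts are being served by LDAP, and flags the entries a defender would want to look at before pam_mkhomedir starts creating directories for them: a uidNumber of 0, a uidNumber or login name that collides with a local account, and a homeDirectory outside /home. The sample input is constructed.

```python
# Added example (not from the original post): audit the accounts "getent passwd"
# returns on the client, separating LDAP-sourced entries from /etc/passwd ones.

# Constructed sample: /etc/passwd and "getent passwd" output after the post's
# steps; "backup2" and "toor" are deliberately bad LDAP entries for the checks.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
"""
GETENT_PASSWD = LOCAL_PASSWD + """\
diglinux:x:1002:1000:DigLinux:/home/diglinux:/bin/bash
backup2:x:1000:1000:Backup:/home/backup2:/bin/bash
toor:x:0:0:toor:/etc/toor:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd(5) lines into a list of dicts, preserving order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def audit_ldap_accounts(local_text, getent_text, home_root="/home"):
    """Return (ldap_entries, findings); findings are (name, reason) pairs."""
    local = parse_passwd(local_text)
    local_names = {e["name"] for e in local}
    local_uids = {e["uid"]: e["name"] for e in local}
    # getent merges every NSS source, so a line that is not literally in
    # /etc/passwd came from the "ldap" source added to nsswitch.conf.
    ldap_entries = [e for e in parse_passwd(getent_text) if e not in local]
    findings = []
    for e in ldap_entries:
        if e["uid"] == 0:
            findings.append((e["name"], "uid 0 account served from LDAP"))
        elif e["uid"] in local_uids:
            findings.append((e["name"], "uidNumber %d collides with local user %s"
                             % (e["uid"], local_uids[e["uid"]])))
        if e["name"] in local_names:
            findings.append((e["name"], "login name also exists in /etc/passwd"))
        if not e["home"].startswith(home_root + "/"):
            findings.append((e["name"], "home %s is outside %s; pam_mkhomedir would"
                             " create it there" % (e["home"], home_root)))
    return ldap_entries, findings
```

On a real client, feed it the contents of /etc/passwd and the captured output of "getent passwd" instead of the constructed strings.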

Tuesday, 8 November 2011

DigLinux on G+

DigLinux has officially launched its Google+ page. DigLinux will now be updated regularly, and we hope to bring more authors onto this platform.

Thursday, 3 November 2011

OpenLDAP Setup on Ubuntu 10.04.2

In this article I will cover how to install and configure a basic OpenLDAP server. Many people have asked me about this, and yes, there are many tutorials available on the internet; no one is bound to use or follow this article.

I have tried to make things as easy as possible while covering all aspects of this subject.

Let's start...

Basic Assumptions:
  1. We will be using a freshly installed Ubuntu Server 10.04.2 LTS.
  2. We will be using the root account to install and configure OpenLDAP and related services.
  3. We will be using "diglinux.com" as our domain.
  4. The admin user for managing the OpenLDAP structure will be "Admin".
  5. The password for the Admin user will be "diglinux".
  6. Internet access is properly configured and working on the machine on which we will be configuring OpenLDAP.

Step1: Installing OpenLDAP

root@diglinux.com:~# apt-get update
root@diglinux.com:~# apt-get install slapd ldap-utils

The "slapd" package installs OpenLDAP on Ubuntu, and the "ldap-utils" package installs some useful command-line tools for working with LDAP without restarting the LDAP server.

Step2: Importing Basic LDAP Schema

root@diglinux.com:~# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
root@diglinux.com:~# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
root@diglinux.com:~# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
root@diglinux.com:~# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif

By default OpenLDAP comes with some basic predefined data types; importing these schemas adds further data types that are commonly used.

Step3: Creating Basic Backend OpenLDAP Structure

Here we will be creating the basic back-end structure for our OpenLDAP server.
First we will create a file; you can name it whatever you want, here I will name it "diglinux.backend.ldif".

root@diglinux.com:~# vim diglinux.backend.ldif

Now copy and paste the lines below into this file. Make sure that you replace "diglinux" with your domain and the password with the password that you want to set.
--------------------------------------------------------------------------------------------------

# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=diglinux,dc=com
olcRootDN: cn=Admin,dc=diglinux,dc=com
olcRootPW: diglinux
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Admin,dc=diglinux,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Admin,dc=diglinux,dc=com" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
################################
# Modifications
################################

dn: cn=config
changetype: modify

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=Admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: diglinux

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

--------------------------------------------------------------------------------------------------

Once this file is created, you will need to import it into LDAP to create the basic structure and add the LDAP admin user.

root@diglinux.com:~# ldapadd -Y EXTERNAL -H ldapi:/// -f diglinux.backend.ldif

Step4: Creating Basic OU Structure

Here we will be creating two basic OUs. This is pretty much the default in OpenLDAP; almost all tutorials on the internet work with the same OUs.
You can change them as per your needs, but remember that whatever you create here, you should have a good idea of what you are doing.

We will create a file; you can name it whatever you want, here I will name it "diglinux.ou.ldif".

Now copy and paste the lines below into this file. Make sure that you replace "diglinux" with your domain and the password with the password that you want to set.
--------------------------------------------------------------------------------------------------

# Tree root
dn: dc=diglinux,dc=com
objectClass: dcObject
objectclass: organization
o: diglinux
dc: diglinux
description: Tree root

# Creating Admin User
dn: cn=Admin,dc=diglinux,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: diglinux
description: LDAP administrator

# Creating an OU named "people"
dn: ou=people,dc=diglinux,dc=com
ou: people
objectClass: organizationalUnit
objectClass: top

# Creating an OU named "groups"
dn: ou=groups,dc=diglinux,dc=com
ou: groups
objectClass: organizationalUnit
objectClass: top

#Adding a test user name "diglinux"
dn: uid=diglinux,ou=people,dc=diglinux,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: diglinux
sn: com
givenName: DigLinux
cn: DigLinux
displayName: DigLinux
uidNumber: 1002
gidNumber: 1000
userPassword: diglinux
gecos: DigLinux
loginShell: /bin/bash
homeDirectory: /home/diglinux
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: info@diglinux.com
postalCode: 31000
l: Karachi
o: diglinux
mobile: +92 123 1234567
homePhone: +92 123 1234567
title: System Administrator
postalAddress:
initials: DL

--------------------------------------------------------------------------------------------------
Make sure that you make the required changes in this file. Once all changes are done, save and exit.
Now it's time to import these settings.

root@diglinux.com:~# ldapadd -x -D "cn=Admin,dc=diglinux,dc=com" -W -f diglinux.ou.ldif

Once you execute this command, it will ask for a password. In our backend file we set the password to "diglinux"; if you changed it, enter that password here.
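Both LDIF files above (the backend file's olcRootPW and the OU file's userPassword) store the password "diglinux" in cleartext. slapd also accepts hashed values, and slappasswd produces them in the {SSHA} scheme by default; the Python below is an added example, not from the original post, that implements that scheme, verifies a password against it, and rewrites cleartext password attributes in a constructed LDIF excerpt modelled on the post's files. Pasting the resulting olcRootPW and userPassword values into the files leaves the rest of the procedure unchanged.

```python
# Added example (not from the original post): OpenLDAP's {SSHA} password scheme
# in Python, used to replace the cleartext passwords in the post's LDIF files.
import base64
import hashlib
import hmac
import os

PASSWORD_ATTRS = ("olcRootPW", "userPassword")

# Constructed excerpt modelled on the post's backend and OU LDIF files.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=diglinux,dc=com
olcRootDN: cn=Admin,dc=diglinux,dc=com
olcRootPW: diglinux

dn: uid=diglinux,ou=people,dc=diglinux,dc=com
uid: diglinux
userPassword: diglinux
"""

def ssha_hash(password, salt=None):
    """{SSHA} = base64( sha1(password + salt) + salt ); slappasswd uses a 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value the way slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def hash_cleartext_passwords(ldif, salt=None):
    """Return (new_ldif, changed) where cleartext password attributes now carry
    {SSHA} hashes; values already in {scheme} form or base64 ("::") are left alone."""
    out, changed, dn = [], [], None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        attr, sep, value = line.partition(": ")
        if sep and attr in PASSWORD_ATTRS and not value.startswith("{"):
            line = "%s: %s" % (attr, ssha_hash(value, salt))
            changed.append("%s %s" % (dn, attr))
        out.append(line)
    return "\n".join(out) + "\n", changed
```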

Now, if everything goes fine and without any errors, you should have a running OpenLDAP server with a basic structure.
You can verify this using JXplorer, a free Windows-based utility for managing OpenLDAP. It can be downloaded from http://www.jxplorer.org/

Below is a snapshot of the JXplorer connection settings used to connect to the LDAP server.

JXplorer Connection Settings