

Using LDAP for authentication on Linux

It's not been easy for me, but I've made some progress. I use OpenDS as the LDAP server, and tested authentication with CentOS 5.5 and Ubuntu 10.04.

LDAP server

First I need an LDAP server. I used OpenDS because my company has had some successful deployments with it. The installation is pretty straightforward and it comes with a GUI control panel (I think it's under $opends-home/bin/control-panel). Once the installation wizard finishes, it asks whether you want to create an initial DN. I did, and I created a subdomain called "webservers". Under that domain I created two users, "admin" and "oper", and a couple of groups. The screenshot below illustrates the tree structure:

[Screenshot: OpenDS tree structure for dc=webservers (users admin, oper; groups operators, superusers)]

Initially the users I created can only be seen with shelldap, because by default OpenDS does not add the "posixAccount" objectClass to them. shelldap still gives you a quick way to confirm that LDAP is up and running and that it can be queried:

shelldap --basedn dc=webservers,dc=comme,dc=ca --server 192.168.13.10
~ > list
cn=admin
cn=oper
cn=operators
cn=superusers


ObjectClass and attributes

You must add the posixAccount objectClass to each user, as it is required for the later parts. The posixAccount objectClass does not require the loginShell attribute to be filled in, but make sure it is entered as well, since the Linux side needs it.

Configuring Linux to use LDAP

Each distro has its own utility for this. On Red Hat it's authconfig; on Ubuntu it's ldap-auth-config. Once it is installed, run it once and it will configure your server to use LDAP for authentication. The config it generates does not work well for me (most likely due to some misconfiguration on my LDAP server), but that can be worked around by editing /etc/ldap.conf. Here is mine:

base dc=webservers,dc=comme,dc=ca
uri ldap://192.168.13.10/
ldap_version 2
pam_password md5


Notice that I did not configure LDAPS, so passwords are most likely transmitted in plaintext. You wouldn't want to do that in a production environment. Once the config file is updated it takes effect immediately; nothing needs to be restarted.
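As an added example (not from the original page), here is a small POSIX sh audit that flags the ldap.conf above for the cleartext problem just described, run beside a hardened variant. The option names (ssl start_tls, tls_checkpeer, tls_cacertfile, pam_password exop) are the pam_ldap/nss_ldap ones; the CA certificate path is an assumed placeholder.

```sh
# Added example, not from the page: audit a pam_ldap/nss_ldap style /etc/ldap.conf
# for settings that expose the user's password. Prints one FAIL line per finding
# and returns the number of findings (0 = nothing flagged).
audit_ldap_conf() {
    conf=$1
    n=0
    # First token of a key's value; key match is case-insensitive, '#' lines ignored.
    val() { awk -v k="$1" 'tolower($1) == k { print $2; exit }' "$conf"; }
    uri=$(val uri)
    case "$uri" in ldaps://*) tls=yes ;; *) tls=no ;; esac
    case "$(val ssl)" in start_tls|on) tls=yes ;; esac
    if [ "$tls" = no ]; then
        echo "FAIL uri '$uri' with no 'ssl start_tls': simple binds send passwords in cleartext"
        n=$((n + 1))
    elif [ "$(val tls_checkpeer)" != yes ]; then
        echo "FAIL tls_checkpeer is not 'yes': the server certificate is never verified"
        n=$((n + 1))
    fi
    if [ "$(val ldap_version)" = 2 ]; then
        echo "FAIL ldap_version 2: LDAPv2 has no StartTLS extended operation; use 3"
        n=$((n + 1))
    fi
    if [ "$(val pam_password)" = md5 ]; then
        echo "FAIL pam_password md5: client stores an unsalted {MD5} hash; use exop so the server hashes it"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample inputs: the page's own ldap.conf and a hardened variant (assumed CA path).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
base dc=webservers,dc=comme,dc=ca
uri ldap://192.168.13.10/
ldap_version 2
pam_password md5
EOF
cat > "$HARD_CONF" <<'EOF'
base dc=webservers,dc=comme,dc=ca
uri ldap://192.168.13.10/
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
ldap_version 3
pam_password exop
EOF
audit_ldap_conf "$WEAK_CONF" || echo "-> $? finding(s) in the page's config"
audit_ldap_conf "$HARD_CONF" && echo "-> hardened config passes"
```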

Testing LDAP connection and authentication

To test that my Linux box is now able to retrieve the uid / home directory / shell from the LDAP server:

> getent passwd | grep admin
admin:*:10001:20001:admin:/home/admin:/bin/bash

> id oper
uid=10002(oper) gid=20001 groups=20001


The next thing, of course, is to try to log in with the credentials held on the LDAP server. For some reason authconfig did not take care of PAM for me, so I had to add the following lines:

On CentOS, to /etc/pam.d/system-auth:

auth        sufficient  pam_ldap.so
account     sufficient  pam_ldap.so
password    sufficient  pam_ldap.so


On Ubuntu, to /etc/pam.d/common-auth, /etc/pam.d/common-account and /etc/pam.d/common-password respectively (each line goes in the corresponding file):

auth        sufficient  pam_ldap.so
account     sufficient  pam_ldap.so
password    sufficient  pam_ldap.so


That works out for me on CentOS, but not on Ubuntu. The latter keeps saying my password is incorrect. I'll try to iron that out later on.
