Contents

1. Introduction
2. Installation
   1. Quick Description
3. README
4. Configuration
   1. Name Service
   2. PAM
   3. PAM: Stronger Passwords (Optional)
   4. Notes for 7.10 and later
5. Host-based Authentication
   1. libpam-ldap authentication
   2. pam_filter authentication
6. Credits
Introduction

This page is intended for anyone who wants to enable an Ubuntu client to authenticate on an existing OpenLDAP server. For more details on the server installation part see OpenLDAPServer. If you want Kerberos as well for single sign-on (likely), see SingleSignOn. For authenticating on a Sun Java Enterprise System Directory Server, please consult the SunLDAPClientAuthentication page. For authenticating using a Mac OS X Leopard Server, consult the OSXLDAPClientAuthentication page. For version 7.10 and later, see the bottom of the page for another way of authentication (auth-client-config).

If you have lookup failures on some accounts using libpam-ldap, try installing libpam-ldapd instead. Configuration will then be via /etc/nslcd.conf.
Installation

Install the following packages: libpam-ldap libnss-ldap nss-updatedb libnss-db. Note that you have to enable the universe repositories for this.

Quick Description

libpam-ldap allows for authentication via LDAP. libnss-ldap provides account information (username, uid, groups, etc.) via LDAP. That's why /etc/libnss-ldap.conf and /etc/pam_ldap.conf have such similar structures.

During installation, you will be asked the following questions:

- The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
- The distinguished name of the search base. For example: dc=example,dc=com
- The LDAP version to use. You usually would choose 3 here.
- If your database requires logging in. You would usually choose no here.
- If you want to make the configuration readable/writeable by owner only. A no should be the answer to this.
- A dialog is displayed stating "it cannot manage nsswitch.conf automatically"; just select OK.
- If you want the local root to be the database admin. You would usually choose yes here.
- Again, if your database requires logging in. You would usually choose no here.
- Your root login account. For example: cn=manager,dc=example,dc=com
- Your root password.
- After that, a dialog explaining the different encryption methods asks you to specify the encryption method to use before sending your password. exop is usually a good choice.

The above steps might vary a bit depending on the Ubuntu distribution used. When you want to restart the configuration you can
README

This is taken from /usr/share/doc/libpam-ldap/README.Debian:

Be very careful when you use "sufficient pam_ldap.so" in Debian's /etc/pam.d/common-* files: some services can place other "required" PAM modules after the includes, which will be ignored if pam_ldap.so succeeds. As a workaround, use something like the following construct:

    # Check local authentication first, so root can still login
    # while LDAP is down.
    auth [success=1 default=ignore] pam_unix.so
    auth required pam_ldap.so use_first_pass
    auth required pam_permit.so

The third line is needed so that "success=1" can skip over one module and still have a module to jump to. Without that, PAM segfaults!

If you want to use the "pam_check_host_attr" feature, make sure "pam_unix.so" doesn't provide a valid "account" via the Name Service Switch (NSS), which overrides your LDAP configuration. Don't use "ldap" for "shadow" in /etc/nsswitch.conf, just use "shadow: files". For PAM, use something like the following:

    # Try local /etc/shadow first and skip LDAP on success
    account [success=1 default=ignore] pam_unix.so
    account required pam_ldap.so
    account required pam_permit.so

Thanks to Etienne Goyer for pointing this out. See LDAP-Permissions.txt for details about the required LDAP permissions.

If you discover that cron is suddenly not running root's crontab after getting LDAP running on your client machine, and are getting messages in /var/log/syslog like

    Apr 7 10:17:01 localhost CRON: Authentication token is no longer valid; new one required

then check that root's password hasn't really expired. Run the command chage -l root. If the root password has expired, you can make it so that it never expires by running sudo chage -E-1 root. This can happen even though the root account is locked if for some reason in the past you unlocked and relocked the root account. If that wasn't the problem, then make the above changes to your PAM configuration: you may need to make these changes to /etc/nsswitch.conf and /etc/pam.d/common-account, which should work for most configurations.

Configuration

After the installation of the necessary packages you will need to configure the Name Service and PAM. First though, use dpkg-reconfigure for both the libpam-ldap and libnss-ldap packages and check if everything is OK. When finished configuring you will need to double check the data in /etc/libnss-ldap.conf and /etc/pam_ldap.conf, especially the host entry, which doesn't accept a URI. Better is to use the uri entries and comment out host.

Ubuntu uses /etc/ldap.conf as libpam-ldap's configuration file and /etc/ldap.secret as the file to store the password of the rootbinddn. This file is shared with libnss-ldap. If separate configuration files for libnss-ldap and libpam-ldap are required, you can specify an alternate configuration file in /etc/pam.d/common-* by adding a config=</path> argument to the pam_ldap.so entry, such as:

    auth sufficient pam_ldap.so config=/etc/pam_ldap.conf

This would let you have two separate configurations: /etc/ldap.conf for NSS and /etc/pam_ldap.conf for PAM.
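The checks the README and Configuration sections describe can be scripted. The following Python audit is an added example (it is not part of the Ubuntu wiki page, nor of libpam-ldap or libnss-ldap); it parses the three file formats involved and reports the pitfalls named on this page: compat left in nsswitch.conf, ldap in the shadow entry, a host entry used where uri is expected, a missing bind_policy soft (see the BUG ALERT under Name Service), a [success=N default=ignore] rule with nothing left to jump to, and a sufficient pam_ldap.so that hides required modules placed after it. The file contents in the block are constructed samples, not taken from any real host.

```python
"""Audit LDAP-client NSS/PAM files for the pitfalls this page lists.
Added example, not the wiki's or any package's code; all file contents
below are constructed samples."""
import re

BAD_NSSWITCH = """\
passwd: compat
group:  compat
shadow: files ldap
"""
GOOD_NSSWITCH = """\
passwd: files ldap
group:  files ldap
shadow: files
"""
BAD_LDAP_CONF = """\
host 192.0.2.10          # 'host' does not accept a URI
base dc=example,dc=com
ldap_version 3
"""
GOOD_LDAP_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3
bind_policy soft
"""
BAD_ACCOUNT = """\
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
"""
GOOD_ACCOUNT = """\
# Try local /etc/shadow first and skip LDAP on success
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
"""
BAD_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""

def _lines(text):
    """Yield non-empty lines with '#' comments removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_nsswitch(text):
    findings = []
    for line in _lines(text):
        db, _, sources = line.partition(":")
        db, sources = db.strip(), sources.split()
        if db == "shadow" and "ldap" in sources:
            findings.append("shadow lists ldap: use 'shadow: files', or pam_check_host_attr is bypassed")
        if db in ("passwd", "group") and "compat" in sources:
            findings.append(f"{db} still uses compat: replace with 'files ldap'")
    return findings

def audit_ldap_conf(text):
    findings, keys = [], {}
    for line in _lines(text):
        parts = line.split(None, 1)            # ldap.conf lines are 'keyword value'
        keys.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    if "host" in keys and "uri" not in keys:
        findings.append("host entry in use: it cannot take a URI, prefer 'uri ldap://...' and comment out host")
    if keys.get("bind_policy", "hard") != "soft":  # nss_ldap's default is hard
        findings.append("bind_policy is not soft: set 'bind_policy soft' (see the BUG ALERT)")
    return findings

def parse_pam_line(line):
    """Return (type, control, module, args); bracketed controls may contain spaces."""
    toks = line.split()
    if toks[1].startswith("["):
        end = next(i for i, t in enumerate(toks) if t.endswith("]"))
        control, rest = " ".join(toks[1:end + 1]), toks[end + 1:]
    else:
        control, rest = toks[1], toks[2:]
    return toks[0], control, rest[0], rest[1:]

def audit_pam_stack(text):
    rules = [parse_pam_line(l) for l in _lines(text)]
    findings = []
    for i, (_typ, control, module, _args) in enumerate(rules):
        jump = re.search(r"success=(\d+)", control)
        # success=N skips N modules; there must be a module after those to land on
        if jump and i + int(jump.group(1)) + 1 >= len(rules):
            findings.append(f"line {i + 1}: {module} {control} jumps past the end of the stack; "
                            "add a module to land on (e.g. pam_permit.so)")
        if control == "sufficient" and any(r[1] == "required" for r in rules[i + 1:]):
            findings.append(f"line {i + 1}: sufficient {module} skips the required modules after it")
    return findings

if __name__ == "__main__":
    print(audit_nsswitch(BAD_NSSWITCH), audit_ldap_conf(BAD_LDAP_CONF),
          audit_pam_stack(BAD_ACCOUNT), audit_pam_stack(BAD_AUTH), sep="\n")
```

The functions only read text, so they can be run on copies pulled from a client, for example audit_pam_stack(open("/etc/pam.d/common-account").read()). Note that the page's own common-auth (sufficient pam_ldap.so followed by required pam_unix.so) triggers the last check; that is exactly the situation the README asks you to be careful with.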
Name Service

In /etc/nsswitch.conf replace compat with files ldap for both the passwd and group entries so you get something like this:

    passwd: files ldap
    group:  files ldap

There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap

Because the nscd daemon caches the lookup results, you need to restart it:

    $ /etc/init.d/nscd restart

Now you can test the configuration:

    $ getent passwd

or

    $ getent group

You should see lines that look like they've come straight out of /etc/passwd. These are the lines published by your LDAP server. If you do, the Name Service (NSS) side of the job is done. If not, check /etc/libnss-ldap.conf for typos.

If your setup requires a password to connect to the LDAP server, don't forget to put that password into /etc/libnss-ldap.secret. Don't use sudo when editing this file or leave it open while testing. If you save with a typo, it could mean that you can't access your server anymore.

BUG ALERT: Make sure /etc/libnss-ldap.conf has "bind_policy soft". If it's not there, a nasty bug with udev can arise at boot-time. It's also a good idea to shorten the timeouts there. You should probably also make this change in /etc/pam_ldap.conf.

PAM

There are four central files that control PAM's use of LDAP: common-account, common-auth, common-password and common-session. They are located in /etc/pam.d. For details, see the pam(7) manpage.

Edit /etc/pam.d/common-account to look like this:

    account sufficient pam_ldap.so
    account required pam_unix.so

Edit /etc/pam.d/common-auth to look like this:

    auth required pam_group.so use_first_pass
    auth sufficient pam_ldap.so
    auth required pam_unix.so nullok_secure use_first_pass

Edit /etc/pam.d/common-password to look like this:

    password sufficient pam_ldap.so
    password required pam_unix.so nullok obscure min=4 max=8 md5

You can test if it's working using ssh (assuming nickf is a ldap user):

    ssh nickf@localhost

PAM: Stronger Passwords (Optional)

You might be interested in libpam-cracklib (see InstallingSoftware). To activate it you'll need to edit /etc/pam.d/common-password:
    password required pam_cracklib.so retry=3 minlen=6 difok=3
    password sufficient pam_ldap.so use_authtok
    password required pam_unix.so use_authtok use_first_pass

Edit /etc/pam.d/common-session and add pam_ldap.so, like this:

    session optional pam_foreground.so
    session required pam_unix.so
    session sufficient pam_ldap.so

PAM: Home directory creation (optional)

Edit the common-session file again:

    session required pam_unix.so
    session required pam_mkhomedir.so skel=/etc/skel/
    session optional pam_ldap.so
    session optional pam_foreground.so

Again, you can test local groups using ssh (assuming nickf is a ldap user):

    ssh nickf@localhost

Option: Caching Name Service directories

In order to prevent network slowdown or outage from preventing user name lookup and thus login, you can use the nss-updatedb package to create a local database of the user names, and in conjunction use libpam-ccreds to cache credentials locally. This can be particularly useful on laptops. Please refer to PamCcredsHowto for complete instructions. PamCcredsHowto shows a much simpler way to run this daily, but if you want to run it every hour, then please use the code below. Below is a script for running nss_updatedb hourly. Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following:

    #!/bin/bash
    # Refresh the local NSS database from LDAP; exit if a previous run is still alive.
    LOCK=/var/run/auth-update.cron
    [ "$1" != "0" ] && [ -f "$LOCK" ] && [ -d /proc/"$(cat "$LOCK")" ] && exit 0
    echo $$ > "$LOCK"
    # Sleep a random time (up to $1 seconds, default one hour) so that many
    # clients do not hit the server at the same moment.
    RANGE=3600
    [ "$1" != "" ] && RANGE=$1
    SLEEP=$RANDOM
    [ "$RANGE" != "0" ] && let "SLEEP %= $RANGE" || SLEEP=0
    sleep "$SLEEP"
    # Retry every 10 seconds until nss_updatedb succeeds.
    go=true
    while $go
    do
        /usr/sbin/nss_updatedb ldap
        [ $? -eq 0 ] && go=false
        [ "$go" == "true" ] && sleep 10
    done
    rm "$LOCK"
    exit 0

Notes for 7.10 and later

There is a new tool since 7.10 to modify the pam and nsswitch files at once: AuthClientConfig. There is now a meta-package ldap-auth-client which will install all the following required packages for an ldap client: auth-client-config ldap-auth-config libnss-ldap libpam-ldap
You can use that tool by running:

    sudo auth-client-config -a -p lac_ldap

to reflect the changes handled on this page. Read more about it in this thread: http://ubuntuforums.org/showthread.php?t=597056

If the lac_ldap option fails (as it did on my 8.10 system) the following settings were successful. Using your favorite text editor, edit the following config: /etc/auth-client-config/profile.d/open_ldap and paste the following into it:

    [open_ldap]
    nss_passwd=passwd: files ldap
    nss_group=group: files ldap
    nss_shadow=shadow: files ldap
    nss_netgroup=netgroup: files ldap
    pam_auth=auth required pam_env.so
            auth sufficient pam_unix.so likeauth nullok
            #for ldap users to be placed in local groups such as fuse, plugdev, scanner etc ...
            #the following line (containing pam_group.so) must be placed before pam_ldap.so
            auth required pam_group.so
            auth sufficient pam_ldap.so use_first_pass
            auth required pam_deny.so
    pam_account=account sufficient pam_unix.so
            account sufficient pam_ldap.so
            account required pam_deny.so
    pam_password=password sufficient pam_unix.so nullok md5 shadow
            password sufficient pam_ldap.so use_first_pass
            password required pam_deny.so
    pam_session=session required pam_limits.so
            session required pam_mkhomedir.so skel=/etc/skel/
            session required pam_unix.so
            session optional pam_ldap.so

Now to activate that pam profile run the following command:

    auth-client-config -a -p open_ldap

To assign local groups to domain (ldap) users do the following: Using your favorite text editor, edit the following config: /etc/security/group.conf and add the following to the end of the file (note you can determine which groups to add to this line by logging in as a local user and using the 'groups' command):

    *;*;*;Al0000-2400;fuse,plugdev,scanner,audio,video,cdrom,floppy,dip

You should now have local groups showing up for users logging in via gdm and ssh ('su username' did not give these groups on my system). Note that I did not have to edit the gdm, sshd, or login files in /etc/pam.d/ as they include a call to @include common-auth, giving them the pam_group.so line in the proper order (before pam_ldap.so). These settings will also cause domain (ldap) users to become members of local groups so that local devices needing fuse, plugdev, scanner etc. membership will work properly. For example: if you are having problems with automounting of usb drives the pam_group.so option is likely your problem.

You can test local groups using ssh (assuming nickf is a ldap user):

    ssh nickf@localhost

Once you are logged in as a ldap user you can see your groups with the 'id' or 'groups' command:

    nickf@ubuntu-ltsp:~$ id
    uid=10178(nickf) gid=512(Domain Admins) groups=24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),107(fuse),512(Domain Admins),544(Administrators),10000(Teachers)
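To see what a group.conf line such as the one above actually grants, here is an added Python model of pam_group's matching (example code, not pam_group's own). The conf text includes the page's line plus a constructed second line, and the sessions it evaluates (service, tty, user, weekday, time) are made up. It implements the general syntax of the file rather than just the all-wildcard line: the five fields services;ttys;users;times;groups, '|' and '&' logical lists, '!' negation, day codes including the toggle rule (AlMo is every day except Monday) and time ranges that wrap past midnight.

```python
"""Which local groups would pam_group add to a session, given a
/etc/security/group.conf?  Added example, not pam_group's code; the second
conf line and the sessions tried below are constructed."""
import re

GROUP_CONF = """\
# line from this page: every service, tty and user, around the clock
*;*;*;Al0000-2400;fuse,plugdev,scanner,audio,video,cdrom,floppy,dip
# constructed extra line: ssh logins on weekdays in office hours, never root
sshd;*;!root;Wk0800-1800;developers
"""

DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

def logical_match(field, pred):
    """Evaluate a pam_group logical list: a|b is OR, a&b is AND, !a is NOT."""
    def term(t):
        negate = t.startswith("!")
        return pred(t.lstrip("!")) != negate
    return any(all(term(t) for t in conj.split("&")) for conj in field.split("|"))

def time_matches(spec, weekday, hhmm):
    """spec like Al0000-2400 or MoTuWe0900-1700; weekday has Monday=0.
    A day code given twice is toggled off (AlMo = every day but Monday);
    a range whose end precedes its start wraps past midnight."""
    if spec == "*":
        return True
    m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", spec)
    if not m:
        raise ValueError(f"bad time spec {spec!r}")
    days = set()
    for i in range(0, len(m.group(1)), 2):
        days ^= DAYS[m.group(1)[i:i + 2]]
    start, end = int(m.group(2)), int(m.group(3))
    in_range = start <= hhmm < end if start <= end else (hhmm >= start or hhmm < end)
    return weekday in days and in_range

def parse_group_conf(text):
    """Return (services, ttys, users, times, [groups]) per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"malformed group.conf line: {raw!r}")
        services, ttys, users, times, groups = fields
        entries.append((services, ttys, users, times,
                        [g.strip() for g in groups.split(",") if g.strip()]))
    return entries

def extra_groups(conf_text, service, tty, user, weekday, hhmm):
    """Groups pam_group adds to this session, in conf order, without duplicates."""
    granted = []
    for services, ttys, users, times, groups in parse_group_conf(conf_text):
        if (logical_match(services, lambda t: t in ("*", service))
                and logical_match(ttys, lambda t: t in ("*", tty))
                and logical_match(users, lambda t: t in ("*", user))
                and logical_match(times, lambda t: time_matches(t, weekday, hhmm))):
            granted.extend(g for g in groups if g not in granted)
    return granted

if __name__ == "__main__":
    for svc, who, wd, hm in [("gdm", "nickf", 2, 1030), ("sshd", "nickf", 2, 1030),
                             ("sshd", "root", 2, 1030), ("sshd", "nickf", 5, 1030)]:
        print(svc, who, wd, hm, "->", extra_groups(GROUP_CONF, svc, "pts/0", who, wd, hm))
```

The page's all-wildcard line grants the device groups to everyone, which is the intended effect for desktops; the constructed second line shows how the same file can restrict a group to a service, a set of users and a time window, which is how you would keep a group such as developers off console logins outside office hours.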
Host-based Authentication

Host based authentication allows you to restrict who can log into a machine that uses LDAP for authentication. There are two methods to enforce host-based authentication: the first is to use libpam-ldap, the second method is to use an LDAP pam_filter.

libpam-ldap authentication

Libpam-ldap requires that you use the host attribute. The package documentation includes a schema which provides this attribute, located at /usr/share/doc/libpam-ldap/ldapns.schema, which can be added to slapd.conf if needed. Basically you add an attribute to each LDAP user's record that includes the hostnames that they are allowed to log in to. Each client system then checks this field against its own hostname and either allows or denies login based upon the attribute field. To populate that attribute, you can use a web tool such as phpldapadmin, or you can create a modification LDIF such as:

    dn: uid=user_to_change,ou=Users,dc=example,dc=com
    changetype: modify
    add: host
    host: thehostname

The hostname should match the output from the hostname command. Make the change using:

    ldapmodify -H ldaps://ldapserver -D "cn=admin,dc=example,dc=com" -x -W -f your_file.ldif

On the client side, simply modify /etc/ldap.conf (or other appropriate configuration file as defined in pam.d) to include the line:

    pam_check_host_attr yes

Warning: /etc/nsswitch.conf should *not* contain "ldap" in the "shadow" entry, or host-based authentication will always succeed. See /usr/share/doc/libpam-ldap/ for additional information.

Using the pam_check_host_attr directive to enforce host authentication has the effect that users are explicitly informed they are not permitted to access the host with an error message: Access denied for this host.

pam_filter authentication

Using the pam_filter directive in /etc/ldap.conf it is possible to force PAM to only accept accounts with attributes of our choosing. As an example using the libpam-ldap host attribute, we can create a filter which matches thehostname or * in /etc/ldap.conf:

    pam_filter |(host=thehostname)(host=\*)

Another example using Gosa's accessTo and trustModel attributes would look like the following:

    pam_filter |(&(accessTo=thehostname)(trustModel=byhost))(trustModel=fullaccess)

Users who are not permitted access to the host will receive no error; instead PAM responds as if they have entered an incorrect password. When in doubt, check the slapd logs on the server.

Warning: Another example (?) using Gosa's accessTo and trustModel attributes with hostGroups grants? This is totally undocumented and probably it is the key feature to introduce an open solution like this one in a corporation. Any idea? (I apologize for the misuse of the wiki): ???
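As an added example (not pam_ldap's code), the following Python evaluates both host-based methods from this section against a constructed set of directory entries. It parses the page's pam_filter expressions as LDAP search filters and applies them the way pam_ldap does, ANDed with the uid lookup (the wrapping (&(uid=...)(...)) is assumed here; it is why the page's pam_filter values carry no outer parentheses), and it applies the host attribute comparison used by pam_check_host_attr, treating a literal '*' value as "any host", as the page's own filter does. The parser distinguishes the escaped \* written on the page (a literal asterisk) from a bare *, which is a presence test that would let any user with some host value through; it also escapes the user name before splicing it into the filter, which is what keeps a login name from being interpreted as filter syntax.

```python
"""Evaluate the host-based rules this section describes: an LDAP pam_filter
and the libpam-ldap host attribute.  Added example, not pam_ldap's code;
the directory entries are constructed samples."""
import re

# Constructed entries: attribute names lower-cased, values kept as lists.
DIRECTORY = [
    {"uid": ["alice"], "host": ["thehostname"]},
    {"uid": ["bob"], "host": ["otherhost"]},
    {"uid": ["carol"], "host": ["*"]},          # literal '*' means any host
    {"uid": ["dave"]},                          # no host attribute at all
    {"uid": ["erin"], "accessto": ["thehostname"], "trustmodel": ["byhost"]},
    {"uid": ["frank"], "trustmodel": ["fullaccess"]},
]

def _escape(value):
    """RFC 4515 escaping for a value spliced into a filter (pam_ldap escapes the user name)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()" else c for c in value)

def _pattern(value):
    """Split an assertion value into literal segments around unescaped '*'.
    Both '\\*' (as written on this page) and RFC 4515 '\\2a' are a literal '*'."""
    segs, cur, i = [], "", 0
    while i < len(value):
        c = value[i]
        if c == "\\":
            hexpair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
                cur, i = cur + chr(int(hexpair, 16)), i + 3
            else:
                cur, i = cur + value[i + 1], i + 2
            continue
        if c == "*":
            segs.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    segs.append(cur)
    return segs

def _parse(s, i):
    """Recursive descent over the (&...) (|...) (!...) (attr=value) subset."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return ("and" if op == "&" else "or", kids), i + 1
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated (!...)")
        return ("not", kid), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    return ("eq", s[i:eq].lower(), _pattern(s[eq + 1:close])), close + 1

def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _value_matches(segs, value):
    v, segs = value.lower(), [s.lower() for s in segs]
    if len(segs) == 1:                       # no wildcard: plain equality
        return v == segs[0]
    if not (v.startswith(segs[0]) and v.endswith(segs[-1])):
        return False
    pos = len(segs[0])
    for mid in segs[1:-1]:                   # inner segments must appear in order
        pos = v.find(mid, pos)
        if pos < 0:
            return False
        pos += len(mid)
    return pos <= len(v) - len(segs[-1])

def evaluate(node, entry):
    if node[0] == "and":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "or":
        return any(evaluate(k, entry) for k in node[1])
    if node[0] == "not":
        return not evaluate(node[1], entry)
    _, attr, segs = node
    return any(_value_matches(segs, v) for v in entry.get(attr, []))

def pam_allows(entries, uid, pam_filter):
    """pam_filter lacks outer parentheses because pam_ldap wraps it as
    (&(uid=<user>)(<pam_filter>)) -- assumed here, not quoted from pam_ldap."""
    node = parse_filter(f"(&(uid={_escape(uid)})({pam_filter}))")
    return any(evaluate(node, e) for e in entries)

def host_attr_allows(entry, hostname):
    """pam_check_host_attr: host must list this hostname or a literal '*'."""
    return any(v == "*" or v.lower() == hostname.lower() for v in entry.get("host", []))

HOST_FILTER = r"|(host=thehostname)(host=\*)"
GOSA_FILTER = "|(&(accessTo=thehostname)(trustModel=byhost))(trustModel=fullaccess)"

if __name__ == "__main__":
    for e in DIRECTORY:
        uid = e["uid"][0]
        print(uid, pam_allows(DIRECTORY, uid, HOST_FILTER),
              pam_allows(DIRECTORY, uid, GOSA_FILTER), host_attr_allows(e, "thehostname"))
```

Run against the constructed directory, alice and carol pass the page's host filter, bob and dave do not; with the backslash dropped, bob passes too, because (host=*) only asks whether the attribute is present. Either way, a user without the attribute (dave) is denied, which is the safe default the Warning above depends on.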
Credits

Some of the information used in this document was found on this page.

- pam(7) manpage
- An alternate directory server authentication HOWTO
- KRB5+LDAP Authentication

LDAPClientAuthentication (last edited 2010-07-15 11:59:45 by Guido Serra)