Linux Ubuntu OpenLDAP client authentication


This guide covers authenticating Ubuntu Gutsy (7.10) or a later release (Hardy, Intrepid, Jaunty, etc.) against an OpenLDAP directory server on a Linux network.

Install the required LDAP packages:

aptitude install auth-client-config libpam-ldap libnss-ldap

A configuration screen will appear:

Should use debconf -> YES
URI -> ldapi:///LDAP_SERVER_IP (e.g. ldapi:///192.168.1.4)
DISTINGUISHED NAME -> dc=localdomain,dc=local (e.g. dc=example,dc=com)
LDAP VERSION -> 3
LOCAL ROOT DB ADMIN -> YES
DOES DB REQUIRE LOGIN -> NO
LDAP ACCOUNT -> cn=admin,dc=localdomain,dc=local (e.g. cn=admin,dc=example,dc=com)
LDAP root account password -> PASSWORD
My understanding is that this should configure the /etc/ldap.conf file, which now acts as central control. However, it doesn't work anyway.

vi /etc/ldap.conf

Change:

host 127.0.0.1

to, for example:

host 192.168.1.2

Change:

base = padl….

to (matching the distinguished name given to debconf above):

base dc=localdomain,dc=local (e.g. base dc=example,dc=com)

Then uncomment:

#bind_policy hard

and change it to:

bind_policy soft

Now, because there is another ldap.conf at /etc/ldap/ldap.conf, I duplicated it:

cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.bak
cp /etc/ldap.conf /etc/ldap/ldap.conf

Create a new LDAP profile:

vi /etc/auth-client-config/profile.d/open_ldap

and paste this into it:

[open_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
#the following line (containing pam_group.so) must be placed before pam_ldap.so
#for ldap users to be placed in local groups such as fuse, plugdev, scanner, etc ...
        auth       required     pam_group.so use_first_pass
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password   sufficient   pam_unix.so nullok md5 shadow
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_mkhomedir.so skel=/etc/skel/
        session    required     pam_unix.so
        session    optional     pam_ldap.so

This is an improvement on the default LDAP setup because pam_mkhomedir.so creates a home directory on login if one doesn't exist. I authenticate LDAP before files because, in order to access USB sticks, the "on the fly" assignment method doesn't work. To fix this, an LDAP user in the plugdev group is used.

Then execute this to enable the above config:

auth-client-config -a -p open_ldap

Now, for on-the-fly group assignment for all users on login, paste:

auth optional pam_group.so

into the top of both /etc/pam.d/gdm AND /etc/pam.d/login. It is
important to place it first, because PAM stops processing the stack
once a sufficient module succeeds, so a pam_group.so line placed later
would never be reached for those users.
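The two ordering rules above (pam_group.so before pam_ldap.so, and pam_group.so ahead of any sufficient module) are easy to get wrong when hand-editing PAM stacks. The following checker is an added example, not part of the original post or of auth-client-config; it parses PAM-style lines and reports those mistakes, using the guide's own auth stack as constructed sample input.

```python
import re
from typing import List, Tuple

# Constructed sample: the 'auth' lines of the open_ldap profile shown in this guide.
GUIDE_AUTH_STACK = """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_group.so use_first_pass
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
"""

# Constructed sample: the same stack with the guide's extra line placed first,
# as the text recommends for /etc/pam.d/gdm and /etc/pam.d/login.
FIXED_AUTH_STACK = "auth optional pam_group.so\n" + GUIDE_AUTH_STACK

PAM_LINE = re.compile(r"^(auth|account|password|session)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam_stack(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (type, control, module, args) for every effective PAM line;
    blank lines and '#' comments are skipped, as PAM itself skips them."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return entries

def check_auth_order(text: str) -> List[str]:
    """Flag the ordering mistakes in an 'auth' stack that this guide warns about."""
    auth = [e for e in parse_pam_stack(text) if e[0] == "auth"]
    modules = [e[2] for e in auth]
    problems = []
    if "pam_group.so" in modules:
        first_group = modules.index("pam_group.so")
        # A 'sufficient' module that succeeds ends the stack, so a pam_group.so
        # placed after it never runs for the users that module accepts.
        if any(e[1] == "sufficient" for e in auth[:first_group]):
            problems.append("a sufficient module precedes pam_group.so; put pam_group.so first")
        if "pam_ldap.so" in modules and first_group > modules.index("pam_ldap.so"):
            problems.append("pam_group.so comes after pam_ldap.so; LDAP users miss local groups")
    for i, (_, control, module, _) in enumerate(auth):
        # A required/requisite pam_deny.so makes the stack fail whatever follows it.
        if module == "pam_deny.so" and control in ("required", "requisite") and i != len(auth) - 1:
            problems.append("lines after pam_deny.so cannot change the result; the stack already fails")
    return problems
```

Run against the guide's profile stack it reports the sufficient pam_unix.so line ahead of pam_group.so, which is exactly why the post adds pam_group.so at the top of gdm and login.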

References: https://help.ubuntu.com/community/LDAPClientAuthentication
