LDAP authentication based on the virtual core¶
Ubuntu¶
apt-get install libpam-ldap ldap-utils
ldap-utils is recommended (it provides ldapsearch for testing the connection), not required.
During the package configuration you will be asked for your LDAP URI (use ldaps://your-server, port 636, so that passwords never cross the network in the clear) and your base DN. You will probably want to allow users to change their passwords (this writes to the LDAP server). Unless your directory refuses anonymous lookups, answer that the LDAP database does not require login, so no bind DN or password is stored on the client.
This changes the PAM configuration under /etc/pam.d. It also writes the pam_ldap settings to /etc/ldap.conf.
If you are using your own certificate authority, add the authority's certificate by setting the TLS_CACERT parameter in /etc/ldap/ldap.conf (the OpenLDAP client file, which is separate from /etc/ldap.conf). Be careful with reconfiguration: dpkg-reconfigure ldap-auth-config regenerates /etc/ldap.conf from the debconf answers, so re-check any manual changes to that file afterwards.
Finally do
pam-auth-update
And you should be done
https://wiki.debian.org/LDAP/PAM
To restrict which LDAP accounts may log in, set pam_filter in /etc/ldap.conf; the filter is ANDed with the uid lookup, so for example pam_filter objectClass=posixAccount, or a filter on a group membership attribute, makes non-matching users unable to authenticate through pam_ldap. This limits PAM only; NSS lookups are not affected by it.
CentOS 5¶
We do this manually
Make sure openldap-clients and nss_ldap are installed
Copy your CA certificate to /etc/openldap/cacerts
Make sure /etc/ldap.conf has (among other things):
URI ldaps://PATH_TO_YOUR_LDAP_SERVER
BASE your_base
pam_password exop
ssl on
port 636
tls_cacertfile /etc/openldap/cacerts/cacert.pem
Make sure /etc/openldap/ldap.conf has (among other things):
URI ldaps://PATH_TO_YOUR_LDAP_SERVER
BASE your_base
TLS_CACERT /etc/openldap/cacerts/cacert.pem
Edit /etc/nsswitch.conf so that the passwd, group and shadow lines include ldap (e.g. passwd: files ldap)
Edit at least /etc/pam.d/system-auth and add the following lines, each after the pam_unix.so line of the same stack (use_first_pass and use_authtok reuse the password pam_unix already prompted for):
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
Restart nscd
CentOS 6¶
Install openldap-clients, sssd, pam_ldap and nss-pam-ldapd
Make sure sssd is running
In /etc/nsswitch.conf use sss instead of ldap (on the passwd, group and shadow lines)
Here is an example of a sssd.conf file:
[sssd]
domains = LDAP
services = nss
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[domain/LDAP]
enumerate = true
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = YOUR_SERVER
ldap_search_base = YOUR_BASE
ldap_uri should be an ldaps:// URI, as in the other sections. enumerate = true makes sssd download the full user and group lists (needed if getent passwd is to list LDAP users) and is expensive on a large directory; cache_credentials = TRUE lets already-seen users log in while the server is unreachable. sssd refuses to start unless sssd.conf is owned by root with mode 0600.
Copy your CA certificate to /etc/openldap/cacerts, and point sssd at it with ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem in the [domain/LDAP] section; otherwise sssd falls back to the libldap defaults for finding the CA.
Make sure /etc/pam_ldap.conf has (among other things):
URI ldaps://PATH_TO_YOUR_LDAP_SERVER
BASE your_base
pam_password exop
ssl on
port 636
tls_cacertfile /etc/openldap/cacerts/cacert.pem
Make sure /etc/openldap/ldap.conf has (among other things):
URI ldaps://PATH_TO_YOUR_LDAP_SERVER
BASE your_base
TLS_CACERT /etc/openldap/cacerts/cacert.pem
Edit at least /etc/pam.d/system-auth and add the following lines, each after the pam_unix.so line of the same stack (use_first_pass and use_authtok reuse the password pam_unix already prompted for):
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
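The three sections above all come down to the same three files: a pam_ldap-style /etc/ldap.conf or /etc/pam_ldap.conf, the OpenLDAP client /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on Ubuntu), and, for CentOS 6, sssd.conf. The POSIX sh script below is an added example, not code from this page nor from pam_ldap, nss_ldap or sssd: it lints each file for the settings that decide whether a password can leave the host unencrypted or be sent to an unverified server (an ldaps:// URI, a readable CA file, and peer verification not switched off), and for the 0600 mode sssd insists on. The sample files it writes under a temporary directory are constructed for the example; ldap.example.org and the empty cacert.pem are placeholders, not a real server or certificate.

```shell
#!/bin/sh
# Added example, not code from the page or from pam_ldap/sssd: lint the
# client files this page has you edit for the settings that decide whether
# passwords cross the network in the clear. Each checker takes a path,
# prints one line per problem and returns 0 only if it found none.

# First value of a "key value" line in $1 (key $2, matched case-insensitively).
kv() { awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"; }

# Value of "key = value" ($2) inside the [domain/...] sections of sssd.conf $1.
ini_domain() {
    awk -v k="$2" '
        /^\[/ { in_dom = ($0 ~ /^\[domain\//); next }
        in_dom && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# pam_ldap / nss_ldap style file (/etc/ldap.conf, /etc/pam_ldap.conf).
check_pam_ldap_conf() {
    f=$1 rc=0
    uri=$(kv "$f" uri)
    case $uri in
        ldaps://*) ;;
        *) echo "$f: URI must be ldaps://, got '${uri:-none}'"; rc=1 ;;
    esac
    ca=$(kv "$f" tls_cacertfile)
    if [ -z "$ca" ]; then
        echo "$f: tls_cacertfile not set"; rc=1
    elif [ ! -r "$ca" ]; then
        echo "$f: tls_cacertfile $ca is not readable"; rc=1
    fi
    # Unset tls_checkpeer defers to libldap's TLS_REQCERT; an explicit "no"
    # accepts any certificate, which makes the CA file pointless.
    if [ "$(kv "$f" tls_checkpeer)" = no ]; then
        echo "$f: tls_checkpeer no disables server verification"; rc=1
    fi
    return $rc
}

# OpenLDAP client file (/etc/openldap/ldap.conf or /etc/ldap/ldap.conf).
check_openldap_conf() {
    f=$1 rc=0
    ca=$(kv "$f" tls_cacert)
    if [ -z "$ca" ]; then
        echo "$f: TLS_CACERT not set"; rc=1
    elif [ ! -r "$ca" ]; then
        echo "$f: TLS_CACERT $ca is not readable"; rc=1
    fi
    # libldap defaults to TLS_REQCERT demand; never/allow ignore bad certs.
    case "$(kv "$f" tls_reqcert)" in
        never|allow) echo "$f: TLS_REQCERT must be demand (or unset)"; rc=1 ;;
    esac
    return $rc
}

# sssd.conf: [domain/...] must use ldaps://, must not relax ldap_tls_reqcert,
# and the file must be mode 0600 or sssd refuses to start.
check_sssd_conf() {
    f=$1 rc=0
    uri=$(ini_domain "$f" ldap_uri)
    case $uri in
        ldaps://*) ;;
        *) echo "$f: ldap_uri must be ldaps://, got '${uri:-none}'"; rc=1 ;;
    esac
    case "$(ini_domain "$f" ldap_tls_reqcert)" in
        never|allow) echo "$f: ldap_tls_reqcert must not be never/allow"; rc=1 ;;
    esac
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    if [ "$mode" != 600 ]; then
        echo "$f: mode $mode, sssd requires 0600"; rc=1
    fi
    return $rc
}

# Constructed sample files so the checks run offline; ldap.example.org and
# the empty cacert.pem are placeholders, not a real server or certificate.
TMP=$(mktemp -d)
: > "$TMP/cacert.pem"
GOOD_PAM=$TMP/ldap.conf BAD_PAM=$TMP/ldap-bad.conf
printf 'URI ldaps://ldap.example.org\nBASE dc=example,dc=org\npam_password exop\nssl on\nport 636\ntls_cacertfile %s/cacert.pem\n' "$TMP" > "$GOOD_PAM"
printf 'URI ldap://ldap.example.org\nBASE dc=example,dc=org\ntls_checkpeer no\n' > "$BAD_PAM"
GOOD_OPENLDAP=$TMP/openldap.conf BAD_OPENLDAP=$TMP/openldap-bad.conf
printf 'URI ldaps://ldap.example.org\nTLS_CACERT %s/cacert.pem\n' "$TMP" > "$GOOD_OPENLDAP"
printf 'URI ldaps://ldap.example.org\nTLS_REQCERT never\n' > "$BAD_OPENLDAP"
GOOD_SSSD=$TMP/sssd.conf BAD_SSSD=$TMP/sssd-bad.conf
printf '[sssd]\ndomains = LDAP\n[domain/LDAP]\nid_provider = ldap\nldap_uri = ldaps://ldap.example.org\nldap_search_base = dc=example,dc=org\n' > "$GOOD_SSSD"
printf '[domain/LDAP]\nldap_uri = ldap://ldap.example.org\nldap_tls_reqcert = never\n' > "$BAD_SSSD"
chmod 600 "$GOOD_SSSD"; chmod 644 "$BAD_SSSD"

# In real use pass the live paths instead of the samples.
for f in "$GOOD_PAM" "$BAD_PAM"; do check_pam_ldap_conf "$f" && echo "$f: ok"; done
for f in "$GOOD_OPENLDAP" "$BAD_OPENLDAP"; do check_openldap_conf "$f" && echo "$f: ok"; done
for f in "$GOOD_SSSD" "$BAD_SSSD"; do check_sssd_conf "$f" && echo "$f: ok"; done
```

Once the live files pass, confirm the path end to end rather than trusting the files: getent passwd with an LDAP user name shows NSS is resolving through nss_ldap, nslcd or sssd (restart nscd, nslcd or sssd, whichever the section uses, if it does not), and ldapsearch -x -H ldaps://PATH_TO_YOUR_LDAP_SERVER -b your_base -D with that user's DN and -W proves the TLS chain and the bind before PAM is involved, so a later login failure can be pinned on the PAM stack alone.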
CentOS 7¶
needs review
Follow the CentOS 5 instructions, with these caveats:
On CentOS 7 install nss-pam-ldapd instead of nss_ldap; it provides nslcd
The LDAP server settings go in /etc/nslcd.conf (uri ldaps://..., base, ssl on, tls_cacertfile ...) instead of /etc/ldap.conf
Make sure nslcd is started (and enabled at boot)
Check whether /etc/pam.d/system-auth is the only PAM file that needs the pam_ldap lines: on CentOS 7 sshd uses /etc/pam.d/password-auth, which needs them too
Alternatively let authconfig do the PAM and NSS edits:
- authconfig --enableldap --enableldapauth --ldapserver=ldap://ldap.YOUR-DOMAIN:389/ --ldapbasedn="BASE-DN" --enablecache --disablefingerprint --kickstart
As written this uses plain ldap:// on port 389, so passwords would cross the network unencrypted; use ldaps://ldap.YOUR-DOMAIN:636/ with the CA certificate installed as above, to match the rest of this page. authconfig rewrites /etc/pam.d/system-auth-ac and password-auth-ac, so do not combine it with the manual PAM edits; pick one method.