There are tons of guides on how to use PAM to link your Debian box to LDAP; this is just another one, made as simple as possible.
Configure access to a Debian machine using PAM and LDAP
We assume here that you already have an LDAP server up, running and configured.
When configuring or re-configuring libnss-ldap and libpam-ldap it is always better to run dpkg-reconfigure on the package than to edit the files by hand, since the right services are then restarted automatically and your answers stay in the debconf database for the next upgrade.
Install the needed modules:
apt-get install ldap-utils libpam-ldap libnss-ldap nscd
Configuring libnss-ldap
Sarge
enable automatic configuration updates by debconf yes
LDAP server host address yourldap.com
distinguished name of the search base o=yourorganization
LDAP version to use 1 (the debconf menu offers 1 = LDAP version 3, 2 = LDAP version 2; pick version 3)
database requires login no
make configuration readable/writeable by owner only yes
Etch
LDAP server Uniform Resource Identifier: ldap://yourldap.com
Distinguished name of the search base: o=yourbase
LDAP version to use: 1 (the debconf menu offers 1 = LDAP version 3, 2 = LDAP version 2; pick version 3)
Does the LDAP database require login? no
Special LDAP privileges for root? no
Make the configuration file readable/writeable by its owner only? yes
Configuring nss
Edit the file /etc/nsswitch.conf so that the three account databases consult LDAP:
passwd: ldap compat
group: ldap compat
shadow: ldap compat
Note the order: with ldap listed first, every lookup (root's included) goes to the LDAP server before the local files, so a dead server slows down logins and even local commands. If you want local accounts to stay authoritative and to keep working while the server is unreachable, list ldap after compat instead.
Configuring pam_ldap
Sarge
LDAP Server host. yourldap.com
The distinguished name of the search base. dc=whatever
LDAP version to use. 1 (= LDAP version 3)
Make local root Database admin. no
Database requires logging in. no
Local crypt to use when changing passwords. 2 (from the menu 1. clear 2. crypt 3. nds 4. ad 5. exop 6. md5)
This answer becomes the pam_password setting in /etc/pam_ldap.conf. With crypt, pam_ldap hashes the new password with crypt(3) on the client and writes the hash into userPassword; with clear it writes the plaintext value, which OpenLDAP stores as-is; exop uses the LDAP password modify extended operation (RFC 3062), so the server applies its own hashing policy, which is why it is the usual choice for OpenLDAP servers.
Etch
LDAP server Uniform Resource Identifier: ldap://yourldap.com
Distinguished name of the search base: dc=whatever
LDAP version to use: 1 (= LDAP version 3)
Make local root Database admin. no
Does the LDAP database require login? no
Local crypt to use when changing passwords. 2 (crypt; the menu is the same as for Sarge: 1. clear 2. crypt 3. nds 4. ad 5. exop 6. md5)
Editing pam configuration files
Add to /etc/pam.d/common-account, before the existing pam_unix.so line (sufficient lines only short-circuit the stack when they come before the required ones):
account sufficient pam_ldap.so
Add to /etc/pam.d/common-auth, again before the pam_unix.so line:
auth sufficient pam_ldap.so
and append use_first_pass to that pam_unix.so line, otherwise a user rejected by pam_ldap is prompted for the password a second time by pam_unix.
Add to /etc/pam.d/common-password, before the pam_unix.so line:
password sufficient pam_ldap.so
Add to /etc/pam.d/common-session, before the pam_unix.so line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_ldap.so
pam_mkhomedir.so is a session module that creates the home directory on a user's first login, so it belongs with the other session lines rather than in common-account; keep it required and first so that the directory exists before the rest of the session runs.
If you want to restrict which LDAP accounts may log in, set pam_filter in /etc/pam_ldap.conf to an LDAP filter. Write it without its outer parentheses, because pam_ldap ANDs it with the uid match, producing (&(uid=<user>)(<pam_filter>)):
pam_filter |(uid=oneuser)(uid=anotheruser)(objectclass=specialAccount)
This only limits authentication through pam_ldap; libnss-ldap still resolves every entry under the search base, so users outside the filter remain visible to getent and to file ownership, they just cannot log in.
REMEMBER TO RESTART NSCD AND SSH EVERY TIME YOU CHANGE SOMETHING! nscd caches passwd, group and host lookups, so a stale cache will happily hide your change.
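To check the result of the steps above before trusting the box, here is an added example (not from the original post): a small POSIX shell script with one check per thing that goes wrong in practice. It assumes the Sarge/Etch file layout used above (/etc/pam.d/common-*, /etc/nsswitch.conf, /etc/pam_ldap.conf) and takes every file as an argument, so it can be run against copies; the files written by its demo function are constructed for the demo and are not real configuration.

```shell
#!/bin/sh
# Post-configuration checks for a Debian PAM/LDAP setup (added example, not from
# the post). Assumes the Sarge/Etch layout; every function takes the file to
# inspect as an argument. Needs only POSIX sh, grep, sed, stat and mktemp.

# pam_stack_ok FILE KIND   (KIND is auth, account, password or session)
# Succeeds when "KIND sufficient pam_ldap.so" appears BEFORE the first pam_unix.so
# line of the same kind. If pam_unix.so (required) comes first it has already
# failed the stack for an LDAP-only user before pam_ldap.so is consulted.
pam_stack_ok() {
    file=$1 kind=$2
    ldap_at=$(grep -nE "^$kind[[:space:]]+sufficient[[:space:]]+pam_ldap\.so" "$file" | head -n 1 | cut -d: -f1)
    unix_at=$(grep -nE "^$kind[[:space:]]+[^[:space:]]+[[:space:]]+pam_unix\.so" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$ldap_at" ] && [ -n "$unix_at" ] && [ "$ldap_at" -lt "$unix_at" ]
}

# auth_single_prompt FILE
# Succeeds when the pam_unix.so line in common-auth carries use_first_pass or
# try_first_pass, so a password rejected by pam_ldap is reused by pam_unix
# instead of the user being prompted a second time.
auth_single_prompt() {
    grep -E '^auth[[:space:]]+.*pam_unix\.so.*(use|try)_first_pass' "$1" >/dev/null
}

# mkhomedir_ok FILE
# Succeeds when common-session carries pam_mkhomedir.so as a required session module.
mkhomedir_ok() {
    grep -E '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' "$1" >/dev/null
}

# nsswitch_has_ldap FILE
# Succeeds when passwd, group and shadow all list ldap as a source.
nsswitch_has_ldap() {
    for db in passwd group shadow; do
        grep -E "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" >/dev/null || return 1
    done
}

# secrets_file_ok FILE
# Succeeds unless FILE holds a bind password (bindpw/rootbindpw) while being
# readable by group or others. Answering "yes" to the debconf question about
# owner-only permissions gives mode 0600; this catches a hand edit that undid it.
secrets_file_ok() {
    grep -E '^(root)?bindpw[[:space:]]' "$1" >/dev/null || return 0
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ]
}

# ldap_filter_escape VALUE
# RFC 4515 escaping of the characters that would otherwise let a login name such
# as 'x)(uid=*' rewrite the search filter. pam_ldap escapes the user name before
# substituting it; anything you splice into pam_filter by hand needs the same.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldap_auth_filter PAM_FILTER USER
# Prints the search filter pam_ldap sends for USER: with pam_filter set it wraps
# "(&(uid=USER)(PAM_FILTER))" around it, which is why pam_filter is written
# without its outer parentheses. uid is the default pam_login_attribute.
ldap_auth_filter() {
    user=$(ldap_filter_escape "$2")
    if [ -n "$1" ]; then
        printf '(&(uid=%s)(%s))\n' "$user" "$1"
    else
        printf '(uid=%s)\n' "$user"
    fi
}

# Demo against constructed files (NOT real /etc contents); run as: sh check.sh demo
demo() {
    t=$(mktemp -d)
    printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so nullok_secure use_first_pass\n' > "$t/common-auth"
    printf 'passwd: ldap compat\ngroup: ldap compat\nshadow: ldap compat\n' > "$t/nsswitch.conf"
    printf 'bindpw secret\n' > "$t/pam_ldap.conf"; chmod 644 "$t/pam_ldap.conf"
    pam_stack_ok "$t/common-auth" auth   && echo "common-auth: pam_ldap before pam_unix"
    auth_single_prompt "$t/common-auth"  && echo "common-auth: single password prompt"
    nsswitch_has_ldap "$t/nsswitch.conf" && echo "nsswitch.conf: ldap listed for passwd/group/shadow"
    secrets_file_ok "$t/pam_ldap.conf"   || echo "pam_ldap.conf: bind password readable by others, chmod 600 it"
    ldap_auth_filter '|(uid=oneuser)(uid=anotheruser)(objectclass=specialAccount)' oneuser
    rm -rf "$t"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the functions against the real files as root once the packages are configured; the escaping helper is there because pam_filter values are pasted into a filter verbatim, so any part built from user-controlled data must be escaped the way pam_ldap escapes the login name.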