This isn’t the gospel way, but this will get things up and running.
Install Packages
sudo apt-get install libnss-ldapd libpam-ldapd
Installing those packages will ask a few questions. If you aren’t sure what to put, just accept the defaults. We’ll replace the configs in the next steps anyway.
Install the SSL certificate
Install the SSL certificate for the LDAP server to /etc/ssl/certs/servername.pem
Configure /etc/nslcd.conf
Open up /etc/nslcd.conf in an editor and configure the following (this is a very minimal example):
uid nslcd
gid nslcd
uri ldaps://ldapserver.orgname.net
base dc=ldapsvr,dc=orgname,dc=net
ldap_version 3
timelimit 60
bind_timelimit 30
ssl on
tls_cacertfile /etc/ssl/certs/servername.pem
tls_reqcert demand
# This is handy for pointing home directories somewhere else on the system:
#map passwd homeDirectory "/home/$uid"
The default nslcd.conf file on your system will be decently commented for other options.
If your LDAP server is Apple Open Directory:
Don’t bother with rootbinddn and things to get password changes to work. Open Directory no longer stores passwords in LDAP, Apple uses PasswordService, so this won’t work anyway. Maybe in the future (shakes fist @ Apple).
A word about nscd
nscd will try to cache service requests. Unfortunately, it’s kind of infamously quirky for a lot of folks. I’ve had a number of experiences where lookups fail when it’s running. That said, I leave it disabled. If you run into problems with failed lookups or other such bizarre things, I suggest disabling it.
In any event, if it’s running and you’ve just set up your nslcd.conf, you’ll need to restart it:
/etc/init.d/nscd restart
Edit /etc/nsswitch.conf
This was probably already set up for you by libnss-ldapd. Just make sure /etc/nsswitch.conf is looking at ldap for the relevant entries; it should look like the following:
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
aliases:        ldap
netgroup:       nis
Verify
Execute the following:
getent passwd
You should get a whole slew of users from the LDAP directory.
Additionally, execute the following:
id <your LDAP username>
You should see the appropriate LDAP info for your user – your UID and groups.
Configure PAM
Open up /etc/pam.d/common-auth and enable the ignore_authinfo_unavail option for pam_ldap.so:
auth [success=1 default=ignore] pam_ldap.so use_first_pass ignore_authinfo_unavail
Do the same for common-password:
password [success=1 default=ignore] pam_ldap.so try_first_pass ignore_authinfo_unavail
This tells PAM to skip the pam_ldap module when the LDAP server is unreachable. Without it, you’ll likely be “locked out” of the system if your LDAP server is unavailable (even from a local console login); at minimum, you’ll likely have a very delayed login and session.
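The settings configured in the steps above are easy to get subtly wrong (a cleartext uri with tls_reqcert left at a permissive value, a database in nsswitch.conf that never consults ldap, a pam_ldap.so line without ignore_authinfo_unavail). The script below is an added example, not code from the original post: it audits copies of nslcd.conf, nsswitch.conf and a PAM common-auth file for exactly those points. The file paths are parameters, and the fixtures written by demo() are constructed for illustration rather than taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the three files configured above
# for the settings that decide whether TLS is actually verified and whether an
# unreachable LDAP server locks you out. Paths are parameters so the checks can
# run against copies or the constructed fixtures in demo() below.

# First value of a keyword in a "keyword value" style config (nslcd.conf).
opt() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | head -n 1
}

# nslcd.conf: transport must be TLS (ldaps:// or ssl start_tls), and the server
# certificate must be validated (tls_reqcert demand) against a pinned CA file.
check_nslcd_conf() {
    conf="$1"; status=0
    uri=$(opt uri "$conf")
    case "$uri" in
        ldaps://*) ;;
        *) [ "$(opt ssl "$conf")" = "start_tls" ] ||
               { echo "$conf: uri '$uri' is cleartext and ssl is not start_tls"; status=1; } ;;
    esac
    [ "$(opt tls_reqcert "$conf")" = "demand" ] ||
        { echo "$conf: tls_reqcert should be demand"; status=1; }
    [ -n "$(opt tls_cacertfile "$conf")" ] ||
        { echo "$conf: tls_cacertfile is not set"; status=1; }
    return $status
}

# nsswitch.conf: passwd, group and shadow must list ldap as a source.
check_nsswitch() {
    conf="$1"; status=0
    for db in passwd group shadow; do
        sources=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$conf" | head -n 1)
        case " $sources " in
            *" ldap "*) ;;
            *) echo "$conf: $db does not consult ldap (sources: '$sources')"; status=1 ;;
        esac
    done
    return $status
}

# PAM: every active pam_ldap.so line must carry ignore_authinfo_unavail, so that a
# dead LDAP server degrades to local-only logins instead of a lockout.
check_pam_ldap() {
    conf="$1"
    active=$(grep -v '^[[:space:]]*#' "$conf" | grep 'pam_ldap\.so' || true)
    if [ -z "$active" ]; then
        echo "$conf: no pam_ldap.so line found"; return 1
    fi
    bad=$(printf '%s\n' "$active" | grep -v 'ignore_authinfo_unavail' || true)
    if [ -n "$bad" ]; then
        echo "$conf: pam_ldap.so without ignore_authinfo_unavail:"; echo "$bad"; return 1
    fi
    return 0
}

# Constructed fixtures (not taken from a real host): the configuration from this
# post next to a weakened variant, an nsswitch.conf missing ldap for shadow, and
# a correct common-auth line.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/nslcd.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://ldapserver.orgname.net
base dc=ldapsvr,dc=orgname,dc=net
ssl on
tls_cacertfile /etc/ssl/certs/servername.pem
tls_reqcert demand
EOF
    cat > "$dir/nslcd-weak.conf" <<'EOF'
uri ldap://ldapserver.orgname.net
base dc=ldapsvr,dc=orgname,dc=net
tls_reqcert never
EOF
    printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat\n' > "$dir/nsswitch.conf"
    printf 'auth [success=1 default=ignore] pam_ldap.so use_first_pass ignore_authinfo_unavail\n' > "$dir/common-auth"
    for f in nslcd.conf nslcd-weak.conf; do
        check_nslcd_conf "$dir/$f" && echo "$f: ok"
    done
    check_nsswitch "$dir/nsswitch.conf" && echo "nsswitch.conf: ok"
    check_pam_ldap "$dir/common-auth" && echo "common-auth: ok"
    rm -rf "$dir"
}

demo
```

Run against a live host with `check_nslcd_conf /etc/nslcd.conf`, `check_nsswitch /etc/nsswitch.conf` and `check_pam_ldap /etc/pam.d/common-auth` (and again for common-password). Each function returns non-zero and prints what it found, so the three calls can be chained in a configuration-management check.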
Other stuff
The above will get you up and running. There’s a lot more you can configure to have much more granular and special settings on a server, but those are outside the scope of this document.
Do note, by default, PAM will not create home directories for LDAP users. So when you log in as an LDAP user that doesn’t have a home directory on the local machine, you’ll get a (harmless) error. This can be configured in the appropriate PAM configs.
Also note, it’s a good idea to lock SSHD down to a specific list of groups. Check for the AllowGroups directive in /etc/ssh/sshd_config.
For example:
AllowGroups adm admin unixadmins
In this example, I’m letting members of the local groups adm and admin log in via SSH, as well as members of my unixadmins LDAP group.
Keep in mind, if you’re setting this up on a web server that end-users use with SFTP, you’ll need to allow them as well. For example, you might add those users to an LDAP group called sftpusers or something.
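To see who the AllowGroups line above actually lets in before locking people out, here is an added example (not code from the original post) that emulates sshd’s group checks against a given sshd_config: DenyGroups is evaluated before AllowGroups, an AllowGroups list admits only members of a listed group, sshd keeps the first occurrence of a keyword, and group names may be patterns with * and ?, which is more general than the plain names used above. It reads the main file only and ignores Match blocks, a deliberate simplification; the user’s group list is a parameter so it can be fed `$(id -Gn user)` on a real host. The sshd_config fragment and user/group combinations in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: work out whether sshd would let a
# user in under the AllowGroups/DenyGroups directives of a given sshd_config.
# Main file only (Match blocks ignored, a deliberate simplification); the group
# list is a parameter, e.g. "$(id -Gn "$user")" on a live host.

# First value of a keyword in sshd_config: sshd keeps the first occurrence it reads,
# and keywords are case-insensitive. Commented-out lines do not match.
sshd_opt() {
    grep -i "^[[:space:]]*$1[[:space:]]" "$2" | head -n 1 |
        sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//'
}

# Does any of the user's groups match any pattern in the list? sshd patterns use
# * and ?, which the shell's case statement understands natively.
group_matches() {
    patterns="$1"; groups="$2"; found=1
    set -f      # keep * and ? in the patterns from expanding against the filesystem
    for g in $groups; do
        for p in $patterns; do
            case "$g" in $p) found=0 ;; esac
        done
    done
    set +f
    return $found
}

# sshd evaluates DenyGroups before AllowGroups; with an AllowGroups list present,
# only members of a listed group may log in. Without either, nobody is filtered.
ssh_login_allowed() {
    conf="$1"; groups="$2"
    deny=$(sshd_opt DenyGroups "$conf")
    allow=$(sshd_opt AllowGroups "$conf")
    if [ -n "$deny" ] && group_matches "$deny" "$groups"; then
        return 1
    fi
    if [ -n "$allow" ]; then
        group_matches "$allow" "$groups"
        return $?
    fi
    return 0
}

# Constructed sshd_config fragment (the groups from this post plus a wildcard for
# SFTP groups) and constructed users with their group lists.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
Port 22
PasswordAuthentication no
DenyGroups nologin
AllowGroups adm admin unixadmins sftp*
EOF
    for entry in "alice:alice users unixadmins" "bob:bob users www-data" \
                 "carol:carol adm nologin" "dave:dave sftpusers"; do
        user=${entry%%:*}; groups=${entry#*:}
        if ssh_login_allowed "$conf" "$groups"; then
            echo "$user: allowed (groups: $groups)"
        else
            echo "$user: denied  (groups: $groups)"
        fi
    done
    rm -f "$conf"
}

demo
```

In the constructed run, alice (unixadmins) and dave (sftpusers, via sftp*) are allowed, bob has no listed group and is denied, and carol is denied despite being in adm because DenyGroups wins. On a real host, `ssh_login_allowed /etc/ssh/sshd_config "$(id -Gn alice)"` answers the same question for an LDAP user once getent and id are working.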
For some more info on SSH hardening, see this document.
ldapd vs ldap
In this document, I installed libnss-ldapd and libpam-ldapd (note the trailing ‘d’). On Debian derivatives, there’s also the “classic” libpam-ldap and libnss-ldap.
From Debian’s wiki (emphasis is mine):
There are currently two packages available to configure NSS lookups through LDAP: the libnss-ldap package and the libnss-ldapd package. Which one to choose depends on the needs. In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex. Also libnss-ldap has some known issues with serving host information and lookups during boot which should be addressed in libnss-ldapd. In addition, libnss-ldap breaks setuid programs (su, sudo) when using LDAP+SSL (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579647).
I haven’t run into any issues using libnss-ldapd over libnss-ldap. In fact, it has the obvious immediate benefit of working with sudo when using LDAP+SSL (maybe this is fixed by now).