LDAP client
From Grid5000
LDAP is used to manage user accounts. Therefore, nsswitch and pam need to be tailored to query the correct LDAP server, for the login/uidNumber lookup and for authentication respectively. Moreover, it is quite useful to have the standard LDAP tools work out of the box with the Grid'5000 servers. This page explains how to achieve this.
NSS
NSS (Name Service Switch) matches names and values. For user management, it matches the uidNumber to the login.
Correct configuration for user management requires that /etc/nsswitch.conf falls back to the LDAP backend when a lookup in the local files finds nothing:
passwd: files ldap
group: files ldap
shadow: files ldap
NSS-LDAP on Debian
Installing the LDAP bindings for NSS on Debian:
apt-get install libnss-ldap
The binding configuration is the same as the LDAP library configuration:
ln -sf /etc/ldap/ldap.conf /etc/libnss-ldap.conf
NSS-LDAP on Redhat/Fedora
Installing the LDAP bindings for NSS on Redhat/Fedora:
yum install nss_ldap
The binding configuration already uses the LDAP library configuration file /etc/ldap.conf.
PAM
PAM (Pluggable Authentication Modules) can authenticate users by matching login and passwords.
To configure PAM to use LDAP for account management, your PAM configuration should contain at least the following lines:
account  sufficient pam_unix.so
account  sufficient pam_ldap.so
account  required   pam_deny.so
auth     sufficient pam_unix.so nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
password sufficient pam_ldap.so
password sufficient pam_unix.so nullok md5 obscure min=6 max=8
password required   pam_deny.so
session  required   pam_unix.so
Description of some parts of the configuration:
- use_first_pass makes all authentication methods reuse the same password, so it is requested only once.
- pam_unix is called before pam_ldap in case the LDAP server fails.
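The following shell script is an added example and is not part of this page or of Grid'5000's tooling. It reads a PAM configuration (for instance /etc/pam.d/common-auth on Debian or /etc/pam.d/system-auth on Redhat/Fedora) on standard input and checks the properties described above: each of the auth, account and password groups ends with "required pam_deny.so", pam_unix.so precedes pam_ldap.so in the auth and account groups, and the auth pam_ldap.so line carries use_first_pass. The two sample stacks embedded in it are constructed for the demonstration; the first is the stack given above, the second has deliberate defects.

```shell
#!/bin/sh
# pam_lint: report deviations from the PAM stack recommended on this page.
# Reads PAM configuration text on stdin, prints one line per finding,
# returns 0 when nothing was found and 1 otherwise.
# Usage: pam_lint < /etc/pam.d/common-auth
pam_lint() {
    awk '
    # drop comments and lines too short to be "group control module"
    { sub(/#.*/, ""); if (NF < 3) next }
    {
        grp = $1; ctl = $2; mod = $3
        order[grp] = order[grp] " " mod        # module names in stack order
        last_ctl[grp] = ctl; last_mod[grp] = mod
        if (grp == "auth" && mod == "pam_ldap.so") {
            ldap_auth_seen = 1
            for (i = 4; i <= NF; i++) if ($i == "use_first_pass") ufp = 1
        }
    }
    END {
        rc = 0
        split("auth account password", groups, " ")
        for (g = 1; g <= 3; g++) {
            grp = groups[g]
            if (!(grp in order)) { print "missing group: " grp; rc = 1; continue }
            # the page terminates every group with an explicit deny
            if (last_ctl[grp] != "required" || last_mod[grp] != "pam_deny.so") {
                print grp ": stack does not end with \"required pam_deny.so\""
                rc = 1
            }
            u = index(order[grp], " pam_unix.so")
            l = index(order[grp], " pam_ldap.so")
            if (u == 0 || l == 0) {
                print grp ": both pam_unix.so and pam_ldap.so are expected"; rc = 1
            } else if (grp != "password" && u > l) {
                # only auth and account put pam_unix first on this page
                print grp ": pam_ldap.so is consulted before pam_unix.so"; rc = 1
            }
        }
        if (ldap_auth_seen && !ufp) {
            print "auth: pam_ldap.so lacks use_first_pass (password prompted twice)"; rc = 1
        }
        exit rc
    }'
}

# Constructed sample: the stack recommended on this page.
good_stack() {
cat <<'EOF'
account  sufficient pam_unix.so
account  sufficient pam_ldap.so
account  required   pam_deny.so
auth     sufficient pam_unix.so nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
password sufficient pam_ldap.so
password sufficient pam_unix.so nullok md5 obscure min=6 max=8
password required   pam_deny.so
session  required   pam_unix.so
EOF
}

# Constructed sample with three defects: pam_ldap before pam_unix in account,
# no pam_deny terminator in auth, and no use_first_pass on the auth pam_ldap line.
bad_stack() {
cat <<'EOF'
account  sufficient pam_ldap.so
account  sufficient pam_unix.so
account  required   pam_deny.so
auth     sufficient pam_unix.so nullok
auth     sufficient pam_ldap.so
password sufficient pam_ldap.so
password sufficient pam_unix.so nullok md5 obscure min=6 max=8
password required   pam_deny.so
EOF
}
```

Run "good_stack | pam_lint" and "bad_stack | pam_lint" to see the two outcomes; the second prints three findings and exits non-zero, which makes the function usable in a configuration-management check.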
PAM-LDAP on Debian
Installing the LDAP bindings for PAM:
apt-get install libpam-ldap
The binding configuration is the same as the LDAP library configuration:
ln -sf /etc/ldap/ldap.conf /etc/pam_ldap.conf
On Debian, the files describing the PAM configuration related to the LDAP client configuration are:
/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/pam.d/common-password
/etc/pam.d/common-session
PAM-LDAP on Redhat/Fedora
PAM-LDAP was installed together with NSS-LDAP.
The binding configuration already uses the LDAP library configuration file /etc/ldap.conf.
On Redhat/Fedora, the file describing the PAM configuration related to the LDAP client configuration is:
/etc/pam.d/system-auth
LDAP
Here is the LDAP client configuration /etc/ldap.conf to use with the reference server implementation:
# LDAP server
base dc=grid5000,dc=fr
uri ldaps://ldap.site.grid5000.fr/
ldap_version 3
# NSS
nss_base_group dc=grid5000,dc=fr
# PAM
pam_password md5
pam_filter objectclass=posixAccount
pam_min_uid 9000
pam_max_uid 0
# TLS/SSL
tls_cacert /path/to/ca-cert.pem
tls_reqcert demand
Note: the CA certificate is the same as in the reference server configuration and is common to all Grid'5000 sites.
LDAP on Debian
Installing the LDAP library on Debian:
apt-get install libldap2
Installing the LDAP client tools (ldapsearch, ...) on Debian (not required):
apt-get install ldap-utils
LDAP on RedHat/Fedora
Installing the LDAP library on RedHat/Fedora:
yum install openldap
Installing the LDAP client tools (ldapsearch, ...) on RedHat/Fedora (not required):
yum install openldap-clients
If installed, configuring the LDAP client tools on RedHat/Fedora:
ln -sf /etc/ldap.conf /etc/openldap/ldap.conf
NSCD
NSCD (Name Service Cache Daemon) is required to avoid hammering the LDAP server.
Please read the page dedicated to this service to learn how to install and configure it.
Global configuration on Redhat/Fedora
Under Redhat/Fedora, you can configure LDAP using authconfig, either interactively or in batch mode. In both cases, a log is stored under /etc/sysconfig/authconfig. For batch-mode configuration, the correct parameters are:
authconfig --kickstart --enableldap --enableldapauth --enableldaptls --ldapserver ldap.site.grid5000.fr --ldapbasedn "dc=grid5000,dc=fr"
Batch-mode warning
In batch mode, the new configuration will overwrite the existing versions of the following files:
/etc/nsswitch.conf
/etc/pam.d/system-auth
/etc/ldap.conf
/etc/openldap/ldap.conf
The modifications made to the two versions of ldap.conf are identical; therefore, if one of them is a link to the other, the changes are applied twice to the same file, and the result has been found to be insufficient.
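An added check, not from this page or from authconfig, to run before batch-mode authconfig: it tells whether two configuration paths are in fact the same file (one a symlink to the other, or a hard link) and, if so, replaces the alias by an independent copy so that each file is rewritten exactly once. It assumes a shell whose test builtin supports the -ef operator (bash and dash do). The demonstration works on constructed files in a temporary directory and never touches /etc.

```shell
#!/bin/sh
# same_file A B: 0 when A and B are the same file, 1 when distinct,
# 2 when either path does not exist.
same_file() {
    [ -e "$1" ] && [ -e "$2" ] || return 2
    [ "$1" -ef "$2" ]
}

# unalias_conf CANONICAL ALIAS: if ALIAS is just another name for CANONICAL,
# turn it into an independent copy (same content and mode) so that a tool
# rewriting both paths edits two files rather than one file twice.
# Real use: unalias_conf /etc/ldap.conf /etc/openldap/ldap.conf
unalias_conf() {
    if same_file "$1" "$2"; then
        rm -f "$2" && cp -p "$1" "$2"
    fi
}

# Constructed demonstration: a symlinked pair in a temporary directory.
# Prints "aliased distinct": aliased before unalias_conf, distinct after.
demo() {
    d=$(mktemp -d) || return 1
    printf 'base dc=grid5000,dc=fr\n' > "$d/ldap.conf"
    ln -s "$d/ldap.conf" "$d/openldap-ldap.conf"
    if same_file "$d/ldap.conf" "$d/openldap-ldap.conf"; then before=aliased; else before=distinct; fi
    unalias_conf "$d/ldap.conf" "$d/openldap-ldap.conf"
    if same_file "$d/ldap.conf" "$d/openldap-ldap.conf"; then after=aliased; else after=distinct; fi
    rm -rf "$d"
    echo "$before $after"
}
```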
Interactive-mode warning
In interactive mode, you might also change other files such as /etc/passwd or /etc/shadow if you make a mistake.
F.A.Q.
ldapsearch works and /etc/ldap/ldap.conf seems to be correct, but NSS does not connect to the LDAP server
This issue appears on version libnss-ldap 258-1ubuntu3.
To debug, first add the following to /etc/ldap/ldap.conf:
nss_connect_policy oneshot
debug 3
bind_policy hard_init
With this configuration you get debug output, and NSS retries the connection to the LDAP server even if the initial connection failed. You should now see that NSS tries to connect to the LDAP server but WITHOUT SSL:
ldap_connect_to_host: Trying 192.168.133.213:389
To solve this issue, just add to /etc/ldap/ldap.conf
ssl on
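The script below is an added example, not part of this page or of Grid'5000's tooling. It lints an ldap.conf for the transport-security points raised in the LDAP section and in this FAQ entry: a uri that is not ldaps:// must be paired with "ssl on" or "ssl start_tls", tls_reqcert must be demand (or its synonym hard) so the server certificate is verified, tls_cacert must be set for that verification to succeed, and it notes when an ldaps:// uri lacks an explicit "ssl on" or when a debug level is still enabled. The two embedded configurations are constructed samples: the first reproduces the reference client configuration given above (with its placeholder CA path), the second is deliberately weak.

```shell
#!/bin/sh
# ldapconf_lint: read an ldap.conf on stdin, print findings, return 1 if any
# finding (lines starting with "note:" are informational and do not fail).
# Usage: ldapconf_lint < /etc/ldap.conf
ldapconf_lint() {
    awk '
    { sub(/#.*/, ""); if (NF < 1) next }
    { key = tolower($1) }
    key == "uri"         { for (i = 2; i <= NF; i++) { n_uri++; if ($i ~ /^ldaps:\/\//) n_ldaps++ } }
    key == "ssl"         { ssl = tolower($2) }
    key == "tls_reqcert" { reqcert = tolower($2) }
    key == "tls_cacert"  { cacert = $2 }
    key == "debug"       { dbg = $2 + 0 }
    END {
        rc = 0
        if (n_uri == 0) {
            print "no uri directive"; rc = 1
        } else if (n_ldaps < n_uri && ssl != "on" && ssl != "start_tls") {
            # bind passwords would cross the network in cleartext
            print "cleartext: an ldap:// uri is used without \"ssl on\" or \"ssl start_tls\""; rc = 1
        } else if (n_ldaps == n_uri && ssl == "") {
            # the FAQ above shows an NSS module ignoring the ldaps scheme
            print "note: ldaps:// uri without explicit \"ssl on\"; confirm with debug output that NSS does not fall back to port 389"
        }
        if (reqcert == "") {
            print "tls_reqcert not set; set it to demand"; rc = 1
        } else if (reqcert != "demand" && reqcert != "hard") {
            print "tls_reqcert " reqcert ": the server certificate is not verified"; rc = 1
        }
        if (cacert == "") { print "tls_cacert not set; certificate verification cannot succeed"; rc = 1 }
        if (dbg > 0) print "note: debug " dbg " left enabled; remove it once the problem is solved"
        exit rc
    }'
}

# Constructed sample: the reference client configuration from this page.
reference_conf() {
cat <<'EOF'
# LDAP server
base dc=grid5000,dc=fr
uri ldaps://ldap.site.grid5000.fr/
ldap_version 3
# PAM
pam_password md5
pam_filter objectclass=posixAccount
# TLS/SSL
tls_cacert /path/to/ca-cert.pem
tls_reqcert demand
EOF
}

# Constructed weak sample: plain ldap://, no CA, certificate checks disabled.
weak_conf() {
cat <<'EOF'
base dc=grid5000,dc=fr
uri ldap://ldap.site.grid5000.fr/
ldap_version 3
tls_reqcert never
EOF
}
```

"reference_conf | ldapconf_lint" exits 0 and prints only the informational note about "ssl on"; "weak_conf | ldapconf_lint" prints three findings and exits 1.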
