LDAP client

From Grid5000

LDAP is used to manage user accounts. Therefore, nsswitch and pam need to be tailored to query the correct LDAP server, for login/uidNumber matching and for authentication respectively. Moreover, it is quite useful to have the standard LDAP tools work out of the box with the Grid'5000 servers. This page explains how to achieve this.


NSS

NSS (Name Service Switch) matches names and values. For user management, it matches the uidNumber to the login.

For user management, /etc/nsswitch.conf must fall back to the LDAP backend when a lookup in the local files finds nothing:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

NSS-LDAP on Debian

Installing the LDAP bindings for NSS on Debian:

apt-get install libnss-ldap

The binding configuration is the same as the LDAP library configuration:

ln -sf /etc/ldap/ldap.conf /etc/libnss-ldap.conf

NSS-LDAP on Redhat/Fedora

Installing the LDAP bindings for NSS on Redhat/Fedora:

yum install nss_ldap

The binding configuration already uses the LDAP library configuration file /etc/ldap.conf.

PAM

PAM (Pluggable Authentication Modules) authenticates users by checking a login against its password.

To configure PAM to use LDAP for account management, your PAM configuration should at least have the following information:

account sufficient      pam_unix.so
account sufficient      pam_ldap.so
account required        pam_deny.so

auth    sufficient      pam_unix.so nullok
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so

password sufficient     pam_ldap.so
password sufficient     pam_unix.so nullok md5 obscure min=6 max=8
password required       pam_deny.so

session  required       pam_unix.so

Description of some parts of the configuration:

  • use_first_pass makes pam_ldap reuse the password already entered for pam_unix, so the password is only requested once.
  • pam_unix is called before pam_ldap so that local accounts can still log in if the LDAP server fails.
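To make the behaviour of the stack above concrete, here is an added example (not part of the Grid'5000 page) that models how Linux-PAM walks an "auth" stack built only from the two control flags the page uses, "sufficient" and "required". Module outcomes are supplied as a dictionary, so the cases the page cares about (local account, LDAP account, LDAP server down) can be checked offline without touching PAM or LDAP.

```python
# Added example, not from the Grid'5000 page: a small model of how Linux-PAM
# evaluates the "auth" stack shown above.  Only the control flags used on
# the page ("sufficient" and "required") are modelled.

# Return codes, with the values Linux-PAM uses.
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_AUTHINFO_UNAVAIL = 9
PAM_USER_UNKNOWN = 10

# The "auth" stack from the page, in order: (control flag, module).
AUTH_STACK = [
    ("sufficient", "pam_unix.so"),   # local /etc/shadow is tried first
    ("sufficient", "pam_ldap.so"),   # then LDAP, reusing the same password
    ("required", "pam_deny.so"),     # explicit, portable fail-closed default
]

def run_stack(stack, outcomes):
    """Return the stack's final PAM code given each module's own result.

    outcomes maps module name -> PAM_* code.  pam_deny.so is not looked up:
    it always fails (PAM_AUTH_ERR in the auth stack)."""
    verdict = None  # None: no module has decided yet
    for control, module in stack:
        if module == "pam_deny.so":
            rc = PAM_AUTH_ERR
        else:
            rc = outcomes.get(module, PAM_USER_UNKNOWN)
        if control == "sufficient":
            # Success ends the stack with PAM_SUCCESS unless a 'required'
            # module already failed; failure of a sufficient module is ignored.
            if rc == PAM_SUCCESS and verdict is None:
                return PAM_SUCCESS
        elif control == "required":
            # The first failure is remembered, but later modules still run.
            if rc != PAM_SUCCESS and verdict is None:
                verdict = rc
        else:
            raise ValueError("control flag not modelled: " + control)
    # Linux-PAM fails closed when no module produced a verdict; pam_deny.so
    # at the end of the stack makes that refusal explicit.
    return PAM_PERM_DENIED if verdict is None else verdict

def authenticate(unix_result, ldap_result):
    """Evaluate AUTH_STACK for one login attempt."""
    return run_stack(AUTH_STACK, {"pam_unix.so": unix_result,
                                  "pam_ldap.so": ldap_result})
```

The interesting case is a local account when the LDAP server is unreachable: pam_unix succeeds first and the stack never depends on pam_ldap, which is exactly why the page orders the modules this way.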

PAM-LDAP on Debian

Installing the LDAP bindings for PAM:

apt-get install libpam-ldap

The binding configuration is the same as the LDAP library configuration:

ln -sf /etc/ldap/ldap.conf /etc/pam_ldap.conf

On Debian, the files describing the PAM configuration related to the LDAP client are:

/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/pam.d/common-password
/etc/pam.d/common-session

PAM-LDAP on Redhat/Fedora

PAM-LDAP was installed in conjunction with NSS-LDAP.

The binding configuration already uses the LDAP library configuration file /etc/ldap.conf.

On Redhat/Fedora, the file describing the PAM configuration related to the LDAP client is:

/etc/pam.d/system-auth

LDAP

Here is the LDAP client configuration /etc/ldap.conf to use with the reference server implementation:

# LDAP server
base            dc=grid5000,dc=fr
uri             ldaps://ldap.site.grid5000.fr/
ldap_version    3

# NSS
nss_base_group  dc=grid5000,dc=fr

# PAM
pam_password    md5
pam_filter      objectclass=posixAccount
pam_min_uid     9000
pam_max_uid     0

# TLS/SSL
tls_cacert      /path/to/ca-cert.pem
tls_reqcert     demand

Note: the certificate is the same as in the reference server configuration and is common to all Grid'5000 sites.

LDAP on Debian

Installing the LDAP library on Debian:

apt-get install libldap2

Installing the LDAP client tools (ldapsearch, ...) on Debian (not required):

apt-get install ldap-utils

LDAP on RedHat/Fedora

Installing the LDAP library on RedHat/Fedora:

yum install openldap

Installing the LDAP client tools (ldapsearch, ...) on RedHat/Fedora (not required):

yum install openldap-clients

If they are installed, the LDAP client tools on RedHat/Fedora are pointed at the same configuration file with:

ln -sf /etc/ldap.conf /etc/openldap/ldap.conf

NSCD

NSCD (Name Service Cache Daemon) is required to avoid hammering the LDAP server.

Please read the page dedicated to this service to learn how to install and configure it.

Global configuration way on Redhat/Fedora

Under Redhat/Fedora, you can configure LDAP using authconfig, either interactively or in batch mode. In both cases, a log is stored under /etc/sysconfig/authconfig. For batch mode configuration, the correct parameters are:

authconfig --kickstart --enableldap --enableldapauth --enableldaptls --ldapserver ldap.site.grid5000.fr --ldapbasedn "dc=grid5000,dc=fr"

Batch-mode warning

In batch mode, the new configuration files will overwrite older versions of the following files:

/etc/nsswitch.conf
/etc/pam.d/system-auth
/etc/ldap.conf
/etc/openldap/ldap.conf

The modifications made to the two versions of ldap.conf are identical, so if one of them is a link to the other, the changes are applied twice to the same file; this has been found to be insufficient.

Interactive-mode warning

In interactive mode, you might also change other files such as /etc/passwd or /etc/shadow if you make a mistake.

F.A.Q.

ldapsearch works and /etc/ldap/ldap.conf seems to be correct, but NSS does not connect to the LDAP server

This issue appears with libnss-ldap version 258-1ubuntu3.

To debug, first add the following to /etc/ldap/ldap.conf:

nss_connect_policy oneshot
debug 3
bind_policy hard_init

With this configuration you get debug output, and NSS retries the connection to the LDAP server even if the initial connection failed. You should now see that NSS tries to connect to the LDAP server, but WITHOUT SSL:

ldap_connect_to_host: Trying 192.168.133.213:389

To solve this issue, add the following to /etc/ldap/ldap.conf:

ssl on
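The transport settings in the LDAP section above (ldaps:// uri, tls_cacert, tls_reqcert demand) and the "ssl on" fix from this F.A.Q. entry are the settings worth checking on every client. Here is an added example (not part of the Grid'5000 page) that parses the pam_ldap/nss_ldap style /etc/ldap.conf and reports the weaknesses a reviewer would look for; the sample configurations are constructed from the page, with the page's placeholder CA path kept as-is.

```python
# Added example, not from the Grid'5000 page: audit the transport-security
# settings of a pam_ldap/nss_ldap style /etc/ldap.conf ("key value" lines,
# '#' comments), including the F.A.Q. quirk (ldaps:// in uri but a clear-text
# connection to port 389 unless "ssl on" is also set).

def parse_ldap_conf(text):
    """Parse ldap.conf text into a dict of lower-cased key -> value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(text):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_ldap_conf(text)
    findings = []
    uses_ldaps = conf.get("uri", "").startswith("ldaps://")
    ssl = conf.get("ssl", "").lower()
    if not uses_ldaps and ssl != "start_tls":
        findings.append("clear text: uri is not ldaps:// and ssl is not start_tls")
    if uses_ldaps and ssl != "on":
        findings.append("ldaps:// uri without 'ssl on': libnss-ldap may still use port 389")
    if conf.get("tls_reqcert", "").lower() not in ("demand", "hard"):
        findings.append("tls_reqcert is not 'demand': server certificate not verified")
    if not conf.get("tls_cacert"):
        findings.append("no tls_cacert: nothing to verify the server certificate against")
    return findings

# Constructed sample: the page's /etc/ldap.conf plus the F.A.Q.'s "ssl on".
HARDENED_CONF = """
base            dc=grid5000,dc=fr
uri             ldaps://ldap.site.grid5000.fr/
ldap_version    3
ssl             on
# TLS/SSL
tls_cacert      /path/to/ca-cert.pem
tls_reqcert     demand
"""

# Constructed sample of a weak client: clear-text port 389, no verification.
WEAK_CONF = """
base            dc=grid5000,dc=fr
uri             ldap://ldap.site.grid5000.fr/
tls_reqcert     never
"""
```

Running audit_ldap_conf on the page's configuration without "ssl on" yields exactly the F.A.Q. finding, which is a convenient way to catch that quirk before NSS silently falls back to a clear-text connection.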