[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap authentication howto?



not sure exactly what your particular problem is, but here is from my
experience, for what it's worth...

you are running redhat, so this is a piece of cake.

- edit your openldap files
- create your custom schema (if any)
- migrate your system files to ldap

from that point on you don't have to change anything manually, not your
nsswitch.conf, not your pam files (unless you really want to)

redhat provides the authconfig utility that will do it all for you

- run authconfig, and choose Use LDAP, enter server and base dn
  (this edits your nsswitch.conf and /etc/ldap.conf)

- on the next screen, you can choose Use LDAP Authentication
  (this edits your /etc/pam.d/system-auth)

if you want, you can elect to use TLS for all your LDAP communication.
select that option via authconfig.  this adds a "ssl start_tls" line to
your /etc/ldap.conf.

for secure (TLS) pam/ldap, you also need to:

1. create a suitable self-signed certificate:
        cd /usr/share/ssl/certs
        make slapd.pem
	chown ldap.ldap slapd.pem
	chmod 0400 slapd.pem
2. uncommend the two TLS lines in the /etc/openldap/slapd.conf 

getting openldap utilities, like ldapsearch and ldapadd, to use starttls
with the server is more difficult with stock redhat rpms.  the latest RH
package seems broken in that respect.  when compiled with sasl, "-Z" and
"-ZZ" options yield a sasl error.  if you want to use your ldap utilities
over TLS, recompile openldap without sasl.  unless folks here have any
other suggestions.

as far as crypted passwords, i am not sure what you are asking.
slappasswd will encrypt a string in a variety of hash schemes.

--sasha


On Mon, May 28, 2001 at 05:21:10PM +0300, Peter Peltonen wrote:
> 
> There must be a FAQ or HOWTO about how to change my Linux box's authentication
> method to LDAP based?
> 
> I've managed to scatter a few pieces of information from here and there. Maybe
> someone could put together the puzzle for me :) 
> 
> Here's what I've got installed on my RH7.1 box:
> 
> --snip--
> openldap-2.0.7-14 (from RH7.1 CD)
> openldap-servers-2.0.7-14
> openldap-clients-2.0.7-14
> openldap-devel-2.0.7-14
> openldap12-1.2.11-4
> 
> pam-0.74-22 (from RH7.1 CD)
> pam_krb5-1.31-1
> pam-devel-0.74-22
> 
> pam_ldap-108-1 (from rpmfind.net)
> nss_ldap-126-1
> --snip--
> 
> I have my LDAP server (dc=fivetec,dc=com) running and I can add and modify
> entries with LDAPExplorer fine (except 8bit support).
> 
> I created a user named peter. I used padl.com's MigrationTool
> migrate_passwd.pl to convert my passwd db. I extracted the part regarding user
> peter to a separate ldif file:
> 
> --snip--
> dn: uid=peter,ou=People,dc=fivetec,dc=com
> uid: peter
> cn: peter
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}$1$euuT5nGM$F4rDeC4yX3QQPNCGYvSdI1
> shadowLastChange: 11470
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 500
> gidNumber: 500
> homeDirectory: /home/peter
> --snip--
> 
> Relying on the advice offered by LDAP-HOWTO I changed my /etc/pam.d/login to
> look like this:
> 
> --snip--
> 
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix_auth.so try_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix_acct.so
> password   required     /lib/security/pam_cracklib.so
> password   required     /lib/security/pam_ldap.so
> password   required     /lib/security/pam_pwdb.so use_first_pass
> session    required     /lib/security/pam_unix_session.so
> --snip--
> 
> and was it LDAP-Implementation-HOWTO that told me to change a part of my
> nsswitch.conf to look like this, I don't remember anymore:
> 
> --snip--
> passwd:     files ldap nisplus
> shadow:     files ldap nisplus
> group:      files ldap isplus
> --snip--
> 
> After that I used /usr/sbi/userdel to delete user peter from the passwd db.
> 
> I tried logging in with ssh -- didn't work. Here's what my secure log say:
> 
> --snip--
> May 28 17:15:09 jolo sshd[4104]: input_userauth_request: illegal user peter
> May 28 17:15:10 jolo sshd[4104]: Failed none for illegal user peter from
> 192.168.0.4 port 40450 ssh2
> May 28 17:15:12 jolo sshd[4104]: Failed password for illegal user peter from
> 192.168.0.4 port 40450 ssh2
> --snip--
> 
> As I'm using clear text passwds I changed user peter's userPassword to a clear
> text one with LDAPExplorer but that did not change the situation. 
> 
> What am I missing?
> 
> Do I have to edit some other files? Do I have to restart some services or
> reboot or something to get the system aware of the changes?
> 
> A bit lost here, 
> 
> Peter
> 
> PS. Some advice on how to get crypted passwords in use would be nice -- these
> things really should be in the FAQ!