
Re: Implementing LDAP for password authentication



> Has anyone got a how to on setting LDAP to do password authentication
> (we would like to replace good old buggy NIS)??? Any help would be
> greatly appreciated!!!

Actually, it's pretty straightforward. First, you need records like this 
one:
  dn: uid=<user>,ou=people,o=<organization>
  uid: <user>
  objectClass: account
  objectClass: posixAccount
  loginShell: /bin/bash
  uidNumber: 1000
  homeDirectory: /home/<user>
  gidNumber: 100
  cn: <Firstname> <Lastname>
  userPassword: <...blah...>
The migration tools that come with OpenLDAP will help you generate 
ldifs from your /etc/passwd file. You can use
  ldappasswd -x -ZZ -W -D "<root dn>" -S "<user dn>"
to change passwords.

Next, you need to tell OpenLDAP with whom to share this information. I 
use the following slapd.conf configuration directives
  password-hash   {MD5}
  access to attrs=userPassword
    by self write
    by * compare
  access to * by * read
Note that I store passwords MD5-hashed, and I don't allow mere mortals 
to read even the hashed passwords. This effectively implements shadow 
security.

If you are running RedHat, you can tell a machine to get user data 
from an LDAP database using setup.  What that effectively does is 
insert the line
  passwd: files ldap
into nsswitch.conf, and insert the lines
  host <ldapserver>
  base o=<organization>
  ssl yes
into ldap.conf. It wouldn't hurt to get shadow and group info from 
LDAP, too, but for that you'll have to put some more data into the 
database.

Now we are getting user data via LDAP, but we are still not 
authenticating via LDAP. On RedHat, you can also use the setup tool to 
configure that. Assuming you use PAM and pam_ldap, what you want to do 
is to add lines like
  auth    sufficient  /lib/security/pam_ldap.so use_first_pass
to the relevant files in pam.d. The necessary files are distributed 
with pam_ldap.  Any service that uses PAM for authentication can be 
made to use LDAP in this way. Finally, you probably want to add
  ssl yes
  pam_password exop
to ldap.conf, so that communications are encrypted and the LDAP 
database hashes all password changes. There is an incompatibility 
between OpenLDAP and the password change mechanism of old versions of 
pam_ldap, so be sure to get the very latest releases.

Hope that helps.
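As an added example, not part of the original mail and not the OpenLDAP migration tools themselves: a small POSIX shell function that turns /etc/passwd and /etc/shadow lines into LDIF entries of the shape shown above (account + posixAccount under ou=people). The base suffix o=example, the cutoff of uidNumber >= 1000 for "real" users, the {crypt} prefix on the shadow hash, and the sample accounts (including the hash string) are all constructed here for illustration.

```shell
#!/bin/sh
# Added example: hand-rolled equivalent of the OpenLDAP migration tools.
# Builds LDIF entries like the one in the mail from passwd + shadow data.

# passwd_to_ldif BASE_DN SHADOW_CONTENT < passwd-lines
# Emits one entry per account whose uid is >= 1000 (assumed cutoff for
# human users; system accounts stay in /etc/passwd). Locked or empty
# shadow hashes ('!' or '*' prefix) produce an entry without userPassword.
passwd_to_ldif() {
    base=$1
    shadow=$2
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        case $name in \#*) continue ;; esac
        [ "$uid" -ge 1000 ] || continue
        cn=${gecos%%,*}                 # drop GECOS office/phone fields
        [ -n "$cn" ] || cn=$name
        hash=$(printf '%s\n' "$shadow" | awk -F: -v u="$name" '$1 == u { print $2 }')
        printf 'dn: uid=%s,ou=people,%s\n' "$name" "$base"
        printf 'uid: %s\n' "$name"
        printf 'objectClass: account\n'
        printf 'objectClass: posixAccount\n'
        printf 'loginShell: %s\n' "$shell"
        printf 'uidNumber: %s\n' "$uid"
        printf 'homeDirectory: %s\n' "$home"
        printf 'gidNumber: %s\n' "$gid"
        printf 'cn: %s\n' "$cn"
        case $hash in
            ''|'!'*|'*'*) ;;            # no usable hash: leave password unset
            *) printf 'userPassword: {crypt}%s\n' "$hash" ;;   # assumed {crypt} scheme
        esac
        printf '\n'
    done
}

# Constructed sample data (not real accounts or real hashes).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice Example,Room 1,555-0100:/home/alice:/bin/bash
bob:x:1001:100:Bob Example:/home/bob:/bin/zsh
svc:x:1002:100::/home/svc:/sbin/nologin
EOF
}

sample_shadow() {
    cat <<'EOF'
root:$1$rootroot$notarealhash:15000:0:99999:7:::
alice:$1$Qz3Tk$5bVxJ7n4Xy2p9Qw1:15000:0:99999:7:::
bob:!:15000:0:99999:7:::
svc::15000:0:99999:7:::
EOF
}

# Runs the conversion on the sample data and prints the LDIF.
demo_ldif() {
    sample_passwd | passwd_to_ldif 'o=example' "$(sample_shadow)"
}

demo_ldif
```

The output can be loaded with ldapadd (same -x -ZZ -W -D "<root dn>" options as the ldappasswd call above, plus -f) once the ou=people container exists; with the slapd.conf ACL from the mail, the {crypt} values are then only readable by the owner and the rootdn, and other binds can only compare against them.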