
Re: Autofs-OpenLDAP Assistance



On Tuesday 29 July 2008 20:19:33 Sven Ulland wrote:
> Santosh Balan wrote:
> > Can you please guide and provide some appropriate documentation or
> > method as to how I have to go about with the installation of OpenLDAP and
> > autofs such that it will authenticate my users and automatically
> > mount the users' partition.

Depending on how your infrastructure is set up, you could get home directories 
automounted for every user with a single automount (wildcard) rule. Unless you 
give more details, it is difficult to know how you are associating the need 
for home directories and automount rules.

> To use ldap for login, you need to get nsswitch and pam to talk ldap.
> It is easily done by installing libnss-ldapd (or libnss-ldap -- they
> are functionally equivalent) and libpam-ldap. Package names are likely
> to be different on your platform -- these are from Debian.
>
> First change /etc/nsswitch.conf so that it reads something like this:
>
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap

I would avoid compat unless you actually require the features. See the 
discussion of compat in nsswitch.conf(5). Additionally, I would avoid adding 
ldap to shadow unless you have applications that require access to the 
password hash or are intending to use nss_ldap->pam_unix for authentication 
(and forego any ldap authorization features).

> hosts:          files dns
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
> automount:      ldap
>
> Then set up /etc/pam.d/common-{account,auth,password,session} with the
> following *additions*:
>
> common-account:
>  account     sufficient    pam_succeed_if.so uid < 1000 quiet
>  account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>  account     required      pam_permit.so

I would rather suggest adding:

account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required pam_deny.so

otherwise password expiry, host attribute use etc. will most likely not work.

> common-auth:
>  auth    requisite       pam_succeed_if.so uid >= 1000 quiet
>  auth    sufficient      pam_ldap.so use_first_pass
>  auth    required        pam_deny.so
>
> common-password:
>  password    sufficient    pam_ldap.so use_authtok
>  password    required      pam_deny.so
>
> common-session:
>  session     optional      pam_ldap.so

pam_ldap doesn't implement session as far as I know; pam_mkhomedir would be a 
better candidate for the line above.

>
> (There is probably some silly configuration in the above, but it
> works. I haven't looked into the details of PAM yet.)

Have you tested every aspect with the configuration above?

> Next, install autofs5-ldap (or v4 if you want). It is important that
> you understand the structure of autofs entries in ldap. You can get an
> overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap
>
> Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf),
> /etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point
> to your ldap directory server.
>
> When things don't work, try running each daemon in debug mode. This
> is particularly true for slapd and the nslcd (that comes in
> libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to
> see if logins are accepted.


And disable nscd while troubleshooting.

Regards,
Buchan
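The advice in the reply above (no compat unless needed, no ldap on shadow, a
pam_localuser / pam_ldap / pam_deny account stack, pam_mkhomedir rather than
pam_ldap for session) boils down to a handful of checks on two files. The
following is an added example, not code from the thread or from any of the
packages mentioned: a small lint that parses an nsswitch.conf and the PAM
common-* stacks and reports deviations from that advice. The sample inputs are
constructed here, copied from the quoted post and from the reply's suggested
replacements; the finding texts restate the reply's reasoning and are this
example's wording, not the author's.

```python
"""Lint nsswitch.conf and PAM common-* stacks against the thread's advice.

Added example; the sample configs below are constructed for this demo.
"""
import re

# The quoted post's configuration (constructed sample, as posted).
QUOTED_NSSWITCH = """\
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
automount:      ldap
"""
QUOTED_PAM = {
    "common-account": """\
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
""",
    "common-session": """\
session     optional      pam_ldap.so
""",
}

# The same files rewritten the way the reply recommends (constructed sample).
FIXED_NSSWITCH = """\
passwd:         files ldap
group:          files ldap
shadow:         files
hosts:          files dns
automount:      ldap
"""
FIXED_PAM = {
    "common-account": """\
account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required   pam_deny.so
""",
    "common-session": """\
session optional   pam_mkhomedir.so
""",
}

# type, control (single word or a [...] expression), module, optional args
PAM_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_nsswitch(text):
    """Map each database name to its ordered list of sources."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db


def parse_pam(text):
    """Return a stack as a list of (type, control, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        m = PAM_RE.match(raw.split("#", 1)[0].strip())
        if m:
            stack.append(m.groups())
    return stack


def lint_nsswitch(db):
    findings = []
    for name in ("passwd", "group", "shadow"):
        if "compat" in db.get(name, []):
            findings.append(f"nsswitch {name}: compat listed; use 'files ldap' "
                            "unless compat features are actually required")
    if "ldap" in db.get("shadow", []):
        findings.append("nsswitch shadow: ldap listed; only needed if something "
                        "must read the hash or pam_unix authenticates LDAP users")
    if "ldap" not in db.get("automount", []):
        findings.append("nsswitch automount: ldap missing; autofs will not find "
                        "its maps in the directory")
    return findings


def lint_pam(stacks):
    findings = []
    account = [(c, m) for _, c, m, _ in stacks.get("common-account", [])]
    want = [("sufficient", "pam_localuser.so"), ("sufficient", "pam_ldap.so"),
            ("required", "pam_deny.so")]
    if account != want:
        findings.append("common-account: expected sufficient pam_localuser / "
                        "sufficient pam_ldap / required pam_deny; password "
                        "expiry and host attribute checks may not work otherwise")
    if account and account[-1][1] != "pam_deny.so":
        findings.append("common-account: last line is not pam_deny.so, so a user "
                        "no earlier module claimed is accepted; fail closed")
    session = [m for _, _, m, _ in stacks.get("common-session", [])]
    if "pam_ldap.so" in session:
        findings.append("common-session: pam_ldap.so provides no session "
                        "service; pam_mkhomedir.so is the useful module here")
    return findings


def lint_host(nsswitch_text, pam_texts):
    """Run both linters over raw file contents and return all findings."""
    stacks = {name: parse_pam(text) for name, text in pam_texts.items()}
    return lint_nsswitch(parse_nsswitch(nsswitch_text)) + lint_pam(stacks)


if __name__ == "__main__":
    for label, nss, pam in (("quoted", QUOTED_NSSWITCH, QUOTED_PAM),
                            ("fixed", FIXED_NSSWITCH, FIXED_PAM)):
        print(f"== {label} ==")
        for f in lint_host(nss, pam) or ["no findings"]:
            print(" -", f)
```

Run it against the real files by reading /etc/nsswitch.conf and
/etc/pam.d/common-account and common-session into the two arguments of
lint_host(); the quoted configuration yields four nsswitch findings and three
PAM findings, the reply's version yields none. The check is deliberately
strict about the account stack shape, so a site that legitimately keeps other
modules there will get a finding to review rather than silence.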