The instructions below should be sufficient to configure LDAP as a naming service with PAM authentication and SSH authentication using keys. This document assumes a 2307bis LDAP schema.
Before proceeding, you should have a working familiarity with your LDAP configuration and ideally should have it tested on another host.
The following prerequisites must be in place to complete the configuration:
Making network changes with tools such as zap can deploy changes that affect the name service switch. Before starting the LDAP join process, ensure your network configuration is settled, preferably with a static IP address configured. Reboot before starting the process to ensure everything is clean.
Installing the networked-system overlay pulls in everything you need. Otherwise, install the TRIBsys-net-nis and TRIBnaming-ldap packages.
Your LDAP schema will include an attribute for the home directory location. This is often /home/username, which is handled by the automounter by default on Tribblix. If your home directories are set to /home/username and you are not using an automounted configuration, edit /etc/auto_master and /etc/auto_home and comment out the configuration. Then restart the automounter with svcadm restart autofs.
Check your LDAP accounts for their login shells and make sure those shells are installed and in the location defined in the LDAP attribute. A user with no shell cannot log in.
Paste the following into a file and edit all the parameters to match your configuration. This is an extremely basic and simple example and you should ensure you read the corresponding man page to add anything missing. In particular, you may wish to add multiple services and handle SSL/TLS.
You can re-run this script as many times as you need, so don't worry about making a mistake. Re-running the script will overwrite the configuration completely.
#!/bin/bash
ldapclient manual -v \
 -a credentialLevel=proxy \
 -a authenticationMethod=simple \
 -a defaultSearchBase=dc=yoursubdomain,dc=yourdomain,dc=org \
 -a domainName=yoursubdomain.yourdomain.org \
 -a defaultServerList=ldapserver.yourdomain.org \
 -a "proxyDN=cn=tribbind,ou=service accounts,dc=yoursubdomain,dc=yourdomain,dc=org" \
 -a proxyPassword=your_fun_filled_password_here \
 -a attributeMap=group:gidnumber=gidNumber \
 -a attributeMap=group:memberUid=Member \
 -a attributeMap=passwd:gidnumber=gidNumber \
 -a attributeMap=passwd:uidnumber=uidNumber \
 -a attributeMap=passwd:homedirectory=homeDirectory \
 -a attributeMap=shadow:userpassword=userPassword \
 -a objectClassMap=group:posixGroup=posixGroup \
 -a objectClassMap=passwd:posixAccount=posixAccount \
 -a objectClassMap=shadow:shadowAccount=posixAccount \
 -a serviceSearchDescriptor=passwd:ou=people,dc=yoursubdomain,dc=yourdomain,dc=org \
 -a serviceSearchDescriptor=group:ou=groups,dc=yoursubdomain,dc=yourdomain,dc=org \
 -a serviceSearchDescriptor=shadow:ou=people,dc=yoursubdomain,dc=yourdomain,dc=org
Run the script as root.
The script will configure the entire LDAP stack, including making changes to the /etc/nsswitch.conf file that you most likely do not want. Edit that file, noting that the ldap source only needs to be applied to the passwd: and group: lines to enable user authentication. You may wish to start by copying /etc/nsswitch.dns back over /etc/nsswitch.conf and manually adding the ldap source to the passwd: and group: lines.
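The rule above (ldap on passwd: and group:, and nowhere else) is easy to get wrong by hand after ldapclient has rewritten the file. The following audit script is an added example and is not part of the Tribblix page or its tooling; it checks a given nsswitch.conf and reports any database that consults ldap beyond passwd and group, since a lookup there would make hostname or service resolution depend on the directory being reachable. The two sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Tribblix page: audit an nsswitch.conf after the
# ldapclient run. The page's rule is that only the passwd: and group: lines need
# the ldap source for user authentication; any other database that consults
# ldap (hosts:, services:, ...) is flagged, because lookups there would then
# depend on the directory being reachable.

# check_nsswitch FILE
# Prints "ok: <db>" for passwd/group lines that list ldap, "extra: <db>" for any
# other database listing ldap, and "missing: <db>" if passwd or group does not.
# Returns 0 only when passwd and group, and nothing else, use ldap.
check_nsswitch() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        /^[ \t]*$/ { next }                # and blank lines
        {
            db = $1; sub(/:.*/, "", db)    # database name before the colon
            line = $0; sub(/^[^:]*:/, "", line)
            uses_ldap = 0
            n = split(line, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "ldap") uses_ldap = 1
            if (db == "passwd" || db == "group") {
                seen[db] = 1
                if (uses_ldap) print "ok: " db
                else { print "missing: " db; bad = 1 }
            } else if (uses_ldap) {
                print "extra: " db; bad = 1
            }
        }
        END {
            if (!("passwd" in seen)) { print "missing: passwd"; bad = 1 }
            if (!("group" in seen))  { print "missing: group";  bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample files so the example runs without touching /etc.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
# constructed: ldap only where the page says it is needed
passwd:  files ldap
group:   files ldap
hosts:   files dns
EOF
cat > "$BAD" <<'EOF'
# constructed: the sort of file ldapclient leaves behind
passwd:   files ldap
group:    files ldap
hosts:    files dns ldap
services: files ldap
EOF

check_nsswitch "$GOOD" || echo "review $GOOD"
check_nsswitch "$BAD"  || echo "review $BAD"
```

On a real host run check_nsswitch /etc/nsswitch.conf; any "extra:" line names a database to take ldap back out of, and a non-zero exit lets you use it from a post-install check.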
Verify that the dns/client service is still enabled at the end of the LDAP script run.
At this point, you should be able to test LDAP with getent passwd and getent group. If you don't see users and groups, modify the script and run it again until you have this working.
In the /etc/pam.conf file, edit every line that reads:
auth required pam_unix_auth.so.1
and change it to:
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1
For example, if we start with:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
It should now look like:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
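Because the edit has to be made on every service stack in pam.conf (the first column), it is worth scripting rather than doing line by line. The script below is an added example, not the Tribblix page's own code; it applies exactly the rewrite shown above to each unmodified pam_unix_auth line, leaves already-converted lines alone so it can be re-run, and works on the sample stack constructed inline.

```shell
#!/bin/sh
# Added example, not from the Tribblix page: apply the pam.conf edit the page
# describes to every service. Each "<service> auth required pam_unix_auth.so.1"
# line becomes a binding line with server_policy followed by a required
# pam_ldap.so.1 line. Reads pam.conf on stdin and writes the result on stdout;
# lines that were already converted are not touched, so re-running is safe.

add_pam_ldap() {
    awk '
        # match only the unmodified form: exactly four fields, no options
        NF == 4 && $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" {
            print $1 "\tauth binding\t\tpam_unix_auth.so.1 server_policy"
            print $1 "\tauth required\t\tpam_ldap.so.1"
            next
        }
        { print }
    '
}

# Constructed sample: the "other" stack from the page plus a "login" stack that
# has already been converted, to show a second run leaves it alone.
SAMPLE='other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1'

# convert_sample: run the constructed sample through add_pam_ldap once
convert_sample() {
    printf '%s\n' "$SAMPLE" | add_pam_ldap
}

# count_matching PATTERN: number of converted-sample lines matching PATTERN
count_matching() {
    convert_sample | grep -c "$1" || true
}

convert_sample
```

To use it on a real system, run add_pam_ldap < /etc/pam.conf > /tmp/pam.conf.new, review the result with diff against the original, and only then copy it into place; a broken pam.conf locks out local logins as well as LDAP ones.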
Tribblix doesn't ship with a default script to read ssh keys from LDAP, so create a script to do this. In this example, the script is located at /opt/scripts/pubkey.sh.
#!/bin/sh
# Print the sshPublicKey attributes of the LDAP user named in $1 in authorized_keys form
ldaplist -l passwd "$1" | grep sshPublicKey: | awk '{print $2" "$3" "$4}'
Don't forget to chmod +x /opt/scripts/pubkey.sh.
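The one-liner above trusts whatever the directory returns and prints only three fields, so a key comment containing spaces is truncated and any key type stored in LDAP is accepted. The following is an added example of a stricter pubkey script, not the Tribblix page's own; it checks the username sshd passes in before handing it to ldaplist, accepts only key types on an allow-list, and keeps the full comment. The ALLOWED_TYPES list and the sample ldaplist output are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Tribblix page: a stricter variant of the pubkey
# lookup used with AuthorizedKeysCommand. The username sshd hands over is
# checked against a conservative character set before it reaches ldaplist
# (so it cannot be mistaken for an option), and the directory output is turned
# into authorized_keys lines only for key types on an allow-list, keeping key
# comments that contain spaces. ALLOWED_TYPES and the sample ldaplist output
# below are assumptions for the example.

ALLOWED_TYPES="ssh-ed25519 ecdsa-sha2-nistp256 ssh-rsa"

# valid_user NAME: 0 if NAME is non-empty, made of [A-Za-z0-9._-] and does not
# start with '-' or '.'
valid_user() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# filter_keys: stdin is "ldaplist -l passwd <user>" output, stdout is one
# authorized_keys line per acceptable sshPublicKey attribute
filter_keys() {
    awk -v allowed="$ALLOWED_TYPES" '
        BEGIN { n = split(allowed, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $1 == "sshPublicKey:" && ($2 in ok) && $3 ~ "^[A-Za-z0-9+/=]+$" {
            line = $2
            for (i = 3; i <= NF; i++) line = line " " $i   # keep the whole comment
            print line
        }
    '
}

# lookup_user_keys USER: what /opt/scripts/pubkey.sh would run on Tribblix
lookup_user_keys() {
    valid_user "$1" || return 1
    ldaplist -l passwd "$1" | filter_keys
}

# Constructed directory output, standing in for "ldaplist -l passwd alice".
SAMPLE='dn: uid=alice,ou=people,dc=yoursubdomain,dc=yourdomain,dc=org
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly alice laptop key
sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACBExampleKeyMaterialOnly legacy-dsa
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleKeyMaterialOnly alice@desk
loginShell: /bin/bash'

# sample_keys: the constructed sample run through the filter
sample_keys() {
    printf '%s\n' "$SAMPLE" | filter_keys
}

sample_keys
```

Installed as /opt/scripts/pubkey.sh with a final line of lookup_user_keys "$1", it drops the ssh-dss entry from the sample and emits the two remaining keys; sshd still applies its own AuthorizedKeysCommand ownership and permission checks to the script.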
Add the following lines to the bottom of /etc/ssh/sshd_config:
AuthorizedKeysCommand /opt/scripts/pubkey.sh
AuthorizedKeysCommandUser daemon
If you would like LDAP users to be able to connect by ssh using a password rather than keys, ensure the UsePAM yes option is set in /etc/ssh/sshd_config. Restart ssh with svcadm restart ssh.
At this point, you should have passwd and group entities populated with LDAP entries, and users should be able to connect by ssh using their LDAP-provided credentials. Further, tools like sudo should work with the LDAP-stored password.