Configuring LDAP Authentication

Aim

The instructions below should be sufficient to configure LDAP as a naming service with PAM authentication and SSH authentication using keys. This document assumes a 2307bis LDAP schema.

Prerequisites

Before proceeding, you should have a working familiarity with your LDAP configuration and ideally should have it tested on another host.

The following information is required to complete the configuration

Step One - stabilise the network

Network changes made with tools such as zap can alter the name service switch. Before starting the LDAP join process, make sure your network configuration is settled, preferably with a static IP address configured, and reboot so that you start from a clean state.

Install the required packages

Installing the networked-system overlay will pull in everything you need. Otherwise, try TRIBsys-net-nis and TRIBnaming-ldap.

Home Directories and Shells

Your LDAP schema will include an attribute for the home directory location. This is often /home/username, which is handled by the automounter by default on Tribblix.

If your home directories are set to /home/username and you are not using an automounted configuration, edit /etc/auto_master and /etc/auto_home and comment out the relevant entries. Then restart the automounter with svcadm restart autofs.

Check your LDAP accounts for their login shells and make sure those shells are installed and in the location defined in the LDAP attribute. A user with no shell cannot log in.

Prepare an ldap_client configuration script

Paste the following into a file and edit all the parameters to match your configuration. This is a deliberately minimal example; read the ldapclient man page to add anything missing. In particular, you may wish to add multiple services and handle SSL/TLS.

You can re-run this script as many times as you need, so don't worry about making a mistake. Re-running the script will overwrite the configuration completely.

#!/bin/bash
# Configure this host as an LDAP client (2307bis schema). Every value below is
# a placeholder: replace the base DN, domain, server, proxy DN and password with
# your own settings. The attributeMap/objectClassMap entries map the directory's
# attribute and object class names onto the passwd, group and shadow databases.
ldapclient manual -v \
  -a credentialLevel=proxy \
  -a authenticationMethod=simple \
  -a defaultSearchBase=dc=yoursubdomain,dc=yourdomain,dc=org \
  -a domainName=yoursubdomain.yourdomain.org \
  -a defaultServerList=ldapserver.yourdomain.org \
  -a "proxyDN=cn=tribbind,ou=service accounts,dc=yoursubdomain,dc=yourdomain,dc=org" \
  -a proxyPassword=your_fun_filled_password_here \
  -a attributeMap=group:gidnumber=gidNumber \
  -a attributeMap=group:memberUid=Member \
  -a attributeMap=passwd:gidnumber=gidNumber \
  -a attributeMap=passwd:uidnumber=uidNumber \
  -a attributeMap=passwd:homedirectory=homeDirectory \
  -a attributeMap=shadow:userpassword=userPassword \
  -a objectClassMap=group:posixGroup=posixGroup \
  -a objectClassMap=passwd:posixAccount=posixAccount \
  -a objectClassMap=shadow:shadowAccount=posixAccount \
  -a serviceSearchDescriptor=passwd:ou=people,dc=yoursubdomain,dc=yourdomain,dc=org \
  -a serviceSearchDescriptor=group:ou=groups,dc=yoursubdomain,dc=yourdomain,dc=org \
  -a serviceSearchDescriptor=shadow:ou=people,dc=yoursubdomain,dc=yourdomain,dc=org

Run the script as root.

The script configures the entire LDAP stack, including changes to /etc/nsswitch.conf that you most likely do not want. Edit that file: the ldap source only needs to be added to the passwd: and group: lines to enable user authentication. A simple approach is to copy /etc/nsswitch.dns back over /etc/nsswitch.conf and manually add the ldap option to passwd: and group:.

Verify that the dns/client service is still enabled at the end of the LDAP script run.
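As an added example (not part of the Tribblix documentation), a small POSIX shell filter that performs the nsswitch edit described above: it reads an nsswitch.conf on stdin, appends ldap to the passwd: and group: lines only, and leaves hosts: and every other database untouched. A second function checks that no other database has picked up ldap. The sample input in the comments is constructed.

```shell
#!/bin/sh
# Added example: limit the ldap source to the passwd: and group: databases.
# Reads an nsswitch.conf on stdin and writes the edited file to stdout, e.g.
#   add_ldap_to_nsswitch < /etc/nsswitch.dns > /etc/nsswitch.conf
add_ldap_to_nsswitch() {
    awk '
        # Only passwd and group should consult LDAP; hosts in particular must
        # keep resolving through files and dns. Assigning to $0 keeps the
        # original column spacing, and an existing ldap entry is not duplicated.
        /^(passwd|group):/ {
            if ($0 !~ /[ \t]ldap([ \t]|$)/) {
                $0 = $0 " ldap"
            }
        }
        { print }
    '
}

# Sanity check on an nsswitch.conf read from stdin: returns 0 when no database
# other than passwd or group names ldap as a source, 1 otherwise.
check_ldap_scope() {
    awk '!/^(passwd|group):/ && /[ \t]ldap([ \t]|$)/ { bad = 1 }
         END { exit bad ? 1 : 0 }'
}
```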

Testing

At this point, you should be able to test LDAP with getent passwd and getent group. If you don't see users and groups, modify the script and run it again until you have this working.

Configure PAM

In the /etc/pam.conf file, edit every line that reads:

auth required pam_unix_auth.so.1

and change it to

auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1

For example, if we start with:

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1

It should now look like:

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
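The same edit applied mechanically, as an added example rather than anything shipped with Tribblix: an awk filter that reads pam.conf on stdin and, for every auth line that loads pam_unix_auth.so.1 as required, emits the binding line with server_policy followed by a pam_ldap.so.1 line for the same service, keeping the column layout. A second function reports whether any such line was left unconverted. The sample lines in the comments are constructed from the example above.

```shell
#!/bin/sh
# Added example: rewrite "<service> auth required pam_unix_auth.so.1" lines in
# a pam.conf read on stdin into the two-line LDAP form, e.g.
#   ldapify_pam_auth < /etc/pam.conf > /tmp/pam.conf.new
ldapify_pam_auth() {
    awk '
        # Fields: $1 service, $2 module type, $3 control flag, $4 module path.
        # Only plain four-field auth lines are rewritten; comments, the other
        # auth modules and the account/password/session stacks pass through.
        NF == 4 && $1 !~ /^#/ && $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" {
            match($0, /required[ \t]+pam_unix_auth\.so\.1/)
            prefix = substr($0, 1, RSTART - 1)        # "<service>   auth "
            ws = substr($0, RSTART + 8, RLENGTH - 26)  # spacing between flag and module
            # "binding" is one character shorter than "required", so add a space
            # to keep the module column aligned with the neighbouring lines.
            print prefix "binding" ws " pam_unix_auth.so.1 server_policy"
            print prefix "required" ws "pam_ldap.so.1"
            next
        }
        { print }
    '
}

# Returns 0 when no auth line on stdin still loads pam_unix_auth.so.1 as
# "required" (whatever its option count), 1 when something was missed.
pam_auth_converted() {
    awk '$1 !~ /^#/ && $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" { left = 1 }
         END { exit left ? 1 : 0 }'
}
```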

Configuring SSH including key-based login from LDAP

Tribblix doesn't ship with a default script to read ssh keys from LDAP, so create a script to do this. In this example, the script is located at /opt/scripts/pubkey.sh.

#!/bin/sh
# Print every sshPublicKey value for the LDAP account named in $1 (sshd passes
# the login name). The whole value is printed, so key comments with spaces survive.
ldaplist -l passwd "$1" | awk '$1 == "sshPublicKey:" { $1 = ""; sub(/^ /, ""); print }'

Don't forget to chmod +x /opt/scripts/pubkey.sh. Note that sshd only runs an AuthorizedKeysCommand that is owned by root and not writable by group or others, and the same applies to the directories leading to it.

Add the following lines to the bottom of /etc/ssh/sshd_config:

AuthorizedKeysCommand /opt/scripts/pubkey.sh
AuthorizedKeysCommandUser daemon

If you would like LDAP users to be able to connect by ssh using a password rather than keys, ensure the UsePAM yes option is set in /etc/ssh/sshd_config.

Restart ssh with svcadm restart ssh.

Completed

At this point, you should have passwd and group databases populated with LDAP entries, and users should be able to connect by ssh using their LDAP-provided credentials. Tools like sudo should also work with the password stored in LDAP.
