LDAP Authentication, Part Three

Managing users on a network is a whole lot simpler with LDAP. Part Three: Configuring LDAP clients.

This month is the last part of a three-part series on using the Lightweight Directory Access Protocol (LDAP) to manage accounts for a network of users. (See Part One and Part Two.) The previous two columns covered basic LDAP configuration, migrating an existing Linux account database to LDAP, and managing accounts in an LDAP directory. This time, let’s look at how to configure LDAP clients. This process involves setting up the Name Service Switch (NSS) and Pluggable Authentication Modules (PAM) to use LDAP in addition to the local Linux authentication tools. (In theory, you could use LDAP exclusively; however, in most cases it’s best to have at least some accounts defined locally.)

You should review the previous two columns in this series to refamiliarize yourself with the terminology and procedures before proceeding with this month’s column. Ensure that your LDAP server is running; this month’s column requires that the LDAP server be operational. You will, however, be performing most of the actions described this month on other computers. (You can, if you like, configure the LDAP server computer as described here, simply to gain access to the LDAP account directory.)

The Roles of NSS and PAM

Most people give little thought to the details of how Linux accounts are structured. In fact, there are several characteristics of accounts, such as usernames, passwords, home directories, default shells, and so on. These features are managed by two Linux tools:

PAM is a security tool; it tells login tools, such as the text-mode login process or the GUI GNOME Display Manager (GDM) or KDE Display Manager (KDM), that the password a user types is (or is not) correct for the specified username. PAM also handles some additional tasks, such as changing passwords when a user runs the passwd utility.

NSS handles less sensitive account data, such as the path to a user’s home directory, his or her default shell, and so on.

If you configure PAM but not NSS to use LDAP, only users who have local account data stored in /etc/passwd and /etc/shadow will be able to log in. These files could lack passwords, but they’d have to host the normal NSS data.

If you configure NSS but not PAM to use LDAP, then Linux will believe it has accounts for the users defined on the LDAP server, but those users won’t be able to log in. Thus, to use an LDAP server for authentication, you must normally reconfigure both PAM and NSS to use LDAP. Either alone could be useful in some limited circumstances, but in most cases you must configure both to use LDAP.

Setting Basic LDAP Client Options

Before proceeding with NSS and PAM configuration, you must set a few client-wide LDAP options. To do so, you should first ensure that the PAM and NSS LDAP libraries are installed on your client computer. These tools are usually stored in packages called pam_ldap and nss_ldap, although some distributions use other names, such as libpam-ldap and libnss-ldap. Some distributions combine both packages into one — nss_ldap in the case of Fedora Core 6, for instance.

In most cases, the LDAP client tools for NSS and PAM both rely on the /etc/ldap.conf file. Debian and its derivative distributions use two files, /etc/nss_ldap.conf and /etc/pam_ldap.conf. If your distribution uses two files, you must make similar changes to both. Be sure not to confuse this file with the /etc/openldap/ldap.conf, which is the configuration file for the LDAP tools described last month.

To proceed, load your /etc/ldap.conf file into an editor and change the host and base lines:

base dc=luna,dc=edu

The host line specifies the LDAP server’s IP address or hostname, so modify it to suit your network’s neeeds. The base line points to the base directory used by your LDAP account directory. As described two months ago, this is often related to your domain name, but it need not be.

You may want to peruse additional options in the /etc/ldap.conf file. Many default files include commented-out options related to port numbers, encryption, and other features. In a high-security environment, you may want to enable some of these options. Doing so can improve security, but these features can be difficult to debug.

Setting NSS Options

Telling NSS to use LDAP is fairly straightforward. The main NSS configuration file is /etc/nsswitch.conf, and you must edit three lines to have NSS use LDAP. These lines begin with the words passwd, shadow, and group, and you should add the string ldap to each of these lines:

passwd:  files  ldap
shadow:  files  ldap
group:   files  ldap

In practice, NSS uses each of the named subsystems in the order in which they’re listed for the duties specified by the leading keyword. You may have noticed that each of these lines begins with the name of a file that’s used in Linux account management: /etc/passwd, /etc/shadow, and /etc/group. This is because NSS ordinarily accesses these files (hence the files keyword). By adding ldap to the end of the line, you direct NSS to use the local files first and then to call on LDAP. Thus, when reconfigured in this way, your system will include all the locally-defined accounts and groups, plus whatever accounts or groups are defined in the LDAP directory.

It’s possible that your configuration will include other keywords, in addition to or instead of the files keyword that’s common to the lines in this example. For instance, many systems use compat rather than files. If so, the safest approach is usually to add ldap to the end of each line.

Setting PAM Options

PAM is a more complex subsystem than NSS to configure as an LDAP authentication client. As noted earlier, PAM stands for Pluggable Authentication Modules. The modules referred to in the name are pieces of code, similar to libraries or kernel modules, that extend PAM to handle new authentication methods. The PAM LDAP package you installed earlier provides an LDAP module for PAM; this module” talks” to the LDAP server, providing an interface between the LDAP server and the local computer’s authentication system.

The main PAM configuration file is /etc/pam.conf; however, all common Linux distributions place the bulk of the PAM configuration in files within the /etc/pam.d directory. Each file in this directory controls one authentication tool.

For instance, /etc/pam.d/login controls the login process, /etc/pam.d/gdm controls the GDM GUI login tool, and /etc/pam.d/su controls the su command’s authentication. In theory, to configure PAM to use LDAP, you must modify the files for each subsystem that should use LDAP. Precisely which files and subsystems this should be can vary greatly from one computer to another; for instance, you might need to modify files for a Post Office Protocol (POP) email server on one computer, but for GDM on another computer.

Fortunately, many Linux distributions provide a shortcut: /etc/pam.d/system-auth. Not all distributions use this file, but if yours does, you can modify just this one file rather than modifying all the relevant authentication programs’ files. Whether you need to modify the system-auth file or multiple files, though, the procedure is similar.

PAM authentication files consist of stacks, which are sets of external modules that provide authentication services. These stacks are broken into four management groups: auth, account, password, and session. Each management group’s stack defines the rules that PAM uses to perform a specific action, such as authenticate a user (auth) or manage a login session (session). A typical authentication stack resembles Listing One, which is based on a Gentoo PAM stack. (Some lines have been broken for publication.)

Listing One: A typical PAM authentication stack


auth required pam_env.so
auth sufficient pam_unix.so likeauth \
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok md5 \
shadow use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

To add LDAP authentication to the mix, you must add a reference to the LDAP authentication module (pam_ldap.so) to each of the management groups. To do so, though, you must first understand a bit about how PAM processes its stacks.

When it’s called upon to perform an action, such as authenticate a user or change a password, PAM calls each of the modules (in the third column of Listing One) for the associated management group in turn. Ultimately, the action will succeed or fail, and which happens depends on the successful completion of each module in conjunction with the control flag in the second column of Listing One. Of most importance are the requisite, required, and sufficient flags:

  • A requisite flag means that the module must succeed if the stack is to succeed. If the module fails, stack execution terminates immediately.

  • A required flag is much like a requisite flag, but if the module fails, execution continues until the end.

  • A sufficient flag causes stack execution to immediately terminate with a successful outcome if the associated module succeeds, provided no previous required module failed. If a sufficient module fails, the stack as a whole could still succeed, if other modules cause it to succeed — that is, a module failure causes the stack to work as if the sufficient module has not been present in the stack.

The default stacks provided with most Linux distributions rely heavily on requisite or required flags, with an occasional sufficient flag thrown in; Listing One is a typical example. To add LDAP authentication while keeping local authentication working, you must add references to the pam_ldap.so module as sufficient. You must also usually change some of the requisite or required modules to be sufficient. The result might resemble Listing Two.

Listing Two: A PAM authentication stack that uses LDAP


auth required pam_env.so
auth sufficient pam_unix.so likeauth \
auth sufficient pam_ldap.so \
auth required pam_deny.so

account sufficient pam_unix.so
account sufficient pam_ldap.so

password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok md5 \
shadow use_authtok
password sufficient pam_ldap.so use_authtok \
password required pam_deny.so

session required pam_limits.so
session sufficient pam_unix.so
session sufficient pam_ldap.so use_first_pass

session required pam_mkhomedir.so \
skel=/etc/skel umask=0027

In this example, Listing One uses the pam_unix.so module to perform the key tasks for each of the four management groups; however, some distributions use other modules instead of pam_unix.so, so you may need to do some research on your distribution’s PAM defaults.

To add LDAP to the mix, you add its line after the pam_unix.so line and, if pam_unix.so is set to be requisite or required, change it to sufficient. Alternatively, you could add pam_ldap.so to the stack before the requisite or required module; pam_ldap.so, if successful, will then bypass the requisite or required module. You may also need to add a reference to pam_deny.so to the auth and password stacks; if you don’t, the stack may incorrectly indicate success even when an incorrect password is entered. (You may need to test both ways, as described shortly.)

The pam_ldap.so lines in Listing Two include parameters that vary from one management group to another. These parameters tweak the module’s behavior. For instance, the try_first_pass and use_first_pass options tell the module to try the password collected on behalf of the first authentication tool. Without these options, users may be prompted for their passwords twice when they have only LDAP accounts.

Listing Two’s final line is a new one that’s unrelated to LDAP, but that’s very useful for network logins: The pam_mkhomedir.so module automatically creates a new home directory for a user if one doesn’t already exist. You can call this module as part of the session management group, using options as shown in Listing Two to specify template files and permissions. Of course, this tool is most useful on workstations or computers that should have home directories. You might not need it for all systems.

Remember to make changes either to the /etc/pam.d/system-auth file or to the configuration files for all of the authentication tools you want to use LDAP. Note that if you modify individual configuration files, not all files use all of the management groups shown in Listing One and Listing Two, so you might not need to make all of the changes shown in Listing Two.

Testing Proper Functioning

Once you’ve made your changes, you should test them. Try using each authentication tool to log in using several different types of accounts and procedures:

  • Use a real local account with a correct password

  • Use a real local account with an incorrect password

  • Use a real LDAP account with a correct password

  • Use a real LDAP account with an incorrect password

  • Use an account that exists in neither the local account database nor LDAP

You should see the correct login behavior in each of these cases. If you see authentication failures when you type the correct password or, worse in some ways, authentication successes when you use an incorrect password or a non-existent account, you should review your configuration. Unfortunately, there’s little standardization between Linux distributions concerning their default PAM configurations, so the changes that work for one distribution might not work for another. You may need to experiment or look for distribution-specific documentation to help fill in the gaps.

Be sure to test every authentication tool, or at least every one you’ve altered to use LDAP. The passwd utility deserves special mention: If you change the /etc/pam.d/passwd configuration file, or if it uses the system-auth stack, users who use the passwd command to change their passwords should change their passwords in the local database, in the LDAP directory, or in both, depending on precisely how you’ve configured PAM. Check both the local database and LDAP to be sure that the changes have been made as you expect.

Comments on "LDAP Authentication, Part Three"

Major thanks for the article.Thanks Again. Really Great.

Here are some links to web-sites that we link to mainly because we consider they are really worth visiting.

We like to honor quite a few other world wide web web pages around the net, even though they aren?t linked to us, by linking to them. Below are some webpages worth checking out.

We prefer to honor quite a few other world-wide-web web pages around the web, even if they aren?t linked to us, by linking to them. Under are some webpages worth checking out.

We like to honor many other world wide web web pages on the internet, even though they aren?t linked to us, by linking to them. Beneath are some webpages worth checking out.

The info talked about inside the write-up are a few of the best readily available.

The info talked about within the report are a number of the ideal obtainable.

Here are some of the sites we advocate for our visitors.

Very handful of websites that take place to be comprehensive beneath, from our point of view are undoubtedly nicely really worth checking out.

e4HIW4 daesmjdfsmdb, [url=http://epcgojscbghf.com/]epcgojscbghf[/url], [link=http://mpqnmkjlsecp.com/]mpqnmkjlsecp[/link], http://whwxnmudaqub.com/

We like to honor a lot of other world wide web web-sites on the internet, even if they aren?t linked to us, by linking to them. Below are some webpages really worth checking out.

That is the finish of this write-up. Here you will obtain some web sites that we consider you?ll appreciate, just click the hyperlinks.

Every once in a though we pick out blogs that we study. Listed beneath are the most up-to-date web sites that we select.

Just beneath, are various totally not related web pages to ours, however, they’re certainly really worth going over.

Below you?ll locate the link to some web-sites that we believe you need to visit.

Every when in a while we pick blogs that we read. Listed beneath would be the most up-to-date web-sites that we pick.

Please pay a visit to the web-sites we adhere to, such as this a single, as it represents our picks in the web.

Very couple of internet websites that come about to become comprehensive below, from our point of view are undoubtedly well worth checking out.

One of our visitors a short while ago advised the following website.

Here are some hyperlinks to sites that we link to simply because we assume they may be worth visiting.

Very few sites that take place to become comprehensive below, from our point of view are undoubtedly effectively worth checking out.

Here are some links to websites that we link to because we believe they’re really worth visiting.

Very great post. I just came across your weblog and wished to bring up that I actually have truly enjoyed surfing around
your weblog posts. Regardless I will be subscribing for your feed and
I’m hoping you write again immediately!

My weblog … MartinNClune

Wonderful story, reckoned we could combine some unrelated information, nonetheless actually really worth taking a appear, whoa did one study about Mid East has got additional problerms as well.

I simply want to mention I am beginner to blogs and really savored you’re web-site. More than likely I’m going to bookmark your site . You amazingly have fantastic writings. Appreciate it for sharing with us your blog.

Usually posts some quite interesting stuff like this. If you are new to this site.

My brother recommended I might like this blog.He was totally right. This post truly made my day.You cann’t imagine just how much time I had spent for this information! Thanks!

It’s a shame you don’t have a donate button! I’d without a doubt donate
to this fantastic blog! I guess for now i’ll settle for book-marking and adding your RSS feed to my Google account.
I look forward to new updates and will talk about this
site with my Facebook group. Talk soon!

Sites of interest we have a link to.

Very shortly this site will be famous amid all blogging users, due to it’s nice
articles or reviews

Also visit my blog post … BeauQScallan

Hello, I enjoy reading through your article.

I am really enjoying the theme/design of your website. Do you ever run into any internet browser compatibility issues? A few of my blog visitors have complained about my site not working correctly in Explorer but looks great in Firefox. Do you have any advice to help fix this problem?

Please check out the web sites we stick to, including this one particular, because it represents our picks in the web.

Below you?ll come across the link to some sites that we consider it is best to visit.

The time to study or check out the content or internet sites we’ve linked to below.

Link exchange is nothing else but it is just placing one other person’s webpage link
on the page at suitable place along with other person will even do similar for you.

Here is my blog – WallyYDais

Below you?ll find the link to some internet sites that we think you should visit.

Just beneath, are various completely not connected web pages to ours, nevertheless, they’re certainly really worth going over.

What’s up, after reading this remarkable paragraph i am too glad to
share my knowledge here with colleagues.

Here is my web-site: ChongNPrchal

Although sites we backlink to beneath are considerably not related to ours, we feel they’re really worth a go by way of, so possess a look.

Very few web-sites that come about to become in depth beneath, from our point of view are undoubtedly nicely worth checking out.

We came across a cool site which you might delight in. Take a appear in the event you want.

Every once in a although we decide on blogs that we read. Listed below would be the latest internet sites that we choose.

Just beneath, are many totally not related internet sites to ours, nonetheless, they’re certainly really worth going over.

Usually posts some pretty fascinating stuff like this. If you are new to this site.

Usually posts some really fascinating stuff like this. If you are new to this site.

That could be the finish of this write-up. Right here you will locate some websites that we feel you?ll value, just click the hyperlinks.

Always a significant fan of linking to bloggers that I love but do not get a lot of link really like from.

Every after inside a whilst we decide on blogs that we study. Listed beneath are the latest sites that we pick out.

Leave a Reply