Tuesday, March 26, 2013

LDAP-NSS-PAM

LDAP
Everything is identified by dn
cn= Common Name
ou= Organizational Unit
dc= Domain Component

Schemas, objectClasses and Attributes

An objectClass is a collection of attributes:
  • An objectclass is defined within a Schema
  • An objectclass may be a part of an objectclass hierarchy, in which case it inherits all the properties of its parents.
  • An objectclass has a globally unique name or identifier

Attributes typically contain data:
  • Every attribute is defined in a schema.
  • Every attribute is included in one or more objectclasses.
  • To use an attribute in an entry, its objectclass must be included in the entry definition, and that objectclass must be defined in a schema. In turn, the schema must be loaded into the LDAP server.
Install LDAP


apt-get install slapd ldap-utils ldapvi



Config Layout


Setup backend database

Import schemas

$ cd /etc/ldap/schema
$ ldapadd -Y EXTERNAL -H ldapi:/// -f cosine.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f nis.ldif
(nis.ldif provides the Linux account attributes)
$ ldapadd -Y EXTERNAL -H ldapi:/// -f inetorgperson.ldif

backend.ldif

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb.la


# Database Setting
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=[ID],dc=csie,dc=ntu,dc=edu,dc=tw
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=[ID],dc=csie,dc=ntu,dc=edu,dc=tw
olcRootPW: {SSHA}HUpwPlcpSOwCNd8hRfiQsXFYYdyPewC2
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=[ID],dc=csie,dc=ntu,dc=edu,dc=tw" write
  by anonymous auth
  by self write
  by * none
olcAccess: to attrs=homeDirectory
  by dn="cn=admin,dc=[ID],dc=csie,dc=ntu,dc=edu,dc=tw" write
  by anonymous auth
  by self read
  by * none
olcAccess: to dn.base=""
  by * read
olcAccess: to *
  by dn="cn=admin,dc=[ID],dc=csie,dc=ntu,dc=edu,dc=tw" write
  by * read


Note: the olcRootPW value is generated with slappasswd.

import backend

ldapadd -v -Y EXTERNAL -H ldapi:/// -f backend.ldif
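To check what the olcAccess clauses in backend.ldif actually grant before importing them, here is a small evaluator of slapd's first-match rule (an added example, not part of the original post or of OpenLDAP; it assumes user entries under ou=people and models only the who-clauses used above, leaving out the root DSE clause).

```python
# Simplified model of the olcAccess clauses in backend.ldif (added example):
# slapd uses the first "to" clause whose target matches the request and, inside
# it, the first "by" clause that matches the requester. The 'to dn.base=""'
# clause for the root DSE is left out of this model.
ADMIN = "cn=admin,dc=[ID],dc=csie,dc=ntu,dc=edu,dc=tw"
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd's ordering

RULES = [
    ({"userPassword", "shadowLastChange"},
     [("dn:" + ADMIN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ({"homeDirectory"},
     [("dn:" + ADMIN, "write"), ("anonymous", "auth"), ("self", "read"), ("*", "none")]),
    ("*", [("dn:" + ADMIN, "write"), ("*", "read")]),
]


def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn:"):
        return requester is not None and requester.lower() == who[3:].lower()
    return False


def access_level(requester, target_dn, attr):
    """Level granted to requester on attr of target_dn (first match wins)."""
    for attrs, by_clauses in RULES:
        if attrs == "*" or attr in attrs:
            for who, level in by_clauses:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"   # "to" matched but no "by" did: slapd denies
    return "none"           # no clause matched at all: default deny


def allowed(requester, target_dn, attr, op):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(requester, target_dn, attr)) >= LEVELS.index(op)
```

The point worth confirming is that the final `to * by * read` does not expose userPassword, because the first clause already matched it and ended with `by * none`.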



FRONTEND: Adding users and groups (by ldapscripts or frontend.ldif file)

for /etc/passwd
objectClass: posixAccount
  passwd field    ->  LDAP attribute
  id              ->  uid
  password        ->  userPassword
  uid             ->  uidNumber
  gid             ->  gidNumber
  full_name       ->  gecos
  Home Directory  ->  homeDirectory
  Login shell     ->  loginShell

for /etc/shadow
objectClass: shadowAccount
  shadow field    ->  LDAP attribute
  username        ->  uid
  password        ->  userPassword
  last            ->  shadowLastChange
  may             ->  shadowMin
  must            ->  shadowMax
  warn            ->  shadowWarning
  expire          ->  shadowExpire
  disable         ->  shadowInactive
  reserved        ->  shadowFlag

for /etc/group
objectClass: posixGroup
  group field     ->  LDAP attribute
  group name      ->  cn
  password        ->  userPassword
  group id        ->  gidNumber
  other account   ->  memberUid

option 1: Use ldapscripts to add user

install ldapscripts
(which includes utilities to add/remove POSIX accounts)
apt-get install ldapscripts
modify /etc/ldapscripts/ldapscripts.conf
SERVER=localhost
BINDDN='cn=admin,dc=,dc=csie,dc=ntu,dc=edu,dc=tw'
SUFFIX='dc=,dc=csie,dc=ntu,dc=edu,dc=tw'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=machines'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000
PASSWORDGEN="pwgen"
RECORDPASSWORDS="yes"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"

(PASSWORDGEN needs pwgen installed: $ apt-get install pwgen)

Keep the rootPW in /etc/ldapscripts/ldapscripts.passwd:

sh -c "echo -n '[password]' > /etc/ldapscripts/ldapscripts.passwd"
chmod 400 /etc/ldapscripts/ldapscripts.passwd

Careful: if authentication fails after ldapadduser, check which password encryption the user entries in the LDAP database use.

Try dpkg-reconfigure libpam-ldap and set the encryption method.


Option 2: use frontend.ldif

file frontend.ldif

# Create top-level object in domain
dn: dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw
objectClass: top
objectClass: dcObject
objectClass: organization
o: b99902120
dc: b99902120
description: b99902120

# people
dn: ou=people,dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw
objectClass: organizationalUnit
ou: people

# groups
dn: ou=groups,dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw
objectClass: organizationalUnit
ou: groups

# user setting: ta217, groups, b99902120.csie.ntu.edu.tw
dn: uid=ta217,ou=people,dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ta217
displayName: ta217
uidNumber: 1001
gidNumber: 1001
userPassword: SAL2013
gecos: ta217
loginShell: /bin/bash
homeDirectory: /home/ta217
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
givenName: 217
sn: ta
cn: ta217
mail: ta217@b99902120.csie.ntu.edu.tw
title: ta217

# group setting: ta217, groups, b99902120.csie.ntu.edu.tw
dn: cn=ta217,ou=groups,dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw
objectClass: posixGroup
cn: ta217
gidNumber: 1001


import frontend file
ldapadd -v -x -D cn=admin,dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw -W -f frontend.ldif
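An added example (not from the original post) that builds the frontend.ldif entries from /etc/passwd, /etc/shadow and /etc/group lines using the field mappings listed earlier, and stores userPassword as an {SSHA} hash of the kind slappasswd produces rather than the cleartext value in the file above. The three sample records are constructed; the suffix dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw is the one used on this page.

```python
import base64, hashlib, os

# Constructed sample records (not from the page) in /etc/passwd, /etc/shadow and
# /etc/group format; the field order follows the mapping tables above.
PASSWD = "ta217:x:1001:1001:ta217:/home/ta217:/bin/bash"
SHADOW = "ta217:!:10877:8:999999:7:::"
GROUP = "sal:x:1002:ta217,ta218"
BASE = "dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw"   # suffix from frontend.ldif


def ssha(password, salt=None):
    """Hash a password the way slappasswd's default {SSHA} scheme does:
    base64(sha1(password + salt) + salt), with a random 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, password):
    """Verify a candidate password against an {SSHA} value (what slapd does at bind)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode() + salt).digest() == digest


def user_ldif(passwd_line, shadow_line, password):
    """Build the inetOrgPerson/posixAccount/shadowAccount entry as LDIF text."""
    name, _, uid, gid, gecos, home, shell = passwd_line.split(":")
    s = shadow_line.split(":")  # name, pw, last, min, max, warn, inactive, expire, flag
    attrs = [
        ("dn", f"uid={name},ou=people,{BASE}"),
        ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", name), ("cn", name), ("sn", name),       # inetOrgPerson needs cn and sn
        ("uidNumber", uid), ("gidNumber", gid), ("gecos", gecos),
        ("homeDirectory", home), ("loginShell", shell),
        ("userPassword", ssha(password)),              # hashed, never the cleartext
        ("shadowLastChange", s[2]), ("shadowMin", s[3]), ("shadowMax", s[4]),
        ("shadowWarning", s[5]), ("shadowExpire", s[7] or "-1"),  # -1 = never expires
    ]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"


def group_ldif(group_line):
    """Build the posixGroup entry; each extra account becomes a memberUid."""
    name, _, gid, members = group_line.split(":")
    lines = [f"dn: cn={name},ou=groups,{BASE}", "objectClass: posixGroup",
             f"cn: {name}", f"gidNumber: {gid}"]
    lines += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(lines) + "\n"
```

Writing `user_ldif(PASSWD, SHADOW, "SAL2013") + "\n" + group_ldif(GROUP)` to a file gives input for the same ldapadd command as above.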


nss and pam

apt-get install libpam-ldap libnss-ldap libnss-db nslcd nscd

/etc/libnss-ldap.conf
base dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw
/etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap

add users and groups
ldapadduser [user] [group]
ldapaddgroup [group]
update pam auth
pam-auth-update
auto create home directory
/etc/pam.d/common-account
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Allow users to change their password
vim /etc/pam.d/common-password
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
change to
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass




client config

/etc/nslcd.conf
# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://192.168.50.119

# The search base that will be used for all queries.
base dc=b99902120,dc=csie,dc=ntu,dc=edu,dc=tw



/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
