{{parent page="SecurityLDAP"}}
===Using LDAP for authentication on Linux===
It's not easy for me but I've made some progress. I use OpenDS as the LDAP server, and tested authentication with CentOS 5.5 and Ubuntu 10.04.
====LDAP server====
First I need an LDAP server. I used OpenDS because my company has some successful deployments with it. The installation is straightforward and it comes with a GUI control panel (I think it's under $opends-home/bin/control-panel). Once the installation wizard finishes, it asks whether you want to create an initial DN. I did, and created a subdomain called "webservers". Under that domain I created two users, "admin" and "oper", and a couple of groups. The screenshot below illustrates the tree structure:
{{image url="images/opends.png"}}
Initially the users I created can only be seen with shelldap, because by default OpenDS does not add the "posixAccount" objectClass to them. Still, shelldap gives you a quick way to confirm that LDAP is up and running and can be queried:
%%
shelldap --basedn dc=webservers,dc=comme,dc=ca --server 192.168.13.10
~ > list
cn=admin
cn=oper
cn=operators
cn=superusers
%%
====ObjectClass and attributes====
One must add the **posixAccount** objectClass to each user, as it is required for the later parts. The posixAccount objectClass does not require the **loginShell** attribute to be filled in; make sure it is entered as well.
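As an added example (not part of the original page), a small check over an LDIF export of the user entries, in the shape `ldapsearch -LLL` prints, that reports which entries still lack posixAccount or one of the attributes NSS needs (uid, uidNumber, gidNumber, homeDirectory, loginShell); the two sample entries below are constructed.

```shell
#!/bin/sh
# Constructed LDIF, in the shape "ldapsearch -LLL" prints: "admin" carries
# everything NSS needs, "oper" still lacks posixAccount and loginShell.
SAMPLE_LDIF='dn: cn=admin,dc=webservers,dc=comme,dc=ca
objectClass: person
objectClass: posixAccount
cn: admin
uid: admin
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/admin
loginShell: /bin/bash

dn: cn=oper,dc=webservers,dc=comme,dc=ca
objectClass: person
cn: oper
uid: oper
uidNumber: 10002
gidNumber: 20001
homeDirectory: /home/oper'

# Read LDIF on stdin; print "<dn> OK" or "<dn> MISSING: ..." per entry.
# Exit status 1 if any entry would be invisible to getent/id.
check_posix_entries() {
    awk '
    function flush(   missing, req, n, i) {
        if (dn == "") return
        missing = ""
        if (!has["posixAccount"]) missing = missing " objectClass=posixAccount"
        n = split("uid uidNumber gidNumber homeDirectory loginShell", req, " ")
        for (i = 1; i <= n; i++) if (!has[req[i]]) missing = missing " " req[i]
        if (missing == "") print dn " OK"
        else { print dn " MISSING:" missing; bad = 1 }
        dn = ""; split("", has)
    }
    /^dn: /          { flush(); dn = substr($0, 5) }
    /^objectClass: / { has[$2] = 1 }                              # each objectClass
    /^[A-Za-z]+: /   { a = $1; sub(/:$/, "", a); has[a] = 1 }     # attribute present
    /^$/             { flush() }
    END              { flush(); exit bad }
    '
}

# Run the check over the constructed sample (real use: ldapsearch ... | check_posix_entries).
check_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | check_posix_entries
}
```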
====Configuring Linux to use LDAP====
Different distros ship an equivalent utility for this. On Red Hat it's **authconfig**; on Ubuntu it's **ldap-auth-config**. Once installed, run it once and it will configure your server to use LDAP for authentication. The config it generates does not work well for me, most likely due to some misconfiguration on my LDAP server, but that can be worked around by editing /etc/ldap.conf. Here is mine:
%%
base dc=webservers,dc=comme,dc=ca
uri ldap://192.168.13.10/
ldap_version 2
pam_password md5
%%
Notice that I did not configure LDAPS, so passwords are most likely transmitted in plaintext. You wouldn't want that in a production environment. Once the config is updated it takes effect immediately; no restart of anything is required.
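As an added example (not from the page), a shell check that flags the two weak settings in the config above, cleartext transport and LDAPv2, and passes on a TLS-enabled variant of the same client config; the hardened variant uses the pam_ldap/nss_ldap keys ssl, tls_checkpeer and tls_cacertfile, and its host name and CA path are assumptions.

```shell
#!/bin/sh
# Constructed copy of the /etc/ldap.conf shown above: cleartext, LDAPv2.
WEAK_CONF='base dc=webservers,dc=comme,dc=ca
uri ldap://192.168.13.10/
ldap_version 2
pam_password md5'

# The same client over LDAPS with the server certificate checked against a
# CA file. Host name and CA path are assumptions, not values from the page.
HARDENED_CONF='base dc=webservers,dc=comme,dc=ca
uri ldaps://ldap.example.invalid/
ldap_version 3
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
pam_password exop'

# Read a pam_ldap/nss_ldap config on stdin, print one finding per weak
# setting, return 1 if any was found.
audit_ldap_conf() {
    awk '
    /^[ \t]*#/ { next }                         # skip comments
    $1 == "uri"           { uri  = $2 }
    $1 == "ssl"           { ssl  = $2 }
    $1 == "ldap_version"  { ver  = $2 }
    $1 == "tls_checkpeer" { peer = $2 }
    END {
        enc = (substr(uri, 1, 8) == "ldaps://" || ssl == "start_tls" || ssl == "on")
        if (!enc) { print "cleartext: " uri " with no ssl on/start_tls"; bad = 1 }
        if (ver != "" && ver + 0 < 3) { print "ldap_version " ver " (use 3)"; bad = 1 }
        if (enc && peer != "yes") { print "tls_checkpeer is not yes: server cert unverified"; bad = 1 }
        exit bad
    }'
}

audit_weak()     { printf '%s\n' "$WEAK_CONF"     | audit_ldap_conf; }
audit_hardened() { printf '%s\n' "$HARDENED_CONF" | audit_ldap_conf; }
```

On a real box run `audit_ldap_conf < /etc/ldap.conf`.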
====Testing LDAP connection and authentication====
To test that my Linux box can now retrieve the uid / home directory / shell from the LDAP server:
%%
> getent passwd | grep admin
admin:*:10001:20001:admin:/home/admin:/bin/bash
> id oper
uid=10002(oper) gid=20001 groups=20001
%%
The next thing is of course to try to log in with the credentials on the LDAP server. For some reason authconfig did not take care of PAM for me, so I had to add the following lines to the PAM configuration:
On CentOS: /etc/pam.d/system-auth
%%(text;system-auth)
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
%%
On Ubuntu: the respective line goes into /etc/pam.d/common-auth, common-account and common-password
%%(text;respective file)
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
%%
That works for me on CentOS, but not on Ubuntu. The latter keeps saying my password is incorrect. I'll try to iron that out later on.