
Configuring OpenLDAP as a replacement for NIS

In a modern Linux environment it should be an easy task to use OpenLDAP as the central user database for authentication. Below I list the steps of the implementation.

The reference system is based on Slackware 13.37. Some packages may already be included in your Linux distribution but not in mine, so you may be able to skip the installation steps and jump straight to the configuration.

  • First, you may need to create sample user entries in your LDAP. You may use MigrationTools from PADL to convert your /etc/passwd, /etc/group, /etc/shadow, … into LDIF, or import them directly into your LDAP.
    • Modify migrate_common.ph to match your baseDN.
    • Run > ./migrate_passwd.pl /etc/passwd to have a look at what will be imported from your password file.
    • Run > ./migrate_group.pl /etc/group to have a look at what will be imported from your group file.
    • Sample LDIF:
      dn: cn=user123,ou=Group,dc=xyz,dc=xxx
      changetype: add
      objectClass: posixGroup
      objectClass: top
      cn: user123
      userPassword: {crypt}x
      gidNumber: 1000

      dn: uid=user123,ou=People,dc=xyz,dc=xxx
      changetype: add
      uid: user123
      cn: User 123
      objectClass: account
      objectClass: posixAccount
      objectClass: top
      objectClass: shadowAccount
      userPassword: {crypt}xxxxxxx
      shadowLastChange: 15384
      shadowMax: 99999
      shadowWarning: 7
      loginShell: /bin/tcsh
      uidNumber: 1000
      gidNumber: 1000
      homeDirectory: /home/user123
      gecos: User 123
  • Install nss_ldap:
    > ./configure --prefix=/usr/local/nss_ldap --with-ldap-conf-file=/usr/local/nss_ldap/etc/libnss_ldap.conf
    > make
    > make install
    

    In case you get ‘/bin/sh: vers_string: command not found’ when building nss_ldap, include the current directory in your PATH (export PATH=.:${PATH}) before running make.

  • nss_ldap reads /usr/local/nss_ldap/etc/libnss_ldap.conf for its LDAP connection parameters; at a minimum, modify the base DN to match your site configuration. Also set bind_policy to soft so that lookups do not block when the LDAP server is down.
    host 127.0.0.1
    base dc=xyz,dc=xxx
    binddn cn=libnssManager,ou=systemObject,dc=xyz,dc=xxx (optional)
    bindpw xxxxxxx (optional)
    bind_policy soft (optional)
    
  • As for my site configuration, modify /etc/nsswitch.conf as follows:
    passwd:         files ldap
    group:          files ldap
    
  • You may now test your nss_ldap configuration for correctness. For this example, remove user123 from /etc/passwd, /etc/group and /etc/shadow, then try su - user123 (assuming you are root) and run id. If you can switch to user123 and get the user's id information successfully, the setup of nss_ldap is finished. Or simply run getent passwd.
  • Install pam_ldap:
    > ./configure --prefix=/usr/local/pam_ldap --with-ldap-conf-file=/usr/local/pam_ldap/etc/pam_ldap.conf
    > make
    > make install
    

    In case you get ‘/bin/sh: vers_string: command not found’ when building pam_ldap, include the current directory in your PATH (export PATH=.:${PATH}) before running make.

  • Update the configuration in /usr/local/pam_ldap/etc/pam_ldap.conf, setting a suitable base DN and bind parameters, and set bind_policy to soft so that authentication does not block when the LDAP server is down.
    host 127.0.0.1
    base dc=xyz,dc=xxx
    binddn cn=pamManager,ou=systemObject,dc=xyz,dc=xxx (optional)
    bindpw xxxxxxx (optional)
    bind_policy soft (optional)
    
  • Create /etc/pam.d/other as follows:
    #%PAM-1.0
    auth     required       pam_deny.so
    account  required       pam_deny.so
    password required       pam_deny.so
    session  required       pam_deny.so
    

    This denies all PAM access by default.

  • For a better security posture, you may add dedicated bind accounts and an ACL as follows:
    dn: ou=systemObject,dc=q-station,dc=net
    changetype: add
    objectclass: organizationalunit
    ou: systemObject
    description: system object
    
    dn: cn=libnssManager,ou=systemObject,dc=q-station,dc=net
    changetype: add
    objectclass: top
    objectclass: simpleSecurityObject
    objectclass: organizationalRole
    cn: libnssManager
    userPassword: {SSHA}814COSqesQupX5Bh0JSpKipPf3G6+VnJ
    
    dn: cn=pamManager,ou=systemObject,dc=q-station,dc=net
    changetype: add
    objectclass: top
    objectclass: simpleSecurityObject
    objectclass: organizationalRole
    cn: pamManager
    userPassword: {SSHA}6Fe9ff8YI83BNfpyN8AUf2qdxrn8V8XM
    
    dn: olcDatabase={1}bdb,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: to attrs=userpassword
       by self write
       by dn="cn=libnssManager,ou=systemObject,dc=q-station,dc=net" read
       by anonymous auth
       by * none
    olcAccess: to *
       by self write 
       by dn="cn=libnssManager,ou=systemObject,dc=q-station,dc=net" read
       by dn="cn=pamManager,ou=systemObject,dc=q-station,dc=net" read
       by users read
       by anonymous auth
       by * none
    
    Then update binddn & bindpw in /usr/local/nss_ldap/etc/libnss_ldap.conf and /usr/local/pam_ldap/etc/pam_ldap.conf to use these accounts.
    
  • In case you have any problem, turn on *.* for /var/log/debug in /etc/syslog.conf and kill -HUP the syslogd. You can then debug your setup from the debug log.
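A pre-import check for the migration LDIF above and for the step that removes user123 from the local files, as an added example (not code from the page or from MigrationTools). It assumes the plain "attr: value" LDIF that migrate_passwd.pl emits and works on constructed sample data.

```python
# Added example (not from the page or MigrationTools): pre-import checks on LDIF from
# migrate_passwd.pl. Minimal parser: plain "attr: value" lines. Samples are constructed.
SAMPLE_LDIF = """\
dn: uid=user123,ou=People,dc=xyz,dc=xxx
uid: user123
cn: User 123
objectClass: posixAccount
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user123

dn: uid=svc,ou=People,dc=xyz,dc=xxx
uid: svc
objectClass: posixAccount
uidNumber: 0
"""
# Constructed /etc/passwd: user123 has not yet been removed from the local file.
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
user123:x:1000:1000:User 123:/home/user123:/bin/tcsh
"""
REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")  # posixAccount MUST

def parse_ldif(text):
    """Entries as {lowercased attr: [values]}; a blank line separates entries."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:      # sentinel flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def check_entries(ldif_text, passwd_text):
    """Problems found; an empty list means the LDIF can be imported next to files."""
    rows = [l.split(":") for l in passwd_text.splitlines() if l.strip()]
    names, uids = {r[0] for r in rows}, {r[2] for r in rows}
    problems = []
    for e in parse_ldif(ldif_text):
        if "posixaccount" not in map(str.lower, e.get("objectclass", [])):
            continue                            # only posixAccount entries feed passwd lookups
        dn, uid_num = e["dn"][0], e.get("uidnumber", [""])[0]
        problems += [f"{dn}: missing {a}" for a in REQUIRED if a.lower() not in e]
        if uid_num == "0":
            problems.append(f"{dn}: uidNumber 0; root should stay in local files")
        if e.get("uid", [""])[0] in names or uid_num in uids:
            problems.append(f"{dn}: collides with a local /etc/passwd entry")
    return problems
```

With "passwd: files ldap", a user present in both places is resolved from files first, so a collision hides the LDAP entry rather than producing an error.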
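To see who the olcAccess rules above actually let read userPassword, here is a simplified model of slapd's access evaluation order, as an added example (not slapd code or the page's own). It assumes only the selectors those two clauses use and a constructed user DN under the same suffix.

```python
# Added example (not slapd code): a simplified model of how slapd evaluates the two
# olcAccess clauses above, to check what their ordering grants to each requestor.
# Only the <by> selectors those clauses use are modelled: self, dn=, users, anonymous, *.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
NSS = "cn=libnssManager,ou=systemObject,dc=q-station,dc=net"
PAM = "cn=pamManager,ou=systemObject,dc=q-station,dc=net"

# Clauses in slapd order: the first <to> that covers the attribute is the only one used.
ACL = [
    # to attrs=userpassword
    ({"userpassword"}, [("self", "write"), ("dn:" + NSS, "read"),
                        ("anonymous", "auth"), ("*", "none")]),
    # to *   (None = covers every attribute)
    (None, [("self", "write"), ("dn:" + NSS, "read"), ("dn:" + PAM, "read"),
            ("users", "read"), ("anonymous", "auth"), ("*", "none")]),
]

def selector_matches(selector, requestor, target_dn):
    """requestor is the bound DN, or None for an anonymous connection."""
    if selector == "*":
        return True
    if selector == "anonymous":
        return requestor is None
    if selector == "users":
        return requestor is not None
    if selector == "self":
        return requestor is not None and requestor.lower() == target_dn.lower()
    if selector.startswith("dn:"):
        return requestor is not None and requestor.lower() == selector[3:].lower()
    raise ValueError("unsupported selector: " + selector)

def granted_level(requestor, target_dn, attr):
    """Level slapd grants requestor on attr of target_dn."""
    for attrs, by_clauses in ACL:
        if attrs is not None and attr.lower() not in attrs:
            continue                  # this <to> clause does not cover the attribute
        for selector, level in by_clauses:
            if selector_matches(selector, requestor, target_dn):
                return level          # first matching <by> wins; later ones are never tried
        return "none"                 # <to> matched but no <by> did: implicit "by * none"
    return "none"

def allowed(requestor, target_dn, attr, needed):
    """True if the granted level is at least what the operation needs."""
    return LEVELS.index(granted_level(requestor, target_dn, attr)) >= LEVELS.index(needed)

if __name__ == "__main__":
    user = "uid=user123,ou=People,dc=q-station,dc=net"
    print("pamManager can read a password hash:", allowed(PAM, user, "userPassword", "read"))
    print("anonymous can read uidNumber:       ", allowed(None, user, "uidNumber", "read"))
```

The model shows that pamManager is never granted read on userPassword (pam_ldap verifies passwords by binding as the user, which only needs auth), and that an anonymous client cannot read uidNumber, which is why libnss_ldap.conf needs the binddn set.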