It should be an easy task in modern linux environment to use openldap as a central user database for authentication.\u00a0 I try to list out the steps about the implementation.<\/p>\n
The reference system is base on Slackware 13.37. Some packages may already included in your Linux distribution but not for mine. So, you may skip the installation process and jump to the configuration process.
\n<\/p>\n
\r\n
\r\n> .\/configure --prefix=\/usr\/local\/nss_ldap --with-ldap-conf-file=\/usr\/local\/nss_ldap\/etc\/libnss_ldap.conf\r\n> make\r\n> make install\r\n<\/pre>\nIn case, you’ve got ‘\/bin\/sh: vers_string: command not found’ when building the nss_ldap, please include current directory in your PATH, export PATH=.:${PATH} before run make.<\/strong>\n<\/li>\n
- nss_ldap will look up \/usr\/local\/nss_ldap\/etc\/libnss_ldap.conf<\/strong> for LDAP connection parameter, at least, modify the base DN to match your site configuration. Also, modify bind_policy to soft<\/strong> to prevent blocking response when LDAP is down.\n
\r\nhost 127.0.0.1\r\nbase dc=xyz,dc=xxx\r\nbinddn cn=libnssManager,ou=systemObject,dc=xyz,dc=xxx (optional)\r\nbindpw xxxxxxx (optional)\r\nbind_policy soft (optional)<\/em>\r\n<\/pre>\n<\/li>\n- As for my site configuration, modify <\/strong>\/etc\/nsswitch.cong<\/strong> as follow:\n
\r\npasswd: files ldap\r\ngroup: files ldap\r\n<\/pre>\n<\/li>\n- You may test your nss_ldap configuration for correctness now. As for this example, you need to remove user123<\/strong> in \/etc\/passwd, \/etc\/group & \/etc\/shadow<\/strong> and then you may try su – user123<\/strong> (assume you are root now) and running id<\/strong>. If you could switch to the user123 and get the id information of the user successfully then you’ve finished the setup of nss_ldap. Or simply running getent passwd<\/strong><\/li>\n
- Install pam_ldap<\/a>:\n
\r\n> .\/configure --prefix=\/usr\/local\/pam_ldap --with-ldap-conf-file=\/usr\/local\/pam_ldap\/etc\/pam_ldap.conf\r\n> make\r\n> make install\r\n<\/pre>\nIn case, you’ve got ‘\/bin\/sh: vers_string: command not found’ when building the pam_ldap, please include current directory in your PATH, export PATH=.:${PATH} before run make.<\/strong>\n<\/li>\n
- update configuration in \/usr\/local\/pam_ldap\/etc\/pam_ldap.conf<\/strong>, setting suitable base DN and binding parameter and modify bind_policy to soft<\/strong> to prevent blocking response when LDAP is down.\n
\r\nhost 127.0.0.1\r\nbase dc=xyz,dc=xxx\r\nbinddn cn=pamManager,ou=systemObject,dc=xyz,dc=xxx (optional)\r\nbindpw xxxxxxx (optional)\r\nbind_policy soft (optional)<\/em>\r\n<\/pre>\n<\/li>\n- Create \/etc\/pam.d\/other as follow:\n
\r\n#%PAM-1.0\r\nauth required pam_deny.so\r\naccount required pam_deny.so\r\npassword required pam_deny.so\r\nsession required pam_deny.so\r\n<\/pre>\nwhich deny all PAM access by default.<\/p>\n
- For better security measure, you may add additional ACL as follow:\n
\r\ndn: ou=systemObject,dc=q-station,dc=net\r\nchangetype: add\r\nobjectclass: organizationalunit\r\nou: systemObject\r\ndescription: system object\r\n\r\ndn: cn=libnssManager,ou=systemObject,dc=q-station,dc=net\r\nchangetype: add\r\nobjectclass: top\r\nobjectclass: simpleSecurityObject\r\nobjectclass: organizationalRole\r\ncn: libnssManager\r\nuserPassword: {SSHA}814COSqesQupX5Bh0JSpKipPf3G6+VnJ\r\n\r\ndn: cn=pamManager,ou=systemObject,dc=q-station,dc=net\r\nchangetype: add\r\nobjectclass: top\r\nobjectclass: simpleSecurityObject\r\nobjectclass: organizationalRole\r\ncn: pamManager\r\nuserPassword: {SSHA}6Fe9ff8YI83BNfpyN8AUf2qdxrn8V8XM\r\n\r\ndn: olcDatabase={1}bdb,cn=config\r\nchangetype: modify\r\nreplace: olcAccess\r\nolcAccess: to attrs=userpassword\r\n by self write\r\n by dn=\"cn=libnssManager,ou=systemObject,dc=q-station,dc=net\" read\r\n by anonymous auth\r\n by * none\r\nolcAccess: to *\r\n by self write \r\n by dn=\"cn=libnssManager,ou=systemObject,dc=q-station,dc=net\" read\r\n by dn=\"cn=pamManager,ou=systemObject,dc=q-station,dc=net\" read\r\n by users read\r\n by anonymous auth\r\n by * none\r\n\r\nupdate binddn & bindpw in \/usr\/local\/nss_ldap\/etc\/libnss_ldap.conf & \/usr\/local\/pam_ldap\/etc\/pam_ldap.conf\r\n<\/pre>\n<\/li>\n<\/li>\n- In case, if you are having any problem, please turn on *.* for \/var\/log\/debug in \/etc\/syslog.conf and kill -HUP the syslogd. You could debug your setup in debug log.\n<\/ul>\n