Centralized user authentication with OpenLDAP and PAM

[Koon]

-IMPORTANT NOTICE-
This howto was written for an old version of OpenLDAP, DirectoryAdministrator and else. It's awfully deprecated and does not work as is. You should use the (current and maintained) Gentoo Guide to OpenLDAP Authentication instead. If you need help, you should post to the Networking forum. If you find a problem in that (official) doc, please file a Documentation bug. For those that choose to ignore that warning and use this howto, you might find this post interesting, as it details what user weyhan did to have it working.
-IMPORTANT NOTICE-

-----------------------------------------------------------------------------
This setup is useful if you manage multiple systems and want all of them to share the same user/passwords.

Server setup

Install openldap :

[prophetx2]

wow thanks for this, it's exactly what I'm looking for. I'm going to try this maybe next week when I get my new box =)

[snafoo]

some notes: i think the rootpw entry is incorrect, should use output from slappasswd and the base.ldif should contain:


dn: dc=a2t,dc=com
dc: a2t
objectClass: top
objectClass: domain

for your domain obviously

hope this helps the readers

-snafoo

[Koon]

[El_Presidente_Pufferfish]

Hrm...would this work on a laptop that leaves the network often?
or is this only for computers that are always on the same network?

[Koon]

[Koon]

The system-auth file in the original post was incomplete (missing the auth, session and account sections).

This has been corrected in the original post.

-K

[StrCrssd]

Can you please post an example ldif? directoryadministrator keeps crashing on me, and I don't know exactly what fields to include in my user ldif files.
_________________
StrCrssd

Give a man enough rope, he'll hang himself. Teach a man to make rope, he'll hang other people.

[Koon]

[StrCrssd]

Wonderful.

I appreciate your help.
_________________
StrCrssd

Give a man enough rope, he'll hang himself. Teach a man to make rope, he'll hang other people.

[Sasun]

The best guide to setup LDAP for user auth is on

http://www.mandrakesecure.net/en/docs/ldap-auth2.php

too bad that the site is down but the google cash is available:

http://216.239.53.104/search?q=cache:5jgAEQWmmaMJ:www.mandrakesecure.net/en/docs/ldap-auth2.php+&hl=en&ie=UTF-8

It is the only guide that is worth reading, and includes details how to migrate and stay compatible with md5 /etc/shadow passwords, how to increase security etc.

[Shizatoga]

First I'd like to thank Koon for this great, bumpable, howto.
To consoladate this information I'll ask my question here. Does anyone know how to set up /etc/pam.d/passwd to change user's passwords in ldap? I've looked around and all the examples I've found don't work, all I get is some form of error complaining about tokens.

[Shizatoga]

Apparently upgrading to openldap 2.1 fixed this, go figure.

[adamtheo]

I'm reading in the OpenLDAP config file docs that the following is an acceptable option, and supposedly means a Berkeley DB backend for storing the directory info:

[adamtheo]

Nevermind, I found out the solution to the below problem was to chown the database directory to the ldap user. Thanks anyway.

I have successfully installed and started OpenLDAP so far, but when I get to importing the "/root/base.ldif" file, I get this error:

[Koon]

[erebus]

Hi ya... I've spent the last few hours trying to implement ldap on my new system and have found your guide very helpful..

But I've run into a few problems. I've created a user in ldap called andrew and a group called users and this seems to work fine. But when I try to modify this use using the standard linux commands, say usermod to add a group.. e.g.;

[erebus]

Ahh well I've managed to get things sorted regards the group front (you mearly add all the users you want in a particular group to the group data rather than adding the group to the user data)..

But if anyone else is having difficultly.. I can recommend emerging migrationtools.. its a set of perl scripts to automatically convert over you local file groups, passwd, hosts and a load of other things.. Worked like charm for me.

[Koon]

Yes, usermod is used to manipulate the standard Unix files (like useradd and others). You have to use an LDAP-specific solution to manage your LDAP-defined users & groups. I recommend directoryadminsitrator (it's not perfect, but better than nothing).

-K

[adamtheo]

RESOLVED: It seems I had an error in my /etc/hosts file, which was causing all local LDAP clients to hang when looking up the LDAP hostname. The error was having the wrong LAN IP address (192.168....) point to the domain name.

I had this setup working before, but decided to uninstall and try something different.

I have now set up my slapd.conf file as so:

[adamtheo]

Hello, again. It seems that getting past that last hurdle only got me into another one. Now I have the local LDAP clients accessing the LDAP directory. I have put slapd in debug mode, and watch as I try to log in with a regular user, or run the getent command. I see activity, but in the case of logging in, the password is rejected. And in the case of getent, the users and groups in the LDAP directory are not displayed.
_________________
* Theoretic Solutions "The Internet's Open Think-Tank" - http://www.theoretic.com

[Koon]

[bueno]

hello,

i've a prbl

i've emerge openldap and i've tupe hostname...I obtain "sqall.maryblue.homeip.net"

I've type this to create the root pass :

[Carlo]

bueno: Comment out the TLS lines, to ensure that this isn't your problem.


Carlo
_________________
Please make sure that you have searched for an answer to a question after reading all the relevant docs.

[adamtheo]

RESOLVED!!! See next post by me. Thanks Koon and all for the help!

Koon:

Hereis the output of slapd when started in debug mode 768 and running "getent passwd":