With CakePHP 2.0 the authentication system has been completely redesigned to allow for extending the Auth component to allow other methods of authentication and authorization.  I finally sat down last weekend and updated my LDAPAuth component to work with the new version.  While I was doing it I added a few new features that people had been asking for. Also by updating this component I ended up also updating the Ldap Datasource. This included a lot of code cleanup as well.

You can get the new code at https://github.com/analogrithems/idbroker/tree/dev_cake2.0

To get things going download the idbroker code from github and place it in your  plugin folder App/Plugin/Idbroker pay attention to the new capital first letter.  This is a new convention for the CakePHP 2.0 to help in automatic class loading.

Now in your App/Controller/AppController.php you need a minimal of the following

<?php
class AppController extends Controller {
        var $components = array('Auth', 'Session', 'RequestHandler');

        var $user;

        function beforeFilter(){
                global $menus;
                $this->Auth->authenticate = array('Idbroker.Ldap'=>array('userModel'=>'Idbroker.LdapAuth'));
                //If you want to do your authorization from the isAuthorized Controller use the following
                $this->Auth->authorize = array('Controller');
        }

        /*
        * This just says aslong as this is a valid user let them in, you can also modify this to restrict to a group
        */
        public function isAuthorized(){
                $user = $this->Auth->user();
                if($user) return true;
                return false;
        }
}

Notice:That in the components you define the Auth component. This is making all your controllers register the authentication component. In the beforeFilter you are specifically stating you want to use the Idbroker’s Ldap Auth. Then you’re also telling your app to use the prepackaged model for the LDAP component.

The next step is to configure your Users controller and your views.

In your /App/Controller/UsersController.php

<?php
class UsersController extends AppController {
        var $name = 'Users';

        /*
        * Make sure to define which functions don't require auth to be accessed
        */
        function beforeFilter(){
                $this->Auth->allow('usernameExists', 'forgotPassword', 'signup','login','logout');
                parent::beforeFilter();
        }

        function login(){
                if ($this->request->is('post')) {
                        if ($this->Auth->login()) {
                                return $this->redirect($this->Auth->redirect());
                        } else {
                                $this->Session->setFlash(__('Username or password is incorrect'), 'default', array('class'=>'error-message'), 'auth');
                        }
                }
        }

        function logout(){
                $this->log("Destroying session",'debug');
                $this->Session->destroy();
                $this->redirect($this->Auth->logout());
        }
}

You’ll notice compared to previous version of the authcomponent you used to just have the Auth component automatically do the auth, now you actually call $this->Auth->login() to get it to actually check the username and password and run the login logic.

We’re not done yet, we also need to create our view /App/View/Users/login.ctp

<div id='loginForm'>
<?php
        echo $this->Session->flash('auth');
        echo $this->Form->create('Users', array('action' => 'login'));
        echo $this->Form->input('username');
        echo $this->Form->input('password',array('value'=>''));
        echo $this->Form->input('remember',array('type' => 'checkbox', 'label' => 'Remember me'));
        echo $this->Form->submit('Login');
?>
</div>

Last piece to tie this all together is telling your application how to access your LDAP server. Add something like this to youyr /App/Config/database.php

<?php
class DATABASE_CONFIG {
        public $ldap = array (
                        'datasource' => 'Idbroker.LdapSource',
                        'host' => 'localhost',
                        'port' => 389,
                        'basedn' => 'DC=example,DC=com',
                        'login' => 'CN=Manager,DC=example,DC=com',     //For Proxy Userdn
                        'password' => 'LdapPassword',  //For Proxy UserDN password
                        'database' => '',
                        'tls'         => false,
                        'type' => 'OpenLDAP', //Available types are 'OpenLDAP', 'ActiveDirectory', 'Netscape'
                        'version' => 3
        );
}

And in your /App/Config/bootstrap.php add the following to the very bottom

CakePlugin::load('Idbroker');
Configure::load('ldap');

These two lines tell your app to first load the Idbroker plugin and then load the ldap config file which you will create next.

Then create an ldap config file /App/Config/ldap.php with the following. This config file will configure how Ldap is used through out your app.

/**
 * LDAP Settings
 *
 */
        $config['LDAP']['Db']['Config'] = 'ldap'; //What is the name of the db config that has the LDAP credentials
        $config['LDAP']['User']['Identifier'] = 'uid'; //What is the LDAP attribute that identifies the username attribute,
                                                       // openldap, iplant, netscapr use uid, AD uses samaccountname
        $config['LDAP']['Group']['Identifier'] = 'cn'; //What is the LDAP attribute that identifies the group name, usually cn
        $config['LDAP']['Model'] = 'Idbroker.LdapAuth'; //Default model to use for LDAP components
        $config['LDAP']['LdapAuth']['Model'] = 'Idbroker.LdapAuth';
        $config['LDAP']['LdapAuth']['MirrorSQL']['Users'] = 'User'; //A SQL table to duplicate ldap records in for user
        $config['LDAP']['LdapAuth']['MirrorSQL']['Groups'] = 'Group'; //A SQL table to duplicate LDAP records in for groups
        $config['LDAP']['LdapACL']['Model'] = 'Idbroker.LdapAcl';
        $config['LDAP']['LdapACL']['groupType'] = 'group';
        $config['LDAP']['groupType'] = 'groupofuniquenames'; //What object class do you use for your groups?
        $config['LDAP']['Group']['behavior']['tree']['parent_id'] = '49db8df1-5e74-4e91-b15f-4d33e927f14e'; //Are you using a tree behavior?  Need to set the default parent_id?

That last part was a lot, not all of that is needed. Really just the first line is $config['LDAP']['Db']['Config'] = ‘ldap’; – this part tells your application which database config to use for LDAP. The other config options are for new extended features that I will explain below.

When creating this plugin I made use of the new extended features to allow you to use the HTTP basic authentication. In this method you can actually pass your username and password credentials in the http request header. This is useful for allowing command line tools like wget & curl to access authorized parts of your application. It is also used for rest applications.

Another new features that has been added to this Auth Component is the ability to have Ldap Auth mirror a SQL table. What this means is that if you really want to have your user information in SQL but just have authentication come from Ldap you can do that. You need to add the following configuration options to the bootstrap.php These tell it which Models to use to mirror the data to and what the LDAP identifiers are for the data.

        $config['LDAP']['LdapAuth']['MirrorSQL']['Users'] = 'User'; //A SQL table to duplicate ldap records in for user
        $config['LDAP']['LdapAuth']['MirrorSQL']['Groups'] = 'Group'; //A SQL table to duplicate LDAP records in for groups
        $config['LDAP']['User']['Identifier'] = 'uid'; //What is the LDAP attribute that identifies the username attribute,
                                                       // openldap, iplant, netscapr use uid, AD uses samaccountname
        $config['LDAP']['Group']['Identifier'] = 'cn'; //What is the LDAP attribute that identifies the group name, usually cn

Have a question?

Discuss it in the CakePHP 2.0 Ldap Plugin Forum

Share on Facebook

Here is an awesome script I found to change the admin password on all the computers in your domain.  It uses a simple visual basic object to search for all the computers in your domain’s Active Directory then loops through each computer and sets a new password for the Administrator account.

On Error Resume Next
rem http://blogs.technet.com/b/heyscriptingguy/archive/2007/07/03/how-can-i-change-the-local-administrator-password-on-all-my-computers.aspx
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name From 'LDAP://DC=hilohattie,DC=com' Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    strComputer = objRecordSet.Fields("Name").Value

    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword "P0dvd1h@te"

    objRecordSet.MoveNext
Loop

Share on Facebook

It’s been over a year since I wrote the first version of the CakePHP LdapAuth & Ldap Datasource. What I’ve learned over the last year is that a simple component & datasource is not enough and it should really be a full plugin. So I started working on Idbroker. The new plugin offers the following

* A ldap Datasource that bad been tested with Iplanet, Netscape Directory Server, OpenLDAP & Active Directory

* A revised Ldap Auth component that works with CakePHP 1.3

* A simple application (Which is still in development) that uses both and will give great examples of how to use.

Using this plugin you can get Ldap authentication in CakePHP.

To get started place a copy of the plugin in your plugins directory. Simplest way is to clone it from github

git clone https://github.com/analogrithems/idbroker

Auth LDAP

To make use of the LDAPAuth,

1) Add the following to either the controller you want to add LDAPAuth to or to app_controller to give all our controllers LDAPAuth

var $components = array( 'Idbroker.LDAPAcl'=>array('groupType'=>'group'), 'Idbroker.LDAPAuth');

For the groupType, this really has to do with how your LDAP group objectClass is. For active directory your groupType will be ‘group’ for most other LDAP v# implementations it will be either posixGroup (If the group stores membership info as memberUid=jdoe) or groupOfNames( if your group stores membership info as uniquemember=cn=jdoe,ou=people,dc=example,dc=com). If not set, it defaults to groupOfNames. If you are using Active Directory, set this to ‘group’

2) Add the LDAP settings to your /APP/config/database.php
Now we need to get the LDAP settings plugged into the database.php file. This hasn’t changed much since the last version.

<?php
class DATABASE_CONFIG {
	var $ldap = array (
			'datasource' => 'Idbroker.Ldap',
			'host' => 'ldap.example.com',
			'port' => 389,
			'basedn' => 'DC=example,DC=com',
			'login' => 'CN=authservice,CN=Users,DC=example,DC=com',     //For Proxy Userdn Active Directory and sometimes iPlanet require this
			'password' => 'superSecretPassword',  //For Proxy UserDN password
			'database' => '',
			'tls'      => false, //If you are using TLS encryption set to true.
			'type' => 'ActiveDirectory', //Available types are 'OpenLDAP', 'ActiveDirectory', 'Netscape'
			'version' => 3
	);
}
?>

3) The last step is to setup the LDAP settings. Create a file called /APP/config/ldap.php with the following. See comments for explanation of vars

<?php
/**
 * LDAP Settings
 *
 */
	$config['LDAP']['Db']['Config'] = 'ldap'; //What ever the config was called in the database.php file, defaults to ldap if not specified
	$config['LDAP']['User']['Identifier'] = 'samAccountName'; //The LDAP attribute that holds the username, defaults to uid, use samaccountname for AD
	$config['LDAP']['LdapAuth']['Model'] = 'Idbroker.LdapAuth'; //The model to use for the LDAPAuth Component, Should probably just set it to 'Idbroker.LdapAuth for must users
	$config['LDAP']['LdapACL']['Model'] = 'Idbroker.LdapAcl';  //The model to use for the developing LDAPAcl don't change unless you know what your doing
	$config['LDAP']['LdapACL']['groupType'] = 'group'; //group type refers to the group objectclass your ldap server uses.  can also be overwriten in the components array
?>

add the following to the bottom of /APP/config/core.php

//Ldap Config
Configure::load('ldap');

Share on Facebook

So I’ve been trying to find a good way to discover the schema path in LDAP that would work across Netscape style ldap servers as well as Active Directory.  See the problem is each one hides their schema path in a different place.  Netscap style servers (Redhat-DS, Project 389, iPlanet, Sun One, etc) use ‘cn=schema’, while openldap has been known to use ‘cn=subschema’ and Active Directory uses  'CN=Schema, CN= Configuration, DC=forest_root_domain' this makes it really difficult to create a universal tool that can find any schema path.  In the past I would lift code from the PhpLDAPAdmin tool, but even they changed their methods.  Usually you get stuck using several case statements.  Recently I discovered a way to do a query to the Root DSE and have it just tell you where it has stored it’s schema data.   Use the subschemaSubentry to tell you exactly where the schema path is.

Here is an example of how to get it in PHP

$checkDN = @ldap_read($this->database, ”, ‘objectClass=*’);
$schemaEntry = ldap_get_entries($this->database, $checkDN);
$SchemaDN = $schemaEntry[0]['subschemaSubentry'];

Share on Facebook

So I was looking for a way to authenticate against LDAP with cake but I’ve found that it doesn’t support it by default. I found one that checks the auth against ldap then creates a local mysql account. This also didn’t use a actual ldap data sourc e either, it just handeled it’s own ldap connection. After I read through the standard cakphp auth component I saw that it wouldn’t be that hard to write an LDAP based auth component.

First you need to download this file ldap_auth.php to your ‘app/controllers/components/’ directory.

Then just like the original auth component you add that component to a model. I followed the usual auth example and created a model called Users.php like so

If some of these options are odd looking please have a look at my ldap data source post.

Next you are going to need your controller. Here is the one I used It defines the required functions like login, logout & authorize.

redirect($this->LdapAuth->logout());
	}

        function isAuthorized() {
                return true;
        }

}
?>

7

Share on Facebook

I’ve been using CakePHP for a while now and I’ve been thinking for a while it was time to see if I could give something back. As an IT leader I’m in love with LDAP. It makes life so simple for me and my team. The big downside to LDAP is it’s not very easy to learn how all the objectClasses and attributes work with various applications. Microsoft has eliminated this with the Microsoft Management Console (MMC). It amazes me that no open source project has developed a tools such as this before. I’ve worked on a open source tool in the past that was a web interface wrapper around ldap to do account management, so I’m familiar with the requirements such an application should have. Being that CakePHP is so powerful, I wanted to see if I could do this with that.

When I first started, I realized that CakePHP didn’t have an LDAP data source officially supported yet. I did find two articles about some good attempts. One by euphrate, unfortunately this one was only for reading from ldap. The second one was by Gservat, this one was a bit more complete, but was not really working for me and as i read from his comments many others. I think we wrote his for CakePHP 1.1. Since I wanted to use Current cake 1.2.8xxx I set out to use this as my start and fix/extend it.

Before we get started I want to state the environment I was using to do my work was Redhat Enterprise 5.2 & Fedora 10 (Work requirement) with redhat directory server 8.1 and Fedora directory server 1.2. Now while LDAP is a standard protocol, some of the driver may have become centric to those platforms, so if this is the case, please leave me a comment and I will try to correct the ldap data source I’m working on. My hope is to get ldap as an offical CakePHP data source. With that said the reason i call this a living example is because I’ve continued to upgrade and improve this data source as well as this article. Some of the next features I want to implement is data associations. Basically has and belongs to many relations. This way when you look up an user account it also shows you all the groups that user is in. This will take some time but I’ll get there. This work is all being done in the hopes that I can use this data source and CakePHP to build a really user friendly web interface for managing enterprise LDAP infrastructures without a whole lot of LDAP knowledge.

6/1/2011 – This datasource has gotten picked up by the CakePHP core guys and they may be officially adding it in the future.  I’ve also added some changes to support Active Directory better.

4/15/2010 – Made several changes to the code to hopefully play nicely with active directory.  Tested it with CakePHP-1.3 everything looks good.  Please test and leave feedback.  The new datasource requires you to add a new field to the database.cfg ldap entry.  See the config below

8/20/2009 – New Home for the source. I’ve got this datasource in my github tree now http://github.com/analogrithems/idbroker/tree/master/models/datasources enjoy, and feel free to submit bugs or request there.

7/13/2009 – updated ldap_source.php to make better use of the debug describe code. Also fixed the way things update. Only update what has changed instead of whole record. This will help with LDAP aci rules when logging in as non-admin users and trying to do things like update your userpassword or email.

6/20/2009 – Updated ldap_source.php to work with OpenLDAP 2.3 schema system. First it will try ‘cn=schema’, if that doesn’t return any results then it looks for schemas in ‘cn=subschema’ this make sure the code will work with OpenLDAP as well as the Netscape based versions like iPlanet, Redhat Directory Server, Fedora Directory Server etc.

First things first, here is my ldap data source for CakePHP. You will need to download this ldap_source.php to your ‘app/models/datasources/’ directory.

So lets dive right in below is the database config we will use.

<?php
class DATABASE_CONFIG {
var $ldap = array (
 		'datasource' =--> 'ldap',
		'host' => 'localhost',
		'port' => 389,
		'basedn' => 'dc=examnple,dc=com',
		'login' => '',
		'password' => '',
		'database' => '',
                'tls'         => false,
                'type' => 'Netscape', //Available types are 'OpenLDAP', 'ActiveDirectory', 'Netscape'
		'version' => 3
	);
}
?>

You notice that the variables database, login and password are blank. Keep at least database this way. You can populate login and password if don’t want your ldap connections to be anonymous. I keep mine blank because I have written my own auth component that uses ldap, So once I’m authed that gets passed to the datasource instead. This is a ugly hack that I’ve written another post about.

Please note that if you are using Redhat directory server, iPlanet or Fedora Project 389 then the type is Netscape as these all evolved off the Netscape LDAP server code base.  The other available types are ‘OpenLDAP’ or ‘ActiveDirectory’  (case matters).

Here is our people model for accessing the users in your LDAP tree.

<?php
class Person extends AppModel {
        var $name = 'Person';
        var $useDbConfig = 'ldap';

        // This would be the ldap equivalent to a primary key if your dn is
        // in the format of uid=username, ou=people, dc=example, dc=com
        var $primaryKey = 'uid';

        // The table would be the branch of your basedn that you defined in
        // the database config
        var $useTable = '';

        var $validate = array(
                'cn' => array(
                        'alphaNumeric' => array(
                                'rule' => array('custom', '/^[a-zA-Z ]+$/'),
                                'required' => true,
                                'on' => 'create',
                                'message' => 'Only Letters, Numbers and spaces	 can be used for Display Name.'
                        ),
                        'between' => array(
                                'rule' => array('between', 5, 40),
                                'on' => 'create',
                                'message' => 'Between 5 to 40 characters'
                        )
                ),
                'sn' => array(
                                'rule' => array('custom', '/^[a-zA-Z]*$/'),
                                'required' => true,
                                'on' => 'create',
                                'message' => 'Only Letters and Numbers can be used for Last Name.'
                ),
                'userpassword' => array(
                                'rule' => array('minLength', '8'),
                                'message' => 'Mimimum 8 characters long.'
                ),
                'uid' => array(
                                'rule' => array('custom', '/^[a-zA-Z0-9]*$/'),
                                'required' => true,
                                'on' => 'create',
                                'message' => 'Only Letters and Numbers can be used for Username.'
                )
        );
}
?>

Here is a very basic controller to accompany our people model. It demonstrates the important core functions and should get you started on using this data source with your own application.

<?php
class PeopleController extends AppController {

	var $name = 'People';
	var $components = array('RequestHandler', 'Ldap');
	var $helpers = array('Form','Html','Javascript', 'Ajax');

	function add(){
		if(!empty($this->data)){
			$this->data['Person']['objectclass'] = array('top', 'organizationalperson', 'inetorgperson','person','posixaccount','shadowaccount');

			if($this->data['Person']['password'] == $this->data['Person']['password_confirm']){
				$this->data['Person']['userpassword'] = $this->data['Person']['password'];
				unset($this->data['Person']['password']);
				unset($this->data['Person']['password_confirm']);

				if(!isset($this->data['Person']['homedirectory'])&& isset($this->data['Person']['uid'])){
					$this->data['Person']['homedirectory'] = '/home/'.$this->data['Person']['uid'];
				}

				$cn = $this->data['Person']['cn'];
				if ($this->Person->save($this->data)) {
					$this->Session->setFlash($cn.' was added Successfully.');
					$id = $this->Person->id;
					$this->redirect(array('action' => 'view', 'id'=> $id));
				}else{
					$this->Session->setFlash("$cn couldn't be created.");
				}
			}else{
				$this->Session->setFlash("Passwords don't match.");
			}
		}
		$attributes = array('uidnumber', 'uid', 'homedirectory');
		$preset = $this->autoSet($attributes);
		foreach($this->data['Person'] as $key => $value){
			$preset[$key] = $value;
		}
		$this->data['Person'] = $preset;

		$groups = $this->Ldap->getGroups(array('cn','gidnumber'),null,'posixgroup');
		foreach($groups as $group){
			$groupList[$group['gidnumber']] = $group['cn'];
		}
		natcasesort($groupList);
		$this->set('groups',$groupList);
		$this->layout = 'people';
	}

	function view( $id ){
		if(!empty($id)){
			$filter = $this->Person->primaryKey."=".$id;
			$people = $this->Person->find('first', array( 'conditions'=>$filter));
			$this->set(compact('people'));
		}
		$this->layout = 'people';
	}

	function delete($id = null) {
		$this->Person->id = $id;
		return $this->Person->del($id);
	}

	/**
	*  The AuthComponent provides the needed functionality
	*  for login, so you can leave this function blank.
	*/
	function login() {
	}

	function logout() {
		$this->redirect($this->LdapAuth->logout());
	}

	//Very Ugly, fix this.,
	function isAuthorized() {
		return true;
	}

}

So lets talk about somethings here, in our model we define $primaryKey & $useTable variables. The $useTable is the branch of the ldap server. For this models purpose we define our table as ‘ou=people’. This makes sure that objects we create (I.E. Users/people) will be added under the organization unit people. It also makes sure that when you pass something like ‘jdoe’ to the delete action it will search that branch for the user object to delete. The $primaryKey also helps in the creation and deleting of users. It makes sure that the dn is created as uid, this is helpful to make sure that a user doesn’t already have that user name. Also since ldap is case insensitive you don’t have to worry about the possible variations of the object names when checking the existence.

Now your model isn’t limited to one branch or object type. If you wanted to create a browser for example your could define a model like the following.

You’ll notice here we set our $useTable to nothing (important, you get errors about no db defined from CakePHP if this missing). The really interesting part here is that we set $primaryKey to dn. This is the ultimate primary key for our type or data source. The difference here is that when we create/delete an object we have to pass it the full dn.

Our new data source also adds some new options to the find function.
$options['targetDN'] : This is more like the point in the tree we want to start our search. If you don’t define it it defaults to the $useTable.$config[$useDbConfig]['basedn'] if your $useTable variable is empty it defaults to the basedn configured in your database config.

$options['scope'] : If you’ve worked with ldap before then you are familiar with the concept of search scopes. You have three search scopes, ‘sub’, ‘one, & ‘base’. Basically sub means search from this point down the tree. one means search one level below this point and base means search just this point. For example if you wanted to see if a user already existed you could set the targetDn to uid=jdoe,ou=people,dc=example,dc=com and it will check if this object already exists. The default scope is sub

Share on Facebook

The name service cache daemon has some serious flaws. One that I notice pretty often in Linux arises when you are using LDAP. It seems that nscd will crash and burn when/if ldap is unavailable. Unfortunately when nscd bombs, it usually takes the entire system with it. Actually what will happen is nscd sockets will start getting broken pipe’s and becoming stale until you have several nscd. Eventually your system will slow to a halt. Mind you the box hasn’t crashed, but the box is in a dos state. If you do an ‘$# netstat -an‘ you’ll notice several entries in reference to ‘/var/run/nscd/socket’. This bug has been listed by several distros, I’ve yet to see any of them address it properly.

From what I’ve discovered about nscd this issue is a design flaw in nscd. Several people have just recommended disabling nscd. While this is a solution, it isn’t an acceptable solution in an enterprise environment. Especially if you are using oracle. Several oracle tools and apps will freeze or crash if they can’t talk to the nscd socket. Lame I know, but I’ve observed this in at least Oracle 10i.

Solutions

Now there are tow ways to get around this. One is to make your LDAP service load balanced and highly available. You can do replication in OpenLDAP with slurpd and then use something like balance to make the service highly available. Another option though is to fix nscd so it doesn’t bomb your machine when it dies.

In this article we are going to go over the fix nscd solution.  nscd comes with a config file located in ‘/etc/nscd.conf’ This file tells the nscd daemon how long to cache which name service.  See the man page to understand what each option means. The quick way to fix nscd is to tell the service here not to cache passwd and group info.  This will make nscd not go to LDAP and freak out if LDAP is not available.  Randomly I also came across a drop in replacement for nscd that dosen’t suffer from this issue. unscd-033.c The compile instructions are in the file. I can’t guarantee this safe, but I’ve used it for a while in an enterprise environment and seem haven’t had any nscd issues since

Refferences:

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248271

Share on Facebook

LDAP has been around for over a decade, and yet it is still considered a newer technology.  Many modern vendors have added LDAP authentication.  This document is a brief generic howto for configuring linux to use LDAP.  This will be a fairly detailed recipe as most of my docs are.

Linux Name Services
Name Server Switch is the engine that really enables Linux to harness LDAP. In linux you have two different ldap.conf files that the modules and services use to configure their ldap communications ‘/etc/ldap.conf’ and ‘/etc/openldap/ldap.com’. The first gives the dn’s for passwd, group and sudoers. You can also specify the server and communication protocol. One really cool bonus is that you get to enable the host_acl based of users with this config file

host    ldap.analogrithems.com
base    dc=analogrithems,dc=com,dc=us
ldap_version    3
#Validate cert
tls_checkpeer no
ssl     start_tls
#ssl on
nss_map_attribute       uniqueMember member
pam_password_prohibit_message Please visit http://enterprise.company.com/password_policy.html.
pam_groupdn cn=ldap.analogrithems.com,ou=Computers,dc=analogrithems,dc=com,dc=us
pam_member_attribute uniquemember
pam_filter accountStatus=active
nss_base_passwd         ou=People,dc=analogrithems,dc=com,dc=us?one
nss_base_shadow         ou=People,dc=analogrithems,dc=com,dc=us?one
nss_base_group          ou=Groups,dc=analogrithems,dc=com,dc=us?one
sudoers_base    ou=SUDOers,dc=analogrithems,dc=com,dc=us
#This options is VERY helpful for debugging sudo ldap extension
#sudoers_debug 2

PAM
PAM is an authentication and accounting module that allows Linux services to use different methods for authenticating users (MySQL, LDAP, NIS, etc..). Their are two different pam config versions. You should look up the version your gnu/linux vedor uses for exact details on ldap setup, for SuSE you modify “/etc/security/pam_unix2.conf” to include the following. This system makes it so you don’t have to modify every pam service to use ldap, you just let them all use the standard unix2 module which then handles the ldap lookup.

auth:   use_ldap
account:        use_ldap
password:       use_ldap
session:        none

NSS
Edit your ‘/etc/nsswitch.conf’ place the word ldap before files for the passwd and group name service. You can also add it to sudoers if you want to store your sudo configs in ldap also

passwd: compat
shadow: compat
group: compat
sudoers: files ldap

passwd_compat: files ldap
shadow_compat: files ldap
group_compat: files ldap

Share on Facebook