
LDAP has been around for over a decade, and yet it is still considered a newer technology. Many modern vendors have added LDAP authentication. This document is a brief, generic how-to for configuring Linux to use LDAP. It will be a fairly detailed recipe, as most of my docs are.

Linux Name Services
Name Service Switch (NSS) is the engine that really lets Linux harness LDAP. Linux has two different ldap.conf files that the modules and services use to configure their LDAP communications: ‘/etc/ldap.conf’ (read by pam_ldap and nss_ldap) and ‘/etc/openldap/ldap.conf’ (read by the OpenLDAP client library). The first gives the DNs for passwd, group and sudoers. You can also specify the server and the communication protocol. One really useful bonus is that this config file also lets you enable a host-based access control list keyed on users, via the pam_groupdn and pam_member_attribute settings.

host    ldap.analogrithems.com
base    dc=analogrithems,dc=com,dc=us
ldap_version    3
#Validate the server cert? 'no' accepts any certificate; use 'yes' (with a tls_cacertfile) in production
tls_checkpeer no
ssl     start_tls
#ssl on
nss_map_attribute       uniqueMember member
pam_password_prohibit_message Please visit http://enterprise.company.com/password_policy.html.
pam_groupdn cn=ldap.analogrithems.com,ou=Computers,dc=analogrithems,dc=com,dc=us
pam_member_attribute uniquemember
pam_filter accountStatus=active
nss_base_passwd         ou=People,dc=analogrithems,dc=com,dc=us?one
nss_base_shadow         ou=People,dc=analogrithems,dc=com,dc=us?one
nss_base_group          ou=Groups,dc=analogrithems,dc=com,dc=us?one
sudoers_base    ou=SUDOers,dc=analogrithems,dc=com,dc=us
#This option is VERY helpful for debugging the sudo LDAP extension
#sudoers_debug 2
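The two settings that matter most for security in the file above are ssl (is the session encrypted at all?) and tls_checkpeer (is the server certificate verified, so that the encryption actually authenticates the server?). The following shell script is an added example, not part of the original post: it reads an ldap.conf in this key/value format and reports those two settings. The sample files it writes are constructed for the demo, and the CA path in the hardened sample is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a pam_ldap/nss_ldap style
# /etc/ldap.conf for the settings that decide whether the LDAP session is
# encrypted and whether the server certificate is verified. The sample files
# below are constructed for the demo; option names are the real ones used in
# the post (ssl, tls_checkpeer) plus tls_cacertfile/tls_cacertdir.

# Print the value of KEY (case-insensitive) from the ldap.conf FILE.
# Comment lines are skipped; the first match wins; absent keys print nothing.
ldap_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")   # drop the key, keep the value
            sub(/[ \t]+$/, "")                # drop trailing whitespace
            print; exit
        }
    ' "$1"
}

# Audit FILE. Returns 0 when the transport is encrypted AND the peer certificate
# is verified, 1 otherwise. One finding per line on stdout.
ldap_conf_audit() {
    f="$1"
    ssl=$(ldap_conf_get "$f" ssl | tr 'A-Z' 'a-z')
    peer=$(ldap_conf_get "$f" tls_checkpeer | tr 'A-Z' 'a-z')
    rc=0
    case "$ssl" in
        on|start_tls) echo "ok:   ssl=$ssl (session encrypted)" ;;
        *) echo "FAIL: ssl='$ssl' (bind credentials would cross the network in clear text)"; rc=1 ;;
    esac
    case "$peer" in
        yes) echo "ok:   tls_checkpeer=yes (server certificate verified)" ;;
        *) echo "FAIL: tls_checkpeer='$peer' (any certificate is accepted, so encryption does not authenticate the server)"; rc=1 ;;
    esac
    # Verification needs a trust anchor; warn when none is configured.
    if [ "$peer" = yes ] && [ -z "$(ldap_conf_get "$f" tls_cacertfile)$(ldap_conf_get "$f" tls_cacertdir)" ]; then
        echo "warn: tls_checkpeer=yes but no tls_cacertfile/tls_cacertdir given"
    fi
    return "$rc"
}

# Constructed sample 1: the post's settings (START TLS, but certificate checking off).
as_posted=$(mktemp)
cat > "$as_posted" <<'EOF'
host    ldap.analogrithems.com
base    dc=analogrithems,dc=com,dc=us
ldap_version    3
#Validate cert
tls_checkpeer no
ssl     start_tls
EOF

# Constructed sample 2: the same file with verification turned on.
# The CA file path is a placeholder for the demo.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
host    ldap.analogrithems.com
base    dc=analogrithems,dc=com,dc=us
ldap_version    3
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
ssl     start_tls
EOF
trap 'rm -f "$as_posted" "$hardened"' EXIT

for f in "$as_posted" "$hardened"; do
    echo "== $f"
    ldap_conf_audit "$f" || echo "=> needs attention"
done
```

Run it against a real /etc/ldap.conf by calling ldap_conf_audit on that path; the exit status makes it usable from a configuration check in a build or host-audit job.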

PAM
PAM (Pluggable Authentication Modules) is the framework that lets Linux services authenticate and account for users through different back ends (MySQL, LDAP, NIS, etc.). There are two different PAM config versions. Look up the version your GNU/Linux vendor uses for the exact details of the LDAP setup; on SuSE you modify “/etc/security/pam_unix2.conf” to include the following. This arrangement means you don’t have to modify every PAM service to use LDAP: you let them all use the standard unix2 module, which then handles the LDAP lookup.

auth:   use_ldap
account:        use_ldap
password:       use_ldap
session:        none

NSS
Edit ‘/etc/nsswitch.conf’ and place the word ldap before files for the passwd and group name services. You can also add it to sudoers if you want to store your sudo configs in LDAP as well.

passwd: compat
shadow: compat
group: compat
sudoers: files ldap

passwd_compat: files ldap
shadow_compat: files ldap
group_compat: files ldap
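Because the file above routes passwd, shadow and group through compat and only names ldap on the *_compat lines, it is easy to misread which sources a lookup actually consults. The following shell script is an added example, not part of the original post: it parses an nsswitch.conf, expands the compat indirection the way the SuSE file uses it, and reports whether ldap is an effective source for a given database. The sample file is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve the effective source
# order for a database in nsswitch.conf, expanding the "compat" indirection
# used in the post (passwd: compat -> passwd_compat: files ldap).
# The sample file below is constructed for the demo.

# Print the raw source list for database DB from FILE ("" if no entry).
# Bracketed action specs such as [NOTFOUND=return] are dropped.
nss_raw_sources() {
    awk -v db="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            i = index($0, ":"); if (i == 0) next
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            rest = substr($0, i + 1)
            gsub(/\[[^]]*\]/, "", rest)
            print rest; exit
        }
    ' "$1"
}

# Print the effective, normalised source list for DB. A "compat" entry reads
# the local file itself and resolves its +/- entries through the DB_compat
# sources, so it is replaced by that list when one is defined; otherwise it is
# kept literally as "compat".
nss_sources() {
    f="$1"; db="$2"; out=""
    for s in $(nss_raw_sources "$f" "$db"); do
        if [ "$s" = compat ]; then
            sub=$(nss_raw_sources "$f" "${db}_compat")
            [ -n "$sub" ] && s=$sub
        fi
        out="$out $s"
    done
    set -- $out                 # re-split to collapse whitespace
    printf '%s\n' "$*"
}

# Return 0 when ldap is an effective source for DB, 1 otherwise.
nss_uses_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample modelled on the post's file, plus a hosts line with an
# action spec and a netgroup line whose compat list is not defined.
nss_sample=$(mktemp)
cat > "$nss_sample" <<'EOF'
# constructed nsswitch.conf for the demo
passwd: compat
shadow: compat
group: compat
sudoers: files ldap
hosts: files [NOTFOUND=return] dns
netgroup: compat

passwd_compat: files ldap
shadow_compat: files ldap
group_compat: files ldap
EOF
trap 'rm -f "$nss_sample"' EXIT

for db in passwd shadow group sudoers hosts netgroup; do
    if nss_uses_ldap "$nss_sample" "$db"; then flag="ldap"; else flag="no ldap"; fi
    printf '%-9s -> %-12s (%s)\n' "$db" "$(nss_sources "$nss_sample" "$db")" "$flag"
done
```

Pointing nss_sources at the real /etc/nsswitch.conf shows the order a lookup will try; files first means a local account shadows an LDAP account of the same name, which is worth knowing before you rely on LDAP for account disabling.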
