LDAP has been around for over a decade, and yet it is still considered a newer technology.\u00c2\u00a0 Many modern vendors have added LDAP authentication.\u00c2\u00a0 This document is a brief generic howto for configuring linux to use LDAP.\u00c2\u00a0 This will be a fairly detailed recipe as most of my docs are.<\/p>\n
Linux Name Services<\/strong> host\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 ldap.analogrithems.com PAM<\/strong> auth:\u00c2\u00a0\u00c2\u00a0 use_ldap NSS<\/strong> passwd: compat passwd_compat: files ldap LDAP has been around for over a decade, and yet it is still considered a newer technology.\u00c2\u00a0 Many modern vendors have added LDAP authentication.\u00c2\u00a0 This document is a brief generic howto for configuring linux to use LDAP.\u00c2\u00a0 This will be a fairly detailed recipe as most of my docs are. Linux Name Services Name Server […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[5,168,169,6],"class_list":["post-3","post","type-post","status-publish","format-standard","hentry","category-ldap","category-linux","tag-centralized-authentication","tag-ldap","tag-linux","tag-pam"],"_links":{"self":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/3","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/comments?post=3"}],"version-history":[{"count":4,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/3\/revisions"}],"predecessor-version":[{"id":51,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/3\/revisions\/51"}],"wp:attachment":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/media?parent=3"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/categories?post=3"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/tags?post=3"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nName Server Switch is the engine that really enables Linux to harness LDAP. In linux you have two different ldap.conf files that the modules and services use to configure their ldap communications ‘\/etc\/ldap.conf’ and ‘\/etc\/openldap\/ldap.com’. The first gives the dn’s for passwd, group and sudoers. You can also specify the server and communication protocol. One really cool bonus is that you get to enable the host_acl based of users with this config file<\/p>\n
\nbase\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 dc=analogrithems,dc=com,dc=us
\nldap_version\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 3
\n#Validate cert
\ntls_checkpeer no
\nssl\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 start_tls
\n#ssl on
\nnss_map_attribute\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 uniqueMember member
\npam_password_prohibit_message Please visit http:\/\/enterprise.company.com\/password_policy.html.
\npam_groupdn cn=ldap.analogrithems.com,ou=Computers,dc=analogrithems,dc=com,dc=us
\npam_member_attribute uniquemember
\npam_filter accountStatus=active
\nnss_base_passwd\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 ou=People,dc=analogrithems,dc=com,dc=us?one
\nnss_base_shadow\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 ou=People,dc=analogrithems,dc=com,dc=us?one
\nnss_base_group\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 ou=Groups,dc=analogrithems,dc=com,dc=us?one
\nsudoers_base\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 ou=SUDOers,dc=analogrithems,dc=com,dc=us
\n#This options is VERY helpful for debugging sudo ldap extension
\n#sudoers_debug 2<\/p>\n
\nPAM is an authentication and accounting module that allows Linux services to use different methods for authenticating users (MySQL, LDAP, NIS, etc..). Their are two different pam config versions. You should look up the version your gnu\/linux vedor uses for exact details on ldap setup, for SuSE you modify “\/etc\/security\/pam_unix2.conf” to include the following. This system makes it so you don’t have to modify every pam service to use ldap, you just let them all use the standard unix2 module which then handles the ldap lookup.<\/p>\n
\naccount:\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 use_ldap
\npassword:\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 use_ldap
\nsession:\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 none<\/p>\n
\nEdit your ‘\/etc\/nsswitch.conf’ place the word ldap before files for the passwd and group name service. You can also add it to sudoers if you want to store your sudo configs in ldap also<\/p>\n
\nshadow: compat
\ngroup: compat
\nsudoers: files ldap<\/p>\n
\nshadow_compat: files ldap
\ngroup_compat: files ldap<\/p>\n","protected":false},"excerpt":{"rendered":"