[colug-432] PAM and LDAP

Brian Miller bnmille at gmail.com
Wed Sep 7 06:24:20 EDT 2011


On 09/05/2011 03:39 PM, Matthew Gardlik, Ph.D. wrote:
> I would like to use PAM to authenticate against an OpenLDAP directory
> containing user credentials.
>
> Can anyone direct me to a good resource on this topic.  Most of
> information I can find online seems fragmented and incomplete.  Some of
> the questions that I have include:  What schema or attributes do I need
> to have in the LDAP directory?  Can I use an email address as the
> "username" (uid) I want to authenticate?

What other people have replied is good.  At a minimum, you need the 
core, cosine, and nis schemas defined in OpenLDAP.  That will give you 
the "posix account" user attributes (uidNumber, gidNumber, 
homeDirectory, loginShell, etc.) necessary to log in to a Linux/UNIX 
workstation.  Note that OpenLDAP only considers about half of the 
attributes mandatory.  For instance, loginShell is not mandatory.  But 
depending on how you have your workstations configured, an account might 
not be able to log in if it does not have a shell (as listed in 
/etc/shells) defined.  Other schema definitions (such as inetOrgPerson) 
are not necessary unless you want some of the user attributes provided by 
that schema.

>
> The man page for pam_ldap(5) provided some useful information, but it
> still looks like I'm missing something.
>

You don't say what distribution you are using.  If you are running 
Red Hat/CentOS, you can run "setup", select Authentication, and then 
configure the LDAP client (nss_ldap).  If you are running SuSE, you can 
run yast-->Security and Users-->User and Group 
Management-->Authentication Settings to achieve the same thing.  These 
will modify /etc/nsswitch.conf and /etc/ldap.conf, and, if necessary, the 
proper files under /etc/pam.d so your system will use OpenLDAP as the 
authentication source.

/etc/nsswitch.conf will generally have one of two edits (depending on 
the distribution):

passwd:  files ldap
group:   files ldap

Or something like this:

passwd:  compat
group:   compat

compat_passwd:  ldap
compat_group:   ldap


/etc/ldap.conf will have a number of edits, including IP Address/DNS 
name of the LDAP server.  The file itself generally provides good 
comments about what the important options do.

Older versions of Linux (say 3 to 4 years ago) would add a pam_ldap.so 
entry to the authentication and account sections of the appropriate 
files in /etc/pam.d, but I don't see those changes being made more 
recently.  I suspect some code has been added to pam_unix.so that 
automatically handles the LDAP calls.
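Added example (not from the original post or anyone in the thread): a small POSIX sh script that checks the two things the reply above describes. First, that an LDIF entry carries the posixAccount attributes a Linux login needs (uid, uidNumber, gidNumber, homeDirectory, loginShell) and that its loginShell is listed in a shells file, which is the case the reply warns about. Second, that an nsswitch.conf fragment actually consults ldap for passwd and group, in either the "files ldap" form or the "compat" form. The user entries, the shells list and the nsswitch fragments are all constructed inline; the DN, the base dc=example,dc=com and the user names are hypothetical. For the compat form the script reads the passwd_compat:/group_compat: lines as glibc's nsswitch.conf(5) spells them.

```shell
#!/bin/sh
# Added example, not code from the original post.  Validates (1) that an
# LDIF entry has the posixAccount attributes a login needs and a loginShell
# present in a shells list, and (2) that nsswitch.conf sends passwd/group
# lookups to ldap.  All inputs below are constructed for this example.

# Constructed LDIF entry (hypothetical user and base DN) that should log in.
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}placeholder'

# Constructed entry whose loginShell is not an allowed shell.
SAMPLE_LDIF_BAD='dn: uid=rsmith,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: rsmith
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/rsmith
loginShell: /usr/bin/zsh'

# Constructed stand-in for /etc/shells.
SAMPLE_SHELLS='/bin/sh
/bin/bash'

# Constructed nsswitch.conf fragments: the two working forms and a
# files-only one that never reaches the directory.
NSS_OK='passwd:  files ldap
group:   files ldap
shadow:  files ldap'
NSS_COMPAT='passwd:  compat
group:   compat
passwd_compat:  ldap
group_compat:   ldap'
NSS_BAD='passwd:  files
group:   files'

# ldif_attr ENTRY ATTR -> prints the first value of ATTR, nothing if absent.
# The colon after the name keeps "uid" from matching "uidNumber".
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# check_posix_entry ENTRY SHELLS -> 0 if the entry can log in, 1 otherwise;
# reports each missing attribute or disallowed shell on stderr.
check_posix_entry() {
    entry=$1
    shells=$2
    rc=0
    for attr in uid uidNumber gidNumber homeDirectory loginShell; do
        if [ -z "$(ldif_attr "$entry" "$attr")" ]; then
            echo "missing attribute: $attr" >&2
            rc=1
        fi
    done
    lshell=$(ldif_attr "$entry" loginShell)
    # -x: the whole line must equal the shell path, so /bin/sh != /bin/shell
    if [ -n "$lshell" ] && ! printf '%s\n' "$shells" | grep -qx "$lshell"; then
        echo "loginShell $lshell is not in the shells list" >&2
        rc=1
    fi
    return $rc
}

# nss_sources CONF DB -> prints the source list on the "DB:" line, if any.
nss_sources() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# nss_uses_ldap CONF DB -> 0 if lookups for DB reach ldap, directly or
# through compat mode's DB_compat line; 1 otherwise.
nss_uses_ldap() {
    conf=$1
    db=$2
    case " $(nss_sources "$conf" "$db") " in
        *" ldap "*) return 0 ;;
        *" compat "*)
            case " $(nss_sources "$conf" "${db}_compat") " in
                *" ldap "*) return 0 ;;
            esac ;;
    esac
    return 1
}

# Stand-alone run: report on the constructed inputs.
check_posix_entry "$SAMPLE_LDIF" "$SAMPLE_SHELLS" && echo "jdoe: can log in"
check_posix_entry "$SAMPLE_LDIF_BAD" "$SAMPLE_SHELLS" || echo "rsmith: cannot log in"
for db in passwd group; do
    nss_uses_ldap "$NSS_OK" "$db" && echo "NSS_OK $db: ldap consulted"
    nss_uses_ldap "$NSS_COMPAT" "$db" && echo "NSS_COMPAT $db: ldap consulted"
    nss_uses_ldap "$NSS_BAD" "$db" || echo "NSS_BAD $db: ldap NOT consulted"
done
```

To use it against a real directory, replace the constructed SAMPLE_LDIF with the output of an ldapsearch for the user's DN, SAMPLE_SHELLS with the contents of /etc/shells, and the NSS fragments with /etc/nsswitch.conf; attribute names are matched with the case the LDIF uses, which is the canonical spelling in the nis schema.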




More information about the colug-432 mailing list