[colug-432] PAM and LDAP

Matthew Gardlik, Ph.D. matt at mattgardlik.com
Wed Sep 7 07:20:14 EDT 2011


Brian,

Thank you for the information.

Because I am slightly more familiar with configuring Apache httpd, I 
decided to first try to get httpd to authenticate against an OpenLDAP 
directory.  With a little help from Travis, I was able to get that 
working yesterday.  I will play with the PAM setup a little more this 
afternoon.

I'm using CentOS 5.6.

Matt

On 9/7/11 6:24 AM, Brian Miller wrote:
> On 09/05/2011 03:39 PM, Matthew Gardlik, Ph.D. wrote:
>> I would like to use PAM to authenticate against an OpenLDAP directory
>> containing user credentials.
>>
>> Can anyone direct me to a good resource on this topic?  Most of the
>> information I can find online seems fragmented and incomplete.  Some of
>> the questions that I have include:  What schema or attributes do I need
>> to have in the LDAP directory?  Can I use an email address as the
>> "username" (uid) I want to authenticate?
>
> What other people have replied is good.  At a minimum, you need the
> core, cosine, and nis schemas defined in OpenLDAP.  That will give you
> the necessary "posix account" user attributes (uidNumber, gidNumber,
> homeDirectory, loginShell, etc.) necessary to login to a Linux/UNIX
> workstation.  Note that OpenLDAP only considers about half of the
> attributes mandatory.  For instance, loginShell is not mandatory.  But
> depending on how you have your workstations configured, an account might
> not be able to login if it does not have a shell (as listed in
> /etc/shells) defined.  Other schema definitions (such as inetOrgPerson)
> are not necessary unless you want some of the user attributes provided by
> that schema.
>
>>
>> The man page for pam_ldap(5) provided some useful information, but it
>> still looks like I'm missing something.
>>
>
> You don't say what distribution you are using.  If you are running
> RedHat/Centos, you can run "setup", and select Authentication, and then
> configure the ldap client (nss_ldap).  If you are running SuSE, you can
> run yast-->Security and Users-->User and Group
> Management-->Authentication Settings to achieve the same thing.  These
> will modify /etc/nsswitch and /etc/ldap.conf, and, if necessary, the
> proper files under /etc/pam.d so your system will use OpenLDAP as the
> authentication source.
>
> /etc/nsswitch.conf will generally have one of two edits (depending on
> the distribution):
>
> passwd:  files ldap
> group:   files ldap
>
> Or something like this:
>
> passwd:  compat
> group:   compat
>
> compat_passwd:  ldap
> compat_group:   ldap
>
>
> /etc/ldap.conf will have a number of edits, including IP Address/DNS
> name of the LDAP server.  The file itself generally provides good
> comments about what the important options do.
>
> Older versions of Linux (say 3 to 4 years ago) would add a pam_ldap.so
> entry to the authentication and account sections of the appropriate
> files in /etc/pam.d, but I don't see those changes being made more
> recently.  I suspect some code has been added to pam_unix.so that
> automatically handles the LDAP calls.
>
>
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
>


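Two things in this thread are easy to get wrong on the client side: the PADL-style /etc/ldap.conf that nss_ldap/pam_ldap read on CentOS 5 ships with settings that send passwords in the clear or skip certificate checks, and a directory entry can be a valid posixAccount yet still be unable to log in because loginShell (which OpenLDAP does not require) is absent. The POSIX shell script below is an added example, not code from the thread, from authconfig or from the PADL project. It writes constructed sample files (the ldap.example.com host, dc=example,dc=com base, the matt entry and the temp-directory paths are all made up for the example) and runs two checks over them: audit_ldap_conf flags a missing 'ssl start_tls', 'tls_checkpeer no', 'pam_password clear' and a 'bindpw' left in the world-readable ldap.conf, and check_posix_entry verifies that an LDIF entry carries the objectClass and attributes a Linux login needs. The option names used are the documented nss_ldap/pam_ldap ones.

```shell
#!/bin/sh
# Added example: audit an nss_ldap/pam_ldap /etc/ldap.conf and a posixAccount
# LDIF entry. All file contents below are constructed samples, not real config.

# audit_ldap_conf FILE
#   Prints one finding per line; returns 0 if nothing was found, 1 otherwise.
audit_ldap_conf() {
    conf="$1"
    rc=0
    # Drop comments and blank lines once so the checks below stay simple.
    body=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$')

    # 1. Without TLS a simple bind sends the user's password in the clear.
    if ! printf '%s\n' "$body" | grep -Eq '^(ssl[[:space:]]+start_tls|uri[[:space:]]+ldaps://)'; then
        echo "no TLS: add 'ssl start_tls' (or an ldaps:// uri)"; rc=1
    fi
    # 2. tls_checkpeer no accepts any certificate, so TLS buys nothing against MITM.
    if printf '%s\n' "$body" | grep -Eiq '^tls_checkpeer[[:space:]]+no'; then
        echo "tls_checkpeer no: server certificate is not verified"; rc=1
    fi
    # 3. pam_password clear makes password changes store unhashed userPassword.
    if printf '%s\n' "$body" | grep -Eiq '^pam_password[[:space:]]+clear'; then
        echo "pam_password clear: changed passwords are stored unhashed; use exop or md5"; rc=1
    fi
    # 4. ldap.conf must be world-readable for NSS, so a bindpw in it is public.
    if printf '%s\n' "$body" | grep -Eq '^bindpw[[:space:]]'; then
        echo "bindpw in ldap.conf: readable by every local user; prefer anonymous read with server ACLs"; rc=1
    fi
    return $rc
}

# check_posix_entry FILE
#   Returns 0 if the LDIF entry has everything a login needs, else prints what is missing.
check_posix_entry() {
    ldif="$1"
    rc=0
    grep -Eiq '^objectClass:[[:space:]]*posixAccount' "$ldif" || { echo "missing objectClass posixAccount"; rc=1; }
    # loginShell is optional in the schema but the workstation usually needs it.
    for attr in uid uidNumber gidNumber homeDirectory loginShell; do
        grep -Eiq "^$attr:" "$ldif" || { echo "missing $attr"; rc=1; }
    done
    return $rc
}

# make_samples DIR: write constructed sample files into DIR.
make_samples() {
    dir="$1"
    cat > "$dir/ldap.conf.weak" <<'EOF'
# constructed sample: the kind of file a quick setup leaves behind
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl no
tls_checkpeer no
pam_password clear
bindpw s3cret
EOF
    cat > "$dir/ldap.conf.hardened" <<'EOF'
# constructed sample: same client, hardened
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
pam_password exop
pam_filter objectclass=posixAccount
nss_base_passwd ou=People,dc=example,dc=com?one
EOF
    # Constructed entry using the core, cosine, nis and inetOrgPerson schemas.
    # userPassword is omitted here; set it with ldappasswd rather than in LDIF.
    cat > "$dir/matt.ldif" <<'EOF'
dn: uid=matt,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: matt
cn: Matt Example
sn: Example
mail: matt@example.com
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/matt
loginShell: /bin/bash
EOF
    # Same entry without loginShell: valid to OpenLDAP, but login may fail.
    grep -v '^loginShell:' "$dir/matt.ldif" > "$dir/noshell.ldif"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in ldap.conf.weak ldap.conf.hardened; do
    echo "== $f"
    if audit_ldap_conf "$demo_dir/$f"; then echo "ok"; fi
done
for f in matt.ldif noshell.ldif; do
    echo "== $f"
    if check_posix_entry "$demo_dir/$f"; then echo "ok"; fi
done
rm -rf "$demo_dir"
```

Run it as-is to see both sample configs and both entries scored; point audit_ldap_conf at a real /etc/ldap.conf to check a workstation. After fixing findings, `getent passwd matt` is the quickest way to confirm that nsswitch.conf and nss_ldap resolve the account before touching the PAM stack.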