Debian LDAP Authentication


From Docunext Technology Wiki


I've been hesitant to move forward with setting this up, because I ran into some issues with nss mysql, but now I've decided I want to set it up with ldap.


Goals

  • Security - no security holes
  • Maintainability - ability to update passwd
  • Convenience - integration with ssh-agent and friends
  • Modular and extensible - lots to say about this
  • Reliable - ability to survive an LDAP server outage

Progress

So far I've been able to create a test user and login as them. When I try to change their password I get this error:

albertlash@diamondshell:~$ ssh tuser@dev-1
tuser@dev-1's password: 
Linux everex-1 2.6.22-3-686 #1 SMP Sun Feb 10 20:20:49 UTC 2008 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 13 21:00:46 2008 from 192.168.1.174
tuser@everex-1:~$ passwd
passwd: User not known to the underlying authentication module
passwd: password unchanged

I believe that is a pam error.

Practice

Here are the steps I'm taking to set up another server to use LDAP for authentication:

apt-get install libnss-ldap

Wow - actually this second time all I had to do was go through the debconf stuff and add ldap to /etc/nsswitch.conf. For the ldap host, I used the basic ldap:// protocol instead of ldapi://. After that, when I did getent passwd - it worked! (For Debian GNU/kFreeBSD only libnss-ldapd worked for me, not libnss-ldap.)

# edit nsswitch.conf
# change to host in /etc/libnss-ldap.conf and /etc/pam_ldap.conf

So libnss-ldap allows the user to login, but what about changing their password via the passwd command? I got this error:

passwd: User not known to the underlying authentication module

This was because PAM was misconfigured and missing the libpam-ldap package. I installed that and set up /etc/pam.d/common-* correctly, and when I type passwd in a shell I get this prompt:

yogi-the-bear@dev-101:~$ passwd
Enter login(LDAP) password: hey-hey-boo-boo

I don't think the Ranger's going to like this Yogi!

Errors

(pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.174 

In my case, this error was caused by a misconfigured /etc/pam_ldap.conf.


slap_global_control: unrecognized control

Review

Files potentially needing edits after installation:

  • /etc/pam_ldap.conf
  • /etc/libnss-ldap.conf or /etc/nss-ldapd.conf
  • /etc/pam.d/common-*
  • Restarting nscd might help as a last resort for troubleshooting
  • Also, for NFS, I had to restart portmap, nfs-common, and nfs-kernel-server on the server for a uid to propagate successfully
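The files listed above are the ones that decide whether login works but passwd does not. The following shell script, added here and not part of the original wiki page, checks them the way the troubleshooting above did: ldap as a source in nsswitch.conf, pam_ldap.so in every /etc/pam.d/common-* stack, and a host or uri line in pam_ldap.conf and libnss-ldap.conf. It builds constructed sample configs in a temp directory (the server name ldap.example.invalid is made up), with a "broken" variant that leaves pam_ldap out of common-password, which is the setup that produced the "User not known to the underlying authentication module" error.

```shell
# Offline sanity check for the libnss-ldap / libpam-ldap wiring. Constructed
# sample configs stand in for /etc; run check_ldap_auth /etc on a real host.

# 0 when "ldap" is a source for database $2 (passwd/group/shadow) in nsswitch.conf $1
nss_has_ldap() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]ldap"'([[:space:]]|$)' "$1"
}
# 0 when an uncommented line in PAM stack file $1 loads pam_ldap.so
pam_has_ldap() {
    grep -Eq '^[^#]*pam_ldap\.so' "$1"
}
# 0 when $1 (pam_ldap.conf or libnss-ldap.conf) names a server via host or uri
conf_has_server() {
    grep -Eq '^[[:space:]]*(host|uri)[[:space:]]+[^[:space:]]' "$1"
}

# Prints one line per check; exit status is the number of problems found
check_ldap_auth() {
    etc=$1; problems=0
    for db in passwd group shadow; do
        if nss_has_ldap "$etc/nsswitch.conf" "$db"; then echo "ok   nsswitch.conf: $db -> ldap"
        else echo "FAIL nsswitch.conf: $db has no ldap source"; problems=$((problems + 1)); fi
    done
    # Missing pam_ldap in common-password: login works, passwd reports "User not known"
    for f in common-auth common-account common-password common-session; do
        if pam_has_ldap "$etc/pam.d/$f"; then echo "ok   pam.d/$f loads pam_ldap.so"
        else echo "FAIL pam.d/$f does not load pam_ldap.so"; problems=$((problems + 1)); fi
    done
    for f in pam_ldap.conf libnss-ldap.conf; do
        if conf_has_server "$etc/$f"; then echo "ok   $f names a server"
        else echo "FAIL $f has no host/uri line"; problems=$((problems + 1)); fi
    done
    return $problems
}

# Writes a constructed /etc look-alike and prints its path; "broken" omits
# pam_ldap from common-password, reproducing the passwd failure described above
make_sample_etc() {
    d=$(mktemp -d); mkdir "$d/pam.d"
    printf 'passwd: compat ldap\ngroup:  compat ldap\nshadow: compat ldap\n' > "$d/nsswitch.conf"
    printf 'uri ldap://ldap.example.invalid/\nbase dc=example,dc=invalid\n' > "$d/pam_ldap.conf"
    cp "$d/pam_ldap.conf" "$d/libnss-ldap.conf"
    for t in auth account session; do
        printf '%s sufficient pam_ldap.so\n%s required pam_unix.so\n' "$t" "$t" > "$d/pam.d/common-$t"
    done
    if [ "$1" = broken ]; then printf 'password required pam_unix.so nullok obscure md5\n' > "$d/pam.d/common-password"
    else printf 'password sufficient pam_ldap.so\npassword required pam_unix.so nullok obscure md5\n' > "$d/pam.d/common-password"; fi
    echo "$d"
}

check_ldap_auth "$(make_sample_etc broken)" || echo "problems found: $?"
```

Running it on the broken sample reports the single missing pam_ldap.so line in common-password; the stack works once that line is present.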

Questions

  • What is the difference between libnss-ldap and libnss-ldapd? I believe that libnss-ldapd is a fork of libnss-ldap and comes with a few fixes.


Updates

Setting this up on Debian Squeeze is really easy! I chose libnss-ldapd, went through the console configuration, and voila - getent passwd worked. Wow!
