Steps for getting LDAP authentication working on Debian

This entry was posted on Wednesday, 3 June, 2009.

Sources:

http://www.adminspotting.net/articles/windows/linux-and-active-directory.html

http://moduli.net/sysadmin/sarge-ldap-auth-howto.html

http://twitter.com/evilchilli – a very helpful and knowledgeable guy

Aim:

To get all Linux users authenticating against our Active Directory implementation, which is running on Windows 2003 R2.

On the Active Directory Server:

From Add/Remove Programs -> Add/Remove Windows Components -> Active Directory Services, install Identity Management for UNIX and reboot.

Create a user which we're going to use to bind. I have called mine adlookup, which sits in our Service Accounts OU:

CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com

It is very important that the password doesn't contain any special characters. I had to change the domain policy to allow this, as apparently there can only be one password policy per domain.

In Active Directory Users and Computers, either create a new group or choose an existing group for your users, right-click it and choose Properties.

Add your users.

Choose Unix Attributes and select the correct NIS domain.

Now select a user, right-click them and select Properties.

Choose Unix Attributes.

Select the NIS domain, home directory, shell and primary group name.

Linux Client:

apt-get install ldap-utils openssl libpam-ldap libnss-ldap nscd

Edit /etc/ldap/ldap.conf to look like this:

BASE    OU=OU,dc=DOMAIN,dc=com
URI     ldap://IPOFADBOX:389
HOST    IPOFADBOX

Run:

ldapsearch -x -W -D "cn=AD Lookup,OU=Service Accounts,dc=DOMAIN,dc=com" -LLL "(sAMAccountName=adlookup)"

then enter your password and it should return the correct details; if it does then you're brilliant 🙂

Now back up the existing file:

mv /etc/libnss-ldap.conf /etc/libnss-ldap.old

nano -w /etc/libnss-ldap.conf

and make it look like this:

host IPOFADSERVER # Important - it must be the IP and not the DNS entry
ldap_version 3
binddn CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com
bindpw PASSWD # no special characters
scope sub
timelimit 30
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
base OU=YOUROU,dc=DOMAIN,dc=com # limit this to only what is required, as I had strange errors otherwise
rootbinddn CN=ADMINUSER,CN=Users,DC=DOMAIN,DC=com # the user root binds as, to enable passwd changes etc.
pam_groupdn CN=WHATGROUPAREUSERSIN,CN=Users,DC=DOMAIN,DC=com # the group users must be in to be allowed to log in


The contents of libnss-ldap.conf and pam_ldap.conf are identical in my setup, so just link them together to save any additional work:

mv /etc/pam_ldap.conf /etc/pam_ldap.old && ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf

nano -w /etc/libnss-ldap.secret # enter your admin (rootbinddn) password

ln -s /etc/libnss-ldap.secret /etc/pam_ldap.secret # same password

chmod 600 /etc/libnss-ldap.secret # make sure this is readable by root only

Edit your /etc/nscd.conf file and change the following parameters.

I have chosen an arbitrary size of 500MB, but I found that some crazy assertion errors (from openldap-2.4.11/libraries/liblber/sockbuf.c) came in if I left the defaults. I think it must be to do with the size of the nscd cache, but I'm not sure. I also got an "invalid persistent database" error when this was set too large.

max-db-size             passwd          524288000
max-db-size             group           524288000
max-db-size             services        524288000

Now you have to tell the system where to look up its users, so make /etc/nsswitch.conf look like the below. It is very important to get the order right: compat must come first and then ldap. I found that my machine wouldn't boot if it tried to do ldap first.

#passwd:         compat
#group:          compat
#shadow:         compat
passwd:         compat ldap
group:          compat ldap
shadow:         compat

You must now make nsswitch readable by all so:

chmod 644 /etc/nsswitch.conf

Now you can test that this is working by doing:

getent passwd USER.NAME # this must be a username you enabled up there ^

/etc/pam.d common files

Debian has a series of files in /etc/pam.d whose names begin with common-, which are included by the other files in that directory for specific services. We can tell PAM to use LDAP for all of these services by modifying these common files.

Edit /etc/pam.d/common-password, comment out and replace:

password required pam_unix.so nullok obscure min=4 max=8 md5

or:

password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5

with:

# try password files first, then ldap. enforce use of very strong passwords.
password required pam_passwdqc.so min=disabled,16,12,8,6 max=256
password sufficient pam_unix.so use_authtok md5
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so

Read the pam_passwdqc man page for more about parameters you can give to it.

 

Edit /etc/pam.d/common-auth and comment out:

auth required pam_unix.so nullok_secure

replacing it with:

# try password file first, then ldap
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

In /etc/pam.d/common-account comment out:

account required pam_unix.so

replacing it with:

# try password file first, then ldap
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so

And add this line to /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


This should now be it. I haven't quite got automatic sudo working yet, or auto-mounting of the home dir from an NFS source, but that is the next step 🙂

Troubleshooting:

The password you bind with must not have special characters.

In nscd.conf you must have a decent-sized cache.

Your Unix attributes must be correct.

Check that getent passwd is working and that ldapsearch is working.
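The client-side steps above and this troubleshooting list can be checked mechanically. The script below is an added example and not part of the original post; it assumes GNU stat (as on Debian) and that the files live under /etc as described, and it ships with a constructed sample tree so it can be dry-run without a real AD-joined host.

```shell
# Added example, not from the original post: audit the client-side files this
# how-to creates. Pass a directory that mirrors / (default: /) to check a copy.
audit_ldap_client() {
    root="${1:-}"; rc=0
    conf="$root/etc/libnss-ldap.conf"; secret="$root/etc/libnss-ldap.secret"
    nss="$root/etc/nsswitch.conf"; pamd="$root/etc/pam.d"
    # 1. libnss-ldap.secret holds the rootbinddn password: must be mode 600 (GNU stat).
    perm=$(stat -c '%a' "$secret" 2>/dev/null || echo missing)
    [ "$perm" = 600 ] || { echo "FAIL: $secret mode is $perm, expected 600"; rc=1; }
    # 2. libnss-ldap.conf must stay world-readable for NSS lookups, so a bindpw in it
    #    is visible to every local user: warn, and enforce the no-special-characters rule.
    pw=$(awk '$1=="bindpw"{print $2}' "$conf" 2>/dev/null || true)
    if [ -n "$pw" ]; then
        echo "WARN: bindpw in world-readable $conf; keep that bind account unprivileged"
        printf '%s\n' "$pw" | grep -Eq '^[A-Za-z0-9]+$' ||
            { echo "FAIL: bindpw contains special characters"; rc=1; }
    fi
    # 3. nsswitch.conf: compat before ldap for passwd and group; shadow stays local.
    for db in passwd group; do
        grep -Eq "^$db:[[:space:]]+compat[[:space:]]+ldap" "$nss" 2>/dev/null ||
            { echo "FAIL: $nss: $db must be 'compat ldap' in that order"; rc=1; }
    done
    grep -Eq '^shadow:[[:space:]]+compat[[:space:]]*$' "$nss" 2>/dev/null ||
        { echo "FAIL: $nss: shadow should be 'compat' only"; rc=1; }
    # 4. each common-{auth,account,password} stack must close with pam_deny.so so that
    #    a request no 'sufficient' module accepts is denied explicitly.
    for t in auth account password; do
        last=$(grep -Ev '^[[:space:]]*(#|$)' "$pamd/common-$t" 2>/dev/null | tail -n 1)
        case "$last" in
            "$t required pam_deny.so"*) ;;
            *) echo "FAIL: $pamd/common-$t must end with '$t required pam_deny.so'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample tree mirroring the post's final client configuration
# (illustrative values, not a real host); run the audit against it for a dry run.
make_sample_tree() {
    d="$1"; mkdir -p "$d/etc/pam.d"
    printf 'host 192.0.2.10\nbinddn CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com\nbindpw Lookup12345\n' > "$d/etc/libnss-ldap.conf"
    printf 'ADMINPASSWORD\n' > "$d/etc/libnss-ldap.secret"; chmod 600 "$d/etc/libnss-ldap.secret"
    printf 'passwd:\tcompat ldap\ngroup:\tcompat ldap\nshadow:\tcompat\n' > "$d/etc/nsswitch.conf"
    printf 'auth sufficient pam_unix.so\nauth sufficient pam_ldap.so use_first_pass\nauth required pam_deny.so\n' > "$d/etc/pam.d/common-auth"
    printf 'account sufficient pam_unix.so\naccount sufficient pam_ldap.so\naccount required pam_deny.so\n' > "$d/etc/pam.d/common-account"
    printf 'password required pam_passwdqc.so min=disabled,16,12,8,6 max=256\npassword sufficient pam_unix.so use_authtok md5\npassword sufficient pam_ldap.so use_first_pass use_authtok md5\npassword required pam_deny.so\n' > "$d/etc/pam.d/common-password"
}
```

Run `d=$(mktemp -d); make_sample_tree "$d"; audit_ldap_client "$d"` for the dry run, or `audit_ldap_client` with no argument on the configured client itself. The WARN about bindpw is the one thing this how-to cannot fix by permissions: the adlookup account should have no rights beyond reading the directory.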