Configuring authentication with openLDAP server

From Notes_Wiki

Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > Authentication through LDAP

LDAP server configuration

Necessary schema

Schema file nis.schema should be included in slapd.conf for being able to add posixAccount or shadowAccount entry.


User accounts

First user accounts or groups should be created on ldap server. A sample ldif file that can be used create a user is:

dn: uid=saurabh,ou=people,dc=sbarjatiya,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Saurabh Barjatiya
uid: saurabh
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/saurabh
loginShell: /bin/bash
gecos: Hyderabad, India
userPassword: rekall123
shadowLastChange: 0
shadowMax: -1
shadowWarning: 30

Note:

  • Unless shadowMax is set to -1, due to some bug many LDAP clients think LDAP password is expired even when it is changed a minute ago.


Group accounts

To create a group account sample ldif file is:

dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
objectClass: top
objectClass: posixGroup
cn: group1
userPassword: rekall123
gidNumber: 3000
memberuid: saurabh


To add member to group sample ldif file is:

dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
changetype: modify
add: memberuid
memberuid: saurabh.barjatiya


To delete member from group sample ldif file is:

dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
changetype: modify
delete: memberuid
memberuid: saurabh.barjatiya


Linux host authentication

To configure a linux host to authenticate from ldap server use following steps:

  1. yum install openldap-clients openldap nss-pam-ldapd
  2. Check if sssd package is installed using 'rpm -qa | grep sssd'. If it is installed remove it using 'yum remove sssd sssd-*'. If some ipa-* packages also need to be removed then it is fine.
  3. Start setup program and use following steps:
    1. Choose 'Authentication configuration'
    2. Select 'Use ldap'
    3. Select 'Use ldap authentication'
    4. Go to next screen with next button
    5. Do not check Use TLS
    6. Enter server name, for example ldap://ldap.virtual-labs.ac.in/
    7. Enter server basedn, for example, dc=virtual-labs,dc=ac,dc=in
    8. Complete configuration with ok button
    9. Close setup program with quit button
  4. Edit '/etc/hosts' file and add static entry for ldap server, for example '12.4.12.152 ldap.virtual-labs.ac.in'
  5. Edit '/etc/pam_ldap.conf' and replace lines at end that start with uri with following:
    uri ldaps://ldap.virtual-labs.ac.in/
    ssl on
    tls_cacertfile /etc/openldap/certs/ca.crt
    pam_password md5
  6. Go to '/etc/openldap/certs' and put CA certificate in the directory with name ca.crt
  7. Edit '/etc/nslcd.conf' and replace lines at end that start with uri with following:
    uri ldaps://ldap.virtual-labs.ac.in/
    base dc=virtual-labs,dc=ac,dc=in
    ssl on
    timelimit 10
    idle_timelimit 30
    reconnect_sleeptime 30
    reconnect_retrytime 90
    tls_reqcert hard
    tls_cacertfile /etc/openldap/certs/ca.crt
  8. Edit '/etc/pam.d/sshd' and add following line after last 'session required' line
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
    Note that this creates only last folder. Thus if home folder is /home/group1/user1 and if /home/group1 folder does not exists then the home folder creation will fail. To solve this to some extent use following command:
    ldapsearch -x -h ldap.sbarjatiya.com -b 'dc=sbarjatiya,dc=com' -LLL homeDirectory | grep homeDirectory | sed 's/\/[^\/]*$//g' | sort | uniq -d | sed 's/homeDirectory: //g'
    To get list of base folders that must exist for user home folders to be created. Further the output of above command can be piped to "| xargs mkdir -p" for automated folder creation.
  9. Edit '/etc/nsswitch.conf' and for 'hosts' choose value 'files ldap dns'
    Note that you should not see sss anywhere in this file. If you see sss instead of ldap then you have forgotten to remove sssd as mentioned earlier in these steps
  10. Use 'service nscld restart'
  11. Do 'chkconfig nslcd on'


Most of this can be done using single line:

authconfig --enableldap --enableldapauth --ldapserver=ldap.sbarjatiya.com --ldapbasedn="ou=Users,dc=sbarjatiya,dc=com" --enablelocauthorize --enablepamaccess --enablemkhomedir --enablecachecreds --enablecache --updateall

On Fedora-20, CentOS 7 or CentOS 6.7 etc. one may need to do following additional steps:

  1. Remove dependency on sss from pam
    cd /etc/pam.d; sed -i 's/^.*sss.*$//g' *
    Also add this line to /etc/rc.d/rc.local so that regenrated pam files are again modified
  2. Remove all references to sss from /etc/nsswitch.conf. Add ldap at least for passwd, shadow and group after files.
  3. Disable SELinux (Esp for GUI logins)


Verifying setup

To verify whether authentication setup is working or not try commands:

getent hosts
getent passwd
getent group
getent shadow

One can also read '/var/log/messages' and '/var/log/secure' while trying to login from a ldap user, if configuration does not seem to succeed.


Restricting logins to specific users and posixGroups

To restrict logins on a machine to specific users or posixGroups use:

  1. Edit file '/etc/pam.d/sshd' and add following line
    auth required pam_access.so
  2. Edit file '/etc/security/access.conf' and add line similar to:
    - : ALL EXCEPT root (admin) : ALL

An access.conf configuration line has three parameters separated by :

  1. First '+' or '-' to indicate whether to allow or deny
  2. Second list of users and groups. Group names can be enclosed in round brackets () to be more explicit that given name is of group. We can also use word ALL to indicate ALL. We can also use word EXCEPT to create exceptions from ALL for specific users and groups.
  3. Third is the location from where when user logins should this rule apply.

Read the comments in file '/etc/security/access.conf' to understand use of access.conf in better way.



Password change

If user tries to ssh or login using credentials then he/she would be forced to change password on first login. During password change user would be asked for existing ldap password again through which user has logged in. Then user would have option of entering new password twice. After password is set user would be logged off automatically. Then user can login again by using ssh and entering new password.


Mediawiki Authentication

Refer Mediawiki Authentication using ldap


Squid proxy authentication

To enable ldap based authentication for squid use:

Earlier name of authentication plugin was squid_ldap_auth. On older installations replace basic_ldap_auth with squid_ldap_auth appropriately.

  1. First find location of program named 'basic_ldap_auth' and run it as follows:
    /usr/lib64/squid/basic_ldap_auth -b "<base-dn>" -f "uid=%s" -h <ldap-server>
    The command will not give any prompt and expect '<username> <password>' as input.
  2. If the after supply username and password the response is ok, then ldap authentication from proxy server is working properly, else debug ldap issues
  3. Edit squid.conf and add following lines:
    acl login-users src <IP-range>
    auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "<base-dn>" -f "uid=%s" -h <ldap-server>
    acl ldapauth proxy_auth REQUIRED
    http_access allow login-users ldapauth
    This would cause all users connecting from given IP-range to be authenticated. For others one can use 'http_access allow all' or 'http_access deny all' etc. based on situation.

In case of LDAPS use -H ldaps://<server>:<port> instead of -h and ensure that CA certificate is mentioned in /etc/openldap/ldap.conf file using TLS_CACERT directive.


Quick Linux host authentication using LDAP without using setup or authconfig

  • yum -y remove sssd
  • Edit /etc/nslcd.conf
    • Change uri, base. (Example uri ldap://ldap.sbarjatiya.com/ Note if FQDN is used then add corresponding entry to /etc/hosts. Or use IP address)
    • Append following lines
ssl off
timelimit 10
idle_timelimit 30
reconnect_sleeptime 30
reconnect_retrytime 90
  • Edit /etc/nssswitch.conf and change passwd, group, shadow, hosts to use ldap (Example value "files ldap" without quotes)
  • Edit /etc/openldap/ldap.conf and append values for BASE, URI same as done for /etc/nslcd.conf
  • Edit /etc/pam.d/fingerprint-auth-ac to authenticate with LDAP
  • Edit /etc/pam.d/password-auth-ac to authenticate with LDAP
  • Edit /etc/pam.d/smartcard-auth-ac to authenticate with LDAP
  • Edit /etc/pam.d/system-auth-ac to authenticate with LDAP
  • Edit /etc/pam.d/sshd to authenticate with LDAP
  • Use commands
rm -f /etc/pam.d/fingerprint-auth
rm -f /etc/pam.d/password-auth
rm -f /etc/pam.d/smartcard-auth
rm -f /etc/pam.d/system-auth
    
ln -s /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth
ln -s /etc/pam.d/password-auth-ac /etc/pam.d/password-auth
ln -s /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth
ln -s /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
  • Edit /etc/pam_ldap.conf
    • Replace values for host and base (Example host ldap.sbarjatiya.com. Again if FQDN is used add corresponding entry in /etc/hosts or use IP instead)
    • Also append (Example <uri> ldap://ldap.sbarjatiya.com/)
uri <uri>
ssl off
pam_password md5
  • Use commands
service nslcd restart
chkconfig nslcd on


Converting quick host authentication to use TLS

  • Edit /etc/nslcd.conf
    • change URI to ldaps://ldap.sbarjatiya.com/
    • Add following config lines
tls_reqcert hard
tls_cacertfile /etc/openldap/certs/ca.crt
  • Edit /etc/pam_ldap.conf
    • Ensure host entry points to FQDN and not to IP
    • Update file so that
uri ldaps://ldap.sbarjatiya.com
ssl on
pam_password md5
tls_cacertfile /etc/openldap/certs/ca.crt
  • Edit /etc/openldap/ldap.conf and ensure
BASE    dc=sbarjatiya,dc=com
URI         ldaps://ldap.sbarjatiya.com/
TLS_CACERT /etc/openldap/certs/ca.crt
  • Ensure /etc/hosts can resolve FQDN (ldap.sbarjatiya.com) to IP, in case corresponding DNS entry is not present
  • Copy certificates to /etc/openldap/certs and update permission using:
chown -R ldap:ldap /etc/openldap/certs/
chmod 755 /etc/openldap/certs/ca.crt
  • Note that ca.crt should be readable by nslcd
  • Deleted old cn=config format entries and create new ones using (These steps can take considerable time):
rm -rf /etc/openldap/slapd.d/*
slapd -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ -u ldap -h 'ldaps://ldap.sbarjatiya.com/'
service slapd restart
  • service nslcd restart
  • Verify using
ldapsearch -x -LLL #Should work
ldapsearch -x -LLL -ZZ    #Should fail because TLS already started
ldapsearch -x -LLL -H ldap://ldap2.rekall.com/   #Should fails as cannot connect to port 389
ldapsearch -x -LLL -H ldaps://ldap2.rekall.com/  #Should work
getent hosts  
getent passwd


Automated LDAP client configuration using ansible

For automated LDAP client configuration for OS where LDAP users might also login using GUI use automation described at Configure machines as LDAP client for graphical LDAP user login


Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > Authentication through LDAP