Tuesday, February 10, 2009

System authentication using LDAP in Mandriva

The necessary packages are pam_ldap and nss_ldap. I enabled PAM authentication in /etc/ssh/sshd_config:
UsePAM yes

Then updated the file /etc/pam.d/sshd to the following (/etc/ssh/denyusers is empty):
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth include system-auth

account sufficient pam_ldap.so
account required pam_nologin.so
account include system-auth

password required pam_ldap.so
password include system-auth

session sufficient pam_ldap.so
session include system-auth


I also updated the file /etc/pam.d/proftpd to enable LDAP authentication for proftpd:
#%PAM-1.0

auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth include system-auth

account sufficient pam_ldap.so
account include system-auth

session sufficient pam_ldap.so
session include system-auth
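Two things in the stacks above deserve a check before they go into production. First, the ordering: Linux-PAM returns success to the application at the first satisfied "sufficient" module as long as no earlier "required" module has failed, so with auth sufficient pam_ldap.so listed first, a directory user is accepted before pam_listfile.so ever looks at /etc/ssh/denyusers (or /etc/ftpusers), and likewise account sufficient pam_ldap.so runs before pam_nologin.so, so /etc/nologin only stops local users. Second, onerr=succeed on the proftpd pam_listfile line fails open: if /etc/ftpusers is missing or unreadable, the deny list is silently skipped. The script below is an added example, not part of the original post or of Mandriva; it lints a PAM service file for both patterns and runs over the sshd stack as posted, a reordered version of it (my own suggestion, not from the post: the deny checks are moved in front of the LDAP module so they apply to every user), and the proftpd auth lines. The finding texts and the onerr=fail option value in the reordered stack are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for PAM service
# files that flags two weaknesses visible in the stacks above.
#
# Rule ORDER: within one type (auth, account, ...), a "sufficient" module
#   listed before a "required" pam_listfile.so or pam_nologin.so lets any
#   user that module accepts skip the deny check, because PAM returns
#   success at the first satisfied "sufficient" when nothing earlier failed.
# Rule FAILOPEN: pam_listfile.so with onerr=succeed grants access when the
#   list file is missing or unreadable instead of failing closed.
#
# Reads a PAM service file on stdin and prints one finding per line.
pam_stack_check() {
    awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
        t = $1; ctl = $2; mod = $3
        if (ctl == "sufficient" && !(t in first_sufficient))
            first_sufficient[t] = mod
        if (ctl == "required" &&
            (mod ~ /pam_listfile\.so/ || mod ~ /pam_nologin\.so/) &&
            (t in first_sufficient))
            printf("ORDER %s: %s is skipped for users accepted by %s\n", t, mod, first_sufficient[t])
        if (mod ~ /pam_listfile\.so/ && $0 ~ /onerr=succeed/)
            printf("FAILOPEN %s: %s has onerr=succeed, so an unreadable list file grants access\n", t, mod)
    }'
}

# Number of findings for a PAM file passed as a string.
count_findings() {
    printf '%s\n' "$1" | pam_stack_check | wc -l | tr -d ' '
}

# Constructed sample: the /etc/pam.d/sshd stack exactly as posted above.
SSHD_PAM_AS_POSTED=$(cat <<'EOF'
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth include system-auth

account sufficient pam_ldap.so
account required pam_nologin.so
account include system-auth

password required pam_ldap.so
password include system-auth

session sufficient pam_ldap.so
session include system-auth
EOF
)

# Constructed sample (my suggestion, not from the post): the same stack with
# the deny checks placed before the "sufficient" LDAP module, and the list
# file check made fail-closed with onerr=fail.
SSHD_PAM_REORDERED=$(cat <<'EOF'
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers onerr=fail
auth sufficient pam_ldap.so
auth include system-auth

account required pam_nologin.so
account sufficient pam_ldap.so
account include system-auth

password required pam_ldap.so
password include system-auth

session sufficient pam_ldap.so
session include system-auth
EOF
)

# Constructed sample: the auth lines of /etc/pam.d/proftpd as posted above.
PROFTPD_AUTH_AS_POSTED=$(cat <<'EOF'
auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth include system-auth
EOF
)

printf 'sshd as posted:\n';     printf '%s\n' "$SSHD_PAM_AS_POSTED" | pam_stack_check
printf 'sshd reordered:\n';     printf '%s\n' "$SSHD_PAM_REORDERED" | pam_stack_check
printf 'proftpd auth lines:\n'; printf '%s\n' "$PROFTPD_AUTH_AS_POSTED" | pam_stack_check
# On a live host: pam_stack_check < /etc/pam.d/sshd
```

The posted sshd stack yields two ORDER findings (the auth deny list and the account nologin check are both behind pam_ldap.so), the reordered one yields none, and the proftpd lines yield an ORDER and a FAILOPEN finding on the same line. The lint only understands the simple required/sufficient/include keywords used here, not the bracketed [value=action] syntax.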


The following are included in the file /etc/nsswitch.conf:
passwd: ldap files
shadow: files ldap
group: ldap files

Note: if a user has an entry in both LDAP and /etc/passwd, the command getent passwd | grep username returns two entries, because enumeration walks every source listed in nsswitch.conf. The command id username does a single name lookup and returns only the first match, together with its group membership; with passwd: ldap files that is the LDAP entry, which shadows the local one.
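The note above is worth turning into a routine check, since with passwd: ldap files a directory entry that reuses a local name or uid wins every name lookup, and a reused uid (above all uid 0) makes two accounts owners of the same files. The script below is an added example, not from the original post; it reads getent passwd output and reports names and uids that occur more than once. The sample lines are constructed to mimic a host where alice exists in both sources with different uids and the directory's bob reuses the local uid 1000.

```shell
#!/bin/sh
# Added example (not from the original post): list accounts that resolve
# ambiguously once LDAP and /etc/passwd are merged through nsswitch.conf.
# Reads "getent passwd" style lines on stdin. Enumeration prints every
# source, so a name or uid that appears twice exists in both the directory
# and the local file. A duplicated name means getpwnam() silently returns
# whichever source nsswitch.conf lists first; a duplicated uid means two
# different accounts own the same files, which for uid 0 is a second root.
nss_dupes() {
    awk -F: '
    NF < 3 || /^[[:space:]]*#/ { next }    # ignore comments and junk lines
    {
        if ($1 in name_uids) name_uids[$1] = name_uids[$1] "," $3; else name_uids[$1] = $3
        if ($3 in uid_names) uid_names[$3] = uid_names[$3] "," $1; else uid_names[$3] = $1
        name_count[$1]++; uid_count[$3]++
    }
    END {
        for (n in name_count) if (name_count[n] > 1)
            printf("NAME %s has uids %s\n", n, name_uids[n])
        for (u in uid_count) if (uid_count[u] > 1)
            printf("UID %s has names %s%s\n", u, uid_names[u], (u == "0") ? " (this is root)" : "")
    }'
}

# Constructed sample of "getent passwd" output with "passwd: ldap files":
# three directory entries first, then the local file.
GETENT_SAMPLE=$(cat <<'EOF'
alice:x:5001:5001:Alice (directory):/home/alice:/bin/bash
bob:x:1000:1000:Bob (directory):/home/bob:/bin/bash
carol:x:5002:5002:Carol (directory):/home/carol:/bin/bash
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice (local):/home/alice:/bin/bash
EOF
)

printf '%s\n' "$GETENT_SAMPLE" | nss_dupes
# On a live host: getent passwd | nss_dupes
```

On the sample this prints that alice has uids 5001 and 1000 and that uid 1000 belongs to both bob and alice; id alice on such a host would report uid 5001 while files owned by 1000 show up under bob. The same function works on getent group output to find clashing group names and gids.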

The following items are changed in the file /etc/ldap.conf:
host
base
binddn
bindpw
scope sub
pam_filter objectClass=posixAccount
pam_login_attribute uid
ssl off
#default objectclass posixAccount and attribute uid
nss_base_passwd
nss_base_shadow
#default objectclass posixGroup and attribute cn
nss_base_group
nss_base_hosts

Two caveats on these settings. With ssl off, every simple bind, including the user's own password that pam_ldap sends to the server at login, crosses the network in clear text; on anything but a trusted link set ssl start_tls (or ssl on) and point tls_cacertfile at the directory's CA certificate so the server is verified. And because nss_ldap needs /etc/ldap.conf readable by every process on the host, a bindpw placed there is readable by every local user; a privileged bind credential belongs in /etc/ldap.secret (mode 0600), which pam_ldap and nss_ldap read when rootbinddn is set.


The above two files can also be modified by running the command drakauth.

The nss_updatedb utility maintains a local cache of network directory user and group information. Used in conjunction with the pam_ccreds module, it provides a mechanism for disconnected use of network directories. I have the following lines in the file /etc/sysconfig/nss_updatedb:
NSS_SERVICE=ldap
ONLY_LOGGED_USERS=yes

Ref: LDAP Authentication HOWTO
