
LDAP User authentication (user names, passwords)

From FrugalWiki


Software used

  • openLDAP server (version: slapd 2.2.23, Debian Sarge server)
  • phpLDAPadmin 0.9.5 - for administering the directory
  • nss_ldap package for Frugalware

Configuring local authentication

First, we have to tell the local name/password resolving services (nss_ldap) how to connect to the LDAP server. This information is stored in "/etc/ldap.conf". The file is self-explanatory (full of comments), but let's look at a few settings:

#remember to put this host into /etc/hosts
host my.ldap.server
#users/groups will be searched under this subtree
base dc=section,dc=chapter,dc=book

ldap_version 3
#this is the user used for retrieving auth info;
#it must be configured with read access to the userPassword hash
#in the LDAP server's config, else authentication fails
binddn cn=auth,dc=nlab,dc=chapter,dc=book
bindpw auth

#timeouts for a lightly loaded LAN
timelimit 3
bind_timelimit 3
#what to do if the server is unreachable? I had a backup guest user,
#but you might not want such a thing
bind_policy soft

The file "/etc/nsswitch.conf" decides where a PAM-unaware application gets its user/password information from. Frugalware is "no-PAM", so tweak it and we're done:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns

From the moment you save the file, without any restart, all user/password/shadow hash lookups are performed by inspecting the local files first and, if the entry is not found there, by querying the LDAP server's database with the given bind user. Host resolution is better left to "/etc/hosts" and DNS. We can add our LDAP server's address to the former, so fewer DNS lookups are performed when user info needs to be retrieved. Installing nscd improves the performance of loaded servers and causes less traffic in general.
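The two files above are simple enough to review mechanically. The following script is an added example (not part of this wiki page or of nss_ldap): it parses the "/etc/ldap.conf", "/etc/nsswitch.conf" and "/etc/hosts" formats from text and reports the points a defender would want to look at in this setup: the bind password sitting in a file every lookup process must read (and which, per the configuration above, can read userPassword hashes), no TLS, bind_policy soft, ldap ordered before files, and an LDAP host that is not in /etc/hosts. The sample texts are constructed to mirror the page's configuration; the hardened variant uses the nss_ldap options rootbinddn (password in a root-only /etc/ldap.secret), ssl start_tls and tls_cacertfile, with a placeholder CA path. The check names and messages are this example's own.

```python
"""Offline review of an nss_ldap client configuration: /etc/ldap.conf,
/etc/nsswitch.conf and /etc/hosts. All inputs below are constructed samples."""
import re

# Constructed sample: the page's /etc/ldap.conf with the comments dropped.
LDAP_CONF_PAGE = """\
host my.ldap.server
base dc=section,dc=chapter,dc=book
ldap_version 3
binddn cn=auth,dc=nlab,dc=chapter,dc=book
bindpw auth
timelimit 3
bind_timelimit 3
bind_policy soft
"""

# Constructed hardened variant: bind password moved to the root-only
# /etc/ldap.secret via rootbinddn, STARTTLS required, lookups retry instead of
# giving up. The CA certificate path is a placeholder.
LDAP_CONF_HARDENED = """\
host my.ldap.server
base dc=section,dc=chapter,dc=book
ldap_version 3
rootbinddn cn=auth,dc=nlab,dc=chapter,dc=book
ssl start_tls
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
timelimit 3
bind_timelimit 3
bind_policy hard
"""

NSSWITCH_PAGE = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
"""

HOSTS_PAGE = "127.0.0.1   localhost\n192.168.1.10   my.ldap.server\n"  # constructed


def parse_ldap_conf(text):
    """'key value' lines; lines starting with '#' are comments. Keys are
    case-insensitive and a later line overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_nsswitch(text):
    """'database: source source ...' lines; action tokens such as
    [NOTFOUND=return] are skipped, only the source names are kept."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def parse_hosts(text):
    """Names that /etc/hosts resolves without asking DNS."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(fields[1:])
    return names


def audit(ldap_conf_text, nsswitch_text, hosts_text):
    """Return a list of (code, message) findings; an empty list means no flag."""
    conf = parse_ldap_conf(ldap_conf_text)
    nss = parse_nsswitch(nsswitch_text)
    hosts = parse_hosts(hosts_text)
    findings = []
    if "bindpw" in conf:
        findings.append(("bindpw-in-conf",
            "bindpw is in ldap.conf, which every process doing a user lookup must read; "
            "the bind user can read userPassword hashes, so any local user gets that access "
            "too (prefer rootbinddn with a mode-0600 /etc/ldap.secret)"))
    if conf.get("ssl", "off").lower() not in ("on", "start_tls"):
        findings.append(("no-tls",
            "ssl is off: the bind password and every userPassword hash cross the LAN in clear"))
    if conf.get("bind_policy", "hard").lower() == "soft":
        findings.append(("bind-policy-soft",
            "bind_policy soft: while the server is unreachable, LDAP users do not exist on "
            "this client at all; make sure the local fallback accounts are intended"))
    for db in ("passwd", "group", "shadow"):
        sources = nss.get(db, [])
        if "ldap" in sources and sources[0] != "files":
            findings.append(("ldap-before-files",
                f"{db}: ldap is consulted before local files, so a directory entry can "
                "shadow a local account such as root"))
    for h in conf.get("host", "").split():
        if h not in hosts and not re.fullmatch(r"[\d.]+", h):
            findings.append(("host-needs-dns",
                f"{h} is not in /etc/hosts; every user lookup first depends on DNS"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(LDAP_CONF_PAGE, NSSWITCH_PAGE, HOSTS_PAGE):
        print(f"[{code}] {msg}")
    print("hardened variant:", audit(LDAP_CONF_HARDENED, NSSWITCH_PAGE, HOSTS_PAGE))
```

Run against the page's configuration it reports the bind password in the file, the missing TLS and the soft bind policy; the hardened variant reports nothing. Feed it the real files with open("/etc/ldap.conf").read() and so on to check a live client.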

A complement to this would be NFS-mounted homes, so a user can have his/her settings on all machines. On the server side, an export in "/etc/exports":

/home 192.168.1.0/24(rw,sync,root_squash,anonuid=65534,anongid=65534)

On the client side, an NFS mount in "/etc/fstab":

server:/home      /home           nfs             rsize=8192,wsize=8192,timeo=3,hard

The examples are configured so that a client-side uid 0 (root) is treated on the server as given in the export above (squashed to the anonymous uid/gid). Users can now be added to the database and they will be immediately recognized by the client's authorization services. The password crypt method used on the server was md5crypt: the given password is hashed with md5crypt, and it is this hash that is sent over the wire and checked with crypt().

Issues

  • passwd change is not possible on the client side: passwd sees only local files. Actually this is a feature, if PAM can be persuaded to hash passwords like phpMyadmin does with md5crypt, so a password-changing utility can be left on the server (maybe a prepared ssh account?). Follow-ups on this might come.
  • SSL setup howto, to reliably encrypt the client-server communication