How to use LDAP authentication with AFS and PAM?
This is a brief how-to for enabling AFS authentication and LDAP authorization for PAM-enabled applications. Since PAM is generic, you can ignore the AFS part and use whatever PAM module you want. The applications are typically compiled with the --with-pam option. This lets you keep user information in one database system while leaving authentication on the AFS database.

First, the PAM configuration. You need the pam_afs.so module in /lib/security (on Solaris it looks like this can also be in /usr/lib/security), owned by root. It comes with OpenAFS 2.7, which is the version I used; I didn't go back and test previous versions.

For Linux you need a file named after the service (e.g. samba) in the /etc/pam.d directory that looks like this:

 #%PAM-1.0
 auth       required     pam_afs.so
 account    required     pam_unix.so
 session    required     pam_unix.so
-- For Solaris you need the /etc/pam.conf file to contain about the same thing, except that the service name is prepended to each line and the module path is hard-coded. (I'm looking to see if there is a universal config for this. Sun created PAM, so I'm thinking they may have altered the standards a bit after its initial release.) The pam.conf entry for samba should look like this:
 samba   auth       required     /lib/security/pam_afs.so.1
 samba   account    required     /lib/security/pam_unix.so.1
 samba   session    required     /lib/security/pam_unix.so.1
One extra pam_afs option that seems to be broken is cell=yourcell.com.
-- LDAP integration. You need an LDAP database configured using the NIS schema. To do this you need to create the base/root, People and Group objects in the LDAP database, and so on. An LDIF file like the following should work (load it with: ldapadd -x -D "cn=admin,dc=yourdomain,dc=com" -W -f blah.ldif):
 ---- beginning of ldif stuff
 # yourdomain, com
 dn: dc=yourdomain,dc=com
 objectClass: dcObject
 objectClass: organization
 o: yourdomain
 dc: yourdomain

 # admin, yourdomain, com
 dn: cn=admin,dc=yourdomain,dc=com
 objectClass: organizationalRole
 objectClass: simpleSecurityObject
 cn: admin
 description: LDAP administrator
 # base64 of "secret" (see the note below; change it)
 userPassword:: c2VjcmV0

 # People, yourdomain, com
 dn: ou=People,dc=yourdomain,dc=com
 ou: People
 objectClass: top
 objectClass: organizationalUnit

 # Group, yourdomain, com
 dn: ou=Group,dc=yourdomain,dc=com
 ou: Group
 objectClass: top
 objectClass: organizationalUnit

 # testuser, People, yourdomain, com
 dn: uid=testuser,ou=People,dc=yourdomain,dc=com
 uid: testuser
 cn: testuser
 objectClass: account
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
 # base64 of "x": a placeholder only, since AFS does the authentication
 userPassword:: eA==
 shadowLastChange: 11887
 shadowMax: 99999
 shadowWarning: 7
 loginShell: /bin/false
 uidNumber: 501
 gidNumber: 501
 homeDirectory: /home/testuser
 gecos: Test User

 # testuser, Group, yourdomain, com
 dn: cn=testuser,ou=Group,dc=yourdomain,dc=com
 objectClass: posixGroup
 objectClass: top
 cn: testuser
 userPassword:: eA==
 gidNumber: 501
 memberUid: testuser
 ---- end of ldif stuff
Note: the administrator password is 'secret', as in the OpenLDAP install instructions; you should change it. The password entry for the user only needs to exist; it doesn't matter what you put in it, since you are authenticating via AFS. You also need a user with the same name (in this case testuser) in the AFS database. It is less confusing if you map the AFS id number to the uid/gid number.
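As an added example (not part of the FAQ), a small Python checker that reads an LDIF like the one above and flags the mistakes that most often make an nss_ldap/PAM login fail silently: a posixAccount or posixGroup missing one of its nis.schema MUST attributes, a memberUid that names no account, and a user gidNumber with no matching group. The parser, the MUST table and the sample entries are mine; the sample reuses the page's testuser values with deliberate errors planted.

```python
import base64

MUST = {"posixaccount": ("cn", "uid", "uidnumber", "gidnumber", "homedirectory"),
        "posixgroup": ("cn", "gidnumber")}   # nis.schema MUST attributes, lower-cased

def parse_ldif(text):
    """Minimal LDIF reader (no folding/changetype): list of {attr: [values]}, names lower-cased, 'attr::' base64-decoded."""
    entries = []
    for block in text.strip().split("\n\n"):        # a blank line separates entries
        cur = {}
        for line in block.splitlines():
            if not line.startswith("#"):
                attr, _, val = line.partition(":")
                val = base64.b64decode(val[1:].strip()).decode() if val.startswith(":") else val
                cur.setdefault(attr.lower(), []).append(val.strip())
        entries.append(cur)
    return entries

def check_nis_entries(entries):
    """Problems that break PAM/nss_ldap lookups: missing MUST attrs, dangling memberUid, orphan user gidNumber."""
    classes = lambda e: {c.lower() for c in e.get("objectclass", [])}
    users = {e["uid"][0] for e in entries if "uid" in e and "posixaccount" in classes(e)}
    gids = {e["gidnumber"][0] for e in entries if "gidnumber" in e and "posixgroup" in classes(e)}
    problems = []
    for e in entries:
        dn, oc = e.get("dn", ["?"])[0], classes(e)
        problems += [f"{dn}: missing {a} (required by {c})"
                     for c in MUST if c in oc for a in MUST[c] if a not in e]
        problems += [f"{dn}: memberUid {m} has no posixAccount"
                     for m in e.get("memberuid", []) if "posixgroup" in oc and m not in users]
        if "posixaccount" in oc and "gidnumber" in e and e["gidnumber"][0] not in gids:
            problems.append(f"{dn}: gidNumber {e['gidnumber'][0]} has no posixGroup")
    return problems

# Constructed sample: the testuser entries above minus homeDirectory, with a mistyped group gidNumber and a stray memberUid.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=yourdomain,dc=com
uid: testuser
cn: testuser
objectClass: posixAccount
userPassword:: eA==
uidNumber: 501
gidNumber: 501

dn: cn=testuser,ou=Group,dc=yourdomain,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 510
memberUid: ghost
"""
```

Running `check_nis_entries(parse_ldif(SAMPLE_LDIF))` reports the three planted errors; on the corrected LDIF it returns an empty list.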
Then you need nss_ldap or something similar installed on your system. Sun, RedHat, etc. all ship something out of the box; you can also get the latest version (the one RedHat uses), or if that doesn't work, the nss_ldap package from padl.com.
You need to edit the /etc/nsswitch.conf file to read something like:
-- Linux
 passwd:     files ldap
 shadow:     files ldap
 group:      files ldap
-- Solaris
 passwd:     files ldap
 group:      files ldap
Note: I'm not sure if the shadow line is actually needed for Linux, but it works.
This tells the system that for user/group/shadow information it should look at the local files first and then at LDAP. (Note: if you use only ldap, you may have problems with local user accounts.)
Then you need an /etc/ldap.conf file, or your LDAP client's own configuration; Sun, for example, has its own LDAP client and stores its settings in /var/ldap.

The ldap.conf file takes the form of:

 host yourldapserver.com
 # The distinguished name of the search base.
 base dc=yourdomain,dc=com
Here host is where the LDAP server is (use an IP address if your DNS data is itself stored in the LDAP database, since name resolution would otherwise depend on LDAP being up) and base is the distinguished name of your database.
You can find migration tools to convert your current information to an LDAP-based system at padl.com. These tools are installed with RedHat.
An example slapd.conf configuration looks like this (well, the important parts; you might want to do more with the security piece, as this is meant to be very basic):
---- begin slapd.conf stuff
 ## include relevant schemas; I think only core and nis are really needed.
 include         /usr/local/etc/openldap/schema/core.schema
 include         /usr/local/etc/openldap/schema/cosine.schema
 include         /usr/local/etc/openldap/schema/nis.schema
 include         /usr/local/etc/openldap/schema/inetorgperson.schema
 #

 ## access permissions
 # read on the base entry (read implies search) so clients can search from the suffix
 access to dn.base="dc=yourdomain,dc=com" by * read
 access to dn.children="ou=People,dc=yourdomain,dc=com" by * read
 access to dn.children="ou=Group,dc=yourdomain,dc=com" by * read

 ## establish database (moduleload is only needed if slapd was built with dynamic backends)
 moduleload      back_bdb.la
 database        bdb
 suffix          "dc=yourdomain,dc=com"
 rootdn          "cn=admin,dc=yourdomain,dc=com"
 # Cleartext passwords, especially for the rootdn, should
 # be avoided. See slappasswd(8) and slapd.conf(5) for details.
 # Use of strong authentication encouraged.
 # you only need a root password set the first time you initialize the db;
 # you can safely delete the line after you do the initializing, i.e. start it up.
 #rootpw         secret
 # The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd/tools. Mode 700 recommended.
 directory       /home/openldap/users
 # Indices to maintain
 index   cn,sn,uid,memberUid             pres,eq
 index   objectClass,uidNumber,gidNumber eq
---- end of slapd.conf stuff.
TESTING: Once you get through all that, you want to see if it works.
You should be able to log in via samba now.
To find where the problem is (because there are always problems),
I usually just check whether I'm getting information from the LDAP server. For Linux you can usually just finger the user:
 finger testuser
For Solaris I use a little script:
 sbin> more ldaptest.pl
 #!/usr/bin/perl
 use strict;
 use warnings;
 # Look the user up through NSS, so the lookup goes files -> ldap exactly as
 # nsswitch.conf says; if this comes back empty, PAM is not where the problem is.
 my $user = "testuser";
 my ($name, $passwd, $uid, $gid, $quota, $comment, $gecos, $dir, $shell, $expire) = getpwnam($user);
 die "no passwd entry for $user\n" unless defined $name;
 print "name $name\n";
 print "passwd $passwd\n";
 print "uid $uid \n";
 print "gid $gid \n";
 print "quota $quota\n";
 print "comment $comment\n";
 print "gecos $gecos\n";
 print "dir $dir\n";
 print "shell $shell\n";
Basically this tells you whether the problem is a firewall issue, an LDAP server that is not running or is misconfigured, the nsswitch file, the ldap.conf file, etc., or whether it is PAM or the server daemon that is causing the problem. Your output should look like:
 name testuser
 passwd eA==
 uid 501
 gid 501 
 quota 
 comment NA
 gecos Test User
 dir /home/testuser
 shell /bin/false

Another test is to do an ldapsearch from the command line to help isolate the ldap pieces of the puzzle.

There might be some mistakes, etc. So feel free to correct any errors, but last I knew if you followed these instructions you could have a very basic authorization server working with PAM/LDAP.

This document is: http://www.openldap.org/faq/index.cgi?file=1042
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org