Re: Implementing LDAP for password authentication
> Has anyone got a how to on setting LDAP to do password authentication
> (we would like to replace good old buggy NIS)??? Any help would be
> greatly appreciated!!!
Actually, it's pretty straightforward. First, you need records like this
one:

dn: uid=<user>,ou=people,o=<organization>
uid: <user>
objectClass: account
objectClass: posixAccount
loginShell: /bin/bash
uidNumber: 1000
homeDirectory: /home/<user>
gidNumber: 100
cn: <Firstname> <Lastname>
userPassword: <...blah...>

The migration tools that come with OpenLDAP will help you generate
ldifs from your /etc/passwd file. You can use

ldappasswd -x -ZZ -W -D "<root dn>" -S "<user dn>"

to change passwords.
Next, you need to tell OpenLDAP with whom to share this information. I
use the following slapd.conf configuration directives:

password-hash {MD5}
access to attrs=userPassword
    by self write
    by * compare
access to * by * read

Note that I store passwords MD5-hashed, and I don't allow mere mortals
to read even the hashed passwords. This effectively implements shadow
security.
If you are running RedHat, you can tell a machine to get user data
from an LDAP database using setup. What that effectively does is
insert the line

passwd: files ldap

into nsswitch.conf, and insert the lines

host <ldapserver>
base o=<organization>
ssl yes

into ldap.conf. It wouldn't hurt to get shadow and group info from
LDAP, too, but for that you'll have to put some more data into the
database.
Now we are getting user data via LDAP, but we are still not
authenticating via LDAP. On RedHat, you can also use the setup tool to
configure that. Assuming you use PAM and pam_ldap, what you want to do
is to add lines like

auth sufficient /lib/security/pam_ldap.so use_first_pass

to the relevant files in pam.d. The necessary files are distributed
with pam_ldap. Any service that uses PAM for authentication can be
made to use LDAP in this way. Finally, you probably want to add

ssl yes
pam_password exop

to ldap.conf, so that communications are encrypted and the LDAP
database hashes all password changes. There is an incompatibility
between OpenLDAP and the password change mechanism of old versions of
pam_ldap, so be sure to get the very latest releases.
Hope that helps.
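Two parts of the reply above lend themselves to a worked example: the posixAccount record layout at the top and the password-hash directive in slapd.conf. The script below is an added example, not the OpenLDAP migration tools and not code from the poster. It parses constructed /etc/passwd lines into LDIF entries with exactly the attribute set the reply shows, and it produces userPassword values in the RFC 2307 {SSHA} form (salted SHA-1) alongside the unsalted {MD5} form the reply configures, with a checker that verifies a candidate the way a simple bind does. The {MD5} scheme has no salt, so two users with the same password get the same stored value and a leaked directory dump can be attacked with a precomputed table; slapd's password-hash directive accepts {SSHA} on the same OpenLDAP versions that accept {MD5}, which is why the example defaults to it. The base DN `o=example`, the UID range used to skip system accounts, and all account data are assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample /etc/passwd content; none of these are real accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice Example,Room 1,555-0100:/home/alice:/bin/bash
bob:x:1001:100:Bob Example:/home/bob:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

BASE_DN = "o=example"                   # assumed organization DN
PEOPLE_OU = "ou=people," + BASE_DN      # matches the dn layout in the reply
MIN_UID, MAX_UID = 1000, 60000          # assumed range: system accounts stay in local files


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt). A fresh 4-byte salt per call."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: str) -> str:
    """The unsalted {MD5} scheme from the reply's password-hash directive: base64(md5(password))."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate against a {SSHA} or {MD5} userPassword value (what slapd does on simple bind)."""
    cand = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is the salt
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(hashlib.md5(cand).digest(), base64.b64decode(stored[len("{MD5}"):]))
    return False  # unknown scheme: refuse rather than guess


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or the base64 'attr:: ...' form when RFC 2849 forbids the plain one."""
    plain = (value.isascii()
             and not value.startswith((" ", ":", "<"))
             and not any(c in value for c in "\r\n\0"))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def passwd_to_ldif(passwd_text: str, hashes: Dict[str, str]) -> List[str]:
    """Turn passwd lines into LDIF entries shaped like the reply's record.

    `hashes` maps login name -> already hashed userPassword value (the 'x' in
    /etc/passwd means the hash lives in /etc/shadow, so it is supplied separately).
    Accounts outside [MIN_UID, MAX_UID) are skipped and get no userPassword either way.
    """
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        if not (MIN_UID <= int(uid) < MAX_UID):
            continue
        attrs = [
            ("dn", f"uid={name},{PEOPLE_OU}"),
            ("uid", name),
            ("objectClass", "account"),
            ("objectClass", "posixAccount"),
            ("loginShell", shell),
            ("uidNumber", uid),
            ("homeDirectory", home),
            ("gidNumber", gid),
            ("cn", gecos.split(",")[0] or name),   # GECOS full name field, falling back to the login
        ]
        if name in hashes:
            attrs.append(("userPassword", hashes[name]))
        entries.append("\n".join(ldif_line(a, v) for a, v in attrs) + "\n")
    return entries


if __name__ == "__main__":
    # Constructed plaintexts; in practice the hashes would come from a password reset, not from /etc/shadow.
    hashed = {"alice": ssha_hash("s3cret"), "bob": ssha_hash("hunter2")}
    for entry in passwd_to_ldif(SAMPLE_PASSWD, hashed):
        print(entry)
    print("same password, {MD5}:", md5_hash("s3cret") == md5_hash("s3cret"))   # identical: no salt
    print("same password, {SSHA}:", ssha_hash("s3cret") == ssha_hash("s3cret"))  # differ: random salt
```

Pipe the printed entries into `ldapadd` after reviewing them; the {SSHA} values are accepted by slapd as stored userPassword data regardless of the password-hash setting, which only governs hashes slapd generates itself for the exop password change the reply enables.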