LDAP Client Authentication
Saturday, February 21, 2009

- This file "/etc/ldap.conf" is the first file that has to be modified, as it is the file that tells the system which LDAP server to authenticate to.

host yourdomain.com
base dc=yourdomain,dc=com
uri ldap://yourdomain.com/
ldap_version 3
rootbinddn cn=Manager,dc=yourdomain,dc=com
scope sub
timelimit 5
bind_timelimit 5
nss_reconnect_tries 2
pam_login_attribute uid
pam_member_attribute gid
# pick one: only a single pam_password directive takes effect
pam_password md5
pam_password exop
nss_base_passwd ou=People,dc=yourdomain,dc=com
nss_base_shadow ou=People,dc=yourdomain,dc=com

- Now we have to add the password to "/etc/ldap.secret" so that we can authenticate to the LDAP server. The file contains just the bind password on one line; because it is stored in clear text it must be owned by root with mode 600. Note that with rootbinddn set to cn=Manager every client holds the directory administrator's password, so a bind DN with read-only rights is the safer choice.

password

- Now we have to modify "/etc/nsswitch.conf":

passwd: files ldap
group: files ldap
hosts: dns ldap
services: ldap [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: files
bootparams: files
publickey: files
automount: files
sendmailvars: files
netgroup: ldap [NOTFOUND=return] files

- Now it is time to modify the files in the /etc/pam.d/ directory.
First file to be modified is "/etc/pam.d/login". Entries to add:

auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
session sufficient pam_ldap.so

The complete file then reads:

auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
auth required pam_tally.so onerr=succeed file=/var/log/faillog
account required pam_access.so
account required pam_time.so
account required pam_unix.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/spool/mail standard
session sufficient pam_ldap.so
session optional pam_lastlog.so

- Now we modify "/etc/pam.d/shadow". Entries to add:

auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
session sufficient pam_ldap.so

The complete file then reads:

auth sufficient pam_rootok.so
auth required pam_unix.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_ldap.so
session required pam_unix.so
session sufficient pam_ldap.so
password sufficient pam_ldap.so
password required pam_permit.so

- Now we modify "/etc/pam.d/passwd". Entry to add:

password sufficient pam_ldap.so

The complete file then reads:

password sufficient pam_ldap.so
password required pam_unix.so shadow nullok

- Now we modify "/etc/pam.d/su". Entries to add:

auth sufficient pam_ldap.so
account sufficient pam_ldap.so
session sufficient pam_ldap.so

The complete file then reads:

auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so

- Now we modify "/etc/pam.d/sudo". Entry to add:

auth sufficient pam_ldap.so

The complete file then reads:

auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
auth required pam_nologin.so

- In "/etc/pam.d/sshd" you have to add three entries, one for auth, one for account, and one for session:

auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password required pam_ldap.so

The complete file then reads:

auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
account required pam_time.so
password required pam_ldap.so
password required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix_session.so
session sufficient pam_ldap.so
session required pam_limits.so
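As an added check that is not part of the original post, the POSIX shell script below lints the client files configured above: the permissions on /etc/ldap.secret, the passwd/group databases in nsswitch.conf, the pam_ldap.so entries in each pam.d service file, and ldap.conf. The script is mine, not the post's; its live mode assumes the paths used in this post, and the "ssl start_tls" directive it looks for is pam_ldap's own and does not appear above.

```shell
#!/bin/sh
# Checks for the LDAP client files configured in this post. Each function
# takes a path so it can be run on a staged copy; 0 = pass, 1 = fail.
# "sh check_ldap_client.sh --live" runs them against /etc (needs root).

# /etc/ldap.secret holds the rootbinddn password in clear text, so it
# must not be readable by group or others (mode 0600).
check_secret_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# nsswitch.conf must consult ldap for passwd and group, or PAM may
# authenticate a user the system cannot resolve to a uid/gid.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
}

# A pam.d file needs one pam_ldap.so line per management group it is
# meant to cover. Usage: check_pam_file FILE TYPE...
check_pam_file() {
    f=$1; shift
    for t in "$@"; do
        grep -Eq "^[[:space:]]*$t[[:space:]]+[a-z]+[[:space:]]+pam_ldap\.so" "$f" || return 1
    done
}

# ldap.conf: only one pam_password directive takes effect, and a plain
# ldap:// uri without "ssl start_tls" sends the bind password in clear.
check_ldap_conf() {
    n=$(grep -c '^pam_password' "$1" || true)
    [ "$n" -le 1 ] || return 1
    if grep -q '^uri[[:space:]]*ldap://' "$1"; then
        grep -q '^ssl[[:space:]]*start_tls' "$1" || return 1
    fi
}

run_all() {
    check_secret_perms /etc/ldap.secret || echo "FAIL: /etc/ldap.secret readable by group/other"
    check_nsswitch /etc/nsswitch.conf   || echo "FAIL: nsswitch.conf lacks ldap for passwd/group"
    check_ldap_conf /etc/ldap.conf      || echo "FAIL: ldap.conf duplicate pam_password or cleartext uri"
    for svc in login su sudo sshd; do
        check_pam_file /etc/pam.d/$svc auth || echo "FAIL: pam.d/$svc has no pam_ldap auth entry"
    done
}

case "${1:-}" in --live) run_all ;; esac
```

Run against the post's own ldap.conf, check_ldap_conf fails on both counts: two pam_password lines and a cleartext ldap:// uri.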