In this post we will show how to use an OpenDJ ldap server to authenticate users on an Ubuntu workstation.

OpenDJ setup

I will assume that you already have an OpenDJ server running. If not, please have a look at the OpenDJ installation guide.

PosixAccount and posixGroup

One important step before setting up Ubuntu is to add the auxiliary objectClasses posixAccount and posixGroup to the ldap users you want to allow on the workstation. It can easily be done through the OpenDJ control-panel, in the Manage Entries section of the Directory Data. You will need to set the fields uidNumber, gidNumber and homeDirectory. They must contain, respectively, the user id number, the group id number and the path of the user's home directory. For example:

uidNumber = 1100
gidNumber = 1100
homeDirectory = /home/foo

If you don't add those objectClasses to your ldap user, he won't be able to authenticate on the workstation. If that is the case, you will likely see a log saying that the credentials are wrong, on both the workstation and OpenDJ.

Workstation setup

Setup the ldap-auth-client

The first step is to install ldap-auth-client and nscd. The first allows authentication through ldap via PAM. The name service cache daemon is just a cache in front of nss (the name service switch).

sudo apt-get install ldap-auth-client nscd

You will be asked about your ldap configuration. You can change it later by editing the /etc/ldap.conf file. It should look something like that:

# Your ldap host, an ip is ok too
host ldap.myserver.com
# Your ldap base dn.
base dc=myserver,dc=com
# If your server doesn't allow anonymous bind
binddn cn=workstation,ou=App,dc=myserver,dc=com
bindpw thepassword

Don't forget to comment out pam_password md5. By default OpenDJ needs to receive the password in clear, not as an md5 hash.

If your server is running on port 389, you don't need anything else. However, please note that this is not secure at all, since the bind credentials and the users' passwords travel in clear text over the network. It would be better to use ldap over ssl, with a proper certificate.

Setup the name service switch

We need to configure nss so that it also looks up users and groups in ldap. It can be done via the following command:

sudo auth-client-config -t nss -p lac_ldap

Otherwise you have to edit /etc/nsswitch.conf and append ldap for passwd, group and shadow. It should look like that:

passwd: files ldap
group: files ldap
shadow: files ldap

Home dir and group

In order for your ldap users to have their home directory created, as well as to be part of some useful groups, you need to configure pam.

For the home dir, create the file /usr/share/pam-configs/my_mkhomedir with the following content:

Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0022 skel=/etc/skel

For the group, first add the groups you want for the new user:

echo "*;*;*;Al0000-2400;audio,cdrom,dialout,usb" >> /etc/security/group.conf

Then create a second file under /usr/share/pam-configs/ (it must not reuse the my_mkhomedir name, or it would overwrite the file above; /usr/share/pam-configs/my_group is used here as an example name) with the following content:

Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	required pam_group.so use_first_pass

Finally, update pam auth to process the configuration and restart the nss cache service:

sudo pam-auth-update
service nscd restart

At this point you should be good to go. Don't forget that you will need the network in order to communicate with the ldap server, so be sure that your network interface is properly set up before the login phase. The user will be created on the fly with the information retrieved from your ldap server.
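As an added example (not part of the original post), here is a small POSIX shell script that checks the two files edited above for the settings the post calls out: host (or uri) and base set, pam_password md5 commented out, a bindpw only when the connection is protected, and ldap listed for passwd, group and shadow in nsswitch.conf. The file paths are passed as arguments, and the ssl on / ssl start_tls / uri ldaps:// directives it looks for are the standard pam_ldap and libnss-ldap ldap.conf ones.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the ldap.conf and
# nsswitch.conf edits described above. Each finding is printed; the functions
# return 0 when every check passes and 1 otherwise.

# Drop comments and blank lines, so a commented-out "pam_password md5" is not
# counted as active (a '#' inside a bindpw value would also be cut here).
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# /etc/ldap.conf: host (or uri) and base present, "pam_password md5" not
# active (OpenDJ expects the clear password in the bind), and a bindpw only
# when the connection is protected (ssl on, ssl start_tls or an ldaps:// uri).
check_ldap_conf() {
    rc=0
    conf=$(active_lines "$1")
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(host|uri)[[:space:]]' \
        || { echo "ldap.conf: no host/uri directive"; rc=1; }
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*base[[:space:]]' \
        || { echo "ldap.conf: no base dn"; rc=1; }
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*pam_password[[:space:]]+md5'; then
        echo "ldap.conf: pam_password md5 is active; comment it out for OpenDJ"; rc=1
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*bindpw[[:space:]]' &&
       ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(ssl[[:space:]]+(on|start_tls)|uri[[:space:]]+ldaps://)'; then
        echo "ldap.conf: bindpw would travel over plain ldap; use ssl/start_tls"; rc=1
    fi
    return $rc
}

# /etc/nsswitch.conf: passwd, group and shadow must each list ldap
# (a "groups:" line, a common typo, leaves group unconfigured and is reported).
check_nsswitch() {
    rc=0
    for db in passwd group shadow; do
        active_lines "$1" | grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" \
            || { echo "nsswitch.conf: $db does not include ldap"; rc=1; }
    done
    return $rc
}

# Usage: sh check_ldap_auth.sh /etc/ldap.conf /etc/nsswitch.conf
if [ "$#" -eq 2 ]; then
    check_ldap_conf "$1" && check_nsswitch "$2" && echo "all checks passed"
fi
```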