Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
en:services:network_services:openldap:start [2016/01/14 12:43] – [Other measures] tottoen:services:network_services:openldap:start [2016/01/14 12:44] (current) – [Other Measures] totto
Line 1: Line 1:
 +======OpenLDAP======
  
 +===== Connecting UNIX/Linux Systems to the GWDG's User Account Management =====
 +
 +==== Prerequisites ====
 +To use our OpenLDAP service you have to install the so called PAM (pluggable authentication modules) modules and  NSS (name service switch). NSS enables your operating system to use name resolution from different data sources. This is true for computer names, group names and user names. PAM and NSS are available for Linux and FreeBSD systems. In the following we describe the connection to our LDAP server. Because SuSE Linux and Ubuntu are widespread in Göttingen, we mainly refer to these Linux distributions. Mac OS X also works with OpenLDAP. Please contact <machelp@gwdg.de> for further information.
 +
 +==== Requiered Software Packages ====
 +On SuSE Linux systems you can use the //rpm// command to check if the three necessary software packages are installed:
 +<file>
 +> rpm -qa | grep ldap    
 +nss_ldap-262-11.32.39.1
 +openldap2-client-2.4.26-0.30.1
 +pam_ldap-184-147.20
 +</file>
 +\\
 +On Ubuntu systems, the following software packages are necessary:
 +<file>
 +libnss-ldap  
 +libpam-ldap  
 +ldap-utils
 +nslcd
 +</file>
 +\\
 +On FreeBSD systems, you can use the //pkg info// command:
 +<file>
 +> pkg info | grep ldap    
 +nss_ldap-1.265_10              
 +openldap-client-2.4.40_1       
 +pam_ldap-1.8.6_2
 +</file>
 +\\
 +In the examples above a ">" at the beginning on a line symbolizes a shell command prompt.
 +The mentioned version numbers are not so important.
 +
 +==== OpenLDAP Configuration ====
 +On OpenLDAP Linux clients, all the necessary configuration files are stored in the directory // /etc/openldap// respectively // /usr/local/etc/openldap// on FreeBSD clients. The central configuration file is //ldap.conf// which ponits to the GWDG's OpenLDAP server. Here is an example:
 +<file>
 +BASE        xxxxxxx                # beginning of a search path in the LDAP directory
 +URI         ldaps://ldap.gwdg.de
 +binddn      xxxxxxx                # user with search privileges
 +bindpw      xxxxxxx                # corresponding password
 +TLS_CACERT  /etc/openldap/ldap-ca.pem 
 +ssl         on   
 +</file>
 +\\
 +Please contact <support@gwdg.de> for //BASE//, //binddn// and //bindpw// entries.
 +
 +To use //ssl//, you have to install a CA certificate from a trustcenter. You can find this file on our server //login.gwdg.de// Simply copy the file // /etc/openldap/ldap-ca.pem// to the same directory where your //ldap.conf// file is located. This file is also available on our server //gwdu60.gwdg.de//. It is located in // /var/openldap/cert/ldap-ca.pem//.
 +
 +Make sure that //ldap.conf// and //ldap-ca.pem// are both readable for every user.
 +
 +==== PAM Configuration ====
 +
 +PAM configuration is an important thing during the setup process of an OpenLDAP client. You have to configurate each service  (e.g. ssh, sftp) that allows a user login seperately if necessary. On Linux and FreeBSD systems, you have to edit all configuration files in the directory // /etc/pam.d/ // for your relevant services. It is important to include the //pam_ldap// entries in the configuration files. Otherwise OpenLDAP authentifications would not work for these services.
 +\\
 +\\
 +On FreeBSD systems one of these configuration files are //system// (to make login and su work) and //sshd// (for ssh logins). Here is an example of the // /etc/pam.d/sshd// configuration file:
 +<file>
 +#
 +# PAM configuration for the "sshd" service
 +#
 +# auth
 +auth            required        pam_nologin.so          no_warn
 +auth            sufficient      pam_opie.so             no_warn no_fake_prompts
 +auth            requisite       pam_opieaccess.so       no_warn allow_local
 +auth            sufficient      pam_ldap.so             no_warn try_first_pass
 +auth            required        pam_unix.so             no_warn try_first_pass
 +# account
 +account         sufficient      pam_login_access.so
 +account         sufficient      pam_ldap.so
 +account         required        pam_unix.so
 +# session
 +#session        sufficient      pam_ldap.so              
 +session         required        pam_permit.so
 +# password
 +password        required        pam_unix.so             no_warn try_first_pass
 +</file>
 +\\
 +E.g. for OpenLDAP console logins on Ubuntu systems, you have to enter the service specific entries in // /etc/pam.d/common-password// and // /etc/pam.d/common-auth//. Here is an example of  a common-password configuration file:
 +<file>
 +#
 +# /etc/pam.d/common-password - password-related modules common to all services
 +#
 +password [success=2 default=ignore] pam_unix.so obscure sha512
 +password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
 +password requisite pam_deny.so
 +password required pam_permit.so
 +password optional pam_gnome_keyring.so 
 +</file>
 +\\
 +and here an example of an common-auth configuration:
 +\\
 +<file>
 +#
 +# /etc/pam.d/common-auth - authentication settings common to all services
 +#
 +auth [success=2 default=ignore] pam_unix.so nullok_secure
 +auth [success=1 default=ignore] pam_ldap.so use_first_pass
 +auth requisite pam_deny.so
 +auth required pam_permit.so
 +</file>
 +\\
 +On FreeBSD and Linux systems, the //pam_ldap// module uses its own configuration file //ldap.conf//. You can link them to your OpenLDAP configuration file.\\
 +
 +On Linux systems enter:
 +<file>
 +> ln -fsv /etc/openldap/ldap.conf /etc/ldap.conf  
 +</file>
 +\\
 +And on a FreeBSD machine:
 +<file>
 +> ln -fsv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf 
 +</file>
 +\\
 +==== NSS Configuration ====
 +
 +You have to change two lines in the file // /etc/nsswitch.conf // to get access to the OpenLDAP data:
 +<file>
 +group: files ldap 
 +passwd: files ldap 
 +</file>
 +\\
 +On FreeBSD machines, you have to link the file // /usr/local/etc/nss_ldap.conf// to // /usr/local/etc/openldap/ldap.conf//.
 +\\
 +You can check if your NSS configuration is working with the //id// command and your GWDG account (e.g. gast00).
 +<file>
 +> id gast00
 +uid=6722(gast00) gid=5070(GGST) groups=5070(GGST)
 +</file>
 +\\
 +If it does not work, you get an error message like that:
 +<file>
 +id: gast00: no such user 
 +</file>
 +\\
 +==== Other Measures ====
 +
 +In the GWDG LDAP directory // /usr/users/USERNAME/ // is defined as your user home directory.  In certain circumstances, you have to link your home directory (e.g. /home/otto) to //  /usr/users/onormal//  for a successful login. Enter:
 +<file>
 +> mkdir /usr/users
 +> ln -s /home/otto /usr/users/onormal
 +</file>
 +\\
 +Afterwards the user //otto// can use // /usr/users/onormal/ // as his home directory.
 +\\
 +==== Contact ====
 +If you have any problems or questions regarding OpenLDAP, please contact <support@gwdg.de>.