====== OpenLDAP ======

===== Connecting UNIX/Linux Systems to the GWDG's User Account Management =====

==== Prerequisites ====

To use our OpenLDAP service you have to install the so-called PAM (pluggable authentication modules) and NSS (name service switch) components. NSS enables your operating system to resolve names from different data sources. This applies to computer names, group names and user names. PAM and NSS are available for Linux and FreeBSD systems.

In the following we describe the connection to our LDAP server. Because SuSE Linux and Ubuntu are widespread in Göttingen, we mainly refer to these Linux distributions. Mac OS X also works with OpenLDAP. Please contact for further information.

==== Required Software Packages ====

On SuSE Linux systems you can use the //rpm// command to check whether the three necessary software packages are installed:

<code>
> rpm -qa | grep ldap
nss_ldap-262-11.32.39.1
openldap2-client-2.4.26-0.30.1
pam_ldap-184-147.20
</code>

On Ubuntu systems, the following software packages are necessary:

<code>
libnss-ldap
libpam-ldap
ldap-utils
nslcd
</code>

On FreeBSD systems, you can use the //pkg info// command:

<code>
> pkg info | grep ldap
nss_ldap-1.265_10
openldap-client-2.4.40_1
pam_ldap-1.8.6_2
</code>

In the examples above a ">" at the beginning of a line symbolizes a shell command prompt. The exact version numbers are not important.

==== OpenLDAP Configuration ====

On Linux OpenLDAP clients, all the necessary configuration files are stored in the directory // /etc/openldap//; on FreeBSD clients the directory is // /usr/local/etc/openldap//. The central configuration file is //ldap.conf//, which points to the GWDG's OpenLDAP server. Here is an example:

<code>
BASE       xxxxxxx                     # beginning of a search path in the LDAP directory
URI        ldaps://ldap.gwdg.de
binddn     xxxxxxx                     # user with search privileges
bindpw     xxxxxxx                     # corresponding password
TLS_CACERT /etc/openldap/ldap-ca.pem
ssl        on
</code>

Please contact for the //BASE//, //binddn// and //bindpw// entries.
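The following Python script is an added example, not part of this page, that parses a client //ldap.conf// in the layout shown above and reports the settings a defender would verify (TLS in use, CA file present, where //bindpw// ends up); the sample directory values are constructed placeholders, not real GWDG settings.

```python
import os
import stat

# Constructed sample in the layout of the ldap.conf example above; the values
# are placeholders, not real GWDG settings.
SAMPLE_LDAP_CONF = """\
BASE       dc=example,dc=invalid            # beginning of a search path in the LDAP directory
URI        ldaps://ldap.gwdg.de
binddn     cn=search,dc=example,dc=invalid  # user with search privileges
bindpw     placeholder-secret               # corresponding password
TLS_CACERT /etc/openldap/ldap-ca.pem
ssl        on
"""


def parse_ldap_conf(text):
    """Return {KEY: value}: one directive per line, '#' starts a comment,
    directive names are case-insensitive (stored upper-case)."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(conf, world_readable, cacert_present):
    """Return the findings for a parsed ldap.conf, given whether the file is
    readable by everyone and whether its TLS_CACERT file exists."""
    findings = []
    tls = conf.get("URI", "").startswith("ldaps://") or conf.get("SSL", "").lower() in ("on", "start_tls")
    if not tls:
        findings.append("no-tls")            # binddn/bindpw would cross the network in clear
    if not cacert_present:
        findings.append("cacert-missing")    # server certificate cannot be checked against the CA
    if "BINDPW" in conf and world_readable:
        # This setup needs the file world-readable for NSS lookups, so every local
        # account can read bindpw: the search account must hold read rights only.
        findings.append("bindpw-world-readable")
    return findings


def check_ldap_conf(path):
    """Audit the ldap.conf at `path` (e.g. /etc/openldap/ldap.conf) on this host."""
    with open(path) as fh:
        conf = parse_ldap_conf(fh.read())
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    cacert_present = "TLS_CACERT" in conf and os.path.exists(conf["TLS_CACERT"])
    return audit(conf, world_readable, cacert_present)
```

Running `check_ldap_conf("/etc/openldap/ldap.conf")` on a client set up as described returns only the //bindpw// finding, which is expected here and documents the trust placed in the search account.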
To use //ssl//, you have to install a CA certificate from a trust center. You can find this file on our server //login.gwdg.de//. Simply copy the file // /etc/openldap/ldap-ca.pem// to the directory where your //ldap.conf// file is located. This file is also available on our server //gwdu60.gwdg.de//, in // /var/openldap/cert/ldap-ca.pem//. Make sure that //ldap.conf// and //ldap-ca.pem// are both readable for every user.

==== PAM Configuration ====

PAM configuration is an important step in the setup of an OpenLDAP client. Each service that allows a user login (e.g. ssh, sftp) has to be configured separately if necessary. On Linux and FreeBSD systems, you have to edit the configuration files of the relevant services in the directory // /etc/pam.d/ //. It is important to include the //pam_ldap// entries in these files; otherwise OpenLDAP authentication will not work for these services.

On FreeBSD systems the relevant configuration files include //system// (to make login and su work) and //sshd// (for ssh logins). Here is an example of the // /etc/pam.d/sshd// configuration file:

<code>
#
# PAM configuration for the "sshd" service
#

# auth
auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  pam_ldap.so         no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass

# account
account     sufficient  pam_login_access.so
account     sufficient  pam_ldap.so
account     required    pam_unix.so

# session
#session    sufficient  pam_ldap.so
session     required    pam_permit.so

# password
password    required    pam_unix.so         no_warn try_first_pass
</code>

For OpenLDAP console logins on Ubuntu systems, for example, you have to enter the service-specific entries in // /etc/pam.d/common-password// and // /etc/pam.d/common-auth//.
Here is an example of a common-password configuration file:

<code>
#
# /etc/pam.d/common-password - password-related modules common to all services
#
password    [success=2 default=ignore]                   pam_unix.so obscure sha512
password    [success=1 user_unknown=ignore default=die]  pam_ldap.so use_authtok try_first_pass
password    requisite                                    pam_deny.so
password    required                                     pam_permit.so
password    optional                                     pam_gnome_keyring.so
</code>

and here an example of a common-auth configuration:

<code>
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth    [success=2 default=ignore]    pam_unix.so nullok_secure
auth    [success=1 default=ignore]    pam_ldap.so use_first_pass
auth    requisite                     pam_deny.so
auth    required                      pam_permit.so
</code>

On FreeBSD and Linux systems, the //pam_ldap// module uses its own configuration file //ldap.conf//. You can link it to your OpenLDAP configuration file.

On Linux systems enter:

<code>
> ln -fsv /etc/openldap/ldap.conf /etc/ldap.conf
</code>

And on a FreeBSD machine:

<code>
> ln -fsv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf
</code>

==== NSS Configuration ====

You have to change two lines in the file // /etc/nsswitch.conf // to get access to the OpenLDAP data:

<code>
group:  files ldap
passwd: files ldap
</code>

On FreeBSD machines, you have to link the file // /usr/local/etc/nss_ldap.conf// to // /usr/local/etc/openldap/ldap.conf//.

You can check whether your NSS configuration is working with the //id// command and your GWDG account (e.g. gast00):

<code>
> id gast00
uid=6722(gast00) gid=5070(GGST) groups=5070(GGST)
</code>

If it does not work, you get an error message like this:

<code>
id: gast00: no such user
</code>

==== Other Measures ====

In the GWDG LDAP directory, // /usr/users/USERNAME/ // is defined as your user home directory. In certain circumstances, you have to link your home directory (e.g. /home/otto) to // /usr/users/onormal// for a successful login.
Enter:

<code>
> mkdir /usr/users
> ln -s /home/otto /usr/users/onormal
</code>

Afterwards the user //otto// can use // /usr/users/onormal/ // as his home directory.

==== Contact ====

If you have any problems or questions regarding OpenLDAP, please contact .
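As an added example (not from this page) for the Ubuntu //common-auth// stack shown in the PAM Configuration section, the following Python model walks the Linux-PAM control syntax to show where the ''[success=N]'' jumps land for a local user, an LDAP user and a wrong password, and why the ''requisite pam_deny.so'' line must stay: the stack, module results and simplified keyword tables are all constructed here.

```python
# Constructed model of the Ubuntu common-auth stack shown above. Each entry is
# (control, module); a control is a keyword or a dict in Linux-PAM bracket
# syntax, where an int means "treat as ok and skip that many modules".
COMMON_AUTH = [
    ({"success": 2, "default": "ignore"}, "pam_unix.so"),
    ({"success": 1, "default": "ignore"}, "pam_ldap.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]
# Deliberately broken variant: the requisite pam_deny line has been dropped.
BROKEN_AUTH = [e for e in COMMON_AUTH if e[1] != "pam_deny.so"]
# Keyword controls as bracket tables, simplified to the results modelled here.
KEYWORDS = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
# pam_deny and pam_permit always answer the same way.
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}


def run_stack(stack, results):
    """Walk `stack` as Linux-PAM does. `results` maps pam_unix/pam_ldap to the
    value they return for this attempt (success, auth_err, user_unknown).
    Returns (final status, ["module:result:action", ...])."""
    outcome = {**FIXED, **results}
    status, trace, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        table = KEYWORDS[control] if isinstance(control, str) else control
        result = outcome[module]
        action = table.get(result, table["default"])
        trace.append("%s:%s:%s" % (module, result, action))
        if action in ("bad", "die"):         # a failure is sticky; die also stops
            status = "failure"
            if action == "die":
                break
        elif action != "ignore":             # ok, done or a skip count
            if status != "failure":
                status = "success"
            if action == "done":
                break
            if isinstance(action, int):
                i += action                  # jump over the next N modules
        i += 1
    return (status or "failure"), trace      # nothing decided counts as denial
```

A local user's pam_unix success jumps straight to pam_permit, an LDAP user's pam_ldap success jumps over pam_deny, and a wrong password ends at the requisite pam_deny; in the broken variant the same wrong password falls through to pam_permit and is accepted.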