Table of Contents
Connecting UNIX/Linux Systems to the GWDG's User Account Management
To use our OpenLDAP service you have to install the so called PAM (pluggable authentication modules) modules and NSS (name service switch). NSS enables your operating system to use name resolution from different data sources. This is true for computer names, group names and user names. PAM and NSS are available for Linux and FreeBSD systems. In the following we describe the connection to our LDAP server. Because SuSE Linux and Ubuntu are widespread in Göttingen, we mainly refer to these Linux distributions. Mac OS X also works with OpenLDAP. Please contact firstname.lastname@example.org for further information.
Requiered Software Packages
On SuSE Linux systems you can use the rpm command to check if the three necessary software packages are installed:
> rpm -qa | grep ldap nss_ldap-262-18.104.22.168 openldap2-client-2.4.26-0.30.1 pam_ldap-184-147.20
On Ubuntu systems, the following software packages are necessary:
libnss-ldap libpam-ldap ldap-utils nslcd
On FreeBSD systems, you can use the pkg info command:
> pkg info | grep ldap nss_ldap-1.265_10 openldap-client-2.4.40_1 pam_ldap-1.8.6_2
In the examples above a “>” at the beginning on a line symbolizes a shell command prompt. The mentioned version numbers are not so important.
On OpenLDAP Linux clients, all the necessary configuration files are stored in the directory /etc/openldap respectively /usr/local/etc/openldap on FreeBSD clients. The central configuration file is ldap.conf which ponits to the GWDG's OpenLDAP server. Here is an example:
BASE xxxxxxx # beginning of a search path in the LDAP directory URI ldaps://ldap.gwdg.de binddn xxxxxxx # user with search privileges bindpw xxxxxxx # corresponding password TLS_CACERT /etc/openldap/ldap-ca.pem ssl on
Please contact email@example.com for BASE, binddn and bindpw entries.
To use ssl, you have to install a CA certificate from a trustcenter. You can find this file on our server login.gwdg.de. Simply copy the file /etc/openldap/ldap-ca.pem to the same directory where your ldap.conf file is located. This file is also available on our server gwdu60.gwdg.de. It is located in /var/openldap/cert/ldap-ca.pem.
Make sure that ldap.conf and ldap-ca.pem are both readable for every user.
PAM configuration is an important thing during the setup process of an OpenLDAP client. You have to configurate each service (e.g. ssh, sftp) that allows a user login seperately if necessary. On Linux and FreeBSD systems, you have to edit all configuration files in the directory /etc/pam.d/ for your relevant services. It is important to include the pam_ldap entries in the configuration files. Otherwise OpenLDAP authentifications would not work for these services.
On FreeBSD systems one of these configuration files are system (to make login and su work) and sshd (for ssh logins). Here is an example of the /etc/pam.d/sshd configuration file:
# # PAM configuration for the "sshd" service # # auth auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account account sufficient pam_login_access.so account sufficient pam_ldap.so account required pam_unix.so # session #session sufficient pam_ldap.so session required pam_permit.so # password password required pam_unix.so no_warn try_first_pass
E.g. for OpenLDAP console logins on Ubuntu systems, you have to enter the service specific entries in /etc/pam.d/common-password and /etc/pam.d/common-auth. Here is an example of a common-password configuration file:
# # /etc/pam.d/common-password - password-related modules common to all services # password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass password requisite pam_deny.so password required pam_permit.so password optional pam_gnome_keyring.so
and here an example of an common-auth configuration:
# # /etc/pam.d/common-auth - authentication settings common to all services # auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_ldap.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so
On FreeBSD and Linux systems, the pam_ldap module uses its own configuration file ldap.conf. You can link them to your OpenLDAP configuration file.
On Linux systems enter:
> ln -fsv /etc/openldap/ldap.conf /etc/ldap.conf
And on a FreeBSD machine:
> ln -fsv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf
You have to change two lines in the file /etc/nsswitch.conf to get access to the OpenLDAP data:
group: files ldap passwd: files ldap
On FreeBSD machines, you have to link the file /usr/local/etc/nss_ldap.conf to /usr/local/etc/openldap/ldap.conf.
You can check if your NSS configuration is working with the id command and your GWDG account (e.g. gast00).
> id gast00 uid=6722(gast00) gid=5070(GGST) groups=5070(GGST)
If it does not work, you get an error message like that:
id: gast00: no such user
In the GWDG LDAP directory /usr/users/USERNAME/ is defined as your user home directory. In certain circumstances, you have to link your home directory (e.g. /home/otto) to /usr/users/onormal for a successful login. Enter:
> mkdir /usr/users > ln -s /home/otto /usr/users/onormal
Afterwards the user otto can use /usr/users/onormal/ as his home directory.
If you have any problems or questions regarding OpenLDAP, please contact firstname.lastname@example.org.