Overview

This document describes how to configure a Linux system to authenticate users against NA LDAP (EC LDAP). Follow these instructions after you have deployed your operating system.

Prerequisites

Ubuntu/Debian:

# apt-get install libnss-ldap krb5-user libpam-krb5

CentOS/RedHat:

# yum install nss_ldap pam_krb5 krb5-workstation openldap

Procedures

Configure the system to obtain user information (passwd & group) from NA LDAP

LDAP configuration

In Ubuntu 9.04/Debian, put the following in both ‘/etc/ldap.conf’ and ‘/etc/libnss-ldap.conf’ (in CentOS/RedHat, ‘/etc/openldap/ldap.conf’ and ‘/etc/ldap/ldap.conf’). You have to edit both of them, otherwise it won’t work; you may prefer to link them so that they stay consistent if you change the settings later and forget to update the other file.

### BEGIN - EC LDAP SETTINGS ###
URI ldaps://ldap-vip.ec.auckland.ac.nz/
BASE dc=ec,dc=auckland,dc=ac,dc=nz
LDAP_VERSION 3
BINDDN cn=sfac-posix,ou=webapps,ou=ec,o=uoa
BINDPW XXXXXXXX         ###password available on secret server.
NSS_BASE_PASSWD		ou=ec_users,dc=ec,dc=auckland,dc=ac,dc=nz?one
NSS_BASE_GROUP		ou=ec_unixgrps,dc=ec,dc=auckland,dc=ac,dc=nz?one
SSL start_tls
SSL on
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT	/etc/ldap/ca-certificates.crt
TIMELIMIT 60

### END - EC LDAP SETTINGS ###

Make sure that you have a copy of “ca-certificates.crt”, otherwise you won’t be able to connect to the LDAP server. It doesn’t have to be placed in /etc/ldap; put it anywhere and update the configuration file accordingly. The certificate can be downloaded from http://www.sit.auckland.ac.nz/ca-certificates.crt
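Since both copies of the configuration must match and both carry the bind password, here is an added check (example code of my own, not from the page or the EC setup) that parses two copies of the nss_ldap configuration, reports settings that differ between them, flags a copy that holds BINDPW while being world-readable, and flags an ldaps:// URI with no TLS_CACERT. The file contents, paths and the placeholder password are constructed.

```python
import stat
import tempfile
from pathlib import Path

# Constructed sample based on the EC settings above; the bind password is a placeholder.
GOOD_CONF = """\
URI ldaps://ldap-vip.ec.auckland.ac.nz/
BASE dc=ec,dc=auckland,dc=ac,dc=nz
BINDDN cn=sfac-posix,ou=webapps,ou=ec,o=uoa
BINDPW PLACEHOLDER-PASSWORD
NSS_BASE_GROUP ou=ec_unixgrps,dc=ec,dc=auckland,dc=ac,dc=nz?one
TLS_CACERT /etc/ldap/ca-certificates.crt
"""
# Constructed drifted copy: the group base was changed in one file but not in the other.
DRIFTED_CONF = GOOD_CONF.replace("ou=ec_unixgrps", "ou=ec_groups")

def parse_ldap_conf(path):
    """Return {KEY: value} for 'KEY value' lines; blank lines and '#' comments are skipped."""
    settings = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit(first, second):
    """Return a list of findings; an empty list means the two copies are consistent and safe."""
    findings = []
    confs = {first: parse_ldap_conf(first), second: parse_ldap_conf(second)}
    for key in sorted(set(confs[first]) | set(confs[second])):
        if confs[first].get(key) != confs[second].get(key):
            findings.append(f"{key} differs between the two files")
    for path, conf in confs.items():
        # a file carrying the bind password must not be readable by every local user
        if "BINDPW" in conf and Path(path).stat().st_mode & stat.S_IROTH:
            findings.append(f"{path} holds BINDPW but is world-readable")
        # without the CA certificate the ldaps:// connection cannot be verified
        if conf.get("URI", "").startswith("ldaps://") and not conf.get("TLS_CACERT"):
            findings.append(f"{path} uses ldaps:// but sets no TLS_CACERT")
    return findings

def demo():
    # write the two constructed copies with different modes, then audit them
    with tempfile.TemporaryDirectory() as tmp:
        first, second = Path(tmp, "ldap.conf"), Path(tmp, "libnss-ldap.conf")
        for path, text, mode in ((first, GOOD_CONF, 0o600), (second, DRIFTED_CONF, 0o644)):
            path.write_text(text)
            path.chmod(mode)
        return audit(first, second)
```

Run `audit()` against the real paths on a host after editing; an empty list is the expected result when the two files are linked or identical and readable by root only.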

NSS configuration

Edit ‘/etc/nsswitch.conf’. Append the word ‘ldap’ at the end of the lines that begin with ‘passwd:’ and ‘group:’, so they look like the following:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         files ldap
group:          files ldap
shadow:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

How to verify whether this step was done successfully or not?

You should get some output similar to a typical ‘/etc/passwd’ row if you run:

$ getent passwd UPI

For example:

$ getent passwd sala028

Output is:

sala028:*:329451:62215:sala028:/afs/ec.auckland.ac.nz/users/s/a/sala028/unixhome:/bin/bash

Configure the system to authenticate users against EC Kerberos

The contents of /etc/krb5.conf (both in Debian or Redhat) should be:

### BEGIN - EC Kerberos SETTINGS ###

[libdefaults]
    default_realm = EC.AUCKLAND.AC.NZ

[realms]
EC.AUCKLAND.AC.NZ = {
         kdc = kerberos.ec.auckland.ac.nz
	admin_server = kerberos.ec.auckland.ac.nz
		 }


[logging]
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmin.log
	default = FILE:/var/log/krb5lib.log

[domain_realm]
ec.auckland.ac.nz = EC.AUCKLAND.AC.NZ
.ec.auckland.ac.nz = EC.AUCKLAND.AC.NZ

### END - EC Kerberos SETTINGS ###

How to verify whether this step was done successfully or not?

You will be asked to enter a password if you run:

$ kinit UPI (try kinit UPI@EC.AUCKLAND.AC.NZ if the former didn't work)

If you enter the correct password, then run:

$ klist

The output will be something similar to:

Ticket cache: FILE:/tmp/krb5cc_329451_jzETOa
Default principal: UPI@EC.AUCKLAND.AC.NZ

Valid starting     Expires            Service principal
10/02/08 15:40:00  10/03/08 01:40:00  krbtgt/EC.AUCKLAND.AC.NZ@EC.AUCKLAND.AC.NZ
Kerberos 4 ticket cache: /tmp/tkt329451
klist: You have no tickets cached

For example:

$ kinit sala028

The output will be:

Password for sala028@EC.AUCKLAND.AC.NZ:

Configure the system to allow users to log in using NA credentials

This varies slightly according to the PAM configuration layout; for example, in Ubuntu/Debian, having the following in ‘/etc/pam.d/common-auth’ will do the job:

### Common-auth settings ###
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).
#
auth    optional        pam_group.so
auth    optional        pam_env.so

#Check against local password file
auth    sufficient      pam_unix.so nullok_secure

#Check against kerberos
auth    sufficient      pam_krb5.so use_first_pass realm=EC.AUCKLAND.AC.NZ

#If failed the above check(s), deny this user
auth    required        pam_deny.so

### END common-auth settings ###

This is a typical standalone PAM configuration that can be used as ‘/etc/pam.d/ssh’ or ‘/etc/pam.d/gdm’:

### BEGIN - TYPICAL PAM SETTINGS ###

account    sufficient	pam_krb5.so use_first_pass realm=EC.AUCKLAND.AC.NZ
account    required	pam_unix.so
session    required	pam_limits.so
session    optional	pam_foreground.so
session    optional	pam_tmpdir.so
session    optional	pam_krb5.so use_first_pass realm=EC.AUCKLAND.AC.NZ
# pam_openafs_session is necessary if AFS will be used as home directory
session    optional	pam_openafs_session.so
session    required	pam_unix.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so
session    optional     pam_mail.so standard noenv
password   required     pam_unix.so nullok obscure min=4 max=8 md5


### END - TYPICAL PAM SETTINGS ###

The above configuration will allow any user with a valid NA credential to log in.

How to restrict user access in Unix/Linux?

NA is an LDAP server, so the instructions in this document apply to other LDAP servers as long as they provide the right LDAP schema (NIS).

EC auth without AFS home directory

If you want to use EC authentication but create local home directories (not mapping to the users’ AFS home directories), do the following in a terminal. Switch to root and edit /etc/nsswitch.conf. Removing ‘ldap’ from passwd means the account will be local; group will look locally as well as in LDAP for membership details.

passwd: files
group: files ldap

The ‘getent’ test will not work if using this setup.

You also need to edit /etc/pam.d/ssh and/or /etc/pam.d/gdm and comment out the line:

# session optional pam_openafs_session.so

Adding new user

To create a new user account, do the following as root, for example:

sudo bash
useradd kpra010
su kpra010    ## this will create the user's home directory in /home
exit          ## this will return you to root.

To add that user to the sudoers list, enter the user’s UPI under “# User privilege specification”:

sudo visudo

# User privilege specification
root  ALL=(ALL) ALL
kpra010  ALL=(ALL) ALL

Delete user

If you want to delete the user, do the following as root. Note: this will delete the user’s home directory.

sudo bash
userdel kpra010
rm -rf /home/kpra010

If the user was added as a sudoer, remove the user’s UPI with visudo.

Caching

Caching allows a user to log in when the network is down. It is also useful for mobile/laptop users. For caching to work, an account will need to be created as described under Adding new user, and the user will need to log in while the computer is connected to the university network. General information on caching is available in the PamCcredsHowto if you want to read up on it.

Install all necessary packages:

sudo bash
apt-get install nss-updatedb libnss-db libpam-ccreds

Cache the name service directory locally. When an LDAP connection is available, this creates the two .db files:

sudo nss_updatedb ldap
passwd... done.
group... done.
ls -l /var/lib/misc/*.db
-rw-r--r-- 1 root root 8192 2008-08-26 18:20 /var/lib/misc/group.db
-rw-r--r-- 1 root root 8192 2008-08-26 18:20 /var/lib/misc/passwd.db

Create a cron job to update the local NSS database. You may only need to run the anacron command once.

echo '#!/bin/sh' | sudo tee /etc/cron.daily/upd-local-nss-db
echo `which nss_updatedb` ldap | sudo tee -a /etc/cron.daily/upd-local-nss-db
sudo chmod +x /etc/cron.daily/upd-local-nss-db
anacron /etc/cron.daily/upd-local-nss-db

Edit the two lines in nsswitch.conf to read the cached name service directories. Keep the notes below them in the file for future reference.

passwd: files [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
# look first in the local files (/etc/passwd and /etc/group).
# when files/local does not have the user info, exit and return nothing (this is the [NOTFOUND=return] directive)
# if there was no local account, proceed using the cached data
# group will search ldap before proceeding with locally cached data.

Edit /etc/pam.d/common-auth to cache authentication credentials locally in /var/cache/.security.db.

### Common-auth settings ###
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).
#
auth    optional        pam_group.so
auth    optional        pam_env.so
# Check against local password file
auth    [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
# If LDAP is unavailable, go to next line.  If authentication via LDAP is successful, skip 1 line.
# If LDAP is available, but authentication is NOT successful, skip 2 lines.
auth    [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth    [default=done]  pam_ccreds.so action=validate use_first_pass
auth    [default=done]  pam_ccreds.so action=store
auth    [default=bad]   pam_ccreds.so action=update

# Check against kerberos
auth    sufficient      pam_krb5.so use_first_pass realm=EC.AUCKLAND.AC.NZ

# If failed the above check(s), deny this user
auth    required        pam_deny.so

### END common-auth settings ###

You can test this by first logging into the user’s account, then logging out and disconnecting the network cable. Once there is no network connection, try logging into the user’s account again.
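To see how the bracketed control values in the comments above actually route a login, here is an added simulator (my own example, not part of the original page or the Ubuntu howto) that walks this exact auth stack under the action rules documented in pam.conf(5); the module outcomes in each scenario are constructed. It also shows that once pam_ldap has rejected a password, the later pam_krb5 line can no longer grant access, because a following success does not override a failure already recorded on the stack.

```python
# The auth stack from the caching common-auth above, as (control, module) pairs.
STACK = [
    ("optional", "pam_group.so"),
    ("optional", "pam_env.so"),
    ("[success=done default=ignore]", "pam_unix.so"),
    ("[authinfo_unavail=ignore success=1 default=2]", "pam_ldap.so"),
    ("[default=done]", "pam_ccreds.so action=validate"),
    ("[default=done]", "pam_ccreds.so action=store"),
    ("[default=bad]", "pam_ccreds.so action=update"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_deny.so"),
]

# Keyword controls and their bracketed equivalents, as documented in pam.conf(5).
KEYWORDS = {
    "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional": "[success=ok new_authtok_reqd=ok default=ignore]",
}

def action_for(control, retval):
    """Return the action the control field assigns to a module's return value."""
    table = dict(item.split("=") for item in KEYWORDS.get(control, control).strip("[]").split())
    return table.get(retval, table["default"])

def run_stack(results):
    """Walk the stack and return its overall status. `results` maps a module to the value it
    returns ('success', 'auth_err' or 'authinfo_unavail'); unlisted modules succeed, except
    pam_deny.so. Rules follow pam.conf(5): ok, done and a jump N set the status only if no
    earlier module failed; bad and die record the first failure; done and die stop the walk."""
    status, failed, i = None, False, 0
    while i < len(STACK):
        control, module = STACK[i]
        retval = results.get(module, "auth_err" if module == "pam_deny.so" else "success")
        action = action_for(control, retval)
        i += 1
        if action in ("bad", "die") and not failed:
            failed, status = True, retval if retval != "success" else "perm_denied"  # 'bad' on a success: generic denial
        elif action not in ("bad", "die", "ignore") and not failed:
            status, failed = retval, retval != "success"
        if action in ("done", "die"):
            break
        if action.isdigit():  # jump over the next N modules
            i += int(action)
    return status or "perm_denied"

if __name__ == "__main__":  # constructed scenarios, not real module output
    print(run_stack({"pam_unix.so": "auth_err", "pam_ldap.so": "authinfo_unavail"}))  # success: cached creds
    print(run_stack({"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err"}))  # auth_err: krb5 cannot rescue
```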

Helpful hints

  • edit/ remove the Ubuntu-welcome screen
  • setup Ubuntu default user environment (to do)
  • if a new user account cannot use auto-complete in the terminal, go to System > Administration > Users & Groups, click Unlock, select the user account and click Properties. Under ‘Advanced’, change the shell to ‘/bin/bash’. To make this the default for all new accounts, edit /etc/default/useradd and change the shell line to ‘SHELL=/bin/bash’.