Got a question? Ask us:

Overview

This page provides set-up information that should apply to the pam_ldap software from PADL Software that is usually included with their nss_ldap software. This is usually included with the nss_ldap package for Red Hat/Fedora and deriviates.

The set-up described here provides for:

• authenticating users with their UH username and password
• controlling access locally on the machine

The advantages of this are:

• no administration of user passwords
• no GUI required to be able to set up configuration
• explicit access control

Set-up

As the root user:

• DO NOT USE the Users and Groups GUI and the Authentication GUI from System -> Administration. CAUTION: You run the risk of not being able to log into you machine or someone else breaking in if you deviate from these instructions or use the system administration GUIs to do these set-up activities.
• Rename /etc/ldap.conf to /etc/ldap.conf-orig.
• Copy the sample ldap.conf file to /etc/ldap.conf.
• Secure the /etc/ldap.conf to protect the password of the special DN if you have been issued one for your specific purpose. Be sure to keep the password protected at all times. It is not to be shared with others.
  

  # chown root:root /etc/ldap.conf
  # chmod 600 /etc/ldap.conf
          

• Copy the sample system-auth file to /etc/pamd.d/system-auth-ac. Retain a copy so that you can restore it if someone uses the Authentication System Administration GUI to enable LDAP or other things.

  NOTE: This assumes that system-auth is a symbolic link to system-auth-ac as it is for CentOS 5, Fedora Core 5 & 6, and Fedora 7. This isn't the case with CentOS 4 and Fedora 4, so you'll work directly with system-auth.

• Add users from the command line using something like this:

  # adduser -g users -c 'Test User' -m testuser
          

  This will create the user and her home directory. It will set a non-guessable password for the user. This is OK because LDAP will be used to authenticate the user.

  This can be scripted with a file containing the username and full name. See the sample user-admin.sh.

  NOTE: Users will need to change or reset their passwords with assistance from the Help Desk or by going to the Managing Your UH Username page at:

             https://sunsys.its.hawaii.edu/acctmgmt/ 
          

• To remove a user from the command line use something like this:

  # userdel -r testuser
          

  This can be scripted with a file containing the username and full name. See the sample user-admin.sh.

Problems

To debug problems with the set-up, you'll need access to some log files.

Check /var/log/messages and /var/log/secure for pam and authentication related entries.

To increase the logging level in /var/log/messages, you can edit the /etc/syslog.conf file. Change info to debug:

# Don't log private authentication messages!
##*.info;mail.none;authpriv.none;cron.none              /var/log/messages
*.debug;mail.none;authpriv.none;cron.none               /var/log/messages

      

If you see error messages in /var/log/messages or /var/log/secure about "ldap_simple_bind Can't contact LDAP server", it may be due to not having the location of the CA certs file correct for the tls_cacertfile entry in /etc/ldap.conf. Check to see if you have the OpenSSL package installed and where the ca-bundle.crt is located.

You can also check that you can reach the LDAP server using the ping or traceroute command. Alternatively, you can use ldapsearch like so:

$ ldapsearch -b dc=hawaii,dc=edu -H ldaps://ldap1.its.hawaii.edu -x uid=david
      

Sample files

• /etc/ldap.conf

  # 08/15/07, russ@hawaii.edu; Configuration for CentOS 5 to use LDAP for
  #                            user authentication.
  #
  base ou=people,dc=hawaii,dc=edu
  uri ldaps://ldap1.its.hawaii.edu
  #   Blank means anonymous LDAP binds are used to look up the UH
  #   username before authenticating the user.
  binddn 
  bindpw 
  scope sub
  pam_login_attribute uid
  #  Require an affiliation at a campus/org
  pam_filter uhOrgAffiliation=*
  pam_lookup_policy no
  pam_min_uid 100
  pam_max_uid 59999
  tls_checkpeer yes
  #   This file is usually part of the OpenSSL package.
  tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
  tls_ciphers TLSv1
          

• /etc/pam.d/system-auth

  #%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth        required      pam_env.so
  auth        sufficient    pam_ldap.so debug
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        required      pam_deny.so
  
  account     required      pam_unix.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     required      pam_permit.so
  
  password    requisite     pam_cracklib.so try_first_pass retry=3
  password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
  password    required      pam_deny.so
  
  session     optional      pam_keyinit.so revoke
  session     required      pam_limits.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     required      pam_unix.so
  session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022
          

• user-admin.sh - Add or delete users listed in a file.

  #!/bin/sh
  # user-admin.sh - Add or delete users listed in a file.
  #               - 08/16/07, russ@hawaii.edu
  #
  #
  #---------------------------------------------------------------------
  # Run as root or with root privileges.
  #
  # A file of users should contain a username, colon (:), and the user's
  # fulll name like so:
  #
  # test1:Test User 1
  # test2:Test User 2
  # test3:Test User 3
  #
  #---------------------------------------------------------------------
  #
  
  
  if [ $# -ne 2 ]; then
      echo "usage: $0 add file_of_users"
      echo "       $0 del file_of_users"
      exit 1
  fi
  
  CMD=$1
  LIST=$2
  
  if [ "$CMD" != "add" -a "$CMD" != "del" ]; then
      echo "Must be add or del; not $CMD"
      exit 1
  fi
  
  if [ ! -f $LIST ]; then
      echo "Can't find $LIST"
      exit 1
  fi
  
  MYPID=$$
  CMD_FILE=/tmp/cmds-${MYPID}.sh
  LOG=/tmp/user-admin-${MYPID}.log
  
  if [ "$CMD" == "add" ]; then
      awk -F: '{print "adduser -g users -c \"" $2 "\" -m " $1}' $LIST > $CMD_FILE
  elif [ "$CMD" == "del" ]; then
      awk -F: '{print "userdel -r " $1}' $LIST > $CMD_FILE
  fi
  
  # Execute the commands
  /bin/sh $CMD_FILE > $LOG 2>&1
  
  # Clean up
  /bin/rm $CMD_FILE
  
  echo
  echo "Done.  A log of what was done is in $LOG"
  echo
  
  # eof: user-admin.sh
          

Use of this site implies consent with our Usage Policy

The University of Hawai‘i is an Equal Opportunity Employer

copyright ©2006 University of Hawai‘i

This page last modified on Thursday, 16-Aug-2007 13:29:31 HST