Configuring LDAP Authentication for Debian

This is a big topic that has no definitive documentation for Debian. Someone please fill this in with optimal setup instructions for a Debian system. I have a project for setting this up on my system where I will chronologically document my efforts, but this is a better place to put general documentation. Feel free to email me if you want me to put more effort into this wiki. Remember it's a wiki so you can just add your own suggestions, solutions, or queries... the more the better. Here is a start:

Links

* minkirri ldap-auth project
* Mandrake LDAP documentation -- very good!
* Debian LDAP stuff
* Misc LDAP docs
* LDAPv3-Howto -- covers LDAP, Kerberos, TLS/SSL, everything with Debian-related pointers
* http://ldap.akbkhome.com/ -- explanations of many possible LDAP entries
* Exploring LDAP (Part 2, Part 3) -- excellent articles from one of the leading Linux/Unix authors
* http://padl.com -- company creating (GPL'd!) pam-ldap/nss-ldap software
* http://linuxselfhelp.com/HOWTO/LDAP-HOWTO.html -- general LDAP HOWTO
* http://howto.linuxpowered.net/ldap/ldap.html -- one more HOWTO
* http://www.linuxjournal.com/article.php?sid=5689 -- related article
* http://www.wlug.org.nz/LDAPAuthentication -- another good wiki page

Overview

There are documents everywhere that talk about this, but most of them suck. They typically have outdated or misleading info, with even the best documentation having flaws.

The final objective of this document is to have the LDAP server contain all non-system users (UID >= 1000) and non-system groups (GID >= 100), and all other hosts/networks/services/etc. data. The services/etc. data might not be used, but is included for completeness of the LDAP contents. The only special user in LDAP will be the LDAP admin user, with no additional "proxy" users. Clients will use NSS with the normal Unix PAM module for authentication. Only root will have access to shadow passwords via NSS.
The LDAP PAM module will only be used for passwd, chfn, and chsh updating of LDAP contents. All POSIX passwords shall use MD5 hashing. Samba passwords can also be stored in LDAP, with a samba-ldap module being used to synchronise password updates via the "passwd" command. The Unix passwords in LDAP should be updated by Samba when passwords are changed via Samba.

I'm not sure what the best tools are for user management, but it would be nice to have replacements for the standard "adduser", "usermod", etc. tools. It would also be nice to have a webmin management interface.

I'll include setting up autofs to automount home directories off the server, and configuring Samba to also share the same home directories.

Tools

getent will return the current NSS view of passwd, shadow, group or whatever. This is handy to check that NSS is using LDAP correctly. In particular, if getent shadow as root returns a shadow file with passwords, then the PAM unix module can do authentication without using libpam-ldap. If getent shadow as non-root returns passwords, you have a security hole:

    $ getent

ldapsearch will return the LDAP info directly from LDAP. This requires that /etc/ldap/ldap.conf have your defaults set to point at your LDAP server using the right base:

    $ ldapsearch -x uid=

Server Setup

OpenLdap Setup

1. Do apt-get install slapd, answering prompts as required and generally picking defaults except where they are obviously examples.
2. To make using LDAP utilities like ldapsearch a little less painful, edit /etc/ldap/ldap.conf (installed by libldap2 on woody) to set:

    BASE dc=,dc=,dc=
    URI ldap://localhost

3. To improve LDAP performance, edit /etc/ldap/slapd.conf to set more indexes than the woody default of just objectClass (taken from the Mandrake documentation):

    index objectClass,uid,uidNumber,gidNumber eq
    index cn,mail,surname,givenname eq,subinitial

4. Make sure the indexes are updated by doing:

    $ /etc/init.d/slapd stop
    $ slapindex
    $ /etc/init.d/slapd start

MigrationTools Importing Data

1. Do apt-get install migrationtools (for woody, though I wouldn't be surprised if this package gets renamed).

2. Edit /etc/migrationtools/migrate_common.ph, changing the following lines. Note that EXTENDED_SCHEMA is set to 1 in many other documents. I found that this caused problems for me, as I don't know if Debian includes all the additional schema definitions in /etc/ldap/schema/:

    # Default DNS domain
    $DEFAULT_MAIL_DOMAIN = "yourhost.your.domain";
    # Default base
    $DEFAULT_BASE = "dc=yourhost,dc=your,dc=domain";
    # turn this on to support more general object classes
    # such as person.
    $EXTENDED_SCHEMA = 0;
    # Uncomment these to avoid Debian managed system users and groups
    $IGNORE_UID_BELOW = 1000;
    $IGNORE_GID_BELOW = 100;

3. Import all the data into LDAP by doing the following as root and answering questions as required. Note that if you don't do this as root, the shadow passwords will not be imported, and you will have all sorts of strange problems:

    # cd /usr/share/migrationtools
    # LDAPADD="/usr/bin/ldapadd -c" ./migrate_all_online.sh

4. Check that the data is in there using ldapsearch as above under Tools.

5. Make sure the password encoding as stored in LDAP is something glibc can understand. I'm using {MD5}, but you can use {CRYPT}. Anything else will not work.

Client Setup

NssLdap Setup

1. Do apt-get install nscd to install the libc caching daemon. This makes a performance difference, but it will work without it.
2. Do apt-get install libnss-ldap ldap-utils to install the NSS LDAP package and the ldapsearch utility.

3. Edit /etc/ldap/ldap.conf, to make life easier when using LDAP utilities, to include:

    BASE dc=,dc=,dc=
    URI ldap://yourhost.your.domain

4. Edit /etc/hosts so that it includes both the client and the LDAP server. Without this, nasty things happen on bootup as things attempt to use LDAP, which recurses on itself looking up the hostname. Some documents claim to solve this by putting dns before ldap in /etc/nsswitch.conf, but my experience suggests otherwise (segfaults requiring rebooting in single mode to fix things)... I think the reason is that NSS is needed to do host lookups before DNS is available (I use DHCP on my clients). You don't need to do this if you don't use LDAP for hosts, because this early host lookup just fails instead of causing nss/ldap to recurse on itself.

5. Edit /etc/libnss-ldap.conf to include the following, and put the LDAP admin password in /etc/ldap.secret with mode 600. Note that the default Debian debconf setup does not set rootbinddn for libnss-ldap.conf (but libpam-ldap does in /etc/pam_ldap.conf, and will create /etc/ldap.secret for you). Without this, NSS does not have read access to passwords as root, and hence cannot authenticate users. This is not necessarily a problem, as authentication could be performed in PAM by LDAP, but I have chosen to use NSS for authentication instead. This seems to more closely follow the non-LDAP approach of giving root access to passwords in /etc/shadow:

    # Your LDAP server. Must be resolvable without using LDAP.
    host yourhost.your.domain
    # The distinguished name of the search base.
    base dc=yourhost,dc=your,dc=domain
    # The LDAP version to use (defaults to 3 if supported by client library)
    ldap_version 3
    # The distinguished name to bind to the server with if the effective user ID is root.
    # Password is stored in /etc/ldap.secret (mode 600)
    rootbinddn cn=admin,dc=yourhost,dc=your,dc=domain

Note that yourhost.your.domain had better be in /etc/hosts; otherwise use the LDAP server's IP address. Only the rootbinddn setting is not automatically configured in Debian.

6. Edit /etc/nsswitch.conf to use ldap as follows. Note that I don't use the example nsswitch.conf provided with the woody libnss-ldap package because it seems to be overkill. I don't bother using ldap for protocols, services, ethers, or rpc even though I imported them into LDAP:

    passwd:     files ldap
    group:      files ldap
    shadow:     files ldap
    hosts:      files dns ldap
    networks:   files ldap
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis

7. I needed a reboot at this point to make sure the nss-ldap setup was fully working. Editing /etc/nsswitch.conf seems to have immediate effect though, so it might not be needed. If everything goes arse-up after reboot you will need to boot in single mode (put single on the kernel command line) to undo the changes to /etc/nsswitch.conf.

8. Check that NSS is seeing things from LDAP using getent as described in Tools above. Note that nscd can mask problems with your NSS setup. This is because it runs as root, and hence allows programs to use nsswitch as root. This allows things like ls to see LDAP user and group names, even though getent passwd can't see them. I am uncertain how many things might break with this setup, but things will certainly break when nscd is stopped.

PamLdap Setup

libpam-ldap is not needed for authentication, as this can be done with pam_unix, which uses nsswitch. However, it is needed for updating LDAP with passwd. Also, it can be used to create home directories on the fly (on first login). Provided getent behaves as described under Tools above, only /etc/pam.d/passwd needs to be tweaked.
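The two things this page says to verify by hand, that every userPassword imported in MigrationTools step 5 uses a scheme glibc can check ({CRYPT} or {MD5}) and that getent shadow as a non-root user hands out no hashes (the security hole under Tools, and step 8 above), can be scripted. The following is an added example written for this wiki page; it is not part of the page's original content, MigrationTools, or libnss-ldap. The LDIF export and the getent output it checks are constructed samples with made-up DNs and hash values; only live_shadow_check runs the real getent on the machine it is copied to.

```python
"""Post-setup checks for an LDAP-backed NSS/PAM configuration (added example).

  1. Audit a MigrationTools LDIF export: every userPassword must use {CRYPT}
     or {MD5}, the two schemes the page says glibc can verify.
  2. Parse `getent shadow` output as seen by a non-root user and report any
     account whose hash field is actually readable.

All sample data in this file is constructed for the example.
"""
import base64
import hashlib
import subprocess

ALLOWED_SCHEMES = {"CRYPT", "MD5"}  # per the page: anything else will not work


def parse_ldif_passwords(ldif_text):
    """Yield (dn, userPassword) pairs from an LDIF export.

    Handles both 'userPassword: value' and the base64 form 'userPassword:: value'
    that ldapsearch emits for values it considers non-printable.
    """
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            yield dn, base64.b64decode(line[15:]).decode()
        elif line.startswith("userPassword: "):
            yield dn, line[14:]


def password_scheme(value):
    """Return the RFC 2307 scheme tag of a userPassword ('MD5', 'CRYPT', ...) or None."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return None


def audit_ldif_schemes(ldif_text):
    """Return [(dn, scheme)] for every entry whose scheme glibc cannot verify."""
    return [(dn, password_scheme(pw))
            for dn, pw in parse_ldif_passwords(ldif_text)
            if password_scheme(pw) not in ALLOWED_SCHEMES]


def md5_userpassword(plaintext):
    """Build a {MD5} userPassword value: '{MD5}' + base64 of the raw MD5 digest."""
    digest = hashlib.md5(plaintext.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def check_md5_password(stored, candidate):
    """True if candidate matches a stored {MD5} value (to confirm a migrated entry)."""
    return password_scheme(stored) == "MD5" and stored == md5_userpassword(candidate)


def exposed_shadow_entries(getent_output):
    """Return usernames whose hash field is readable in `getent shadow` output.

    An empty, '*', '!' or 'x' field hides nothing; anything else means the caller
    could read a real password hash, which should only ever happen as root.
    """
    exposed = []
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "*", "!", "x"):
            exposed.append(fields[0])
    return exposed


def live_shadow_check():
    """Run getent shadow as the current user and report exposed accounts."""
    out = subprocess.run(["getent", "shadow"], capture_output=True, text=True).stdout
    return exposed_shadow_entries(out)


# Constructed sample LDIF: alice is {MD5}, bob is {CRYPT}, carol is {SSHA}.
_ALICE_B64 = base64.b64encode(md5_userpassword("s3cret").encode()).decode()
SAMPLE_LDIF = f"""dn: uid=alice,ou=People,dc=yourhost,dc=your,dc=domain
uid: alice
userPassword:: {_ALICE_B64}

dn: uid=bob,ou=People,dc=yourhost,dc=your,dc=domain
uid: bob
userPassword: {{CRYPT}}$1$saltsalt$examplehashvalue000000

dn: uid=carol,ou=People,dc=yourhost,dc=your,dc=domain
uid: carol
userPassword: {{SSHA}}notverifiablebyglibc==
"""

# Constructed sample of what `getent shadow` might print to a non-root user.
SAMPLE_SHADOW = """root:*:12345:0:99999:7:::
alice:$1$saltsalt$examplehashvalue000000:12345:0:99999:7:::
bob:!:12345:0:99999:7:::
"""

if __name__ == "__main__":
    for dn, scheme in audit_ldif_schemes(SAMPLE_LDIF):
        print(f"unverifiable scheme {scheme!r} in {dn}")
    for user in exposed_shadow_entries(SAMPLE_SHADOW):
        print(f"hash for {user} is readable by non-root: security hole")
```

Run it as an ordinary user, not root, for the live check, since root is supposed to see the hashes. Feed audit_ldif_schemes the output of ldapsearch -x run as the admin bind DN (a non-privileged search will not return userPassword at all, which is the point of the ACL).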
1. Do apt-get install libpam-ldap

2. Change /etc/pam.d/passwd to include the following:

    password required pam_ldap.so ignore_unknown_user md5
    password optional pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

Note the md5 setting. This will ensure passwords are hashed with MD5 when they are changed. Unfortunately chsh and chfn don't seem to work for updating LDAP, regardless of what you put in their /etc/pam.d/ entries.

PamSambaLdap Setup

I'm sure I found a PAM module that would update Samba passwords in LDAP for you. I believe the sambapass utility will do this too if Samba has been configured to use LDAP. More on this when I get it sorted... This method is superior to the "update encrypted = yes" method from Samba's smb.conf, as it allows the Samba server to keep using encrypted passwords during the transition time. In the meantime, here are some links:

* http://us4.samba.org/samba/ftp/docs/htmldocs/Samba-LDAP-HOWTO.html
* http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html
* http://us4.samba.org/samba/ftp/docs/htmldocs/Samba-PDC-HOWTO.html
* http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html
* http://packages.qa.debian.org/common/index.html

AutoFs Setup

NFServer Setup

AutoFs Client Setup

SamBa Setup

SamBa Server Setup

SamBa Client Setup