User login using LDAP and pam_ldapd

LDAP comes in handy for managing users and groups across many systems. However, you'll probably want only a subset of your users to be able to log in on the console or over ssh. In this post I'll describe my setup using pam_ldapd.

I’m mainly using LDAP for user management as I don’t want to have to change passwords and accounts on each system again and again. For my little set of servers it almost looks like overkill, but I like the central management of everything user related a lot. I even manage email accounts in LDAP. Setting up user login with LDAP works in two ways, using libpam-ldap (the old way) or using libpam-ldapd (the new way).

Install packages

Installing libpam-ldapd pulls in all the dependencies needed (ldap-utils, libnss-ldapd, nscd, nslcd, nslcd-utils):

sudo apt-get install libpam-ldapd

The configuration assistant run by dpkg will ask you for the URL(s) of your LDAP server(s), the base DN and the services to be configured from LDAP. I only want to manage users and groups from LDAP, so I chose group, passwd and shadow. This can be extended later.

Setup user login with pam_ldapd

The settings written by the assistant need to be checked and edited now. First check that /etc/nsswitch.conf looks like this:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

If you've decided to use more services over LDAP than I do, it will of course look different.

Then have a look at /etc/nslcd.conf. nslcd is the daemon that connects to the directory service (LDAP); libpam-ldapd then works with the data obtained from it. All connection-related settings are found in nslcd.conf.

Issue

getent passwd
getent group

to check whether users and groups are correctly taken from LDAP.
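Checking the getent output by eye works for a handful of accounts, but it is easy to miss a local account that an LDAP entry silently shadows. The following POSIX shell script is an added example (not part of the original post): it checks that a database in nsswitch.conf lists the ldap source, lists the accounts the name service returns that are absent from the local passwd file (i.e. the ones nslcd supplied), and reports any numeric UID claimed by more than one account. The function names, the "check" argument and the sample data in the comments are my own; all paths are parameters, so the functions can be run against dumps such as the output of "getent passwd" redirected to a file as well as against the live files.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the NSS part of the
# pam_ldapd setup. All paths are parameters so the checks can be run against
# the live files or against dumps (e.g. "getent passwd > /tmp/all.passwd").

# nsswitch_has_ldap NSSWITCH_FILE DATABASE
# Succeeds if the (uncommented) line for DATABASE lists "ldap" as a source,
# e.g. "passwd: compat ldap".
nsswitch_has_ldap() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2:" | grep -qw ldap
}

# ldap_only_users ALL_PASSWD LOCAL_PASSWD
# Prints the names of accounts present in ALL_PASSWD (output of "getent passwd")
# but absent from LOCAL_PASSWD (/etc/passwd): these are the accounts nslcd
# resolved from the directory.
ldap_only_users() {
    awk -F: 'FILENAME == ARGV[1] { local_user[$1] = 1; next }
             !($1 in local_user) { print $1 }' "$2" "$1"
}

# uid_collisions ALL_PASSWD
# Prints "UID:name1,name2" for every numeric UID that more than one account
# claims. A directory account that reuses a local UID (0 in the worst case)
# gets that local account's file permissions, so this list should be empty.
uid_collisions() {
    awk -F: '{ count[$3]++
               names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1"
}

# check_nss: run the three checks on the live system; non-zero on a problem.
check_nss() {
    all=$(mktemp) || return 2
    getent passwd > "$all" || { rm -f "$all"; return 2; }
    status=0
    for db in passwd group shadow; do
        nsswitch_has_ldap /etc/nsswitch.conf "$db" \
            || { echo "nsswitch.conf: $db does not use ldap"; status=1; }
    done
    echo "accounts supplied by the directory:"
    ldap_only_users "$all" /etc/passwd
    collisions=$(uid_collisions "$all")
    if [ -n "$collisions" ]; then
        echo "UID collisions:"; echo "$collisions"; status=1
    fi
    rm -f "$all"
    return $status
}

# Run the live check only when invoked as "sh nsscheck.sh check", so the
# functions can also be sourced into another script.
if [ "${1:-}" = check ]; then check_nss; fi
```

Run it with "check" as the only argument on a system where nslcd is running. A non-empty collision list is worth fixing before enabling logins: uid collisions between local and directory accounts are exactly what the compat/ldap ordering in nsswitch.conf does not protect you from. While you are in /etc/nslcd.conf, also make sure the server URI uses ldaps:// or TLS and that the file stays readable by root (and the nslcd user) only, since it holds the bind credentials.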

Restrict access to certain users

My LDAP directory currently holds quite a lot of people: family members who have a mail account on my server, colleagues and friends who have access to my file-sharing platform, and so on. Only very few of them, mainly me, should be able to log in on the systems. I put all of these people in the login group. Of course it would also be possible to limit access on a per-system basis (see e.g. https://help.ubuntu.com/community/LDAPClientAuthentication).

Add the following to the end of /etc/security/access.conf:

# disallow all except people in the login group and root
-:ALL EXCEPT root (login):ALL EXCEPT LOCAL

Uncomment

account  required       pam_access.so

in /etc/pam.d/login (and likewise in /etc/pam.d/sshd if you log in over ssh) for the changes to take effect.

In the same file you could also restrict root access to certain IP addresses, subnets, … I'm not doing this right now, as my network is quite small. Check the settings above by trying to log in as a user who is not in the group 'login'. Note that such users are still shown a login prompt, but the login does not succeed.
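The restriction only works when both halves are in place: pam_access.so must be uncommented in the PAM service file, and access.conf must contain a deny rule. With the module active but no rules, pam_access permits everyone; with rules but the module still commented out, the rules are never consulted. The script below is an added example (not from the original post) that checks both halves on copies of the files or on the live system. The function names and the "audit" argument are my own, and the live check assumes that console logins go through /etc/pam.d/login and ssh logins through /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the pam_access
# restriction is actually in force. Paths are parameters so the checks can
# run against copies of the files as well as the live ones.

# pam_module_active PAM_SERVICE_FILE MODULE
# Succeeds if the file has a line referencing MODULE that is not commented out.
pam_module_active() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "$2"
}

# access_rules ACCESS_CONF
# Prints the active rules (comment and blank lines removed) in file order;
# pam_access applies the first rule that matches, so the order matters.
access_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# access_restricted PAM_SERVICE_FILE ACCESS_CONF
# Succeeds only when pam_access is active for the service and access.conf
# contains at least one deny rule ("-" in the permission field).
access_restricted() {
    pam_module_active "$1" pam_access.so || return 1
    access_rules "$2" | grep -q '^[[:space:]]*-[[:space:]]*:'
}

# audit_pam_access: check the two login services on the live system
# (assumption: console logins use /etc/pam.d/login, ssh uses /etc/pam.d/sshd).
audit_pam_access() {
    status=0
    for svc in login sshd; do
        if access_restricted /etc/pam.d/$svc /etc/security/access.conf; then
            echo "$svc: pam_access active with deny rule(s)"
        else
            echo "$svc: login NOT restricted by pam_access"; status=1
        fi
    done
    return $status
}

# Run the live audit only when invoked as "sh accesscheck.sh audit".
if [ "${1:-}" = audit ]; then audit_pam_access; fi
```

Run it with "audit" after editing the files; it exits non-zero for every service that is still unrestricted. The rule order matters because pam_access stops at the first matching line, so the deny rule from the post should not be preceded by a permit-all rule for the same origins.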

User group mapping

To allow mixed use of local and remote users on a system (like the user 'pi' on Raspberry Pis) there is no group 'users' in my LDAP. However, users should of course belong to that group. To achieve this, add the following to your /etc/security/group.conf:

# Any member of the group login is granted access to the (local) group 'users'
*;*;%login;Al0000-2400;users

Create a file /usr/share/pam-configs/my_group:

Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass

and activate it by running

sudo pam-auth-update

Restart nscd and nslcd:

/etc/init.d/nscd restart
/etc/init.d/nslcd restart

and check with a user whether the mapping is working:

id dummy

You should see something similar to

uid=1002(dummy) gid=100(users) groups=100(users)

Watch out especially for groups and gid.
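To make the check repeatable for more than one user, here is an added example (not from the original post) that parses the output of id: the primary group has to be users, and the account has to be a member of login, otherwise the pam_access rule above locks it out. The functions take the id output as a string, so they can be tested without a directory server; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: parse "id" output and verify
# the group mapping from group.conf together with login-group membership.

# primary_group ID_OUTPUT
# Prints the name in the gid=NNN(name) field; prints nothing if the gid was
# not resolved to a name, which is what you see when the group lookup via
# NSS fails.
primary_group() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# in_group ID_OUTPUT GROUP
# Succeeds if GROUP appears in the groups= list.
in_group() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | grep -q "($2)"
}

# check_mapping_output ID_OUTPUT
# Succeeds when the primary group is "users" and "login" is among the groups.
check_mapping_output() {
    [ "$(primary_group "$1")" = users ] \
        || { echo "primary group is not users"; return 1; }
    in_group "$1" login \
        || { echo "not a member of login"; return 1; }
}

# check_mapping USER: run id on the live system and check its output.
check_mapping() {
    out=$(id "$1" 2>/dev/null) || { echo "unknown user $1"; return 2; }
    check_mapping_output "$out"
}

# Usage: sh mapcheck.sh USER
if [ $# -eq 1 ]; then check_mapping "$1"; fi
```

An empty primary_group result means the numeric gid could not be resolved to a name, i.e. the group database is not being served correctly; a missing login membership means the user will pass the group.conf mapping but still be rejected by access.conf.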

Automatically create home directory

The home directory on this server is only needed to keep bash's config and history files and maybe some notes. So it does not need to be mapped to a home directory kept on a server via NFS or Samba; it just needs to be created on first login. Create a file /usr/share/pam-configs/my_mkhomedir containing

Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

Activate pam_mkhomedir.so by issuing

sudo pam-auth-update

Check that it's working by logging in as a user without an existing home directory.
