LDAP comes in handy to manage users and groups across many systems. However, you will probably want only a subset of your users to be able to log in on the console or over ssh. In this post I'll describe my setup using pam_ldapd.
I’m mainly using LDAP for user management as I don’t want to have to change passwords and accounts on each system again and again. For my little set of servers it almost looks like overkill, but I like the central management of everything user related a lot. I even manage email accounts in LDAP. Setting up user login with LDAP works in two ways, using libpam-ldap (the old way) or using libpam-ldapd (the new way).
Installing libpam-ldapd will pull in all the dependencies needed (ldap-utils, libnss-ldapd, nscd, nslcd, nslcd-utils):
sudo apt-get install libpam-ldapd
The automatic configuration assistant from dpkg will ask you for the URL(s) of your LDAP server(s), the base DN and the services to be configured from LDAP. I only want to manage users and groups from LDAP, so I chose group, passwd and shadow. This can be extended later.
Setup user login with pam_ldapd
The settings taken automatically need to be checked and edited now. First check that the file /etc/nsswitch.conf looks like
passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
In case you’ve decided to use more services than me over LDAP it might look different of course.
Then have a look at /etc/nslcd.conf. nslcd is the service used to connect to a directory service like LDAP; libpam-ldapd then manages the data obtained from there. All connection relevant information can be found in the
getent passwd
getent group
to check whether users and groups are taken correctly from LDAP.
Restrict access to certain users
There are quite a lot of people in my LDAP right now: family members who have a mail account on my server, colleagues and friends who have access to my file sharing platform, and so on. Only very few people should have login access on several systems, mainly me. All these people I put in the login group. But of course it would also be possible to limit access on a per-system basis (see e.g. https://help.ubuntu.com/community/LDAPClientAuthentication).
Add the following to the end of
# disallow all except people in the login group and root
-:ALL EXCEPT root (login):ALL EXCEPT LOCAL
account required pam_access.so
to /etc/pam.d/login for the changes to take effect.
In this file you could also restrict root access to certain IP addresses, subnets, etc. I'm not doing this right now, as my network is quite limited. Check the settings made above by trying to log in as a user who is not in the group 'login'. Note that such users will still be given a login prompt, but cannot actually log in.
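To see what the access.conf rule above actually permits before relying on it, here is a small evaluator I added for this post (it is not part of pam_access or the original setup). It models the classic access.conf semantics: first matching rule wins, no match means access is granted, and LOCAL matches an origin without a dot such as a tty name; user tokens may be a user name, ALL or a parenthesised group. Check the access.conf(5) man page of your release for the exact LOCAL handling.

```python
"""Minimal evaluator for pam_access (access.conf) rules."""
import re

# Constructed sample: the rule from the post, with a comment line as in the file.
ACCESS_CONF = """
# disallow all except people in the login group and root
-:ALL EXCEPT root (login):ALL EXCEPT LOCAL
"""


def parse_rules(text):
    """Return a list of (permission, user_tokens, origin_tokens) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _user_matches(token, user, groups):
    if token == "ALL":
        return True
    group = re.fullmatch(r"\((.+)\)", token)  # "(login)" -> group membership
    if group:
        return group.group(1) in groups
    return token == user


def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":  # classic semantics: tty names carry no dot
        return "." not in origin
    return token == origin


def _list_matches(tokens, match):
    """Handle 'A B EXCEPT C D': matched by the left part and not by the right."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], match) and not _list_matches(tokens[i + 1:], match)
    return any(match(t) for t in tokens)


def check_access(rules, user, groups, origin):
    """True if the user from this origin is granted access; first match wins."""
    for perm, users, origins in rules:
        if (_list_matches(users, lambda t: _user_matches(t, user, groups))
                and _list_matches(origins, lambda t: _origin_matches(t, origin))):
            return perm == "+"
    return True  # pam_access grants access when no rule matches
```

Running it against a user such as 'dummy' shows the rule blocks remote origins only: a login on a local tty is still granted, which is exactly what the trailing EXCEPT LOCAL means.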
User group mapping
To allow mixed use of local and remote users on systems (like the user 'pi' on Raspberry Pis) there is no group 'users' in my LDAP. However, users should of course belong to that group. To achieve this add the following to your
# Any member of the group login is granted access to the (local) group 'users'
*;*;%login;Al0000-2400;users
Create a file
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
    required pam_group.so use_first_pass
and activate it running
Restart nscd and nslcd
/etc/init.d/nscd restart
/etc/init.d/nslcd restart
and check with a user whether the mapping is working.
You should see something similar to
uid=1002(dummy) gid=100(users) Groups=100(users)
Watch out especially for Groups and gid.
Automatically create home directory
The home directory on this server is only needed to keep bash's config and history files and maybe some notes. So it does not need to be mapped to a server-kept home directory via NFS or Samba; it just needs to be created on first login. Create a file
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
    required pam_mkhomedir.so umask=0022 skel=/etc/skel
pam_mkhomedir.so by issuing
Check that it is working by logging in as a user without an existing home directory.
- man access.conf
- man pam.d
- comments in the files of