OpenLDAP

Connecting UNIX/Linux Systems to the GWDG's User Account Management

Prerequisites

To use our OpenLDAP service you have to install the so called PAM (pluggable authentication modules) modules and NSS (name service switch). NSS enables your operating system to use name resolution from different data sources. This is true for computer names, group names and user names. PAM and NSS are available for Linux and FreeBSD systems. In the following we describe the connection to our LDAP server. Because SuSE Linux and Ubuntu are widespread in Göttingen, we mainly refer to these Linux distributions. Mac OS X also works with OpenLDAP. Please contact machelp@gwdg.de for further information.

Requiered Software Packages

On SuSE Linux systems you can use the rpm command to check if the three necessary software packages are installed:

> rpm -qa | grep ldap    
nss_ldap-262-11.32.39.1
openldap2-client-2.4.26-0.30.1
pam_ldap-184-147.20


On Ubuntu systems, the following software packages are necessary:

libnss-ldap  
libpam-ldap  
ldap-utils
nslcd


On FreeBSD systems, you can use the pkg info command:

> pkg info | grep ldap    
nss_ldap-1.265_10              
openldap-client-2.4.40_1       
pam_ldap-1.8.6_2


In the examples above a “>” at the beginning on a line symbolizes a shell command prompt. The mentioned version numbers are not so important.

OpenLDAP Configuration

On OpenLDAP Linux clients, all the necessary configuration files are stored in the directory /etc/openldap respectively /usr/local/etc/openldap on FreeBSD clients. The central configuration file is ldap.conf which ponits to the GWDG's OpenLDAP server. Here is an example:

BASE        xxxxxxx                # beginning of a search path in the LDAP directory
URI         ldaps://ldap.gwdg.de
binddn      xxxxxxx                # user with search privileges
bindpw      xxxxxxx                # corresponding password
TLS_CACERT  /etc/openldap/ldap-ca.pem 
ssl         on   


Please contact support@gwdg.de for BASE, binddn and bindpw entries.

To use ssl, you have to install a CA certificate from a trustcenter. You can find this file on our server login.gwdg.de. Simply copy the file /etc/openldap/ldap-ca.pem to the same directory where your ldap.conf file is located. This file is also available on our server gwdu60.gwdg.de. It is located in /var/openldap/cert/ldap-ca.pem.

Make sure that ldap.conf and ldap-ca.pem are both readable for every user.

PAM Configuration

PAM configuration is an important thing during the setup process of an OpenLDAP client. You have to configurate each service (e.g. ssh, sftp) that allows a user login seperately if necessary. On Linux and FreeBSD systems, you have to edit all configuration files in the directory /etc/pam.d/ for your relevant services. It is important to include the pam_ldap entries in the configuration files. Otherwise OpenLDAP authentifications would not work for these services.

On FreeBSD systems one of these configuration files are system (to make login and su work) and sshd (for ssh logins). Here is an example of the /etc/pam.d/sshd configuration file:

#
# PAM configuration for the "sshd" service
#
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_ldap.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
# account
account         sufficient      pam_login_access.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
# session
#session        sufficient      pam_ldap.so              
session         required        pam_permit.so
# password
password        required        pam_unix.so             no_warn try_first_pass


E.g. for OpenLDAP console logins on Ubuntu systems, you have to enter the service specific entries in /etc/pam.d/common-password and /etc/pam.d/common-auth. Here is an example of a common-password configuration file:

#
# /etc/pam.d/common-password - password-related modules common to all services
#
password	[success=2 default=ignore]			pam_unix.so obscure sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so use_authtok try_first_pass
password	requisite					pam_deny.so
password	required					pam_permit.so
password	optional					pam_gnome_keyring.so 


and here an example of an common-auth configuration:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth	[success=2 default=ignore]			pam_unix.so nullok_secure
auth	[success=1 default=ignore]			pam_ldap.so use_first_pass
auth	requisite					pam_deny.so
auth	required					pam_permit.so


On FreeBSD and Linux systems, the pam_ldap module uses its own configuration file ldap.conf. You can link them to your OpenLDAP configuration file.

On Linux systems enter:

> ln -fsv /etc/openldap/ldap.conf /etc/ldap.conf  


And on a FreeBSD machine:

> ln -fsv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf 


NSS Configuration

You have to change two lines in the file /etc/nsswitch.conf to get access to the OpenLDAP data:

group: files ldap 
passwd: files ldap 


On FreeBSD machines, you have to link the file /usr/local/etc/nss_ldap.conf to /usr/local/etc/openldap/ldap.conf.
You can check if your NSS configuration is working with the id command and your GWDG account (e.g. gast00).

> id gast00
uid=6722(gast00) gid=5070(GGST) groups=5070(GGST)


If it does not work, you get an error message like that:

id: gast00: no such user 


Other Measures

In the GWDG LDAP directory /usr/users/USERNAME/ is defined as your user home directory. In certain circumstances, you have to link your home directory (e.g. /home/otto) to /usr/users/onormal for a successful login. Enter:

> mkdir /usr/users
> ln -s /home/otto /usr/users/onormal


Afterwards the user otto can use /usr/users/onormal/ as his home directory.

Contact

If you have any problems or questions regarding OpenLDAP, please contact support@gwdg.de.