LDAP authentication
Introduction and Concepts
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).
The guide is divided into two parts. The first part deals with how to set up an OpenLDAP server that hosts the authentication directory. The second part deals with how to set up the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.
NSS and PAM
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.
PAM (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases, and then configure PAM to use these sources to authenticate its users.
LDAP Server Setup
Installation
Install the OpenLDAP server and configure the server and client. After you have completed that, return here.
Set up access controls
To make sure that no one can read the (hashed) passwords from the LDAP server, while still allowing users to edit a few of their own attributes (such as their own password and photo), create and import the following LDIF and restart slapd.service afterwards:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=cn,givenName,sn,userPassword,shadowLastChange,mail,loginShell,photo by self write by anonymous auth by dn.base="cn=Manager,dc=example,dc=org" write by * none
olcAccess: {1}to * by self read by dn.base="cn=Manager,dc=example,dc=org" write by * read
The first rule hides userPassword from everyone except the entry's owner and the Manager DN; "by anonymous auth" still lets clients bind with the password without being able to read the hash. Note that the second rule leaves every other attribute world-readable ("by * read"). If the directory should not be browsable anonymously, change that to "by users read", but then the NSS client has to bind with credentials rather than anonymously.
Populate LDAP Tree with Base Data
Create a temporary file called base.ldif with the following text.
Add it to your OpenLDAP tree:
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
Test to make sure the data was imported:
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
Adding users
To manually add a user, create a file like this:
user_joe.ldif
dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John Doe
sn: Doe
givenName: John
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: https://archlinux.org/
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe/
description: This is an example user
The userPassword placeholder in the entry should be replaced with a password hash, either with the value in or by using the command; never store the cleartext password in the directory. Now add the user:
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif
You can add a group similarly with
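The following script is an added example and not part of this page or of OpenLDAP: it performs the "Adding users" steps in one go, hashing the password as a {CRYPT} SHA-512 value (assumption: openssl 1.1.1 or later is installed; slapd's {CRYPT} scheme verifies through the system crypt(3), which understands the $6$ format) and emitting a posixAccount/shadowAccount entry under ou=People,dc=example,dc=org, the layout assumed above. The validation it does (numeric uidNumber/gidNumber, a sane uid, refusing a cleartext or weak userPassword) covers the mistakes that most often make ldapadd reject an entry or leave a password stored in the clear.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate a posixAccount entry with a
# hashed userPassword, ready for ldapadd.  Assumes the ou=People,dc=example,dc=org
# layout used above and openssl >= 1.1.1 for the SHA-512 crypt hash.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=org}"   # assumption: the suffix from base.ldif

# hash_password PASSWORD
# Prints a {CRYPT} value.  slapd's {CRYPT} scheme verifies with the system
# crypt(3); glibc's crypt understands the $6$ (SHA-512) format that
# 'openssl passwd -6' produces, so the stored value stays opaque even to the
# few DNs the ACL allows to read it.
hash_password() {
    printf '{CRYPT}%s\n' "$(printf '%s' "$1" | openssl passwd -6 -stdin)"
}

# user_ldif UID CN SN UIDNUMBER GIDNUMBER HASHED_PASSWORD
# Prints the LDIF entry on stdout.  Refuses input that slapd would reject
# (non-numeric ids, odd uid characters) and any userPassword that is not a
# {CRYPT}$6$ or {SSHA} hash, so cleartext never reaches the directory.
user_ldif() {
    uid="$1"; cn="$2"; sn="$3"; uidn="$4"; gidn="$5"; pw="$6"
    case "$uid" in
        ''|*[!a-z0-9._-]*) echo "user_ldif: bad uid '$uid'" >&2; return 1 ;;
    esac
    for n in "$uidn" "$gidn"; do
        case "$n" in
            ''|*[!0-9]*) echo "user_ldif: uidNumber/gidNumber must be numeric" >&2; return 1 ;;
        esac
    done
    case "$pw" in
        '{CRYPT}$6$'*|'{SSHA}'*) ;;   # SHA-512 crypt or salted SHA-1: acceptable
        *) echo "user_ldif: refusing cleartext or weak userPassword" >&2; return 1 ;;
    esac
    cat <<EOF
dn: uid=${uid},ou=People,${BASE_DN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ${uid}
cn: ${cn}
sn: ${sn}
userPassword: ${pw}
loginShell: /bin/bash
uidNumber: ${uidn}
gidNumber: ${gidn}
homeDirectory: /home/${uid}
EOF
}

# Usage (password on stdin so it never appears in the process list or history):
#   printf '%s\n' 'the password' | ./mkuser.sh johndoe 'John Doe' Doe 9999 9999
#   ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_johndoe.ldif
if [ "$#" -eq 5 ]; then
    IFS= read -r pw
    user_ldif "$1" "$2" "$3" "$4" "$5" "$(hash_password "$pw")" > "user_$1.ldif"
    echo "wrote user_$1.ldif"
fi
```

After importing the entry, check that the access controls from the previous section actually hide the hash: an anonymous "ldapsearch -x -b 'ou=People,dc=example,dc=org' '(uid=johndoe)' userPassword" must return the entry without a userPassword attribute, while the same search bound as the user ("-D 'uid=johndoe,ou=People,dc=example,dc=org' -W") must show it.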
Client Setup
Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with .
Depending on your target, choose either online-only or online and offline authentication.
NSS Configuration
NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.
Install the package.
Edit which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:
passwd: files ldap
group: files ldap
shadow: files ldap
Edit and change the and lines to fit your LDAP server setup.
Edit the and the if your LDAP server requires a password. Make sure you change the permissions of your to 0600, both because it then contains the bind password and because refuses to start otherwise.
Start using systemd.
You now should see your LDAP users when running on the client.
PAM Configuration
The basic rule of thumb for PAM configuration is to include pam_ldap.so wherever is included. Arch moving to has helped decrease the amount of edits required. For more details about configuring PAM, the Red Hat documentation is quite good. You might also want the upstream documentation for nss-pam-ldapd.
First edit . This file is included in most of the other files in , so changes here propagate nicely. Updates to may change this file.
Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional.
/etc/pam.d/system-auth
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so

account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so

password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so

session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_permit.so
Then edit both and identically. The file is used when the user runs .
Make pam_ldap.so sufficient at the top of each section but below , and add use_first_pass to in the auth section.
To enable users to edit their password, edit :
Create home folders at login
If you want home folders to be created at login (e.g. if you are not using NFS to store home folders), edit /etc/pam.d/system-login and add to the session section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, sddm, gdm, etc. You might choose to edit additional files in the same way, such as and to enable it for and . If you do not want to do this for ssh logins, edit system-local-login instead of , etc.
Enable sudo
To enable sudo for an LDAP user, edit . You will also need to modify sudoers accordingly, and add the following to /etc/openldap/ldap.conf:
sudoers_base ou=sudoers,dc=example,dc=org
Online and Offline Authentication with SSSD
SSSD is a system daemon. Its primary function is to provide access to remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will provide D-Bus based interfaces for extended user information. It also provides a better database to store local users as well as extended user data.
Install the package.
SSSD Configuration
If it does not exist create .
The above is an example only. See sssd.conf(5) for the full details.
Finally set the file permissions (0600, owned by root), otherwise sssd will refuse to start.
NSCD Configuration
Disable caching for passwd, group and netgroup entries in as it will interfere with sssd caching.
Keep caching enabled for hosts entries otherwise some services may fail to start.
NSS Configuration
Edit as follows:
PAM Configuration
The first step is to edit as follows:
These PAM changes apply to fresh logins. To also allow the command to authenticate through SSSD, edit :
/etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_sss.so forward_pass
auth required pam_unix.so
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so
session required pam_unix.so
session optional pam_sss.so
Enable sudo
Edit as follows:
Also add sudo service to the list of enabled services and the search base in :
Alternately, configure sudo to allow the desired LDAP users to use sudo.
Password Management
In order to enable users to change their passwords using passwd, edit as follows:
For changing expired passwords when logging in using add a password entry to if it is missing:
You should now be able to see details of your LDAP users with getent passwd username or .
Once you have logged in with a user, the credentials will be cached and you will be able to log in using the cached credentials when the LDAP server is offline or unavailable.
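Both client variants above (nss-pam-ldapd with the ldap source and pam_ldap.so, SSSD with the sss source and pam_sss.so) fail in the same ways: a database in the NSS configuration that never names the directory source, a PAM stack in which pam_unix.so is "required" ahead of the directory module (the local failure is then recorded and every directory user is rejected even though the module is listed), or a credential file whose mode is not 0600, which makes the daemon refuse to start. The script below is an added example and not part of this page or of either project; it checks those three things against files you point it at, so it can be run before you log out of the session in which you edited PAM. Paths are arguments rather than hard-coded, and the owner check (root) is left to you since the functions are also exercised against temporary files.

```shell
#!/bin/sh
# Added example (not from the wiki page): preflight checks for an LDAP client.
# Usage: ./preflight.sh ldap /etc/nsswitch.conf /etc/pam.d/system-auth <credential file>
#    or: ./preflight.sh sss  /etc/nsswitch.conf /etc/pam.d/system-auth <credential file>
set -eu

# nss_uses_source FILE SOURCE DB...
# Each DB line in the nsswitch file must list SOURCE somewhere after 'files'.
nss_uses_source() {
    file="$1"; src="$2"; shift 2
    for db in "$@"; do
        if ! grep -E "^[[:space:]]*${db}:" "$file" \
             | grep -Eq "files.*[[:space:]]${src}"'([[:space:]]|$)'; then
            echo "$file: '$db' does not list '$src' after files" >&2
            return 1
        fi
    done
}

# pam_before_unix FILE TYPE MODULE
# In the TYPE stack (auth, account, password) MODULE must be present and must
# come before pam_unix.so.  Do not apply this to the session stack, where the
# page deliberately lists the directory module after pam_unix.so as optional.
pam_before_unix() {
    file="$1"; stack_type="$2"; mod="$3"
    stack="$(grep -nE "^[[:space:]]*${stack_type}[[:space:]]" "$file" || true)"
    m="$(printf '%s\n' "$stack" | grep -F "$mod" | head -n 1 | cut -d: -f1)"
    u="$(printf '%s\n' "$stack" | grep -F pam_unix.so | head -n 1 | cut -d: -f1)"
    if [ -z "$m" ]; then
        echo "$file: no $mod in the $stack_type stack" >&2
        return 1
    fi
    if [ -n "$u" ] && [ "$m" -gt "$u" ]; then
        echo "$file: $mod is listed after pam_unix.so in the $stack_type stack" >&2
        return 1
    fi
}

# mode_is FILE MODE
# The file holding the bind password must have exactly MODE (e.g. 600);
# nslcd and sssd refuse to start when it is readable by others.
mode_is() {
    [ -e "$1" ] || { echo "$1: missing" >&2; return 1; }
    m="$(stat -c '%a' "$1")"
    [ "$m" = "$2" ] || { echo "$1: mode $m, want $2" >&2; return 1; }
}

# client_preflight SOURCE NSSWITCH PAMFILE CREDFILE
# SOURCE is 'ldap' (nslcd) or 'sss' (sssd); the PAM module is pam_<SOURCE>.so.
# Every check is followed by '|| return 1' because 'set -e' is suspended
# inside a function called as part of an || list.
client_preflight() {
    src="$1"; nss="$2"; pam="$3"; cred="$4"
    nss_uses_source "$nss" "$src" passwd group shadow || return 1
    pam_before_unix "$pam" auth "pam_${src}.so" || return 1
    pam_before_unix "$pam" account "pam_${src}.so" || return 1
    mode_is "$cred" 600 || return 1
}

if [ "$#" -eq 4 ]; then
    client_preflight "$@" && echo "client preflight OK"
fi
```

Run it with the ldap source and your nslcd credential file, or with sss and sssd.conf, after every PAM edit and before closing your root shell; a non-zero exit tells you which check failed and in which file.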