5

I use puppet for managing our production servers. Under RHEL5 the standard way of enabling LDAP is to use the authconfig tool, which works successfully but isn't really compatible with the puppet way of doing things. If I were to have puppet make the relevant edits to the authentication config files, which ones should I change? Off the top of my head, the files I know need editing to enable LDAP authentication are

/etc/ldap.conf
/etc/nsswitch.conf

But there may also be PAM config files which I am not sure about.

Dave Cheney

7 Answers

3

My preference is to manage /etc/sysconfig/authconfig (which contains a list of vars) then use authconfig --updateall, this lets me drop 1 file that controls everything.

Stick
    For those who find this question via Google: note that in RHEL6, `/etc/sysconfig/authconfig` no longer works this way -- it is strictly a read-only file created by running the `authconfig` command. Changes made here will simply be overwritten by authconfig. See http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify. – larsks Jul 29 '11 at 01:36
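An added example of the single-entry-point approach Stick describes, written here as a Puppet class rather than taken from his answer or from any of the posts. It drives authconfig through its own command-line switches instead of editing /etc/sysconfig/authconfig by hand, which sidesteps the RHEL6 behaviour noted in the comment above (authconfig rewrites that file rather than reading it). The class name, module name, LDAP hostname and base DN are placeholders; the CA certificate that `--enableldaptls` needs under /etc/openldap/cacerts is not shown.

```puppet
# Added example, not part of the original answer.  Enable LDAP lookups
# (nss_ldap) and LDAP authentication (pam_ldap) by letting authconfig
# generate /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth-ac
# from one invocation.  "ldapauth", the server name and the base DN are
# placeholders.
class ldapauth (
  $ldap_server = 'ldap.example.com',    # placeholder hostname; STARTTLS is
                                        # enabled below so binds are not
                                        # sent in the clear
  $ldap_basedn = 'dc=example,dc=com',   # placeholder base DN
) {

  # On RHEL5 the nss_ldap package ships both the NSS module and pam_ldap.so.
  package { 'nss_ldap':
    ensure => installed,
  }

  # --update regenerates the files authconfig owns while leaving settings
  # not named on the command line alone.  The "unless" guard checks the
  # two files authconfig writes the LDAP state into, so the command only
  # runs when a host drifts; without it Puppet would rerun authconfig on
  # every agent run and rewrite the files each time.
  exec { 'authconfig-enable-ldap':
    command => "/usr/sbin/authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=${ldap_server} --ldapbasedn=${ldap_basedn} --update",
    unless  => "/bin/grep -q '^USELDAPAUTH=yes' /etc/sysconfig/authconfig && /bin/grep -q '^base ${ldap_basedn}' /etc/ldap.conf",
    path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    require => Package['nss_ldap'],
  }
}
```

To see what a given host would end up with before letting Puppet touch it, `authconfig --test` prints the settings authconfig would apply without writing any file, which is a convenient way to confirm that the guard in `unless` matches what the tool actually writes on that release.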
3

I typically edit:

/etc/ldap.conf
/etc/nsswitch.conf
/etc/openldap/ldap.conf (check for certs if necessary)
/etc/pam.d/system-auth

I think that covers the necessary evils. Might need /etc/sudoers as well.

f4nt
1

Slightly off-topic, but something that can be helpful when setting up PAM for ldap auth is to automatically create user home directories when they log into a server for the first time.

If you are setting up ldap in the system-auth file, then add the following to "session":

session          required        pam_mkhomedir.so skel=/etc/skel umask=0077

On a RHEL5 server, I have this after "session required pam_limits.so" (3rd "session" config param).

As per tucker's suggestion above, puppet is a great tool for managing configs across multiple servers.

Brett
1

I'm not sure about any RedHat specific configurations, but take a look at this LDAP configuration guide.

Basically, besides the files you mention, you should also configure PAM like so:

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_deny.so

Ivan
  • According to [tldp](http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html), "Note that if you use nss_ldap, you don't strictly need to use pam_ldap." – ILMostro_7 Jun 28 '15 at 21:32
1

Our script to set up ldap auth (which invokes authconfig) modifies these files:

/etc/rc.d/init.d/iptables (rearrange the chkconfig priority)
/etc/gshadow
/etc/ssh/sshd_config
/etc/ldap.conf
/etc/pam.d/login
/etc/pam.d/sshd
/etc/group

Jason Luther
0

If you're kickstarting, you can set this up as a kickstart option. See:

http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html

Jason Tan
0

Use authconfig-tui on one client to create the necessary files (ldap.conf, krb5.conf, pam.d/system-auth-ac etc), then copy those files into your puppet install and use puppet to push the files to all new and existing servers.

If you have a significant number of servers and you're not using puppet, you should consider it.
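An added example of the file-push approach in this answer, written here and not taken from it: the files that authconfig-tui generated on a reference host are checked into a Puppet module and distributed unchanged. The module name "ldapauth" and the file names under it are assumptions. The /etc/ldap.secret entry is only relevant when /etc/ldap.conf uses rootbinddn, which is why it gets a tighter mode than the rest.

```puppet
# Added example, not from the original answer.  Every file below was
# produced once with authconfig-tui on a reference host and copied into
# the "ldapauth" module (module name and source paths are assumptions).
class ldapauth::files {

  package { 'nss_ldap':
    ensure => installed,
  }

  # Defaults shared by every file managed in this class: root-owned,
  # world-readable, and only installed once the NSS/PAM modules they
  # reference are present.
  File {
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    require => Package['nss_ldap'],
  }

  # nss_ldap / pam_ldap client configuration (server, base DN, TLS).
  file { '/etc/ldap.conf':
    source => 'puppet:///modules/ldapauth/ldap.conf',
  }

  # Used by the OpenLDAP command-line tools (ldapsearch and friends);
  # keep it in step with /etc/ldap.conf so certificate checks behave the
  # same from the CLI as from PAM.
  file { '/etc/openldap/ldap.conf':
    source => 'puppet:///modules/ldapauth/openldap-ldap.conf',
  }

  file { '/etc/nsswitch.conf':
    source => 'puppet:///modules/ldapauth/nsswitch.conf',
  }

  # authconfig writes system-auth-ac and points system-auth at it.  Manage
  # both so a later manual authconfig run on one host cannot silently
  # replace the stack Puppet distributes (this is also where a
  # pam_mkhomedir session line would live).
  file { '/etc/pam.d/system-auth-ac':
    source => 'puppet:///modules/ldapauth/system-auth-ac',
  }
  file { '/etc/pam.d/system-auth':
    ensure => link,
    target => '/etc/pam.d/system-auth-ac',
  }

  # Only needed when /etc/ldap.conf sets rootbinddn: pam_ldap reads the
  # bind password from this file, so it must not be world-readable.
  file { '/etc/ldap.secret':
    mode   => '0600',
    source => 'puppet:///modules/ldapauth/ldap.secret',
  }
}
```

Because the Puppet fileserver hands module files to any agent that is allowed to fetch them, keeping a bind password in the module is only appropriate when every managed host is meant to share that bind identity; hosts that should not know it belong in a different class.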