Central authentication

From JhuAcmWiki

System setup: Generic

* For Unices, you must change "nsswitch.conf" so the system can turn usernames into user IDs, and
* update PAM, the Pluggable Authentication Modules, so the system can ask the LDAP server to verify user authentication.

/etc/pam_ldap.conf (or ldap.conf) should have at least these options:

host 128.220.223.231
base dc=acm,dc=jhu,dc=edu
pam_password crypt
ssl no

/etc/nsswitch.conf from fomalhaut:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:        ldap files
group:         ldap files
shadow:        ldap files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
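To check that a client actually has the two files above in the shape this page calls for, here is an added audit script (example code written for this page, not the wiki's own or any distribution's tooling). It parses the pam_ldap.conf options and the nsswitch.conf databases from inline sample text constructed from the snippets above, and reports the `ssl no` setting as a risk because a simple bind then carries the user's password to the server in clear text; the finding strings and the `files` fallback rule are this example's own choices.

```python
"""Audit a client's pam_ldap.conf and nsswitch.conf against what this page
expects.  Added example for the wiki page, not part of any distribution's
tooling; the sample file contents below are constructed from the page's snippets."""

# Constructed sample: the minimum pam_ldap.conf the page asks for.
SAMPLE_PAM_LDAP_CONF = """\
# pam_ldap.conf (constructed sample)
host 128.220.223.231
base dc=acm,dc=jhu,dc=edu
pam_password crypt
ssl no
"""

# Constructed sample: the account-related lines of fomalhaut's nsswitch.conf.
SAMPLE_NSSWITCH_CONF = """\
passwd:        ldap files
group:         ldap files
shadow:        ldap files
hosts:          files dns
netgroup:       nis
"""

REQUIRED_PAM_LDAP_KEYS = ("host", "base", "pam_password", "ssl")
ACCOUNT_DATABASES = ("passwd", "group", "shadow")


def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_pam_ldap_conf(text):
    """Return {option: value} for 'key value' lines; keys are lower-cased."""
    options = {}
    for line in map(_strip, text.splitlines()):
        if not line:
            continue
        parts = line.split(None, 1)
        options[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def parse_nsswitch_conf(text):
    """Return {database: [source, ...]} for 'database: src1 src2' lines.
    Action tokens such as [NOTFOUND=return] are kept as plain list items."""
    databases = {}
    for line in map(_strip, text.splitlines()):
        if ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = sources.split()
    return databases


def audit_pam_ldap(options):
    """Findings for pam_ldap.conf.  'ssl no' is reported because a simple bind
    then sends the user's password to the LDAP server in clear text (the
    page's Solaris notes already suspect the unencrypted link)."""
    findings = ["missing option: " + key for key in REQUIRED_PAM_LDAP_KEYS
                if key not in options]
    if options.get("ssl", "no").lower() == "no":
        findings.append("ssl is off: simple binds send the password in clear text")
    return findings


def audit_nsswitch(databases):
    """Findings for nsswitch.conf: each account database must consult ldap,
    and should keep 'files' so local accounts still resolve if LDAP is down."""
    findings = []
    for db in ACCOUNT_DATABASES:
        sources = databases.get(db, [])
        if "ldap" not in sources:
            findings.append(db + ": ldap not consulted")
        if "files" not in sources:
            findings.append(db + ": no 'files' fallback, local accounts break when LDAP is unreachable")
    if "dns" not in databases.get("hosts", []):
        findings.append("hosts: dns not consulted, name lookups will fail")
    return findings


def audit(pam_ldap_text, nsswitch_text):
    """Run both audits and return the combined list of findings."""
    return (audit_pam_ldap(parse_pam_ldap_conf(pam_ldap_text))
            + audit_nsswitch(parse_nsswitch_conf(nsswitch_text)))


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM_LDAP_CONF, SAMPLE_NSSWITCH_CONF):
        print("WARN:", finding)
```

Run against the page's own snippets the only finding is the clear-text `ssl no`; point `audit()` at real file contents to see which of the required options or lookup sources a host is missing.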

System setup: Debian/Ubuntu

The Pluggable Authentication Modules on your system should know about the LDAP service. You can get generic instructions for Ubuntu or Debian, or for other OSs. Or, you can apply our Debian/Ubuntu PAM patch. (FIXME: This patch is reversed. For now, the commands below work - note the "-R" in the patch command.)

  • apt-get install libpam-ldap libnss-ldap
  • Fix nsswitch.conf
  • cd /etc/pam.d/
  • wget paulproteus.acm.jhu.edu/deb-pam-ldap.patch
  • patch -R -ur -p1 < deb-pam-ldap.patch
    • Apply this patch. It is very important that you do so. If you do not, login will be broken on the next reboot, and you will be a sad panda.
    • Also, on Edgy systems and beyond, I strongly recommend installing the Debian libnss-ldap module, as Ubuntu's has a nasty bug involving how long it times out for. Rince 05:36, 17 January 2007 (EST)
    • No longer true on Gutsy. Rince

If you'd like chfn and chsh to work:

apt-get -y install libnet-ldap-perl
dpkg-divert --add --rename --divert /usr/bin/chfn.local /usr/bin/chfn
dpkg-divert --add --rename --divert /usr/bin/chsh.local /usr/bin/chsh
ln -s /usr/share/doc/libpam-ldap/examples/chsh /usr/bin/chsh
ln -s /usr/share/doc/libpam-ldap/examples/chfn /usr/bin/chfn

System setup: Solaris 10

  • This was broken before S10U4/S11b63, and Just Works(tm) at that point. Rather silly, thanks Sun.
  • Warning: this is a work in progress (read: not yet right)
    • Lies, it works perfectly. The nsswitch.conf requires more editing, but it works.

To initiate the database, run

# ldapclient manual -v -a defaultsearchbase=dc=acm,dc=jhu,dc=edu -a domainname=acm.jhu.edu 128.220.223.231

Note: after running this, /etc/nsswitch.conf will be in a rather ldap-centric state. Since we still want to use DNS, edit it and change the "hosts" and "ipnodes" lines to say "files dns".

  • What works? Here's the output of ldapclient: (remove this once it's debugged)
bash# ldapclient manual -v -a defaultsearchbase=dc=acm,dc=jhu,dc=edu -a domainname=acm.jhu.edu 128.220.223.231.
Parsing defaultsearchbase=dc=acm,dc=jhu,dc=edu
Parsing domainname=acm.jhu.edu
Arguments parsed:
        defaultSearchBase: dc=acm,dc=jhu,dc=edu
        domainName: acm.jhu.edu
        defaultServerList: 128.220.223.231
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "acm.jhu.edu"
file_backup: stat(/var/yp/binding/acm.jhu.edu)=-1
file_backup: No /var/yp/binding/acm.jhu.edu directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname acm.jhu.edu... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: system/filesystem/autofs:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured

Afterwards, some queries seem to work:

bash-3.00# grep digitaleric /etc/passwd
bash-3.00# id digitaleric
uid=648(digitaleric) gid=100(users)

But resolving passwords does not work. Perhaps this is the same issue where Solaris doesn't like whatever format the shadow entries are? Will debug more later --EricN

Update: also had to edit /etc/pam.conf. See "man pam_ldap" for the suggested modifications. We're still not working, but we're getting a message in syslog that goes like this:

Sep 19 23:01:31 sol su: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Sep 19 23:01:31 sol su: [ID 810491 auth.crit] 'su digitaleric' failed for acmguest on /dev/pts/4

This error message comes from http://cvs.opensolaris.org/source/xref/usr/src/lib/pam_modules/ldap/ldap_utils.c and seems to indicate that the client does not like any of the "authentication methods" it found. Perhaps this is because it doesn't want to run over a non-encrypted link? More debugging needed.
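Since the error above is what a failing pam_ldap setup looks like in syslog, here is an added detection example (written for this page, not part of the wiki or of Solaris) that parses Solaris-style `[ID nnn facility.level]` lines and flags pam_ldap configuration errors and repeated `su` failures by one account. The first two sample log lines are the ones quoted above; the remaining sample lines, the sshd message format, the `192.0.2.10` address and the alert threshold are constructed for the example.

```python
"""Flag pam_ldap failures and repeated su failures in Solaris syslog output.
Added detection example for the wiki page, not part of Solaris or the wiki.
The first two sample lines are the ones quoted on the page; the rest, and the
192.0.2.10 address, are constructed."""

import re
from collections import Counter

SAMPLE_SYSLOG = """\
Sep 19 23:01:31 sol su: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Sep 19 23:01:31 sol su: [ID 810491 auth.crit] 'su digitaleric' failed for acmguest on /dev/pts/4
Sep 19 23:02:05 sol su: [ID 810491 auth.crit] 'su digitaleric' failed for acmguest on /dev/pts/4
Sep 19 23:02:40 sol sshd[1234]: [ID 800047 auth.info] Accepted publickey for digitaleric from 192.0.2.10 port 40412 ssh2
this line is not syslog at all
"""

# Solaris syslog layout: timestamp host program[pid]: [ID msgid facility.level] message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$"
)
# su's failure message, in the form it has on the page.
SU_FAILED_RE = re.compile(r"^'su (?P<target>\S+)' failed for (?P<actor>\S+) on (?P<tty>\S+)$")
FAILURE_LEVELS = ("error", "crit", "alert", "emerg")


def parse_syslog_line(line):
    """Return the line's fields as a dict, or None if it is not in this format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(record):
    """'pam_ldap_error' for module errors at error level or above,
    'su_failed' for a failed su, None for everything else."""
    if record["msg"].startswith("pam_ldap:") and record["level"] in FAILURE_LEVELS:
        return "pam_ldap_error"
    if SU_FAILED_RE.match(record["msg"]):
        return "su_failed"
    return None


def detect(text, threshold=2):
    """Count the interesting events and produce alerts: any pam_ldap error
    (the module is misconfigured, so LDAP users cannot authenticate at all),
    and any account that fails su at least `threshold` times."""
    counts = Counter()
    failures_by_actor = Counter()
    targets = {}
    for line in text.splitlines():
        record = parse_syslog_line(line)
        if record is None:
            continue
        kind = classify(record)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "su_failed":
            m = SU_FAILED_RE.match(record["msg"])
            failures_by_actor[m.group("actor")] += 1
            targets.setdefault(m.group("actor"), set()).add(m.group("target"))
    alerts = []
    if counts["pam_ldap_error"]:
        alerts.append("pam_ldap reported %d configuration error(s)" % counts["pam_ldap_error"])
    for actor, n in sorted(failures_by_actor.items()):
        if n >= threshold:
            alerts.append("%s failed su %d times (targets: %s)"
                          % (actor, n, ", ".join(sorted(targets[actor]))))
    return {"counts": dict(counts), "alerts": alerts}


if __name__ == "__main__":
    result = detect(SAMPLE_SYSLOG)
    print(result["counts"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

The pam_ldap alert is worth acting on as soon as it fires once: while the module is in that state every LDAP user is locked out, which is exactly the "broken login on next reboot" situation the Debian section warns about.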

Ideas

acmguest

We have a guest account. It must only work inside the lab.

To achieve this, add this line to sshd_config:

DenyUsers acmguest

THIS IS IMPORTANT.


-- AsheeshLaroia 2005-03-03.
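An added check for the sshd_config rule above (example code for this page, not from the wiki or OpenSSH): it parses the file, treats directives after a `Match` line as scoped to that block, and reports the guest account as denied only when the global section shuts it out outright, either through `DenyUsers` or through an `AllowUsers` list that omits it. The sample configs and the `192.0.2.0/24` range are constructed; only plain usernames are matched, not `user@host` or wildcard patterns.

```python
"""Check that sshd_config keeps the guest account off ssh, as the page requires.
Added example for the wiki page, not part of the wiki or of OpenSSH; the sample
configs are constructed."""

import re

# Constructed: the page's rule, in the global section where it applies to all.
SAMPLE_GOOD = """\
Port 22
PermitRootLogin no
DenyUsers acmguest
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Constructed: the same line but only inside a Match block, so the guest is
# still accepted from every other address.
SAMPLE_SCOPED = """\
Port 22
Match Address 192.0.2.0/24
    DenyUsers acmguest
"""

# sshd_config separates keyword and value with whitespace or a single '='.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).  Each directive is a
    (keyword, value) pair with the keyword lower-cased, since sshd treats
    keywords case-insensitively.  Everything after a Match line belongs to
    that block until the next Match."""
    global_directives = []
    match_blocks = []
    current = global_directives
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        keyword, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        keyword = keyword.lower()
        if keyword == "match":
            current = []
            match_blocks.append((value, current))
            continue
        current.append((keyword, value))
    return global_directives, match_blocks


def listed_users(directives, keyword):
    """All names given on DenyUsers/AllowUsers lines in `directives`.
    Only plain usernames are understood here; user@host and wildcard
    patterns are returned verbatim and will not match a bare username."""
    users = []
    for key, value in directives:
        if key == keyword:
            users.extend(value.split())
    return users


def guest_is_denied(text, guest="acmguest"):
    """True when the global section shuts the guest out of ssh entirely:
    either DenyUsers names it, or an AllowUsers list exists that omits it
    (sshd then refuses everyone not on that list)."""
    global_directives, _ = parse_sshd_config(text)
    if guest in listed_users(global_directives, "denyusers"):
        return True
    allowed = listed_users(global_directives, "allowusers")
    return bool(allowed) and guest not in allowed


if __name__ == "__main__":
    for name, cfg in (("good", SAMPLE_GOOD), ("scoped", SAMPLE_SCOPED)):
        print(name, "denies acmguest everywhere:", guest_is_denied(cfg))
```

A `DenyUsers` line that only lives inside a `Match` block is the mistake this check is meant to catch: the guest is refused from the matched addresses and accepted from everywhere else, which is the reverse of what the page wants.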