LDAP authentication
Introduction and Concepts
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).
The guide is divided into two parts. The first part deals with how to set up an OpenLDAP server that hosts the authentication directory. The second part deals with how to set up the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.
NSS and PAM
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.
PAM (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases, and then configure PAM to use these sources to authenticate its users.
LDAP Server Setup
Installation
Install the OpenLDAP server and configure the server and client. After you have completed that, return here.
Set up access controls
To make sure that no one can read the (hashed) passwords from the LDAP server, while still allowing users to edit a few of their own attributes (such as their own password and photo), create and import the following LDIF and restart slapd.service afterwards:
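An added example, not code from the original page: a shell script that generates and applies an olcAccess rule set of the kind described above. It assumes the directory is stored in olcDatabase={1}mdb under cn=config and that the admin DN is the cn=Manager,dc=example,dc=org used later on this page; both are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example: generate and apply an olcAccess ACL that keeps password hashes
# unreadable while letting users change their own password and photo.
# Assumptions: the data lives in olcDatabase={1}mdb (check with
# "slapcat -n0 | grep olcDatabase") and the admin DN is cn=Manager,dc=example,dc=org.
MANAGER_DN='cn=Manager,dc=example,dc=org'
DB_DN='olcDatabase={1}mdb,cn=config'

# acl_ldif: print the LDIF on stdout. slapd evaluates "to" clauses in order and
# the first one matching the attribute wins, so the password rule comes first.
# shadowLastChange is in the same rule so a self-service password change can
# update it; "by anonymous auth" lets a bind check the password without reading it.
acl_ldif() {
  cat <<EOF
dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="$MANAGER_DN" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to attrs=loginShell,jpegPhoto
  by dn="$MANAGER_DN" write
  by self write
  by * read
olcAccess: {2}to *
  by dn="$MANAGER_DN" write
  by * read
EOF
}

# acl_hides_password: return 0 only if the password rule ends in "by * none",
# i.e. nobody outside the earlier "by" clauses can read the hash.
acl_hides_password() {
  acl_ldif | awk 'index($0, "olcAccess: {0}to attrs=userPassword") == 1 {inrule=1; next}
                  /^olcAccess:/ {inrule=0}
                  inrule && $0 == "  by * none" {found=1}
                  END {exit found ? 0 : 1}'
}

# apply_acl: load the rules over the local socket as root (SASL EXTERNAL) and
# restart slapd as the page instructs.
apply_acl() {
  acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// && systemctl restart slapd.service
}

if [ "${1:-}" = apply ]; then
  acl_hides_password && apply_acl
fi
```

After applying, an anonymous ldapsearch for the userPassword attribute of a user must return the entry without that attribute.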
Populate LDAP Tree with Base Data
Create a temporary file called base.ldif with the following text.
Add it to your OpenLDAP tree:
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
Test to make sure the data was imported:
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
Adding users
To manually add a user, create a file like this:
user_joe.ldif
dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John Doe
sn: Doe
givenName: John
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: https://archlinux.org/
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe/
description: This is an example user
The in the entry should be replaced with the value in or use the command. Now add the user:
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif
You can add a group similarly with:
group_joe.ldif
dn: cn=joe,ou=Group,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: joe
gidNumber: 9999
Client Setup
Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with .
Depending on your target, choose either online-only or online and offline authentication.
NSS Configuration
NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.
Install the package.
Edit which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:
passwd: files ldap
group: files ldap
shadow: files ldap
Edit and change the and lines to fit your ldap server setup.
Edit the and the if your LDAP server requires a password. Make sure you change the permission of your to 0600 for to start properly.
Start using systemd.
You should now see your LDAP users when running getent passwd on the client.
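An added example, not part of the original page: a POSIX shell script that checks the client-side settings this section asks for, namely the ldap source in /etc/nsswitch.conf and the 0600 mode on the nslcd configuration file (assumed here to be /etc/nslcd.conf, which holds the bind password), and then lists the accounts that only the directory provides.

```shell
#!/bin/sh
# Added example: sanity checks for an nss-pam-ldapd client before trusting LDAP
# logins. Assumption: nslcd reads its bind credentials from /etc/nslcd.conf.

# check_nsswitch FILE: succeed only if passwd, group and shadow each list "ldap"
# as a source (word match, so "ldapx" or "files" alone do not count).
check_nsswitch() {
  for db in passwd group shadow; do
    grep -E "^[[:space:]]*$db:" "$1" | grep -Eq "(^|[[:space:]])ldap([[:space:]]|$)" \
      || { echo "$db: no ldap source in $1" >&2; return 1; }
  done
}

# check_secret_perms FILE: the file carrying the bind password must be mode 0600,
# otherwise any local user could read the directory credentials.
check_secret_perms() {
  mode=$(stat -c %a "$1") || return 1
  [ "$mode" = 600 ] || { echo "$1 is mode $mode, expected 600" >&2; return 1; }
}

# ldap_only_users: names NSS returns that are absent from the local passwd file,
# i.e. the accounts that came from the directory. Empty output means NSS is not
# reaching the server.
ldap_only_users() {
  all=$(mktemp) && loc=$(mktemp) || return 1
  getent passwd | cut -d: -f1 | sort > "$all"
  cut -d: -f1 /etc/passwd | sort > "$loc"
  comm -23 "$all" "$loc"
  rm -f "$all" "$loc"
}

# Run against the live system with: sh check-ldap-client.sh run
if [ "${1:-}" = run ]; then
  check_nsswitch /etc/nsswitch.conf && check_secret_perms /etc/nslcd.conf && ldap_only_users
fi
```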
PAM Configuration
The basic rule of thumb for PAM configuration is to include wherever is included. Arch moving to has helped decrease the number of edits required. For more details about configuring PAM, the Red Hat documentation is quite good. You might also want the upstream documentation for nss-pam-ldapd.
First edit . This file is included in most of the other files in , so changes here propagate nicely. Updates to may change this file.
Make sufficient at the top of each section, except in the session section, where we make it optional.
Then edit both /etc/pam.d/su and identically. The su-l file is used when the user runs .
Make sufficient at the top of each section but below , and add to in the auth section.
To enable users to edit their password, edit :
Create home folders at login
If you want home folders to be created at login (e.g. if you are not using NFS to store home folders), edit /etc/pam.d/system-login and add to the session section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, sddm, gdm, etc. You might choose to edit additional files in the same way, such as /etc/pam.d/su and , to enable it for and . If you do not want to do this for ssh logins, edit instead of system-login, etc.
Enable sudo
To enable sudo from an LDAP user, edit . You will also need to modify sudoers accordingly.
You will also need to add in the following:
/etc/openldap/ldap.conf
sudoers_base ou=sudoers,dc=example,dc=org
Online and Offline Authentication with SSSD
SSSD is a system daemon. Its primary function is to provide access to remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will provide D-Bus based interfaces for extended user information. It also provides a better database to store local users as well as extended user data.
Install the package.
SSSD Configuration
If it does not exist create .
The above is an example only. See for the full details.
Finally, set the file permissions; otherwise sssd will fail to start.
NSCD Configuration
Disable caching for passwd, group and netgroup entries in /etc/nscd.conf, as it will interfere with sssd caching. Keep caching enabled for hosts entries, otherwise some services may fail to start.
NSS Configuration
Edit as follows:
PAM Configuration
The first step is to edit as follows:
These PAM changes will apply to fresh logins. To also allow the command to authenticate through SSSD, edit /etc/pam.d/su:
Enable sudo
Edit as follows:
Also add sudo service to the list of enabled services and the search base in :
Alternately, configure sudo to allow the desired LDAP users to use sudo.
Password Management
In order to enable users to change their passwords using passwd, edit as follows:
For changing expired passwords when logging in using , add a password entry to /etc/pam.d/su if it is missing:
You should now be able to see details of your LDAP users with or id username.
Once you have logged in with a user, the credentials will be cached and you will be able to log in using the cached credentials when the LDAP server is offline or unavailable.