Integration with libpam-ldap and ncsd
Note that, with this setup, LDAP groups will automatically be assigned as Linux groups, same as using NIS (for instance)
Setup
sudo apt-get install -y libpam-ldap nscdHere are some answers to the prompts you will see during the setup process:
| Prompt | Answer |
|---|---|
| Should debconf…? | Yes |
| LDAP URI | Your GLAuth instance fqdn and port number |
| Distinguished Name | dc=glauth,dc=com (replace with your org’s DN) |
| LDAP version | 3 |
| Make local root database admin | Yes |
| Does the LDAP db require login? | No |
| LDAP account for root | cn=serviceuser,ou=service,dc=glauth,dc=com |
| LDAP root password | |
| Encryption | crypt |
You can reconfigure this later:
sudo dpkg-reconfigure ldap-auth-configIn /etc/nsswitch.conf:
passwd: ldap compat systemdgroup: ldap compat systemdshadow: ldap compatgshadow: filesIn /etc/pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/b-skel umask=0077Yes, this does create a home directory for each user being authenticated. We use a strong mask so that we can start storing sensitive info, if needed, in their home directory.
Note that we should also create our skeleton directory:
sudo mkdir /etc/b-skelIn /etc/pam.d/common-password, remove use_authtok if present.
Allow password login. Make sure you have, in /etc/ssh/sshd_config:
PasswordAuthentication yesSecurity
Now, let’s say that you are connecting to GLAuth using LDAPS, but you are using a self-signed cert. Change /etc/ldap/ldap.conf accordingly:
TLS_REQCERT neverYou can also restrict access to certain groups.
In /etc/pam.d/common-auth:
auth required pam_access.soIn /etc/security/access.conf:
-:ALL EXCEPT root (admin):ALL EXCEPT LOCALDebugging
To debug authentication issues:
sudo tail -f /var/log/auth.logYou can also check from the command line:
sudo getent passwdsudo getent groupfinger {username} # if finger is installed