Pam_ldap detailed configuration


This article is reposted from "pam_ldap detailed configuration".

Configure nss_ldap, pam_ldap and OpenLDAP, and add SSL/TLS to the authentication, on Fedora 6
The nss_ldap-253-1 package contains two modules: nss_ldap and pam_ldap.
nss_ldap: NSS is the Name Service Switch. The nss_ldap module connects to the LDAP server so that the system can resolve users and groups stored in LDAP.
pam_ldap: PAM is the Pluggable Authentication Module framework, which integrates many authentication methods; pam_ldap is one of them and verifies a user's identity against LDAP. Here I use OpenLDAP.

Back up each file before editing it, so that it can be restored if something goes wrong.

First, check /etc/sysconfig/authconfig. This file records which authentication mechanisms are enabled; the following entries should be set to yes:

USELDAP=yes
USELDAPAUTH=yes
USEMD5=yes
USESHADOW=yes
USELOCAUTHORIZE=yes

Configure the/etc/nsswitch. conf file:
Set
Passwd: Files
Shadow: Files
GROUP: Files
Changed:
Passwd: Files LDAP
Shadow: Files LDAP
GROUP: Files LDAP
Allows the system to recognize users and groups in LDAP.

Configure /etc/ldap.conf:
(Note: there is also an /etc/openldap/ldap.conf, which is the configuration file of the OpenLDAP client library. /etc/ldap.conf is the file read by nss_ldap and pam_ldap.)
Leave SSL aside for now and add:
base dc=myserver,dc=com
uri ldap://myserver.com
binddn cn=manager,dc=myserver,dc=com
bindpw secret
uri is the URI of the LDAP server; myserver.com must be resolvable, and nss_ldap uses it to connect to the server. It is equivalent to "host myserver.com" and either one may be used, but uri is more flexible: once SSL is enabled it can be set to "ldaps://myserver.com", which host cannot express. binddn and bindpw are optional; by default an anonymous bind is used.

Configure /etc/pam.d/system-auth:
system-auth is the configuration file for system-wide authentication. The /etc/pam.d directory contains many files, such as sshd and login, and inside them you will find lines such as "auth include system-auth".
This means the auth stack of sshd uses the auth settings from system-auth, so configuring system-auth effectively configures many other services, such as sshd and login, at once.

Statement format: service-name module-type control-flag module-path arguments

Service-name indicates the service name, such as telnet, login, and FTP. The service name "other" indicates all other services that are not explicitly configured in this file.

There are four module types: auth, account, session and password, corresponding to the four management groups supported by PAM. The same service can call several PAM modules for authentication; these modules form a stack. The four types are as follows:
1 auth: authentication management accepts the user name and password, verifies the password and sets the user's credentials.

2 account: account management checks whether the account is allowed to log on to the system, whether the account has expired and whether logon is restricted to certain times.

3 password: password management is used to change a user's password.

4 session: session management provides session setup and teardown, and accounting.

Control-flag is used to tell the PAM library how to handle the success or failure of the PAM module related to the service. It has four possible values: required, requisite, sufficient, and optional.

1 required: this module must succeed for authentication to pass. If it fails, however, the failure is not reported to the user immediately; the remaining modules in the stack are still executed and the failure is returned to the application afterwards. It can be thought of as a necessary condition.

2 requisite: similar to required, this module must succeed for authentication to pass, but as soon as it fails no further modules in the stack are executed and control returns directly to the application. It is also a necessary condition. Note: only supported on Red Hat and Solaris.

3 sufficient: success of this module is enough for authentication to pass, and no other modules in the stack need to be executed. If the module fails, the failure is ignored. It can be thought of as a sufficient condition.

4 optional: this module is optional. Its success or failure generally plays no decisive role in authentication, and its return value is usually ignored.

A newer syntax for control-flag is supported from Linux-PAM 0.63 onwards; see the Linux-PAM documentation.

Module-path specifies the path of the module's shared object, usually as an absolute path. If no absolute path is given, the file is looked up under /usr/lib/security by default.

Arguments are the parameters passed to the module. Each module generally has its own parameters, defined by the module's developers, but the following common parameters are also available:

debug: the module should use syslog() to write debugging information to the system log.

no_warn: the module should not send warning messages to the application.

use_first_pass: the module does not prompt the user for a password but uses the password obtained by the previous module.

try_first_pass: the module should first try the password obtained by the previous module; if that fails, the user is prompted to enter a new password.

use_mapped_pass: the module does not prompt the user for a password but uses the mapped password.

expose_account: allows the module to display the user's account name and other information. It should only be used in a secure environment, because leaking user names is a security risk.

The configuration is as follows:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass          (pam_unix.so authenticates users against the local system)
auth        requisite     pam_succeed_if.so uid >= 500 quiet         (users with uid >= 500 must be verified against LDAP, whether or not they exist in LDAP)
auth        sufficient    pam_ldap.so use_first_pass                 (pam_ldap.so authenticates users against LDAP)
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet          (without this line, local users with uid < 500 would fall through to the LDAP check below, which cannot succeed while the LDAP server is not running, so they would fail)
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3     (used when changing a password)
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok   (use_authtok forces reuse of the password entered for the previous statement; applies when the password is being changed)
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=ok default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022   (create the user's home directory)
session     optional      pam_ldap.so

To log on through login or ssh with an LDAP account, the LDAP user entry must carry uidNumber and gidNumber attributes. The following LDIF files create a user and a group:
users.ldif:

dn: uid=test,dc=myserver,dc=com
uid: test
cn: test
sn: test
mail: test@163.com
userPassword: yourpassword
uidNumber: 1104
gidNumber: 1104
homeDirectory: /home/test
loginShell: /bin/bash
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

group.ldif:

dn: cn=test,dc=myserver,dc=com
cn: test
gidNumber: 1104
objectClass: posixGroup

ldapadd -x -D "cn=manager,dc=myserver,dc=com" -W -f users.ldif
ldapadd -x -D "cn=manager,dc=myserver,dc=com" -W -f group.ldif

Start the OpenLDAP server:
/usr/local/libexec/slapd
Then run id test.
The output uid=1104(test) gid=1104(test) groups=1104(test)
shows that the system can now resolve the user test.
The test user can now log on. The PAM authentication service obtains the user name test from the user and first looks for test in the local system, via
auth sufficient pam_unix.so nullok try_first_pass
In this case test exists only in LDAP, so LDAP verification follows: pam_ldap looks up the entry's distinguished name (DN) on the LDAP server, dn: uid=test,dc=myserver,dc=com. PAM then obtains the password from the user and attempts to bind to the LDAP server with that DN and password. Both the DN and the password are sent to the LDAP server in plain text. The server hashes the password and compares it with the stored value; if the user is allowed to log on, it reports to PAM that the bind succeeded. A successful bind is enough for the pam_ldap module to report success to PAM, and if all other PAM criteria are met the user is allowed to log on to the system.
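As an added example (not from the original article), the following Python simulates how Linux-PAM walks the auth stack shown above, using the control-flag semantics described earlier: a local system account such as root is decided by pam_unix and pam_succeed_if before pam_ldap is ever consulted, while an account that exists only in LDAP (uid 1104 via nss_ldap) falls through to pam_ldap. The user records, passwords and module behaviour are constructed stand-ins, and the same evaluator accepts the [value=action] form used by the account stack.

```python
# Added example, not from the original article: simulate how Linux-PAM evaluates the
# 'auth' stack of the system-auth file above (pam.conf(5) control-flag semantics).
# Users, passwords and module behaviour below are constructed stand-ins.
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "success", "auth_err", "user_unknown", "perm_denied"

# The four classic control flags as their [value=action] equivalents.
FLAGS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def run_stack(stack, user, password, trace=None):
    """Evaluate [(control, module), ...] like pam_dispatch.c; control is a flag name
    or an explicit {retval: action, "default": action} dict such as
    [default=bad success=ok user_unknown=ignore]."""
    impression, status = None, None          # None == _PAM_UNDEF: nothing decided yet
    for control, module in stack:
        actions = FLAGS[control] if isinstance(control, str) else control
        retval = module(user, password)
        if trace is not None:
            trace.append(module.__name__)
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done"):
            # a success only counts while no earlier module has failed
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", retval
            if impression == "pos" and action == "done":
                break                        # sufficient: stop early only if nothing failed
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval   # the first failure is what gets reported
            if action == "die":
                break                        # requisite: abort the stack immediately
        # "ignore": the module's result does not contribute
    return status if impression is not None else PERM_DENIED

# Constructed data: /etc/shadow as seen by pam_unix, the directory as seen by pam_ldap,
# and the merged passwd view that 'files ldap' in nsswitch.conf gives pam_succeed_if.
LOCAL_SHADOW = {"root": "rootpw", "svc": "svcpw"}
LDAP_USERS = {"test": "ldappw"}                  # uid=test,dc=myserver,dc=com
NSS_UID = {"root": 0, "svc": 88, "test": 1104}

def pam_env(user, pw): return SUCCESS
def pam_unix(user, pw):
    if user not in LOCAL_SHADOW: return USER_UNKNOWN
    return SUCCESS if LOCAL_SHADOW[user] == pw else AUTH_ERR
def pam_succeed_if_uid_ge_500(user, pw):        # "uid >= 500 quiet"
    if user not in NSS_UID: return USER_UNKNOWN
    return SUCCESS if NSS_UID[user] >= 500 else AUTH_ERR
def pam_ldap(user, pw):
    if user not in LDAP_USERS: return USER_UNKNOWN
    return SUCCESS if LDAP_USERS[user] == pw else AUTH_ERR
def pam_deny(user, pw): return AUTH_ERR

AUTH_STACK = [("required", pam_env), ("sufficient", pam_unix),
              ("requisite", pam_succeed_if_uid_ge_500),
              ("sufficient", pam_ldap), ("required", pam_deny)]

def authenticate(user, password):
    """Return (final status, names of the modules that were actually consulted)."""
    trace = []
    return run_stack(AUTH_STACK, user, password, trace), trace
```

The trace returned by authenticate() makes the security property visible: for any uid below 500 the stack is decided before pam_ldap runs, so a stopped or unreachable directory can never affect system accounts.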

At this point the user's password is transmitted in plain text, which does not meet the requirements for secure authentication; SSL/TLS must be configured to protect the transport.
OpenSSL must be installed.
Use the CA script shipped with OpenSSL to issue the certificates yourself:
Step 1:
Run /usr/share/ssl/misc/CA.sh -newca
Output:
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...
...
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Unit
Common Name (eg, YOUR name) []:example.com
Email Address []:.
%
This generates demoCA/cacert.pem and demoCA/private/cakey.pem (the CA certificate and its private key).

Step 2: Generate the server key and certificate signing request (CSR)
Run openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...
...
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Org Unit
Common Name (eg, YOUR name) []:myserver.com
Email Address []:ldap@myserver.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:.
%
Note that the Common Name must be the host name of the LDAP server, here myserver.com. This is essential: if it is entered incorrectly, the SSL server-certificate check will fail.
This generates newreq.pem.

Step 3: Sign the CSR
Run /usr/share/ssl/misc/CA.sh -sign

Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Texas'
localityName          :PRINTABLE:'Austin'
organizationName      :PRINTABLE:'Example Org'
organizationalUnitName:PRINTABLE:'Example Org Unit'
commonName            :PRINTABLE:'myserver.com'
emailAddress          :IA5STRING:'ldap@myserver.com'
Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit, CN=example.com
        Validity
            Not Before: Apr 11 18:58:58 2003 GMT
            Not After : Apr 10 18:58:58 2004 GMT
        Subject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit, CN=myserver.com/emailAddress=ldap@myserver.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61
            X509v3 Authority Key Identifier:
                keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1
                DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/CN=example.com
                serial:00

    Signature Algorithm: md5WithRSAEncryption

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Signed certificate is in newcert.pem
%
This generates newcert.pem.

Step 4: Install the CA certificate, server certificate and server key where slapd can read them:
% cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem
% mv newcert.pem /usr/var/openldap-data/servercrt.pem
% mv newreq.pem /usr/var/openldap-data/serverkey.pem
% chmod 400 /usr/var/openldap-data/serverkey.pem   (make the private key readable only by its owner)

Configure OpenLDAP

Server-side settings (slapd.conf):
add
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
The complete slapd.conf is as follows:
#######################################################################
# $OpenLDAP: www/pages/pub/ksoper/openldap_tls.html,v 1.1 2007/10/09 21:28:09 Kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/etc/openldap/schema/core.schema
include         /usr/etc/openldap/schema/cosine.schema
include         /usr/etc/openldap/schema/inetorgperson.schema
include         /usr/etc/openldap/schema/misc.schema
include         /usr/etc/openldap/schema/openldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/var/slapd.pid
argsfile        /usr/var/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#
#       Disallow clear text exchange of passwords
#disallow bind_simple_unprotected
#
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to *
        by self write
        by * read

# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

# CA signed certificate and server cert entries:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem

# Use the following if client authentication is required
TLSVerifyClient demand
# ... or not desired at all
#TLSVerifyClient never

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
#suffix         "dc=my-domain,dc=com"
#rootdn         "cn=Manager,dc=my-domain,dc=com"
suffix          "dc=myserver,dc=com"
rootdn          "cn=manager,dc=myserver,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
rootpw          {SSHA}/nm76xvhqgbymf/mplwz4eup6ejspcfc

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/var/openldap-data

# Indices to maintain
index   objectClass     eq

Client settings:
/etc/openldap/ldap.conf
HOST myserver.com
PORT 636

TLS_CACERT /usr/var/openldap-data/cacert.pem
TLS_REQCERT demand
If the client and server are not on the same machine, copy cacert.pem to the client machine.

In addition, in /etc/ldap.conf:
change uri ldap://myserver.com to uri ldaps://myserver.com
and add:
# OpenLDAP SSL mechanism; the start_tls mechanism uses the normal LDAP port 389
ssl on   (with start_tls the default port 389 is used; ssl on uses port 636)
# Require and verify server certificate
tls_checkpeer yes
# CA certificates for server certificate verification
tls_cacertfile /usr/var/openldap-data/cacert.pem
pam_password md5

The complete /etc/ldap.conf is as follows:
base dc=myserver,dc=com
uri ldaps://myserver.com
binddn cn=manager,dc=myserver,dc=com
bindpw secret
# OpenLDAP SSL mechanism; the start_tls mechanism uses the normal LDAP port 389
ssl on
# Require and verify server certificate
tls_checkpeer yes
# CA certificates for server certificate verification
tls_cacertfile /usr/var/openldap-data/cacert.pem
pam_password md5

Restart the LDAP server:
/usr/local/libexec/slapd -h "ldaps:///"

On the client, run
openssl s_client -connect myserver.com:636 -showcerts -state -CAfile /usr/var/openldap-data/cacert.pem
to test whether an SSL connection can be established.

Run ldapsearch -x -b 'dc=myserver,dc=com' -D "cn=manager,dc=myserver,dc=com" '(objectclass=*)' -H ldaps://myserver.com -W
to test whether the LDAP server can be reached over LDAPS.

Log on as the test user to confirm that the login succeeds.

If the client and server are the same machine, system startup pauses for a long time at "starting system message bus": nss_ldap appears to be trying to reach the LDAP server, which has not started yet, and it takes several minutes of retries before the connection finally fails.
If the client and server are on different machines, this problem does not occur.

 

References:

Use LDAP to manage users and groups
http://gnawux.bokee.com/4721705.html
Use OpenLDAP to centrally manage user accounts
http://linux.chinaitlab.com/administer/519684.html
OpenLDAP server with server-side SSL/TLS and client authentication
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
