LDAP based user login

Caution

In this exercise you'll modify your system's Pluggable Authentication Modules (PAM). You may easily get locked out due to an unintended misconfiguration. Stick to the following procedure to avoid this type of mishap:

  1. Beforehand, create a backup /root/pam.tgz of your working PAM configuration, which consists of /etc/pam.conf and the files below /etc/pam.d:

    cd /etc
    tar zcf /root/pam.tgz pam.conf pam.d

    Check that the resulting archive contains something like:

    root@sdi12b:~# tar ztf /root/pam.tgz 
    pam.conf
    pam.d/
    pam.d/newusers
    pam.d/sshd
    ...
    pam.d/chfn
    pam.d/chsh
  2. Always keep an independent (emergency) shell open when tinkering with PAM. If you can no longer log in, e.g. via ssh, this shell lets you restore your working configuration:

    cd /etc
    mv pam.d pam.d.orig        # Save your current (not working) PAM
    mv pam.conf pam.conf.orig  # configuration for later inspection.
    
    tar zxf /root/pam.tgz      # Restore your working PAM configuration

    After this try to log in again.

  3. Prior to rebooting (and thus losing your emergency login shell) always try logging in, thereby testing that your system is still accessible.

Configure your second VM (the one without an LDAP server) to allow user logins based purely on LDAP.

  • Activating OS-level LDAP user, group and password support is outlined in Configure LDAP Client on Ubuntu.

  • LDAP user entry DNs must be addressed by uid, e.g. uid=ldaptest,ou=people,... . After successful configuration you should see:

    $ id ldaptest
    uid=1001(ldaptest) gid=1001(ldaptest) groups=1001(ldaptest)

    An id: ‘ldaptest’: no such user message indicates that your LDAP setup does not (yet) work.

    Tip

    • /etc/nsswitch.conf should contain:

      passwd:         files ldap
      group:          files ldap
      shadow:         files ldap

      What does this mean?

    • Shut down your nscd daemon. Why?

    • Your Secure Shell Daemon configuration /etc/ssh/sshd_config should contain:

      PasswordAuthentication yes

    • After changing your configuration a reboot might be required.

    • For debugging login attempts you may want to set your LDAP server's logging level to include at least conns, config and stats.

  • Create the required user home directory manually beforehand, setting owner and group accordingly.
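The checks from the tip above (nsswitch.conf sources, PasswordAuthentication, nscd, id ldaptest) as an added preflight script that is not part of the course page. Each check reads the configuration file passed to it, so it runs against the VM's /etc files or against the constructed sample files written by mk_samples; the user name ldaptest is the one used on this page, and Match blocks in sshd_config are deliberately not handled.

```sh
# Added preflight checks for the LDAP login exercise (not from the course page).
# Each function reads the configuration file given as its argument.

# Succeed only if passwd, group AND shadow each list "ldap" as a source.
nsswitch_has_ldap() {
    awk '
        /^[ \t]*(passwd|group|shadow)[ \t]*:/ {
            db = $1; sub(/:.*/, "", db)           # database name before the colon
            rest = $0; sub(/^[^:]*:/, "", rest)   # sources after the colon
            sub(/#.*/, "", rest)                  # drop a trailing comment
            n = split(rest, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "ldap") seen[db] = 1
        }
        END { exit !(seen["passwd"] && seen["group"] && seen["shadow"]) }
    ' "$1"
}

# Succeed if sshd will accept password logins. sshd honours the FIRST occurrence
# of a keyword, so a later "PasswordAuthentication yes" cannot override an
# earlier "no". If the keyword is absent, sshd's default of "yes" applies.
sshd_password_auth() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1" | grep -qx yes
}

# Live check on the VM: returns 0 only when everything the exercise expects is in place.
ldap_login_preflight() {
    nsswitch_has_ldap /etc/nsswitch.conf    || { echo "nsswitch.conf: not all of passwd/group/shadow use ldap"; return 1; }
    sshd_password_auth /etc/ssh/sshd_config || { echo "sshd_config: PasswordAuthentication is not yes"; return 1; }
    ! pgrep -x nscd >/dev/null              || { echo "nscd is running; stop it so cached answers do not mask LDAP lookups"; return 1; }
    id ldaptest >/dev/null 2>&1             || { echo "id ldaptest fails: NSS cannot resolve the LDAP user"; return 1; }
    echo "preflight ok"
}

# Constructed sample files (not taken from any real host) to exercise the checks offline.
mk_samples() {
    d=$(mktemp -d)
    printf 'passwd:  files ldap\ngroup:   files ldap\nshadow:  files ldap\nhosts:   files dns\n' > "$d/nsswitch.good"
    printf 'passwd:  files\ngroup:   files ldap\nshadow:  files ldap   # ldap missing for passwd\n' > "$d/nsswitch.bad"
    printf '# first value wins\nPasswordAuthentication no\nPasswordAuthentication yes\n' > "$d/sshd.no"
    printf '# keyword absent, default applies\nPort 22\n' > "$d/sshd.default"
    echo "$d"
}
```

Run ldap_login_preflight from your emergency shell before every reboot; it fails on the first unmet expectation and names it.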

Tip

LDAP user information (uid, common name, numerical id, group information ...) will reside on your LDAP Server rather than locally in /etc/passwd, /etc/group and /etc/shadow.