Setting-up PAM and LDAP
by Sebastien Mirolo on Tue, 15 May 2012

I wanted to set up my web app to authenticate through PAM as a general authentication mechanism. Since users are allowed to register and update their password directly through the web app, I intended to use LDAP to hold the user profile information. So I delved into setting up PAM and LDAP.
As it turns out, libpam-ldapd expects user DNs that carry the posixAccount objectClass. I wanted my user DNs to require only inetOrgPerson, so in the end I authenticated against LDAP directly. Nonetheless, here are my notes on setting up PAM and LDAP.
Enabling PAM debugging
Debugging authentication setups is often a pain. Many times you get an "authentication failed" error message with little help on what went wrong. The first thing, then, is to figure out how to enable debug messages in the system logs.
# Enable debugging for all modules:
$ touch /etc/pam_debug

# Adding "debug" at the end of lines in pam.d/*app* files, ex:
$ diff -u prev /etc/pam.d/common-auth
-auth required pam_unix.so
+auth required pam_unix.so debug

# Logging of debug messages in syslog
$ touch /var/log/debug.log
$ chmod 666 /var/log/debug.log
$ diff -u prev /etc/rsyslog.conf
+*.debug /var/log/debug.log
$ service rsyslog restart
Using LDAP for PAM authentication
First we need to populate our LDAP server, as described in a previous post.
# To find out what is associated to cn=config.
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep '^#'
# {0}core, schema, config
# {1}cosine, schema, config
# {2}nis, schema, config
# {3}inetorgperson, schema, config
$ ldapadd -Y EXTERNAL -H ldapi:/// \
    -f /etc/ldap/slapd.d/backend.example.com.ldif
$ ldapadd -x -W -D cn=admin,dc=example,dc=com \
    -f /etc/ldap/slapd.d/frontend.example.com.ldif

# Add a user account
$ cat john.doe.ldif
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1001
gidNumber: 1001
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
$ ldapadd -x -W -D cn=admin,dc=example,dc=com -f john.doe.ldif

# List all people in the LDAP database
$ ldapsearch -x -W -D cn=admin,dc=example,dc=com \
    -b ou=people,dc=example,dc=com
$ getent passwd
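The point made above, that libpam-ldapd/nslcd only deals with posixAccount entries, can be checked before an LDIF file is loaded. The script below is an added example, not code from this post: it parses one LDIF entry, reports the MUST attributes missing for the objectClasses it declares (lists taken from the nis and inetorgperson schemas), flags an inetOrgPerson-only entry that nslcd would not see, and flags a clear-text userPassword like the one in john.doe.ldif. Both entries in it are constructed for the example.

```python
# Added example, not code from the original post: MUST attribute lists follow
# the nis (RFC 2307) and inetorgperson (RFC 2798) schemas; entries are constructed.
MUST = {  # attributes each objectClass requires
    "inetOrgPerson": {"sn", "cn"},  # inherited from person
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "shadowAccount": {"uid"},
}
HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")  # hashed by slapd

JOHN_LDIF = """dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
cn: John Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/john
userPassword: password
"""
# inetOrgPerson only: fine for a direct LDAP bind, invisible to nslcd.
JANE_LDIF = """dn: uid=jane,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jane
sn: Roe
cn: Jane Roe
userPassword: {SSHA}constructed-hash-value
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]} (no base64 or folded lines)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_entry(text):
    """List the problems that make nslcd skip this account or weaken it."""
    entry = parse_ldif(text)
    classes = set(entry.get("objectClass", []))
    problems = [f"{cls} requires {attr}" for cls in sorted(classes & set(MUST))
                for attr in sorted(MUST[cls] - set(entry))]
    if "posixAccount" not in classes:  # nslcd builds passwd from posixAccount
        problems.insert(0, "missing objectClass posixAccount (invisible to nslcd)")
    if any(not pw.startswith(HASH_SCHEMES) for pw in entry.get("userPassword", [])):
        problems.append("userPassword is clear text; hash it with slappasswd")
    return problems
```

Run against john.doe.ldif, the only finding is the clear-text password; against the inetOrgPerson-only entry, the missing posixAccount is what explains an empty getent passwd for that user.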
There are two packages that seem to fit the bill for setting up PAM with LDAP. Following the advice here, I went with libpam-ldapd.
$ aptitude search ldap | grep pam
p   libpam-ldap    - Pluggable Authentication Module for LDAP
p   libpam-ldapd   - PAM module for using LDAP as an authentica
$ aptitude install libpam-ldapd
$ cat /etc/nslcd.conf
uri ldap://127.0.0.1/
base dc=example,dc=com
$ grep -rl ldap /etc/pam.d/
/etc/pam.d/common-session-noninteractive
/etc/pam.d/common-password
/etc/pam.d/common-auth
/etc/pam.d/common-session
/etc/pam.d/common-account
$ diff -u prev /etc/nsswitch.conf
-passwd: compat
-group: compat
-shadow: compat
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
$ sudo /etc/init.d/nscd restart
$ sudo /etc/init.d/nslcd restart

# Enabling ldap debugging (in case)
$ diff -u prev /etc/default/slapd
-SLAPD_OPTIONS=""
+SLAPD_OPTIONS="-d 1 -s 1"