Welcome to the DjaoDjin Blog!

A place to share experiences in building Software-as-a-Service.

Setting-up PAM and LDAP

by Sebastien Mirolo on Tue, 15 May 2012

I wanted to setup my web app to authenticate through PAM as a general authentication mechanism. Since users are allowed to register and update password through the web app directly, I indented to use LDAP to hold user profile information. So I delve into setting-up PAM and LDAP.

As it turns out, libpam-ldapd is used in conjunction with posixAccount objectClasses DNs. I wanted my user DNs to solely require inetOrgPerson and thus in the end, I authenticated to LDAP directly. None-the-less here are my notes on setting-up PAM and LDAP.

Enabling PAM debugging

Debugging authentication setups is often a pain. Many times you get an "authentication failed" error message with little help on what went wrong. First thing is thus to figure out how to enable debug messages in the system logs.


# Enable debugging for all modules:
$ touch /etc/pam_debug

# Adding "debug" at the end of lines in pam.d/*app* files, ex:
$ diff -u prev /etc/pam.d/common-auth
-auth    required  pam_unix.so
+auth    required  pam_unix.so debug

# Logging of debug messages in syslog
$ touch /var/log/debug.log
$ chmod 666 /var/log/debug.log
$ diff -u prev /etc/rsyslog.conf
+*.debug /var/log/debug.log
$ service rsyslog restart

using LDAP for PAM authentication

First we need to populate our LDAP server as done in a previous post.


# To find out what is associated to cn=config.
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep '^#'
# {0}core, schema, config
# {1}cosine, schema, config
# {2}nis, schema, config
# {3}inetorgperson, schema, config
$ ldapadd -Y EXTERNAL -H ldapi:/// \
      -f /etc/ldap/slapd.d/backend.example.com.ldif
$ ldapadd -x -W -D cn=admin,dc=example,dc=com \
      -f /etc/ldap/slapd.d/frontend.example.com.ldif

# Add a user account
$ cat john.doe.ldif
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1001
gidNumber: 1001
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
$ ldapadd -x -W -D cn=admin,dc=example,dc=com -f john.doe.ldif

# list all people in LDAP database
$ ldapsearch -x -W -D cn=admin,dc=example,dc=com \
      -b ou=people,dc=example,dc=com

$ getent passwd

There are two packages that seem to fit the bill of setting PAM with LDAP. Following advices in here, I went with libpam-ldapd.


$ aptitude search ldap | grep pam
p   libpam-ldap                     - Pluggable Authentication Module for LDAP
p   libpam-ldapd                    - PAM module for using LDAP as an authentica

$ aptitude install libpam-ldapd
$ cat /etc/nslcd.conf
uri ldap://127.0.0.1/
base dc=example,dc=com

$ grep -rl ldap /etc/pam.d/
/etc/pam.d/common-session-noninteractive
/etc/pam.d/common-password
/etc/pam.d/common-auth
/etc/pam.d/common-session
/etc/pam.d/common-account

$ diff -u prev /etc/nsswitch.conf
-passwd:         compat
-group:          compat
-shadow:         compat
+passwd:         compat ldap
+group:          compat ldap
+shadow:         compat ldap

$ sudo /etc/init.d/nscd restart
$ sudo /etc/init.d/nslcd restart

# Enabling ldap debugging (in case)
$ diff -u prev /etc/default/slapd
-LAPD_OPTIONS=""
+LAPD_OPTIONS="-d 1 -s 1"