- The first file to modify is "/etc/ldap.conf", because it tells the system which LDAP server to authenticate to. Note that a plain ldap:// URI carries the simple-bind password unencrypted; use ldaps:// or StartTLS on anything but a test network.
host yourdomain.com
base dc=yourdomain,dc=com
uri ldap://yourdomain.com/
ldap_version 3
rootbinddn cn=Manager,dc=yourdomain,dc=com
scope sub
timelimit 5
bind_timelimit 5
nss_reconnect_tries 2
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
pam_password exop
nss_base_passwd ou=People,dc=yourdomain,dc=com
nss_base_shadow ou=People,dc=yourdomain,dc=com
- Next, put the rootbinddn password in "/etc/ldap.secret" so that the client can bind to the LDAP server. The file holds the password in clear text, so it must be owned by root with mode 0600 (chmod 600 /etc/ldap.secret).
password
- Now modify "/etc/nsswitch.conf":
passwd: files ldap
group: files ldap
hosts: dns ldap
services: ldap [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: files
bootparams: files
publickey: files
automount: files
sendmailvars: files
netgroup: ldap [NOTFOUND=return] files
- Now it is time to modify the files in the /etc/pam.d/ directory.
The first file to modify is "/etc/pam.d/login". The pam_ldap.so entries to add are:
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
session sufficient pam_ldap.so
The complete file then reads:
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
auth required pam_tally.so onerr=succeed file=/var/log/faillog
account required pam_access.so
account required pam_time.so
account required pam_unix.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/spool/mail standard
session sufficient pam_ldap.so
session optional pam_lastlog.so
- Now we modify "/etc/pam.d/shadow". The pam_ldap.so entries to add are:
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
session sufficient pam_ldap.so
The complete file then reads:
auth sufficient pam_rootok.so
auth required pam_unix.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_ldap.so
session required pam_unix.so
session sufficient pam_ldap.so
password sufficient pam_ldap.so
password required pam_permit.so
- Now we modify "/etc/pam.d/passwd". The pam_ldap.so entry to add is:
password sufficient pam_ldap.so
The complete file then reads:
password sufficient pam_ldap.so
password required pam_unix.so shadow nullok
- Now we modify "/etc/pam.d/su". The pam_ldap.so entries to add are:
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
session sufficient pam_ldap.so
The complete file then reads:
auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
- Now we modify "/etc/pam.d/sudo". The pam_ldap.so entry to add is:
auth sufficient pam_ldap.so
The complete file then reads:
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
auth required pam_nologin.so
- In "/etc/pam.d/sshd" you have to add three pam_ldap.so entries, shown first; the complete file follows.
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password required pam_ldap.so
The complete file then reads:
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
account required pam_time.so
password required pam_ldap.so
password required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix_session.so
session sufficient pam_ldap.so
session required pam_limits.so
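As an added example that is not part of the original post, the following POSIX shell script sanity-checks files shaped like those above: the mode of ldap.secret, whether nsswitch.conf routes a database to ldap, whether a pam.d stack loads pam_ldap.so, and whether every "sufficient pam_ldap.so" line is backed by a required pam_unix.so fallback in the same stack. The helper names, the temporary directory and the sample file contents are constructed for the example and assume GNU/BSD-style find(1) and awk(1).

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for client files of the
# shapes shown above. Assumes pam.d-style lines ("type control module [args]").
set -e

# 0 if FILE has mode exactly 0600. ldap.secret holds the rootbinddn password in
# clear text, so it must be readable by root only (check ownership too in real use).
secret_mode_ok() {
    [ -n "$(find "$1" -prune -perm 0600 -print)" ]
}

# 0 if nsswitch.conf lists "ldap" as a source for database DB (passwd, group, ...).
nss_uses_ldap() {
    awk -v db="$2:" 'BEGIN { ok = 0 }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
        END { exit !ok }' "$1"
}

# 0 if the TYPE stack (auth/account/password/session) of a pam.d file loads pam_ldap.so.
pam_has_ldap() {
    awk -v t="$2" 'BEGIN { ok = 0 } $1 == t && $3 == "pam_ldap.so" { ok = 1 }
        END { exit !ok }' "$1"
}

# 0 if every "TYPE sufficient pam_ldap.so" line is followed by a required/requisite
# pam_unix.so line for the same TYPE. Without that fallback an LDAP outage locks out
# local accounts, or a later pam_permit.so passes the stack with nothing verified.
pam_ldap_fallback_ok() {
    awk -v t="$2" 'BEGIN { pending = 0 }
        $1 == t && $2 == "sufficient" && $3 == "pam_ldap.so" { pending = 1 }
        $1 == t && ($2 == "required" || $2 == "requisite") && $3 == "pam_unix.so" { pending = 0 }
        END { exit pending }' "$1"
}

# Constructed sample input in DIR, mirroring the file shapes in the post.
write_samples() {
    printf 'passwd: files ldap\ngroup: files ldap\nhosts: dns ldap\n' > "$1/nsswitch.conf"
    printf 'secret\n' > "$1/ldap.secret" && chmod 0600 "$1/ldap.secret"
    printf '%s\n' 'auth sufficient pam_ldap.so' 'auth required pam_unix.so use_first_pass' \
        'account sufficient pam_ldap.so' 'account required pam_unix.so' > "$1/good.pam"
    printf '%s\n' 'password sufficient pam_ldap.so' 'password required pam_permit.so' > "$1/weak.pam"
}
tmp=$(mktemp -d) && write_samples "$tmp"
secret_mode_ok "$tmp/ldap.secret" && echo "ldap.secret: mode 0600"
nss_uses_ldap "$tmp/nsswitch.conf" passwd && echo "nsswitch.conf: passwd uses ldap"
pam_has_ldap "$tmp/good.pam" auth && echo "good.pam: auth loads pam_ldap.so"
pam_ldap_fallback_ok "$tmp/good.pam" auth && echo "good.pam: auth falls back to pam_unix.so"
pam_ldap_fallback_ok "$tmp/weak.pam" password || echo "weak.pam: password has no pam_unix.so fallback"
rm -rf "$tmp"
```

Point the functions at the real /etc/ldap.secret, /etc/nsswitch.conf and /etc/pam.d/* files to audit a configured client.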
LDAP Client Authentication
Posted by DevOps