
LDAP Client Authentication

  1. The first file to modify is "/etc/ldap.conf": it tells nss_ldap and pam_ldap which LDAP server to look users up in and authenticate against. Anyone who can edit this file, or impersonate the server it names, controls who may log in, so treat it as part of the host's trust boundary.

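    # /etc/ldap.conf -- nss_ldap / pam_ldap client settings.
    # Keep "host" and "uri" pointing at the same server.
    host yourdomain.com
    base dc=yourdomain,dc=com
    # ldap:// is cleartext: the rootbinddn bind (password from /etc/ldap.secret)
    # and every password pam_ldap sends cross the network unencrypted. Use an
    # ldaps:// URI, or enable STARTTLS and verify the server certificate:
    #   ssl start_tls
    #   tls_checkpeer yes
    #   tls_cacertfile /etc/ssl/certs/your-ca.pem
    uri ldap://yourdomain.com/
    ldap_version 3
    # cn=Manager is the directory administrator. A client only needs to read
    # ou=People (including shadow attributes); binding with a dedicated, read-only
    # DN limits what an attacker gains from stealing /etc/ldap.secret.
    rootbinddn cn=Manager,dc=yourdomain,dc=com
    scope sub
    # Short limits so an unreachable server fails over to the local "files"
    # source instead of hanging every login.
    timelimit 5
    bind_timelimit 5
    nss_reconnect_tries 2
    pam_login_attribute uid
    pam_member_attribute gid
    # Exactly one pam_password method. "exop" uses the LDAP Password Modify
    # extended operation so the server hashes the new password; "md5" (the other
    # value that was listed) hashes on the client with an unsalted digest and
    # needs write access to userPassword, and the two lines contradict each other.
    pam_password exop
    nss_base_passwd  ou=People,dc=yourdomain,dc=com
    nss_base_shadow  ou=People,dc=yourdomain,dc=com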
    
    
    
  2. Now put the password of the rootbinddn into "/etc/ldap.secret" so the client can bind to the LDAP server. The file holds nothing but the password on a single line (no comments), and it is stored in cleartext, so it must be owned by root with mode 0600 (chmod 600 /etc/ldap.secret): anyone who can read it has the directory administrator's credentials.

    password
  3. Now we have to modify this file "/etc/nsswitch.conf"

    # Local files first for users and groups, so root and system accounts still
    # resolve (and root can log in) when the directory is unreachable.
    passwd:         files ldap
    group:          files ldap
    hosts:          dns ldap
    # "[NOTFOUND=return]" ends the lookup when LDAP answers "no such entry"; the
    # local file is consulted only when the LDAP source is unavailable. Entries
    # that exist solely in /etc/services, /etc/protocols etc. are therefore
    # invisible while the directory is up. Drop the action if that is not wanted.
    services:   ldap [NOTFOUND=return] files
    networks:   ldap [NOTFOUND=return] files
    protocols:  ldap [NOTFOUND=return] files
    rpc:        ldap [NOTFOUND=return] files
    ethers:     ldap [NOTFOUND=return] files
    netmasks:   files
    bootparams: files
    publickey:  files
    automount:  files
    sendmailvars:   files
    # netgroups from LDAP are what pam_access / +@netgroup entries will see.
    netgroup:   ldap [NOTFOUND=return] files
    
    
    
  4. Now it is time to modify the files in /etc/pam.d/ directory.
    First file to be modified is "/etc/pam.d/login"


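    # /etc/pam.d/login -- console logins via login(1). Complete file; the
    # pam_ldap.so lines are the LDAP additions.
    #
    # Stack order is the security control: a "sufficient" module that succeeds
    # ends the stack, so every restriction (securetty, nologin, failed-login
    # accounting) must come BEFORE pam_ldap.so or directory users bypass it.
    auth            requisite       pam_securetty.so
    auth            requisite       pam_nologin.so
    # Records every attempt; add deny=N here if a lockout is wanted (without it
    # the module only writes to faillog).
    auth            required        pam_tally.so onerr=succeed file=/var/log/faillog
    # LDAP first; on failure the same password is retried against /etc/shadow.
    auth            sufficient      pam_ldap.so
    auth            required        pam_unix.so use_first_pass

    account         required        pam_access.so
    account         required        pam_time.so
    account         required        pam_unix.so
    # Enforce the directory's account policy (expiry, host restrictions) for LDAP
    # users. A plain "sufficient" here would silently ignore an LDAP denial;
    # "required" would lock out local users. Unknown users and an unreachable
    # directory are ignored so local root can still log in when LDAP is down.
    account         [success=ok new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so

    # Expired-password changes: LDAP users are done after pam_ldap.so, local
    # users fall through to /etc/shadow.
    password        sufficient      pam_ldap.so
    password        required        pam_unix.so

    session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session         required        pam_unix.so
    session         required        pam_env.so
    session         required        pam_motd.so
    session         required        pam_limits.so
    session         optional        pam_mail.so dir=/var/spool/mail standard
    session         sufficient      pam_ldap.so
    session         optional        pam_lastlog.so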
    
    
    
  5. Now we modify "/etc/pam.d/shadow"

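    # /etc/pam.d/shadow -- used by the shadow-suite utilities. Complete file.
    # root needs no password; everyone else is checked against LDAP first and
    # then, with the same password, against /etc/shadow. (Listing pam_unix.so as
    # "required" ahead of pam_ldap.so would make a local password mandatory and
    # lock out directory-only users.)
    auth            sufficient      pam_rootok.so
    auth            sufficient      pam_ldap.so
    auth            required        pam_unix.so use_first_pass

    account         required        pam_unix.so
    # Enforce LDAP account policy for directory users; ignore local users and an
    # unreachable directory rather than failing them.
    account         [success=ok new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so

    session         required        pam_unix.so
    session         sufficient      pam_ldap.so

    # pam_permit.so always succeeds, so this stack reports success even when the
    # LDAP password change failed, and it never updates /etc/shadow. If these
    # tools are meant to change local passwords, use pam_unix.so here instead,
    # as /etc/pam.d/passwd does.
    password        sufficient      pam_ldap.so
    password        required        pam_permit.so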
    


  6. Now we modify "/etc/pam.d/passwd"

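    # /etc/pam.d/passwd -- passwd(1). Complete file.
    # Directory users change their password in LDAP (server-side, see
    # pam_password exop in /etc/ldap.conf); local users fall through to
    # /etc/shadow. "nullok" was removed: it lets accounts with an empty
    # password pass the current-password check, which a shared login host
    # should never allow.
    password        sufficient      pam_ldap.so
    password        required        pam_unix.so shadow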
    


  7. Now we modify "/etc/pam.d/su"

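    # /etc/pam.d/su -- su(1). Complete file.
    # root switches user without a password; everyone else authenticates against
    # LDAP, then against /etc/shadow with the same password.
    auth            sufficient      pam_rootok.so
    # Uncomment to limit su to members of the wheel group:
    #auth           required        pam_wheel.so use_uid
    auth            sufficient      pam_ldap.so
    auth            required        pam_unix.so use_first_pass

    # Required checks first; with "account sufficient pam_ldap.so" at the top a
    # directory user would skip pam_unix.so entirely. Unknown users and an
    # unreachable directory are ignored so local root can still su when LDAP
    # is down.
    account         required        pam_unix.so
    account         [success=ok new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so

    session         required        pam_unix.so
    session         sufficient      pam_ldap.so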
    


  8. Now we modify "/etc/pam.d/sudo"

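    # /etc/pam.d/sudo -- sudo(8). Complete file.
    # pam_nologin.so must run before the "sufficient" LDAP module: placed after
    # it, a successful LDAP authentication ends the stack and /etc/nologin is
    # never honoured.
    auth            required        pam_nologin.so
    auth            sufficient      pam_ldap.so
    auth            required        pam_unix.so use_first_pass
    # Only the auth phase is defined here. For the account and session phases
    # Linux-PAM falls back to the "other" service (/etc/pam.d/other); make sure
    # that file is restrictive, or add explicit account lines as in
    # /etc/pam.d/su.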
    
    
    
  9. In "/etc/pam.d/sshd" add pam_ldap.so entries for the auth, account and password stacks (the session stack gets one as well, shown in the full file below). sshd only consults this file when sshd_config has "UsePAM yes".
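    # /etc/pam.d/sshd -- OpenSSH (requires "UsePAM yes" in sshd_config).
    # Complete file; the pam_ldap.so lines are the LDAP additions.
    auth            required        pam_nologin.so
    # pam_env.so before the "sufficient" LDAP module, or LDAP users never get it.
    auth            required        pam_env.so
    auth            sufficient      pam_ldap.so
    auth            required        pam_unix.so use_first_pass

    # Required checks first: with "account sufficient pam_ldap.so" at the top a
    # directory user would skip pam_unix.so and the pam_time.so restrictions.
    # Unknown users and an unreachable directory are ignored so local accounts
    # still work when LDAP is down.
    account         required        pam_unix.so
    account         required        pam_time.so
    account         [success=ok new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so

    # Two "required" password modules would demand that BOTH the directory and
    # /etc/shadow accept the change, which only an account present in both can
    # satisfy. LDAP users are done after pam_ldap.so; local users fall through.
    password        sufficient      pam_ldap.so
    password        required        pam_unix.so

    session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
    # NOTE(review): pam_unix_session.so is the old split module name; current
    # Linux-PAM provides the session part in pam_unix.so -- verify which one
    # exists under /lib/security on this host.
    session         required        pam_unix_session.so
    session         sufficient      pam_ldap.so
    session         required        pam_limits.so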
    

