LDAP for an internet project. Part 4

    I apologize for the delay in writing this part of the article; let's continue!
    Links to other parts: one, two, three, five
    In this part we will learn how to log in to our Linux / Unix servers.

    As I said, configuring authorization itself is not that hard; the hard part is planning the structure of our directory. I did it this way:
    I store users in objects of type posixAccount and unix groups in objects of type posixGroup.
    The users themselves live in containers such as ou=developers,ou=shell-users,dc=habr,dc=ru

    Servers are not objects but containers, in which objects of type groupOfUniqueNames are stored to define which users have access to this server, along with objects for sudo rights. It is also convenient to store information about IP addresses and so on there. For example, the DN of the object that holds the users with access to the server:
    cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
    My layout may not suit your case; one way or another, you need to draw up a structure.

    We proceed directly to the configuration:
    For authorization the nss_ldap and pam_ldap modules, developed by the company with the sonorous name PADL, are used.
    Install the necessary packages:
    apt-get install libpam-ldap libnss-ldap
    The installer will ask the following questions:
    • LDAP URI - enter ldap://ldap.habr.ru
    • Search base - enter ou=shell-users,dc=habr,dc=ru
    • LDAP Version - 3
    • Local root database admin - we do not need it, answer No
    • The next question, whether the local database should be a clone - answer No
    • An account for managing LDAP - we don't need it either, since we configured authorization for anonymous users. Otherwise enter cn=admin,dc=habr,dc=ru
    • And the password for this account, if you chose the second option in the previous item


    You can check the settings in the files /etc/pam_ldap.conf and /etc/libnss-ldap.conf
    Mine are identical, so I made symbolic links:
    ln -sf /etc/libnss-ldap.conf /etc/pam_ldap.conf
    If you entered the administrator password, then also:
    ln -sf /etc/libnss-ldap.secret /etc/pam_ldap.secret

    Next we need to adjust the PAM configuration (be careful: a mistake here can lock you out, so keep a root shell open while testing):
    cat > /etc/pam.d/common-account << "EOF"
    account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
    account required pam_unix.so
    EOF
    Here ignore_authinfo_unavail lets local accounts keep working when the LDAP server is unreachable, and ignore_unknown_user hands accounts that are not in LDAP over to pam_unix.


    cat > /etc/pam.d/common-auth << "EOF"
    auth sufficient pam_ldap.so
    auth required pam_unix.so nullok_secure
    EOF


    cat > /etc/pam.d/common-password << "EOF"
    password sufficient pam_ldap.so
    password required pam_unix.so nullok obscure min=4 max=8 md5
    EOF
    (md5 and the 8-character cap are weak by today's standards; recent pam_unix versions accept sha512 in place of md5.)


    cat > /etc/pam.d/common-session << "EOF"
    session required pam_mkhomedir.so umask=0077 skel=/etc/skel/ silent
    session sufficient pam_ldap.so
    session required pam_unix.so
    EOF
    The pam_mkhomedir line creates the home directory if it does not exist yet.


    Edit the file /etc/nsswitch.conf:
    passwd: files ldap
    group: files ldap
    shadow: files ldap



    After that the system will actually let in any user located in ou=shell-users,dc=habr,dc=ru and below, but we need to admit users based on a particular criterion. There are several options:
    1.
    Use groupOfUniqueNames: in /etc/pam_ldap.conf write the following lines:
    pam_groupdn cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
    pam_member_attribute uniqueMember


    Everything seems fine, except that there can be only one such group.
    2.
    Use an additional PAM module - pam_listfile or pam_succeed_if
    These modules can check the user against attributes such as user, group, rhost, tty...
    But here the group has to be a posixGroup (resolved through NSS), which is not very convenient, although it can be adapted. I did not like it.
    3.
    This is actually the first option, but with a patch from padl.com that allows several pam_groupdn entries in the configuration. It is done like this:
    apt-get install build-essential fakeroot dpkg-dev
    cd /usr/src
    apt-get source libpam-ldap
    apt-get build-dep libpam-ldap
    cd /usr/src/libpam-ldap-184 (the directory name may differ depending on the Debian version)
    wget "http://bugzilla.padl.com/attachment.cgi?id=227" -O - | sed s=orig/pam=pam= | sed s=new/pam=pam= > debian/patches/99pam_ldap.patch
    dpkg-buildpackage -rfakeroot -uc -b
    dpkg -i ../libpam-ldap*.deb


    For Debian Squeeze patches are applied a little differently:
    wget -q "http://bugzilla.padl.com/attachment.cgi?id=227" -O - | sed s=orig/pam=pam= | sed s=new/pam=pam= > debian/patches/multi_groupdn
    echo multi_groupdn >> debian/patches/series


    That's it.
    We restore our symbolic links to /etc/pam_ldap.conf (dpkg will have overwritten them) and write the required pam_groupdn lines:
    ln -sf /etc/libnss-ldap.conf /etc/pam_ldap.conf
    ln -sf /etc/libnss-ldap.secret /etc/pam_ldap.secret

    pam_groupdn cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
    pam_groupdn cn=admins,dc=habr,dc=ru
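    As an added illustration (not code from the original article and not pam_ldap's own code), here is an offline model of the access rule built above: the user has to be a posixAccount under the search base ou=shell-users,dc=habr,dc=ru, and its DN has to appear in the uniqueMember attribute of at least one configured pam_groupdn group, which is exactly what the multi-groupdn patch makes possible. The directory content is a constructed LDIF sample that mirrors the tree from the start of this part; the tiny LDIF parser and the DN normalization are my simplifications (real pam_ldap runs an LDAP search against the server instead).

```python
"""Offline model of the pam_groupdn access rule. Sample data is constructed
and mirrors the article's tree; this is not pam_ldap's code."""

# Constructed LDIF: three posixAccount users and two groupOfUniqueNames groups.
SAMPLE_LDIF = """\
dn: uid=alice,ou=developers,ou=shell-users,dc=habr,dc=ru
objectClass: posixAccount
uid: alice
uidNumber: 10001

dn: uid=bob,ou=developers,ou=shell-users,dc=habr,dc=ru
objectClass: posixAccount
uid: bob
uidNumber: 10002

dn: uid=carol,ou=staff,dc=habr,dc=ru
objectClass: posixAccount
uid: carol
uidNumber: 10003

dn: cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
objectClass: groupOfUniqueNames
cn: developers
uniqueMember: uid=alice,ou=developers,ou=shell-users,dc=habr,dc=ru
uniqueMember: uid=carol,ou=staff,dc=habr,dc=ru

dn: cn=admins,dc=habr,dc=ru
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=bob,ou=developers,ou=shell-users,dc=habr,dc=ru
"""

SEARCH_BASE = "ou=shell-users,dc=habr,dc=ru"   # the 'Search base' debconf answer
DEVELOPERS = "cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru"
ADMINS = "cn=admins,dc=habr,dc=ru"


def normalize_dn(dn):
    """Simplified DN comparison: case-fold and strip spaces around commas
    (assumption: no escaped commas inside RDN values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines only (no base64, no folded lines). Returns {dn: {attr: [values]}}."""
    directory, entry = {}, {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if "dn" in entry:
                directory[normalize_dn(entry["dn"][0])] = entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return directory


def in_subtree(dn, base):
    """True if dn equals base or lies below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def find_user(directory, uid, base=SEARCH_BASE):
    """Model the NSS/PAM lookup: a posixAccount with this uid under the base."""
    for dn, entry in directory.items():
        if (in_subtree(dn, base)
                and "posixAccount" in entry.get("objectClass", [])
                and uid in entry.get("uid", [])):
            return dn
    return None


def is_allowed(directory, uid, groupdns, base=SEARCH_BASE, member_attr="uniqueMember"):
    """Unknown user -> deny. No pam_groupdn configured -> no group restriction.
    Otherwise the user's DN must be listed in member_attr of at least one group
    (the 'any of several groups' rule that the multi-groupdn patch adds)."""
    user_dn = find_user(directory, uid, base)
    if user_dn is None:
        return False
    if not groupdns:
        return True
    for gdn in groupdns:
        group = directory.get(normalize_dn(gdn), {})   # missing group: no members
        if user_dn in {normalize_dn(m) for m in group.get(member_attr, [])}:
            return True
    return False


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    for uid in ("alice", "bob", "carol"):
        print(uid, "developers only:", is_allowed(d, uid, [DEVELOPERS]),
              "developers+admins:", is_allowed(d, uid, [DEVELOPERS, ADMINS]))
```

    Running it shows alice passing with the developers group alone, bob passing only once cn=admins is present as a second pam_groupdn, and carol being refused even though she is listed in the developers group, because her entry lies outside the search base and the lookup never finds her.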



    Check authorization and rejoice.

    The question of sudo remains; there is quite a lot of material, so it seems we will have to go beyond four parts.
    Thanks for your attention!
