If you're working as Linux sys-admin in a small or middle-sized company (80-300 people) whose personal and hosted infrastructure is quicly growing, you will soon face a requirement that all running Linux servers hosting applications requires unification in existing single / clustered Users Applications to be able to Login with same User / Password across all company Linux / UNIX servers.
Having single id / passwords across multiple servers is also handy for various routine sys-admin purposes as this simplifies daily maintanance tasks and deployment of "one view" server monitoring and bunch of software easily to be replicated on new server nodes.
This is where LDAP ( Lightweight Directory Access Protocol ) comes at help. LDAP authentication with use of PAM (Pluggable Authentication Module), allows to easily achieve a common centralized login mechanism across a Linux server "farm" using SSH or Xlogin (if X some kind of GUI environment) is to be used.
Configuring Linux servers to use a centralized LDAP server to store user / passwords and other user information is also very useful whenever you want to have a common login mechanism of a group of users across both Heterogenous network with Windows / Linux and UNIX servers. By keeping the users into a centralized LDAP server, users have access with same User / Pass to both Windows / Linux ,UNIX Sun OS / HP-UX / Unix / FreeBSD etc. Centralized LDAP for Production environment and a Testing one is a common thing to see in large IT infrastructure (hosting / support) companies such as IBM / HP / Google / Yahoo etc. .
LDAP credentials centralization is common in Telecommunication companies, many universities such as Berkley / MIT and in all kind of big business-es or anywhere where its needed to have in a common database replicated across servers hundreds of thousands of users.
Here is how to Configure SSH LDAP Linux login authentication:
1. Install LDAP client and configuring it to use remote LDAP server on Debian / Ubuntu Linux
– On Debian Linux servers install the classical way to configure LDAP authentication is:
apt-get install –yes libpam-ldap libnss-ldap nscd ldap-utils
You will be asked a variety of configuration questions in the good old ncurses on LDAP server to be used:
- LDAP server Uniform Resource Identifier: ldap://LDAP-server-IP-Address
- Change the initial string from "ldapi:///" to "ldap://" before inputing your server's information
- Distinguished name of the search base:
- LDAP version to use: 3
- Make local root Database admin: Yes
- Does the LDAP database require login? No
- LDAP account for root:
- LDAP root account password: Your-LDAP-root-password
If you have inputted some wrong data to make the configuration interface pop-up again issue as root:
dpkg-reconfigure ldap-auth-config
Then to make aware the system LDAP database is to be used to through NSS (Name Services Switch) configured in /etc/nsswitch.conf
vim /etc/nsswitch.conf
To make /etc/passwd /etc/shadow and /etc/group not be queried from local system but to query LDAP defined server
passwd: ldap compat
group: ldap compat
shadow: ldap compat
Linux makes authentication to remote LDAP server through PAM (Pluggable Authentication Module) that provides authentication via series of modules which return Yes / No responce in Windows NT / XP something similar was called GINA in Windows 7 / 8 / 2012 a similar technology is used called Credential Provider.
LDAP authentication is done by using PAM, to make it possible:
vim /etc/pam.d/common-session
Place
session required pam_mkhomedir.so skel=/etc/skel umask=0022
This line makes PAM on login to create home directory for logged in user via LDAP and copy all files from /etc/skel/* to /home/username/*
To make new settings affective restart nscd service (handles passwd, group and host lookups caching previous credential results).
/etc/init.d/nscd restart
However this method of configuration is probably to be soon be obsoleted in future Debian releases the modern way to configure servers to authenticate to central LDAP server is with SSSD, i.e.
apt-get install sssd libnss-sss libpam-sss
apt-get remove nscd
vim /etc/sssd/sssd.conf
domains = LDAP
[…]
[domain/LDAP]
enumerate = true
id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
#ldap_schema = rfc2307
ldap_uri = ldap://server1.mydom.com/
ldap_search_base = dc=mydom,dc=intern
#ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ldap/ssl/cacert.pem
2. Install LDAP client and configuring it to use remote LDAP server on CentOS / Fedora / RPM based Linux
yum -y install libpam-ldap nscd ldap-utils
On client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization.
There is a quick way to configure LDAP use with authconfig
[root@www ~]# authconfig –enableldap
–enableldapauth
–ldapserver=dlp.server.world
–ldapbasedn="dc=server,dc=world"
–enablemkhomedir
–update
Starting nslcd: [ OK ]
[root@www ~]# exit
logout
CentOS Linux release 7.0.1406 (Core)
3.10.0-123.4.2.el7.x86_64 on an x86_64
www login:ldap-user # LDAP user
Password:# password
Creating directory '/home/rldap-user'.
[ldap-user@www ~]$ # logined normally
[ldap-user@www ~]$ passwd # change LDAP user password (LDAP server will be notified about change)
Changing password for user redhat.
Enter login(LDAP) password: # current password
New password: # new password
Retype new password:
LDAP password information changed for redhat
passwd: all authentication tokens updated successfully.
When using authconfig to configure LDAP server authentication will be managed by SSSD (System Security Services) Daemon for more check out man sssd.
To be working sssd will require you to have following list of RPM packages installed
sssd-client
sssd-common
sssd-common-pac
sssd-ldap
sssd-proxy
python-sssdconfig
authconfig
authconfig-gtk
SSSD configuration includingn the filled in LDAP server hostname generated by authconfig is stored in /etc/sssd/sssd.conf
To reload new SSSD settings:
systemctl restart sssd
Using sssd is the new way to enable LDAP Linux authentication and people who use it should not use the old already obsolete nslcd method
3. Enabling Apache web application to authenticate to LDAP server
If you further want LDAP authorization to also work on installed and functioning Apache webserver on the host you need to load mod_auth_ldap.so
in httpd.conf
vim /etc/httpd/conf/httpd.conf
There should be a record like:
LoadModule mm_auth_ldap_module modules/mod_auth_ldap.so
On Debian / Ubuntu Linux to enable LDAP auth in Apache2:
root@www:~# a2enmod ldap authnz_ldap
Enabling module ldap.
Considering dependency ldap for authnz_ldap:
Module ldap already enabled
Enabling module authnz_ldap.
To activate the new configuration, you need to run:
service apache2 restart
Finally to make Apache load new config:
On Redhat based distro:
/etc/init.d/httpd restart
On Debian
/etc/init.d/apache2 restart
If you want to use LDAP auth within PHP/ Perl applications you will also need to install php5-ldap, libnet-ldap-perl (debs)- on Debian / Ubuntu or php-ldap, perl-LDAP.noarch (rpm) on CentOS / Fedora.
To set LDAP credentials authentication from LDAP, in Virtualhost/s or .htaccess of certain directory use config like:
AuthName "Restricted"
AuthType Basic
AuthLDAPURL ldap://ldap.domain.com:389/ou=People,dc=domain,dc=com?uid
AuthLDAPBindDN "cn=Manager,dc=domain,dc=com"
AuthLDAPBindPassword "your_secret_secret_password_to_ldap_admin"
require valid-user
4. Debug Test LDAP server remote connection
Once LDAP auth is setup to debug / test users within server use ldapsearch (part of ldap-uitls):
ldapsearch -h <ldapserver>
-b dc=<your> ,dc=<domain> -x uid=<username>