SWL Network (III): Debian Wheezy and ClearOS. LDAP authentication

fico

5 minutes

Hello friends!. We are going to make a network with several desktop computers, but this time with the Debian 7 "Wheezy" Operating System. As a server he clearOS. As a data, let us observe that the project Debian-Edu use Debian on your servers and workstations. And that project teaches us and makes it easier to set up a complete school.

It is essential to read before:

  • Introduction to a Network with Free Software (I): Presentation of ClearOS

We will see:

  • Example network
  • We configure the LDAP client
  • Configuration files created and / or modified
  • The /etc/ldap/ldap.conf file

Example network

  • Domain Controller, DNS, DHCP, OpenLDAP, NTP: ClearOS Enterprise 5.2sp1.
  • Controller Name: centos
  • Domain Name: friends.cu
  • Controller IP: 10.10.10.60
  • ---------------
  • Debian version: wheezy.
  • Name of the team: debian7
  • IP adress: Using DHCP

debian7-dhcp-ip

We configure the LDAP client

We must have the OpenLDAP server data on hand, which we obtain from the ClearOS administration web interface in «Directory »->« Domain and LDAP«:

LDAP Base DN: dc = friends, dc = cu LDAP Bind DN: cn = manager, cn = internal, dc = friends, dc = cu LDAP Bind Password: kLGD + Mj + ZTWzkD8W

We install necessary packages. As the user root we execute:

aptitude install libnss-ldap nscd finger

Notice that the output of the previous command also includes the package libpam-ldap. During the installation process they will ask us several questions, which we must answer correctly. The answers would be in the case of this example:

LDAP server URI: ldap: //10.10.10.60
The distinguished name (DN) of the search base: dc = friends, dc = cu
LDAP version to use: 3
LDAP account for root: cn = manager, cn = internal, dc = friends, dc = cu
Password for the root LDAP account: kLGD + Mj + ZTWzkD8W

Now he announces that the file /etc/nsswitch.conf it is not managed automatically, and that we must modify it manually. Do you want to allow the LDAP administrator account to behave as the local administrator ?: Si
Is a user required to access the LDAP database ?: No
LDAP administrator account: cn = manager, cn = internal, dc = friends, dc = cu
Password for the root LDAP account: kLGD + Mj + ZTWzkD8W

If we are wrong in the previous answers, we execute as the user root:

dpkg-reconfigure libnss-ldap
dpkg-reconfigure libpam-ldap

And we adequately answer the same questions asked before, with the only addition of the question:

Local encryption algorithm to use for passwords: md5

Eye when replying because the default value offered to us is Crypt, and we must declare that it is md5. It also shows us a screen in console mode with the output of the command pam-auth-update executed as root, which we must accept.

We modify the file /etc/nsswitch.conf, and we leave it with the following content:

# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference 'and` info' packages installed, try: # `info libc" Name Service Switch "'for information about this file. passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts: files mdns4_minimal [NOTFOUND = return] dns mdns4 networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis

We modify the file /etc/pam.d/common-session to automatically create user folders when logging in in case they don't exist:

[----]
session required pam_mkhomedir.so skel = / etc / skel / umask = 0022

### The above line must be included BEFORE
# here are the per-package modules (the "Primary" block) [----]

We execute in a console as the user root, Just to Check, pam-auth-update:

debian7-pam-auth-update

We restart the service nscd, and we do checks:

: ~ # service nscd restart
[ok] Restarting Name Service Cache Daemon: nscd. : ~ # finger strides
Login: strides Name: Strides El Rey Directory: / home / strides Shell: / bin / bash Never logged in. No mail. No Plan. : ~ # getent passwd strides
Strides: x: 1006: 63000: Strides El Rey: / home / strides: / bin / bash: ~ # getent passwd legolas
legolas: x: 1004: 63000: Legolas The Elf: / home / legolas: / bin / bash

We modify the re-connection policy with the OpenLDAP server.

We edit as the user root and very carefully, the file /etc/libnss-ldap.conf. We look for the word «hard«. We remove the comment from the line #bind_policy hard and we leave it like this: bind_policy soft.

The same change mentioned before, we make it in the file /etc/pam_ldap.conf.

The above modifications eliminate a number of LDAP-related messages during boot and at the same time streamline it (the boot process).

We restart our Wheezy because the changes made are essential:

: ~ # reboot

After rebooting, we can log in with any user registered in ClearOS OpenLDAP.

We recommend that then the following is done:

  • Make external users a member of the same groups as the local user created during the installation of our Debian.
  • Using the command visudo, executed as root, give the necessary execution permissions to external users.
  • Create a bookmark with the address https://centos.amigos.cu:81/?user en Iceweasel, to have access to the personal page in ClearOS, where we can change our personal password.
  • Install the OpenSSH-Server -if it is not selected when installing the system- to be able to access our Debian from another computer.

Configuration files created and / or modified

The LDAP topic requires a lot of study, patience and experience. The last one I don't have. We highly recommend that packages libnss-ldap y libpam-ldap, in the case of a manual modification that causes the authentication to stop working, be reconfigured correctly using the command dpkg-reconfigure, that is generated by DEBCONF.

The related configuration files are:

  • /etc/libnss-ldap.conf
  • /etc/libnss-ldap.secret
  • /etc/pam_ldap.conf
  • /etc/pam_ldap.secret
  • /etc/nsswitch.conf
  • /etc/pam.d/common-sessions

The /etc/ldap/ldap.conf file

We haven't touched this file yet. However, the authentication works correctly due to the configuration of the files listed above and the PAM configuration generated by pam-auth-update. However, we must also configure it properly. It makes it easy to use commands like ldapsearch, provided by the package ldap-utils. The minimum configuration would be:

BASE dc = friends, dc = cu URI ldap: //10.10.10.60 SIZELIMIT 12 TIMELIMIT 15 DEREF never

We can check if the OpenLDAP server of ClearOS works correctly, if we execute in a console:

ldapsearch -d 5 -L "(objectclass = *)"

The command output is copious. 🙂

I love Debian! And the activity is over for today, Friends !!!

debian7.amigos.cu


Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   elav said
    ago 10 years

    Excellent article, direct to my tips drawer

    Reply to elav
    1.    Federico Antonio Valdes Toujague said
      ago 10 years

      Thanks for commenting Elav… more fuel 🙂 and wait for the next one that tries to authenticate using sssd against an OpenLDAP.

      Reply to Federico Antonio Valdés Toujague
  2.   Euphoria said
    ago 10 years

    Thank you very much for sharing, looking forward to the other delivery 😀

    Reply to Euphoria
    1.    Federico Antonio Valdes Toujague said
      ago 10 years

      Thanks for comment !!!. It seems that the mental inertia of authenticating against a Microsoft domain is strong. Hence the few comments. That is why I write about the true free alternatives. If you look at it carefully, they are easier to implement. A bit conceptual at first. But nothing.

      Reply to Federico Antonio Valdés Toujague