LDAP Authentication in Linux

hausmasta writes "HowtoForge has published a walkthrough to show you how to store your users in LDAP and authenticate some of the services against it. It will not show how to install particular packages, as it is distribution/system dependent, instead it will focus on pure configuration of all components needed to have LDAP authentication/storage of users. The howto assumes that you are migrating from a regular passwd/shadow authentication, but it is also suitable for people who do it from scratch."

Re:Why would one want to do this?

[Anonymous Coward]

You could now have several machines authenticating against one machine(although I know there are other ways).
You can also have all your software that is LDAP aware authenticating against the same username/password (assuming they don't already support the stuff like PAM or the like).

If you really want to, you can also setup samba to use it and you can have XP machines join the domain, get the users in the domain all that fun stuff. (Was going to do this in a small lab I help at, ended up not because I realized it wasn't necessary for anything we did down there).

Ldap on its own is not enough

[Anonymous Coward]

Really, you need to add kerberos to the mix, especially the heimdall kerberos implementation is attractive, since it allows you to store its settings inside the ldap tree, providing a true centralised secure single signon enviroment.

Using ldap itself is really not much better than using NIS, aside from the fact that it can contain much more than just the user database.

Re:Password only

[Imagix]

Because if you reject a "taken password", you now know another user's password. You can then use it to login as them.

I always wondered...

[Lispy]

Ever since I rolled out an LDAPed Samba domain for a customer I was wondering why this is not beeing used for more stuff?
Its relatively eay to setup and quite stable. This in combination with PAM should be the once and for all way of authentication.
If you have a directory like this you can add virtually everything to it, be it intranet pages, mailserver authentication, hell even an inhouse Jabber client for employees. This should be unified and used much more often.

The management is a blast with the ability to choose whatever LDAP-Frontend you might wanna use and worstcase you can go back to browserbased or console. Its really flexible, elegant and in a Unix style a tool for the job.

Who can enlighten me why this is still rather a niche? are Unixadmins simply too used to the passwd/shadow style auth?
Oh yeah: In case you are going to set it up stay the hell away from BerkeleyDB 4.3.
It can have some nasty surprises. :) Been there...

LDAP for everything

[linuxkrn]

I use LDAP at work for everything and life is so much better now.

Windows Desktops (Samba PDC and BDC -> LDAP)
Linux pam_ldap + nss -> LDAP and NFS shares

You can log into either a windows desktop or linux box and have the same file shares open. Windows has H: and Linux is /home/username. Public drives are mapped as well.

Then for email, postfix + dovecot -> ldap. You can store not only use the same username password as for linux, but you can add unlimited number of real-time mail aliases to each user. Also supports virtual domains.

Directory services for phone numbers, room locations, etc. in ldap. Mapped to email clients search/contact lists.

squid + ldap and apache + ldap, secure login to website.

Squirrelmail/horde both use ldap as well. Auth is done via imap, but horde can do much more with ldap. Both can use it for directory services.

Admin can be done either via CLI smbldap-tools, php ldap admin, gq (ldap tree browser), or ldapmodify if you're hard core. Plus with sync'ing data to other sites they have a copy of the data for their BDC/etc. If I need to add/modify a user there is only one place that needs to be modified. And I can do it from home. =)

Re:I always wondered...

[antlope]

Because the sites that could most benifit already run NIS or similar for Unix, and have working AD systems for windows. With a larger site (100+ servers) the admin groups are usually hard presses for time anyway and have to justify this kind of switch to a manager who most of the time doesn't fully see the advantage of spending all those man hours switching systems.

Sad, but often true.

/Anthony Whitehead
NordicEdge AB

Re:Why would one want to do this?

[Anonymous Coward]

It is broke' when it comes to managing a work group. With a proper LDAP setup, you can go to any workstation on the network and login as though you were sitting at your desktop machine (requires exporting the home directories from a server). I have that setup in my lab and it is a huge improvement over NIS or password-file-per-machine. In fact, I would like to see LDAP become the default account mechanism (at least in my preferred distro). Slapd is relatively lightweight so even standalone installations would not notice a big hit. Most users would not even know they were using LDAP. Now add a nice friendly "share user accounts" setup menu and viola, instant work group. (Nice if it was also configured to work out-of-the-box with SAMBA!)

Nested groups

[Yag]

The big problem with ldap is that most of autentication plugins (apache, pam and the others) matches only first level group members, not nested groups, normally used, expecially, in big micro$oft directories. This creates a lot of "difficul to mantain" groups containing very big lists of accounts. I know that filters or organizational units can be used to group them, but most of the times this is not enaugh. For this reason i usually prefer radius which integrates well *nix and m$ worlds (even if i still use ldap for apache cause radius mod for apache is not so customizable).

Re:Why would one want to do this?

[rmallico]

i work for a company that handles large enterprises single sign on and user id consolidation needs... (as well as small/medium ones as well)

you are right on... when it comes to compliance and SOX requirements, getting all of your machines authenticating against one directory (AD or otherwise) makes perfect sense. I am sure there are a few sys admins here who have been asked for login failure and share access permissions across all of their network machines. adding more 'directories' makes it even more fun to gather these reports, comb through logs, look for changes across all the flavors of *nix and then the msft event logs, even network syslog...

There are a few companies out there who have built product lines that allow unix machines to authenticate against AD, their machine accounts can have Windows Group Polices and managed under one single console, they have the ability to appear in SMS as any other machine for reporting and hardware inventory and also to send their performance metrics over to MSFT MOM...

Why in the HELL would anyone want to authenticate against AD? well, it is simple really.. MSFT DID do the LDAP/Kerberos thing right and have been doing it right for a long time. They also have the whole pass-through, single id thing going and it works just fine in AD (when its an all windows network)... and its EVERYWHERE... how many LARGE companies are using whitepages/ldap type directories for authentication and how many are using AD? its a valid question to ask and what is happening is that most ARE already on AD or are moving to AD and they ARE using Exchange and this put AD into a space of being one of the main components of an enterprise. So why not just toss the unix machines in there as well?

yes, it empowers windows AD... but the first solution below (from quest) does not take anything out of the unix guys bag of tricks... in fact it allows for the unix guy to actually do things against AD that before was a pain to setup/admin...

anyway... sunday, should be out walking the dog and playing frisbee with the kids or working on my short game... check out http://www.quest.com/landing/?ID=531 [quest.com] or http://www.centrify.com/ [centrify.com] for some good info on two companies that are doing this for the *nix world now...

 

Re:I always wondered...

[93 Escort Wagon]

Ah, I was about to ask this same question...

One of our former (and rather forward-looking) sysadmins moved our servers over to a centralized Kerberos+LDAP (via PAM) authentication and authorization system. He left for greener pastures; and since then I've seen a series of (mostly pretty young) sysadmins that just have this innate dislike for any sort of centralized management. It usually starts with complaints about OpenLDAP; but pretty soon you realize it's not the app, since they view any replacements with equal disdain - it's the whole concept that they don't like.

I see the same sort of thing when it comes to centralized server maintenance/management systems. A lot of guys seem to prefer to just configure and run each server totally independently, even though it takes a rediculous chunk of time compared to a distributed management system. It's obviously inefficient, and the end result often is out of date kernels and/or other packages. So why this fascination with trying to run your workplace servers as if they're no different than the hobby servers in your basement?

I pride myself ...

[Zombie Ryushu]

I believe I have one of the most advanced LDAP/Kerberos/Samba/Bind "Open Directory" setups. I have two Samba 3 Domain Controllers, both Kerberos and Bind Enabled. with OpenLDAP and MIT Kerberos. I have no need for NFS.

My OpenLDAP stores:

POSIX User Attributes
Samba User Attributes
Radius User Attributes
eGroupware User Attributes (Egroupware accounts.)
DNS Information for our internal DNS Server
DHCP Lease information.

I use Kerberos with ssh-agent to distribute software RPMS for Mandriva Linux to mass distibute RPMs with a single command.

I have Samba Kerberos enabled so that Samba will not repeatedly ask for usernames and passwords, and requires zero configuration.

I have had the code to Egroupware modified so that eGroupware, and Nagios can use Apache's mod_auth_kerb addon to authenticate eGroupware users with a single click instead of a whole second login process.

I'm currently workong on creating a Samba Authenticated gateway with NTLM-SPNEGO support so that kerberos will handle Squid too.

All I need now is for someone to make the modifications nesessary to eGroupware's XMLRPC so that Kontact could use Kerberos and I would have the "Exchange Killer" I always wanted.

All of my users use Samba for network browsing under KDE's Konqueror, with Kerberos and LDAP, it just works.

I consider this my shining accomplishment.
I like to have myself believe that I accomplished "Active Direrctory" under Linux now. I don't use Windows at all in this network, so keep that in mind. The eGroupware people can attest to what a past I am. bugging them to include Kerberos detection in session management. But it all works.

Reliability

[Gaima]

Yep centralised user management, great, no doubt.
But, what happens when the LDAP service isn't available?
I say service to not distinguish between a physical server, a cluster of servers, a crashed openLDAP process, broken network link, yadda, yadda, yadda.

With AD if a PDC isn't there, you can still login if you've logged on before.
The article really should have mentioned nss_updatedb and pam_ccreds from PADL [padl.com] (I don't know if there are any other alternatives, nor do I know if that actually work, sounds like they do though).

Re:Reliability

[myowntrueself]

But, what happens when the LDAP service isn't available?

Indeed...

Where I work one of my 'genius' predecessors set up a Linux fileserver with LDAP 'authentication' (nice euphemism that). LDAP is only used for samba fileshares... and for login.

The LDAP server runs on the fileserver itself, so at least it doesn't have to connect to a remote LDAP server.

He did a lovely piece of work, hacking it into place on a debian woody system, butchering the PAM config to make it appear to work.

He is long gone but his legacy remains; if the LDAP system falls over you can't log onto the server at all.

Not as root, not on the console, not remotely, not even via a remote logon with ssh keys.

Fantastic. What a genius.

The best one can do is reboot it and hope that the LDAP system does come back up.

I'd fix it but its so hacked together and my LDAP knowledge is limited (as, evidently, was his) and the server is no longer mission critical (I'm about to strip it for parts).

I would never, *ever* use LDAP for logon 'authentication'. Maybe for samba but I'd be very careful about getting LDAP involved with a console logon.

LDAP is a pain in the arse

[SnapperHead]

Few years ago, this was a common setup I would put in place. When I had a number of users accessing all different types of devices or services, I would setup an LDAP server and have everything auth against it. It worked well, but has 2 major flaws.

Total pain in the ass to setup
Total pain in the ass to maintain

Now, I am using radius for the same thing. It works a lot better, because lets face it. PostgreSQL or MySQL is a hell of a lot easier to work with then LDAP.

LDAP does have its place. If you are looking to tie more then just auth into a profile, then LDAP is the choice. If you just want auth, use something Radius.

Of course, if you are a total LDAP guru, you are gonna recommend LDAP. But for average admins, or quick setups. LDAP isn't the way to go.
 

Re:Why would one want to do this?

[Schraegstrichpunkt]

Unix login doesn't have separate "username" and "domain" prompts like WinNT does. So here's what you do: Make "root" always a local user, and if you need an centralized "administrator" user, you create another user and add it to the "wheel" group or to /etc/sudoers or whatever, and that user can run "su" or "sudo -s" to get a root shell when necessary.

Funny story: A few years ago, we were testing Active Directory on some Win2K boxes. One of the security policies you can set is "disable the local administrator account". This can be set on the domain controller and propagated to all the clients. The problem with this is that, if you take a Windows workstation, and have it join a domain with this setting enabled, then almost immediately have it leave the domain, the "disable the local administrator account" will stay set. If you log out, you won't be able to log in again, and without logging in as an administrator, you can't re-join the domain.

It's a nice way to hose a Windows install.

This rocks

[PenguinX]

We switched to ldap authentication on our UNIX systems about a year ago, and basically it rocks. Providing single-sign-on between all of your device of varying operating systems and utility (i.e. servers, routers, switches, terminal/console servers, a lot of applications, and even kvm's) is great when you have a multi-teared support organization, and even if you don't you can still save yourself a lot of useradd / usermod /userdel commands if you centralize.

Why does it rock so much? LDAP seems unique that, unlike almost every other authentication method under the sun (NIS, NIS+ radius) it can be used on a number of devices. Additionally LDAP tends to be a great back-end for other authentication protocols (i.e. radius) can use an LDAP backend.

Practically speaking, often times all someone needs to do is have read access to a device to find out if an interface is up but many system admins give up if they don't have the ability to centralize and allow the company to become altogether too dependent on them. LDAP basically gets rid of this hassle and the administration is minimal. This means that the system admin gets paged less and more people can get work done with better efficiency.

Re:Why would one want to do this?

[shayne321]

Amen.. This is such a no-brainer to me. I implemented a similar service at a previous employer back before AD was even heard of (1997 or so). Basically I wrote a web UI which the helpdesk could access to add/change/delete accounts, which only updated entries in a mysql database (the web app never talks directly to individual servers, for security reasons). Each server in turn queries the DB once an hour and updates the local passwd, shadow, smbpasswd, sasldb, group, etc files as accounts are added/changed/removed. The only drawback is it takes up to an hour for a change to fully propogate though all servers. The good thing though is that to the apps the authentication is local (they just use the local files), so if the DB server poops its pants those services (samba, dovecot, sendmail, etc) are still available. Plus, the apps don't need to have intelligence about the DB, LDAP, NIS, etc.. They just use their local files like always. I rounded this out with freeradius with an sql module (for wireless, vpn, and dial up), and mod_auth_mysql for apache for the intranet. This allowed us to offer ONE username/password for every possible service on the network, and fine grained control via the web UI of each user's access to each service. Through the web UI we could enforce strong passwords, auto-generate the user's login, etc, etc. I *never* had to touch servers for accounts (other than root, which was never handled from the db), and the helpdesk really liked having an easy to use UI rather than being forced to ssh or telnet directly to servers (which would have been a nightmare). The only issue with this setup is each server needs to be able to talk directly to your SQL server, but as long as you manage this correctly (restricted permissions, etc) it's workable.