Yolinux.com Tutorial

LDAP Client Computer Login Authentication

This tutorial covers the configuration required to authenticate computer system logins to an LDAP directory server. Computer system clients include Linux and MS/Windows.
Tutorial Contents:

Related YoLinux Tutorials:

°LDAP server configuration

°Apache and LDAP authentication

°LDAP bind authentication

°Extending LDAP an schema

°LDAP schema for MS/Outlook

°AWebDap: LDAP web interface

°NIS authentication

°YoLinux Tutorials Index




Free Information Technology Magazines and Document Downloads
TradePub link image


   

    Bookmark and Share


Advertisements




LDAP Object and Attribute Schema for Authentication:

The following login authentication methods require that an LDAP object schema be included which supports login. For Unix/Linux and MS/Windows one must include the object classes posixAccount and shadowAccount. (Defined in /etc/openldap/schema/nis.schema)

If using Samba one must also include a schema to support Samba (sambaSamAccount, sambaGroupMapping, sambaUnixIdPool, sambaIdmapEntry, sambaSidEntry, ...) and the appropriate attributes. See description of /etc/openldap/schema/samba.schema file Samba 3.0 LDAP Howto for more info.

While LDAP is preferred over NIS (Network Information Services), NIS is supported by legacy Unix systems. For more on NIS authentication and configuration see the YoLinux.com NIS tutorial.


LDAP Authentication for Red Hat Linux:

Use command: /usr/bin/authconfig (console) or /usr/bin/system-config-authentication (GUI)

Console screen of /usr/bin/authconfig:
Red Hat authconfig 1
Red Hat authconfig 2

GUI /usr/bin/system-config-authentication:

Red Hat authconfig GUI 1
Red Hat authconfig GUI 2

This will create the file: /etc/ldap.conf

host XXX.XXX.XXX.XXX          - IP address of LDAP server
base dc=domain,dc=org
ssl no
pam_password md5

If using older SGI MIPS/IRIX systems in the mix you may have to use "clear" instead of "md5".

File: /etc/nsswitch.conf

..
...
passwd files ldap
shadow files ldap
group  files ldap
...
..

[Potential Pitfall]: You may have to reboot in order for LDAP authentication to begin.

[Potential Pitfall]: If using the Sun One LDAP authentication server, note that any entry for the following attributes will result in the requirement that the Linux user change their password each and every time they login. (annoying) Set the following LDAP attributes to blank (not zero):

  • shadowmin
  • shadowmax
  • shadowwarning

[Potential Pitfall]: The user IDs (uid) and group IDs (gid) are cached by the Linux client after authenticating to the LDAP server. If changes are made to the LDAP directory you may have to reboot the client system to pick up the changes. This is also true for NIS authentication.


Note: If using the Linux GUI desktop and mounting Linux home directories to an NFS server you may have to mount with the option "nolock". This will be required if the NFS server does not support rpc.statd or rpc.lockd locking daemons which support NFS file locking services.
File: /etc/fstab

   ...
   nfs-server:/export/home  /export/home  nfs  rw,soft,bg,nolock   0 0
   ...

Also be sure to copy essential files and directories from /etc/skel/...which enable desktop use.


LDAP Authentication for Windows 2000:

Authenticate MS/Windows using PGina: http://www.pgina.org/
Downloads: http://www.pgina.org/?page_id=21
i.e. download pGina: pGina170a.exe

Run pGina170a.exe to install.
Install to C:\pGina and accept defaults.

Download LDAP Auth:
Downloads: LDAP auth plugin
Download instaler i.e.: ldapauth12.exe

Run to install.

Configure pGina: Select: Start + Programs + pGina + Configuration Tool

  • Pluggin Path: C:\pGina\plugins\ldapauth\ldapauth_plus.dll
    Accept rest of defaults.
  • Select configure plugin button:
    [LDAP configure screenshot]
    • LDAP Server: IP-address-goes-here
    • Port: 389 (default)
    • PrePend: uid=
    • Append: ou=people,dc=megacorp,dc=com
    • Admin User: "cn=AdminManager,dc=megacorp,dc=com"
    • Admin password: *******
    The "Admin User" and "Admin Pass" are not required for "Map Mode". A bind using the user login/password will take place if the Admin user/password are omitted.
  • Select radio button "Map Mode" then select "OK". (Panel closes)
  • Select Save + Exit
    (On main config panel)

Uses LDAP "Search mode".

PGINA screen

Select option "Scramble Passwords on Logout". This forces LDAP authentication for each login. After an initial login, the login/password become resident locally so that subsequent logins are authenticated locally. This option forces a scramble of the password upon logout forcing Windows/pGina to authenticate with the LDAP server and NOT locally.

Optional test: Download plugin_tester.exe from Pgina LDAP auth
[LDAP authentication test tool screenshot]

  • Select: Start + PRograms + pGina + Plugin tester
  • Pluggin Path: C:\pGina\plugins\ldapauth\ldapauth_plus.dll
  • Use login and passsword to test.

Reconfigure Windows 2000 not to authenticate against PDC:

  • Right click on "My Computer" + System Properties
  • Select "Network Identification" tab + "Properties" button.
  • Select "Workgroup" radio buton and remove workgroup.
  • Reboot and you are ready to login with LDAP authentication.

Note:

  • Do not use false (which can't be resolved) or a real domain (real or real but fails).
  • pGina recognizes local logins if the login id can not be found in the LDAP directory.
  • pGina does not support "roaming profile".

To remove pGina: Start + Control Panel + Add/Remove program + select pGina

Links:


Samba and LDAP:

Samba 3.0 can authenticate using LDAP. Download and compile OpenLDAP (even if you are using Sun ONE or some other LDAP server) and the berkley DB source. These libraries will be required when compiling Samba 3.0 for use with LDAP. Compile Samba with the configure option "--with-ldapsam". (./configure --prefix=/opt/samba --with-ldapsam)

We use pGina for login authentication so that all LDAP security rules are followed. (i.e. password length, duration between changes, reuse of passwords, ...) If MS/Windows authenticating with Samba (which in turn is authenticating with LDAP), then many of the LDAP password rules will not be supported. It is for this reason we use pGina. After SAMBA 3.0.7 was available, many of the rules required and supported in pGina are available using SAMBA and the native MS/Windows login. (i.e. Lockout after 5 failed logins) The login/password is held by the MS/windows OS and will be used when accessing Samba shares. Samba will then authenticate the access to the shared drive using LDAP. This replaces the need for a local Samba password database. (created with smbpasswd)

In this configuration we did not use the Samba PDC.

File snippet: smb.conf

...
passwd backend = ldapsam: ldap://Ip-address-of-LDAP-server/
ldap admin dn = "cn=sambaadmin, ou=people"
ldap suffix = "dc=megacorp,dc=com"
ldap user suffix = "ou=people"
...

Note: DNS resolvable names are required for all client and server computers which are part of the Samba domain.

Links:


SGI IRIX/MIPS Authentication and Host Lookup Using LDAP:

IRIX OS releases and LDAP/PAM:

IRIX versionPAM comments
6.5.21-LDAP support
No PAM support.
6.5.22LDAP support
Limited PAM support. Many of the utilities and services were not supported by PAM.
6.5.23+LDAP support
Full PAM support.

IRIX 6.5.21 configuration:

Client configuration file: /var/ns/ldap.conf

; SECURITY

security   ssl                    - Options are none or ssl
cipher     RSA_RC4_40_MD5
domain                            - An empty domain identifies the local domain

; LDAP server specifications

server XXX.XXX.XXX.XXX     - IP address of LDAP server
version 2                         - Open LDAP is considered V2 while Sun One considers themselves to be V3
base    "dc=sub-Domain,dc=domain,dc=com"
scope   subtree                   - Options are subtree, onelevel or sbase
password-hash {CRYPT}
binddn  "cn=AdminManager,dc=sub-Domain,dc=domain,dc=com"
bindpwd secret-password

Note:

  • The "bindpwd" is in clear text and NOT encrypted. When connecting to the server it will use a clear text password. This is required on IRIX 6.5.20.
  • {Potential Pitfall]: If no binddn/bindpwd are supplied in this configuration file, then your whole system is opened up for login without authentication. It may look like you logged in with a password but a correct one will not be required. BEWARE!
  • See "man ldap.conf" for more information.

LDAP Server: slapd.conf
(Linux: /etc/openldap/slapd.conf)

database      ldbm
password-hash {CRYPT}
suffix        "dc=sub-Domain,dc=domain,dc=com"
rootdn        "cn=AdminManager,"dc=sub-Domain,dc=domain,dc=com"
rootpw        {CRYPT}yDtKCHnyyDtKC
Notes:
  • Only crypt passwords are allowed in the IRIX implementation. Don't use MD5.
  • Note the associations:
    Server attributeClient attribute
    suffixbase
    rootdnbinddn
    rootpw
    (crypt)
    bindpwd
    (clear text)

Client nsswitch: /etc/nsswitch.conf

hosts:  ldap files nis dns
passwd: ldap files(compat) [notfound=return] nis

Note:

  • To reactivate new settings:
        [root]# nsadmin flush
        [root]# nsadmin restart
        

IRIX 6.5.22+ configuration:

Same as above except that the ldap.conf file location is /etc/ldap.conf and the entries "binddn" and "bindpwd" are not required. The entries in /etc/ldap.conf for IRIX 6.5.22+ resemble those for Linux. Bind is done using anonymous bind.


Sun SOLARIS Authentication and Host Lookup Using LDAP:

Configure with the Sun SOLARIS admin tool: ldapclient


IBM/AIX Authentication and Host Lookup Using LDAP:

System Authentication for AIX (and Linux)


Encryption scheme:

It is important to choose the same encryption scheme across platforms. By default Solaris uses CRYPT (DES: Data Encryption Standard) but allows multiple schemes, Redhat and FreeBSD (V4.2+) use MD5 and Suse uses Blowfish.

EncryptionHash prefix
MD5$1$ plus 12 character salt followed by encrypted password.
Blowfish (blf)$2$ or $2a$ plus 16 character salt followed by encrypted password.
CRYPT (standard DES)Two character salt at beginning of hash followed by encrypted password. Does NOT start with "$". (No consistent prefix.)
CRYPT (extended DES)Nine character salt at beginning of hash followed by encrypted password. Does NOT start with "$". (No consistent prefix.)

Configuration file where encryprion scheme is set:

OSConfig file
RedHat Linux/etc/libuser.conf
/etc/pam.d/system-auth

(configured using installation)
FreeBSD/etc/login.conf
/etc/auth.conf
/etc/master.passwd
Solaris/etc/security/policy.conf
See: CRYPT_ALGORITHMS_ALLOW
Multiple encryption schemes allowed concurently.

YoLinux.com LDAP Tutorials:

Links:

 


LDAP Book ListBooks:
Understanding And Deploying LDAP Directory Services "Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes,Phd, Mark C. Smith and Gordon S. Good,
ISBN 0672323168, Addison-Wesley Pub Co

Second edition. It is general in nature but complete in that it covers all concepts in depth. It is a good book for those wanting to understand everything about LDAP, schema development and its' capabilities.

Amazon.com
Understanding And Deploying LDAP Directory Services "Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes,Phd, Mark C. Smith and Gordon S. Good,
ISBN 1-57870-070-1, MacMillan Technical Publishing

First edition out of print. (Used only) See second edition above. This is the largest LDAP book I own. It is general in nature but complete in that it covers all concepts in depth. It is NOT a good programmers reference but it is good for those wanting to understand everything about LDAP, schema development and its' capabilities. Netscape centric.

Amazon.com
Programming Directory-Enabled Applications with Lightweight Directory Access Protocol "Programming Directory-Enabled Applications with Lightweight Directory Access Protocol"
by Timothy A. Howes,Phd and Mark C. Smith
ISBN 1-57870-000-0, MacMillan Technical Publishing

Excellent programmers reference for those using the LDAP C language API. Also covers search filters and LDAP URL's. The OpenLDAP source code is so poorly commented that I found this book often was the only source for an explanation of what was happening in the code.

Amazon.com
Implementing LDAP "Implementing LDAP",
Mark Wilcok
ISBN 1-861002-21-1, WROK Press

This book covers all aspects of LDAP from LDIF to the LDAP SDK in C, PERL and JAVA. It has a strong Netscape Directory server bias.

Amazon.com
LDAP System Administration "LDAP System Administration",
Gerald Carter
ISBN 1565924916, O'Reilly & Associates

This book covers the use of OpenLDAP and the integration of services.

Amazon.com
LDAP Programming, Management and Integration "LDAP Programming, Management and Integration",
Clayton Donley
ISBN 1930110405, Manning Publications; 1st edition

This book covers LDAP administration as well as introductory information. It covers the directory services markup language (DSML), PERL LDAP module as well as JAVA JNDI.

Amazon.com
book image "Understanding LDAP - Design and Implementation" - IBM-Redbooks
Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman
IBM Redbook #SG24-4986-00

A reference to ldap, available as PDF as well. This book has a bias towards IBM's E-network LDAP Directory server. Tight, terse, but covers everything.

IBM Redbook #SG24-6193-00 "LDAP Implementation and Practical Use"
IBM Redbook #SG24-6193-00

Copyright © 2003, 2004, 2010 Greg Ippolito