{"id":317,"date":"2009-12-29T11:16:00","date_gmt":"2009-12-29T11:16:00","guid":{"rendered":"https:\/\/questy.org\/?p=317"},"modified":"2024-09-26T19:12:57","modified_gmt":"2024-09-26T19:12:57","slug":"ldap-administration-iii-odds-n-ends","status":"publish","type":"post","link":"https:\/\/questy.org\/index.php\/2009\/12\/29\/ldap-administration-iii-odds-n-ends\/","title":{"rendered":"LDAP Administration III &#8211; &#8220;Odds &#8216;n Ends&#8221;"},"content":{"rendered":"\n<p>By now you should have a functional LDAP server, a properly configured client, and the ability to authenticate against your server. &nbsp;However, the last couple \u201ccogs in the wheel\u201d are left to manage.<\/p>\n\n\n\n<p>Generally speaking, when you add a user in UNIX-land, part of the process of the adduser command also sets their shell, creates a home directory for them and so forth. &nbsp;As you may notice, there is no particular method to make this happen in Linux-LDAP. &nbsp;You just have a store and a tool to manage the store.<\/p>\n\n\n\n<p>Have no fear, it\u2019s PAM to the rescue.<\/p>\n\n\n\n<p>As we said in our first installment, the following packages are all that is necessary to have the basic plumbing of LDAP to work:<\/p>\n\n\n\n<p>openldap<br>openldap-servers<br>openldap-clients<br>openldap-devel<\/p>\n\n\n\n<p>While that is true, there are a couple more packages that put the finishing touches on this to make it sing. &nbsp;Those are:<\/p>\n\n\n\n<p>nss nss_ldap nscd<\/p>\n\n\n\n<p>NSS is a glibc mechanism or interface allowing access to the common UNIX databases such as the password or hosts database. 
&nbsp;It is most commonly used to provide an interface to the local \/etc\/passwd and \/etc\/shadow files, and usually for the purpose of interfacing with LDAP or NIS.<\/p>\n\n\n\n<p>NSS_LDAP is a set of C library extensions which allows X.500 and LDAP directory servers to be used as a primary source of name service information such as users, hosts, groups, and other such data historically managed via local flat files or a NIS infrastructure.<\/p>\n\n\n\n<p>NSCD is a name services caching daemon that provides a cache for the most common name requests. &nbsp;While useful in speeding up response to queries, nscd has its own set of problems. &nbsp;I\u2019ll cover only some of its usefulness, and you should circumspectly determine whether you will need caching at all based on your organization\u2019s size and the size of your serving infrastructure.<\/p>\n\n\n\n<p><strong>Home Directories<\/strong><\/p>\n\n\n\n<p>First and foremost, to make the login process as pleasurable\/smooth an experience as possible, there are some things that we generally do in standard administration practice to ease the user\u2019s experience. &nbsp;Namely, we set up a standard set of configuration and environment files to provide a consistent user experience of the shell. &nbsp;These are usually home directory files such as:<\/p>\n\n\n\n<p>.bashrc .bash_profile .bash_logout .vimrc .mozilla<\/p>\n\n\n\n<p>Usually these are handled by the useradd command, which also copies one of everything from the \/etc\/skel directory to your user\u2019s home.<\/p>\n\n\n\n<p>As you can see, simply adding a user to the LDAP store would not give occasion for this to happen. &nbsp;PAM to the rescue! &nbsp;PAM provides a module for exactly this purpose: the \u201cmkhomedir\u201d module. 
&nbsp;Depending on your architecture, this lives in the \/lib or the \/lib64 directory under \u201csecurity\u201d:<\/p>\n\n\n\n<p>\/lib\/security\/pam_mkhomedir.so \/lib64\/security\/pam_mkhomedir.so<\/p>\n\n\n\n<p>What this module does when properly invoked is this: on the first connection of a user who is validated as a proper user\/password combination via LDAP, PAM sees that they have no home directory, and&nbsp;<em>creates the home directory for them just as if you, the administrator, had created it with the&nbsp;<strong>adduser&nbsp;<\/strong>script.<\/em><\/p>\n\n\n\n<p>This, by far, is one of the handiest modules provided by PAM.<\/p>\n\n\n\n<p><strong>Turning on the PAM<\/strong><\/p>\n\n\n\n<p>To turn on the mkhomedir facility for your servers and clients, simply do the following:<\/p>\n\n\n\n<p>In \/etc\/pam.d there are a number of configuration files for handling login definitions for varying circumstances. &nbsp;What we are interested in is&nbsp;<em>system-auth<\/em>. &nbsp;System-auth is also sourced by the sshd configuration, so this will work for both console logins and ssh\/remote logins.<\/p>\n\n\n\n<p>The last stanza of the system-auth configuration file is the \u201csession\u201d section. &nbsp;On the second-to-last line, between the pam_unix and pam_ldap entries, add the following:<\/p>\n\n\n\n<p>session &nbsp; &nbsp; required &nbsp; &nbsp; pam_mkhomedir.so<\/p>\n\n\n\n<p>This is a keyword set that tells Linux to load and perform the functions offered by the pam_mkhomedir module. &nbsp;Now, whenever you connect to a system configured in this way, it will automatically create the user\u2019s skel files and change ownerships to the proper settings so the user can log in.<\/p>\n\n\n\n<p><strong>Security<\/strong><\/p>\n\n\n\n<p>You may note that I also referred to using group-based security. &nbsp;In LDAP\/PAM-land, this is just as simple as the above PAM setup. 
&nbsp;Look into the individual system\u2019s \/etc\/security directory for a file called access.conf. &nbsp;This file allows you to grant\/deny access to individual users and groups, and also to control where they can connect to this machine from. &nbsp;The syntax is clearly explained in the file itself, but here\u2019s an example.<\/p>\n\n\n\n<p>Let\u2019s say I only want root, wheel, and the admins group to be able to access a certain system. &nbsp;Let\u2019s say they can access this system from anywhere. &nbsp;Now let\u2019s say I also want the backup group to access the same system, but only from one host. &nbsp;The setup is quite simple. &nbsp;First, let\u2019s allow complete access to the people we wish to be able to connect from everywhere. &nbsp;At the end of the \/etc\/security\/access.conf file, add the following line:<\/p>\n\n\n\n<p>+: root wheel admins : ALL<\/p>\n\n\n\n<p>This tells the system to add access for root, wheel, and admins from ALL hosts. &nbsp;Now, let\u2019s put in those backup admins, but only allow them to connect from the host we want them to come from:<\/p>\n\n\n\n<p>+: backup : 10.1.10.10<\/p>\n\n\n\n<p>This means the backup group can access this host, but only from the host 10.1.10.10. &nbsp;There are many other methods of allowing and denying access in this file. &nbsp;The documentation is contained within the file, so feel free to look through it for more information.<\/p>\n\n\n\n<p>The MOST important line is the last line, however. &nbsp;After you\u2019ve set up all the people you WANT to access the system, that does no good if all access is still left on for everyone, everywhere. &nbsp;The final line in the file should deny all access to anyone else not specified above, and would look like this:<\/p>\n\n\n\n<p>-: ALL : ALL<\/p>\n\n\n\n<p>Simply stated, this removes (or subtracts) all access for ALL other users from ALL other hosts. 
&nbsp;This line is evaluated last, after the preceding lines, and takes the preceding lines into account when setting up its rules in memory.<\/p>\n\n\n\n<p>At the very worst, if you mis-order the lines here, you may not be able to log in to the system. &nbsp;You will then need to boot to single-user mode and use the article on this site entitled \u201cA Neat Trick\u201d to make \/etc read\/write, change the configuration, and reboot back into your system\u2019s default runlevel. &nbsp;If you\u2019re careful, though, this will be quite easy to configure and manage.<\/p>\n\n\n\n<p><strong>Closing Thoughts<\/strong><\/p>\n\n\n\n<p>I\u2019m sure there are a few things I left out, and I will be revising this series at some point in time to allow for any omissions I\u2019ve made. &nbsp;I will also be adding in feature suggestions and will be following this up with a sudo article so you can overlay the \u201con-box\u201d security set you\u2019d like to see happen in your environment&nbsp;<em>after<\/em>&nbsp;your LDAP infrastructure is in place.<\/p>\n\n\n\n<p>Feel free to drop me a note if you see anything amiss, and I\u2019ll be sure to correct it and give you props.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By now you should have a functional LDAP server, a properly configured client, and the ability to authenticate against your server. &nbsp;However, the last couple \u201ccogs in the wheel\u201d are left to manage. 
Generally speaking, when you add a user in UNIX-land, part of the process of the adduser command also sets their shell, creates [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[8],"tags":[],"class_list":["post-317","post","type-post","status-publish","format-standard","hentry","category-open-source"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/posts\/317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/comments?post=317"}],"version-history":[{"count":3,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/posts\/317\/revisions"}],"predecessor-version":[{"id":320,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/posts\/317\/revisions\/320"}],"wp:attachment":[{"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/media?parent=317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/categories?post=317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/ta
gs?post=317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}