License

Copyright (C) 2008-2021 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto: OpenLDAP System authentication for Gentoo Linux

This is an example of how to authenticate your system accounts against LDAP via PAM (and, for services that use it, SASLAuthD). Users change their passwords in LDAP with the usual passwd command.

To use this solution you need to have completed the following howto(s):

Required software

The required software has to be installed with the following command(s):
emerge sys-auth/pam_ldap
emerge sys-auth/nss_ldap

Changes in /etc/conf.d/saslauthd

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Complete file: /etc/conf.d/saslauthd

Changed on 18.05.09
Issued by olli
Beginning line 22

If saslauthd serves SASL authentication for other services, switch its mechanism from pam to ldap and point it at a configuration file with your LDAP settings (see /etc/saslauthd.conf below). With -a pam it would otherwise go through the PAM stack configured further down, which also works but adds a second hop.


Before change
SASLAUTHD_OPTS="-a pam"
After change
SASLAUTHD_OPTS="-O /etc/saslauthd.conf -a ldap"

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Complete file: /etc/crontab

Changed on 02.12.09
Issued by olli
Beginning line 37

Run the checkusers script hourly. ifne (from moreutils) only sends the mail when the script actually produced output, so root is not mailed an empty report every hour.

42 * * * *      root    /usr/local/sbin/checkusers.sh 2>&1 | ifne mail -s "Checkusers-Script" root

Changes in /etc/ldap.conf.old

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Complete file: /etc/ldap.conf.old

Changed on 18.05.09
Issued by olli
Beginning line 18

The LDAP base DN


Before change
base dc=padl,dc=com
After change
base dc=example,dc=com

Changed on 18.05.09
Issued by olli
Beginning line 137

tls_reqcert allow makes the client accept a self-signed (or otherwise unverifiable) server certificate. Be aware that this also accepts a certificate presented by an impostor: the connection is encrypted but the server is not authenticated, and a spoofed LDAP server could answer password checks. The safer way to trust a self-signed certificate is to copy it (or its CA) to the client, reference it with tls_cacertfile and keep tls_reqcert demand. pam_login_attribute uid:caseExactMatch: makes the login name lookup case-sensitive (the uid attribute matches case-insensitively by default), so a name differing only in case does not resolve to the same account.

pam_login_attribute uid:caseExactMatch:
tls_reqcert allow
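
The following script is an added example for this section; it is not part of the howto or of pam_ldap/nss_ldap. It audits a PADL-style ldap.conf for the settings that decide whether the LDAP server is actually authenticated and whether passwords are protected in transit: tls_reqcert, tls_checkpeer, the presence of a tls_cacertfile/tls_cacertdir trust anchor, and whether the transport is ldaps:// or StartTLS. The two sample configurations are constructed here; the uri line (ldap.example.com) and the CA file path are assumptions, since the howto shows neither.

```sh
#!/bin/sh
# Added example, not part of the original howto: audit the TLS settings of a
# PADL-style /etc/ldap.conf as used by pam_ldap/nss_ldap. The howto sets
# "tls_reqcert allow" to accept a self-signed certificate; the client then
# carries on even when the server certificate fails verification. Directive
# names below are the real ldap.conf keywords; the sample files are constructed.

# audit_ldap_conf FILE: print findings, return 0 if none, 1 otherwise
audit_ldap_conf() {
    conf=$1
    findings=0
    # drop comments and blank lines; directive names are case-insensitive
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # last tls_reqcert wins; unset means libldap's default, which is "demand"
    reqcert=$(printf '%s\n' "$body" | awk 'tolower($1)=="tls_reqcert"{v=tolower($2)} END{print v}')
    case "$reqcert" in
        never|allow|try)
            echo "$conf: tls_reqcert $reqcert lets an unverifiable server certificate through (use demand)"
            findings=1 ;;
    esac
    checkpeer=$(printf '%s\n' "$body" | awk 'tolower($1)=="tls_checkpeer"{v=tolower($2)} END{print v}')
    if [ "$checkpeer" = "no" ]; then
        echo "$conf: tls_checkpeer no disables certificate verification"
        findings=1
    fi

    # verification needs a trust anchor: a CA file or a CA directory
    if ! printf '%s\n' "$body" | awk 'tolower($1)~/^tls_cacert(file|dir)$/{f=1} END{exit !f}'; then
        echo "$conf: no tls_cacertfile/tls_cacertdir, so even tls_reqcert demand has nothing to verify against"
        findings=1
    fi

    # transport: ldaps:// URIs, or "ssl on"/"ssl start_tls"; anything else is plaintext LDAP
    ssl=$(printf '%s\n' "$body" | awk 'tolower($1)=="ssl"{v=tolower($2)} END{print v}')
    if [ "$ssl" != "on" ] && [ "$ssl" != "start_tls" ]; then
        for u in $(printf '%s\n' "$body" | awk 'tolower($1)=="uri"{for(i=2;i<=NF;i++) print $i}'); do
            case "$u" in
                ldaps://*) ;;
                *) echo "$conf: uri $u is not ldaps:// and ssl start_tls is not set: passwords cross the wire in clear"
                   findings=1 ;;
            esac
        done
        if printf '%s\n' "$body" | awk 'tolower($1)=="host"{f=1} END{exit !f}'; then
            echo "$conf: host directive without ssl on/start_tls: plaintext LDAP"
            findings=1
        fi
    fi
    return $findings
}

WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT
# constructed: the howto's settings (the uri line is assumed, the howto does not show it)
cat >"$WEAK_CONF" <<'EOF'
base dc=example,dc=com
uri ldaps://ldap.example.com/
pam_login_attribute uid:caseExactMatch:
tls_reqcert allow
EOF
# constructed: the same client pinned to the server's CA (path assumed)
cat >"$GOOD_CONF" <<'EOF'
base dc=example,dc=com
uri ldaps://ldap.example.com/
pam_login_attribute uid:caseExactMatch:
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
tls_reqcert demand
EOF

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    if audit_ldap_conf "$f"; then echo "$f: TLS settings OK"; fi
done
```

The howto's settings produce two findings (tls_reqcert allow and the missing trust anchor); the pinned variant produces none. Run it against the real /etc/ldap.conf with audit_ldap_conf /etc/ldap.conf after adjusting the paths.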

Changes in /etc/nsswitch.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Complete file: /etc/nsswitch.conf

Changed on 18.05.09
Issued by olli
Beginning line 56

Lookup order for group: local files first, then LDAP. gshadow is commented out, since no LDAP backend is configured for it.


Before change
group:      files
gshadow:    files
After change
group:      files ldap
#gshadow:    files

Changed on 18.05.09
Issued by olli
Beginning line 68

Lookup order for passwd: local files first, then LDAP. Keeping files first means root and the local system accounts still resolve when the LDAP server is unreachable.


Before change
#passwd:     files
After change
passwd:     files ldap

Changed on 18.05.09
Issued by olli
Beginning line 76

Lookup order for shadow: local files first, then LDAP. nss_ldap can only return the shadow attributes the directory's ACLs let this client read.


Before change
shadow:     files
After change
shadow:     files ldap

Changes in /etc/pam.d/system-auth

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Complete file: /etc/pam.d/system-auth

Changed on 18.05.09
Issued by olli
Beginning line 2

Authentication: pam_unix is tried first and is sufficient for local accounts. LDAP users fall through to pam_ldap, which reuses the password already entered (use_first_pass). The closing required pam_deny.so ensures the stack fails explicitly when both modules fail; do not drop it when switching pam_unix to sufficient. nullok is Gentoo's default and allows a local account with an empty password field to log in without a password; remove it if you do not rely on that.


Before change
auth            required        pam_unix.so try_first_pass likeauth nullok
After change
auth            sufficient   	pam_unix.so try_first_pass likeauth nullok
auth       	sufficient   	pam_ldap.so use_first_pass
#auth            optional        pam_smbpass.so migrate use_first_pass
auth       	required     	pam_deny.so

Changed on 18.05.09
Issued by olli
Beginning line 16

Account checks: pam_ldap performs the account check for LDAP users and is sufficient; local accounts fall through to the existing pam_unix line.

account    	sufficient   	pam_ldap.so


Changed on 18.05.09
Issued by olli
Beginning line 29

Password changes: pam_unix handles local accounts; LDAP users fall through to pam_ldap, which takes the new password from the preceding module (use_authtok) and binds as the user to update it. The directory's ACLs must therefore allow users to write their own userPassword, and the server should be configured to store it hashed.


Before change
password        required      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
After change
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password   	sufficient 	pam_ldap.so use_authtok use_first_pass
password   	required     	pam_deny.so

Changed on 18.05.09
Issued by olli
Beginning line 42

Session: pam_ldap is optional here, so a login is not refused when the LDAP server is unreachable at session setup.

session		optional     	pam_ldap.so
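
The following script is an added example for the PAM changes above; it is not part of the howto or of Linux-PAM. It checks a system-auth style file for the two review points raised there: a stack that relies on sufficient entries must end with a decisive required/requisite entry such as pam_deny.so (without it, a stack that opens with required pam_env.so and continues only with sufficient pam_unix/pam_ldap returns success when both password checks fail, because pam_env's success is the only recorded result), and nullok on pam_unix in the auth stack. The sample stack is constructed from the howto's "after change" lines plus Gentoo's usual pam_env, pam_cracklib and pam_limits lines; the exact order of the account lines is an assumption.

```sh
#!/bin/sh
# Added example, not part of the original howto: audit a /etc/pam.d/system-auth
# style stack. Rule 1: every management group that uses "sufficient" must end
# with a "required"/"requisite" entry (the howto's "required pam_deny.so").
# Rule 2: "nullok" on pam_unix in the auth group lets local accounts with an
# empty password field log in without a password. "include" lines are not
# followed; the sample stacks are constructed for the demo.

# audit_pam_stack FILE: print findings, exit 0 if none, 1 otherwise
audit_pam_stack() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        type = $1; sub(/^-/, "", type)            # "-auth": missing module is non-fatal
        i = 2; ctl = $i
        if (ctl ~ /^\[/)                          # [success=done default=ignore] spans fields
            while (ctl !~ /\]$/ && i < NF) { i++; ctl = ctl " " $i }
        i++; mod = $i; args = ""
        for (j = i + 1; j <= NF; j++) args = args " " $j
        seen[type] = 1
        if (ctl == "sufficient") suff[type] = 1
        if (ctl != "optional") { last_ctl[type] = ctl; last_mod[type] = mod }
        if (type == "auth" && mod ~ /pam_unix\.so$/ && args ~ /(^| )nullok( |$)/) nullok = 1
    }
    END {
        n = 0
        for (t in seen)
            if (suff[t] && last_ctl[t] != "required" && last_ctl[t] != "requisite") {
                printf "%s: has sufficient entries but the last decisive entry is \"%s %s\"; end it with \"required pam_deny.so\"\n", t, last_ctl[t], last_mod[t]
                n++
            }
        if (nullok) {
            print "auth: pam_unix.so has nullok; a local account with an empty password field needs no password"
            n++
        }
        exit (n > 0)
    }' "$1"
}

PAM_HOWTO=$(mktemp); PAM_BROKEN=$(mktemp); PAM_HARDENED=$(mktemp)
trap 'rm -f "$PAM_HOWTO" "$PAM_BROKEN" "$PAM_HARDENED"' EXIT
# constructed: the howto's stack with Gentoo's surrounding lines
cat >"$PAM_HOWTO" <<'EOF'
auth        required     pam_env.so
auth        sufficient   pam_unix.so try_first_pass likeauth nullok
auth        sufficient   pam_ldap.so use_first_pass
auth        required     pam_deny.so
account     sufficient   pam_ldap.so
account     required     pam_unix.so
password    required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password    sufficient   pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    sufficient   pam_ldap.so use_authtok use_first_pass
password    required     pam_deny.so
session     required     pam_limits.so
session     required     pam_unix.so
session     optional     pam_ldap.so
EOF
sed '/pam_deny\.so/d' "$PAM_HOWTO" >"$PAM_BROKEN"    # the mistake: pam_deny forgotten
sed 's/ nullok//' "$PAM_HOWTO" >"$PAM_HARDENED"       # howto stack without nullok

for f in "$PAM_HOWTO" "$PAM_BROKEN" "$PAM_HARDENED"; do
    echo "== $f"
    if audit_pam_stack "$f"; then echo "no findings"; fi
done
```

The howto's stack yields one finding (nullok), the variant without pam_deny three (auth, password, nullok), the hardened variant none. The rule is deliberately conservative: a required module placed after a sufficient one is also accepted as the decisive entry.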

Changes in /etc/saslauthd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Complete file: /etc/saslauthd.conf

Changed on 18.05.09
Issued by olli
Beginning line 1

If saslauthd serves SASL authentication for other services, configure its LDAP access here. ldap_scope one searches only the direct children of ldap_search_base, so all accounts must sit directly below it; the filter uses the same case-exact match as ldap.conf, with %U replaced by the user part of the login name (without any @domain). The file holds no bind credentials, which is why the -rw-r--r-- permissions above are acceptable; if you add ldap_bind_dn and ldap_bind_pw, make it mode 0600. Check the result with testsaslauthd -u <user> -p <password>.

ldap_servers: ldaps://127.0.0.1:636
ldap_search_base: ou=Users,ou=People,dc=example,dc=com
ldap_scope: one
ldap_uidattr: uid
ldap_filter: uid:caseExactMatch:=%U

Changes in /usr/local/sbin/checkusers.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Complete file: /usr/local/sbin/checkusers.sh

Changed on 02.12.09
Issued by olli
Beginning line 2

This is a script I use to create a home directory and a mailbox when a new LDAP user is created. Whether you can use it depends on your environment.

#!/bin/bash
. /etc/profile
# Drop cached lookups so users created in LDAP since the last run are seen
nscd --invalidate=group
nscd --invalidate=passwd
# Walk all UIDs known to NSS (files and LDAP); only 1000..8998 are real users
for i in $(getent passwd | cut -d":" -f 3)
do
 if [ "$i" -gt 999 ]
 then
  if [ "$i" -lt 8999 ]
  then
   # Get Infos (one lookup per UID)
   ENTRY=$(getent passwd "$i")
   USER=$(echo "$ENTRY" | cut -d":" -f 1)
   USERID=$(echo "$ENTRY" | cut -d":" -f 3)
   HOMEDIR=$(echo "$ENTRY" | cut -d":" -f 6)
   GROUP=$(echo "$ENTRY" | cut -d":" -f 4)
   LNAME=$(echo "$ENTRY" | cut -d":" -f 5)
   #echo "Checking User $USER"
   # Check for non existing HomeDir
   if ! [ -d "$HOMEDIR" ]
   then
    echo "Creating Homedir $HOMEDIR for $USER ($i)"
    mkdir -p "$HOMEDIR"
    chown "$USER:$GROUP" "$HOMEDIR"
    chmod 0700 "$HOMEDIR"
   fi
   # Check for existing Backup-Dir
   if ! [ -d "/srv/share/Backups/home/$USER" ]
   then
    echo "Creating BackupDir /srv/share/Backups/home/$USER for $USER ($i)"
    mkdir -p "/srv/share/Backups/home/$USER"
    chown "$USER:$GROUP" "/srv/share/Backups/home/$USER"
    chmod 0700 "/srv/share/Backups/home/$USER"
   fi
   # SSH KEYs (generated as the user, so ownership and permissions are right)
   if ! [ -e "$HOMEDIR/.ssh/id_ed25519" ]
   then
    echo "Generating openssh-key $USER for pubkey Auth e.g. for backups"
    su - "$USER" -c "ssh-keygen -q -t ed25519 -f $HOMEDIR/.ssh/id_ed25519 -N ''"
   fi
#   if ! [ -e $HOMEDIR/.ssh/dropbear.key ]
#   then
#    echo "Generating dropbear-key for pubkey Auth e.g. for syncopoli-backups"
#    mkdir -p $HOMEDIR/.ssh
#    su - $USER -c "dropbearkey -t ecdsa -f $HOMEDIR/.ssh/dropbear.key 2>/dev/null | grep ecdsa >>$HOMEDIR/.ssh/authorized_keys"
#    chown -R $USER:$GROUP $HOMEDIR/.ssh
#    chmod 644 $HOMEDIR/.ssh/authorized_keys
#    chmod 600 $HOMEDIR/.ssh/dropbear.key
#    chmod 700 $HOMEDIR/.ssh
#   fi
   # Check whether a mailbox exists
   if [ "$USER" != "admin" ]
   then
    if /usr/local/sbin/cyr-show-mailboxes | grep "^user.$USER" >/dev/null
    then
     echo "Mailbox for User $USER OK" >/dev/null
    else
     echo "Creating Mailbox for $USER"
     /usr/local/sbin/cyr-create-mbox "user/$USER" 100
    fi
    # Check/Recreate removed folders like Trash
    /usr/local/sbin/cyr-create-mbox "user/$USER"
   fi
   # DMS User (member of group dms, gid 2023)
   if id "$USER" | grep -q '2023(dms)'
   then
    if ! [ -d "/home/${USER}/DMS" ]
    then
     echo "Creating DMS mailbox/dirs/files for $USER"
     /usr/local/sbin/cyr-create-mbox "user/${USER}dms"
     mkdir -p "/home/${USER}/DMS/Upload" "/home/${USER}/DMS/.done"
     touch "/home/${USER}/DMS/.dmsdel" "/home/${USER}/DMS/control"
     chown -R "${USER}" "/home/${USER}/DMS"
    fi
   fi
  fi
 fi
done

# Home directories must not be readable by other users
chmod 700 /home/*
su - mailman -c "/usr/local/sbin/maillists.sh >/dev/null 2>&1"


Please send feedback to: doc<at>gabosh.net
