Configuring LDAP Authentication for Debian

NSS-LDAP Setup

1. Install the nscd package

Do 'apt-get install nscd' to install the libc caching daemon. This makes a performance difference but it will work without it.

QUESTION: Wouldn't it make more sense to do this after you are sure everything is working correctly?

POSSIBLE ANSWER: I can remember apt-get saying something about 'detecting nscd' when configuring libnss-ldap. In the case nscd was installed, it wouldn't install the libnss-ldap configuration file readable to all. So it could be wise to install nscd first. But I agree, when testing you should keep in mind whether it's running or not.

There is a debconf-note while installing nss_ldap "Note: As a sanity check, libnss-ldap will check if you have nscd installed and will only set the mode to 0600 if nscd is present." -- Balu, 2004-07-28

2. Install the [libnss-ldap] and [ldap-utils] packages

Do 'apt-get install libnss-ldap ldap-utils' to install the NSS LDAP package and ldapsearch utility.

Be sure to read the docs that are installed here: /usr/share/doc/libnss-ldap/

3. Edit the LDAP configuration file

To make life easier when using the LDAP utilities, edit /etc/ldap/ldap.conf to include:

  BASE dc=<yourhost>,dc=<your>,dc=<domain>
  URI ldap://yourhost.your.domain

4. Edit the hosts configuration file

Edit /etc/hosts so that it includes both the client and the LDAP server. Without this, nasty things happen at boot: programs try to use LDAP, which recurses on itself while looking up the LDAP server's hostname. Some documents claim to solve this by putting DNS before LDAP in /etc/nsswitch.conf, but my experience suggests otherwise (segfaults that required a reboot into single-user mode to fix). I think the reason is that NSS is needed for host lookups before DNS is available (I use DHCP on my clients). You don't need to do this if you don't use LDAP for hosts, because then this early host lookup simply fails instead of causing NSS/LDAP to recurse on itself.

5. Edit the {{{libnss-ldap}}} configuration file

Edit /etc/libnss-ldap.conf to include the following, and put the LDAP admin password in /etc/ldap.secret with mode 600 (rw-------). Note that the default Debian debconf setup does not set rootbinddn for libnss-ldap.conf (but libpam-ldap does in /etc/pam_ldap.conf, and will create /etc/ldap.secret for you). Without this, NSS does not have read access to passwords as root, and hence cannot authenticate users. This is not necessarily a problem as authentication could be performed in PAM by LDAP, but I have chosen to use NSS for authentication instead. This seems to more closely follow the non-LDAP approach of giving root access to passwords in /etc/shadow:

  # Your LDAP server. Must be resolvable without using LDAP.
  host yourhost.your.domain
  #
  # The distinguished name of the search base.
  base dc=yourhost,dc=your,dc=domain
  #
  # The LDAP version to use (defaults to 3 if supported by client library)
  ldap_version 3
  #
  # The distinguished name to bind to the server with if the effective user ID is root.
  # Password is stored in /etc/ldap.secret (mode 600)
  rootbinddn cn=admin,dc=yourhost,dc=your,dc=domain

Note that 'yourhost.your.domain' had better be in /etc/hosts; otherwise use the LDAP server's IP address. Only the 'rootbinddn' setting is not automatically configured in Debian.

6. Edit the NSS configuration file

Edit /etc/nsswitch.conf to use LDAP as follows. Note that I do not use the example nsswitch.conf provided with the stable (a.k.a. 'woody') libnss-ldap package because it seems to be overkill. I do not bother using LDAP for protocols, services, ethers, or rpc even though I imported them into LDAP:

  passwd:         files ldap
  group:          files ldap
  shadow:         files ldap
  #
  hosts:          files dns ldap
  networks:       files ldap
  #
  protocols:      db files
  services:       db files
  ethers:         db files
  rpc:            db files
  #
  netgroup:       nis
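Before rebooting (step 7), it is worth checking that steps 4 to 6 are consistent with each other, since a broken nsswitch.conf means booting to single-user mode to recover. The script below is an added example, not part of the original page: it takes the four file paths as arguments (for the live system, /etc/ldap.secret /etc/libnss-ldap.conf /etc/hosts /etc/nsswitch.conf) and checks the secret's mode, the presence of rootbinddn, that the 'host' named in libnss-ldap.conf is in /etc/hosts, and that nsswitch.conf consults ldap for passwd/group/shadow but 'files' first for hosts.

```shell
#!/bin/sh
# Added pre-reboot sanity check for the NSS-LDAP setup (example code, not from
# the original page). Paths are arguments so it can be run against copies.

# The admin password file must be mode 600 (rw-------); it should also be root-owned.
check_ldap_secret() {
    [ -f "$1" ] || { echo "missing $1"; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$1 is $perms, want -rw-------"; return 1; }
}

# Debian's debconf does not set rootbinddn; without it root cannot read shadow data.
check_rootbinddn() {
    grep -q '^rootbinddn[[:space:]]' "$1" || { echo "no rootbinddn in $1"; return 1; }
}

# The 'host' in libnss-ldap.conf must resolve without LDAP, i.e. appear as a
# name or alias on a non-comment line of /etc/hosts.
check_server_in_hosts() {
    server=$(awk '$1 == "host" { print $2; exit }' "$1")
    [ -n "$server" ] || { echo "no host line in $1"; return 1; }
    awk -v s="$server" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == s) ok = 1 }
                        END { if (ok) exit 0; exit 1 }' "$2" \
        || { echo "$server is not in $2"; return 1; }
}

# passwd, group and shadow must list ldap; hosts must consult files before ldap.
check_nsswitch() {
    for db in passwd group shadow; do
        awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                          END { if (ok) exit 0; exit 1 }' "$1" \
            || { echo "$db does not use ldap in $1"; return 1; }
    done
    awk '$1 == "hosts:" { if ($2 == "files") ok = 1 } END { if (ok) exit 0; exit 1 }' "$1" \
        || { echo "hosts: must list files first in $1"; return 1; }
}

# check_all SECRET LIBNSS_CONF HOSTS NSSWITCH -> returns 0 only if every check passes
check_all() {
    check_ldap_secret "$1" &&
    check_rootbinddn "$2" &&
    check_server_in_hosts "$2" "$3" &&
    check_nsswitch "$4"
}

if [ "$#" -eq 4 ]; then
    check_all "$@" && echo "nss-ldap configuration looks consistent"
fi
```

Run it as root so that /etc/ldap.secret is readable; a non-zero exit names the first file that fails.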

7. Reboot

I needed a reboot at this point to make sure the nss-ldap setup was fully working. Editing /etc/nsswitch.conf and reloading 'nscd' seems to have immediate effect though, so it might not be needed. If everything goes awry after the reboot you will need to boot in single-user mode (put 'single' on the kernel command line) to undo the changes to /etc/nsswitch.conf. Note: the nscd instructions only apply if you installed it above.

8. Verify NSS is operational

A. Test One

Check that NSS is seeing things from LDAP using 'getent' as described in ?"LDAPAuthenticationTools".

 # getent shadow

should show you accounts from LDAP that are not in the shadow file.

QUESTION: What do you do if it doesn't, or it does show the accounts but there are no passwords?

B. Test Two

[http://www.metaconsultancy.com/whitepapers/ldap-linux.htm This page] outlined another way to test and see if NSS is working right.

--- start quote ---

There is a simple way to verify that your name service subsystem is using your LDAP server as instructed. Assign a file to be owned by a user that exists only in the LDAP database, not in /etc/passwd. If an ls -l correctly shows the username, then the name service subsystem is consulting the LDAP database; if it just shows the user number, something is wrong. For example, if the user john, with user number 1001, exists only in LDAP, we can try

 # touch /tmp/test
 # chown 1001 /tmp/test 
 # ls -l /tmp/test
 -rw-r-----     1 john     users         0 Jan  1 12:00 test

to determine whether the name service is using LDAP.

--- end quote ---

Note that 'nscd' can mask problems with your NSS setup. This is because it runs as root (the super-user), and hence allows programs to use nsswitch as root. This allows things like 'ls' to see LDAP user and group names even though 'getent passwd' run as a normal user cannot see them. I am uncertain how many things might break with this setup, but things will certainly break when 'nscd' is stopped.

This is why it is good practice to use nscd: nscd runs as root and can read the LDAP configuration files (which may contain sensitive information) when they are chmodded 600. This way, normal users do not need read access to those files.


See Also: