Nslcd: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) (Initial version of a HowTo describing how to setup and configure nslcd with LDAP and pam_ldap) |
Mmuehlfeld (talk | contribs) m (Changed information about nested groups) |
||
Line 13: | Line 13: | ||
* Requires nslcd and pam_ldap to be installed on your system. |
* Requires nslcd and pam_ldap to be installed on your system. |
||
* The resolving of nested groups is only supported in newer version of nslcd (check the manpage). |
|||
* Nested groups can't be resolved. |
|||
Revision as of 23:10, 26 August 2013
Advantages / Disadvantages
Because people may find that some of the disadvantages are advantages or vice versa in their environment, we won't classify here.
- Fast and easy to configure.
- Requires central storage of posix data (UID/GID, home directory, shell, etc.) in AD. Your domain have to be provisioned/upgraded with --use-rfc2307 to store this data. Accounts/groups can be administrated e. g. via ADUC on Windows then.
- UIDs/GIDs are the same on every server.
- Doesn't require the machine to be joined to the domain. A simple LDAP connection to the DC (389/tcp for LDAP or 646/tcp for LDAPs) is enough.
- Requires nslcd and pam_ldap to be installed on your system.
- The resolving of nested groups is only supported in newer version of nslcd (check the manpage).
Installation
Most distributions already ship nslcd in their default installation. In RHEL6 the package is named nss-pam-ldapd.
If you want to authenticate local *nix services on your server against AD, additionaly you require pam_ldap.
Configuring nslcd
The following basic example let nslcd retrieve it's information from AD through an separate account. nslcd is also capable to use Kerberos. This would not be part of this HowTo.
- Create a new user account in your AD, nslcd uses to bind via LDAP and retrieve it's information. Make sure, that you configure this account with the „password never expires“ option! Remember the DN (distinguished name) of the new user. The following example uses the DN „cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com“.
- Currently not all required posix information could be retrieved via LDAP (Bug report #9788), because of incorrect directory ACLs. As a workaround, simply add the following to your smb.conf on the DC, nslcd is connecting to and restart Samba:
[global] ... acl:search = no
- Use the following content in your /etc/nslcd.conf:
#Mappings for Active Directory pagesize 1000 referrals off # Passwd filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)) map passwd uid sAMAccountName map passwd homeDirectory unixHomeDirectory map passwd gecos displayName map passwd gidNumber primaryGroupID # Groups filter group (&(objectClass=group)(gidNumber=*)) map group uniqueMember member # User/group with which the daemon should run (must be a local account!) uid nslcd gid ldap # LDAP server settings uri ldap://127.0.0.1:389/ base dc=SAMDOM,dc=example,dc=com # Account in AD that is used from nslcd to bind to the directory binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com bindpw xxxxx
- Start the nslcd daemon.
- Append ldap to the passwd and group entry of your /etc/nsswitch.conf, to let the system query LDAP for this this databases.
passwd: files ldap group: files ldap
- All accounts/groups are now available to the local system.
Testing
- Test 1: Retrieving accounts via getent. This should show local and domain accounts (which have the required posix attributes).
# getent passwd ... Administrator:*:10000:513::/home/Administrator:/bin/bash demo1:*:10002:513:Demo User1:/home/demo1:/bin/false
- Test 2: Retrieving groups via getent. This should show local and domain groups (which have the required posix attributes).
# getent group ... Domain Users:*:10000:demo1 demo-group:*:10003:demo1
- Test 3: Change owner/group of of a file to a domain user/group:
# touch /tmp/testfile # chown Administrator:"Domain Users" /tmp/testfile # ls -l /tmp/testfile -rw-r--r-- 1 Administrator Domain Users 0 26. Aug 22:35 /tmp/testfile
Configuring PAM (pam_ldap)
To authenticate local services (SSH, FTP, etc.) which uses PAM, you can setup pam_ldap to authenticate against AD via LDAP.
- Edit /etc/pam_ldap.conf:
base dc=SAMDOM,dc=example,dc=com binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com bindpw xxxxx bind_policy soft pam_login_attribute sAMAccountName uri ldap://127.0.0.1:389:389/ ssl no
- Edit your PAM configuration file(s) corresponding to the services you want to hook up. The following is an example for a PAM configuration, that can be used e. g. for ssh (/etc/pam.d/sshd). But be carefull: Change take effect immediately!
#%PAM-1.0M-1.0 auth required pam_nologin.so auth sufficient pam_ldap.so auth required pam_unix.so use_first_pass # set_secrpc account required pam_unix.so password required pam_pwcheck.so password required pam_ldap.so use_authtok password required pam_unix.so use_first_pass use_authtok session required pam_unix.so session required pam_limits.so session required pam_env.so
Testing
- Test 1: Try accessing a service or log into a service, you have configured to use pam_ldap. Example for ssh:
# ssh demo1@DC1 demo1@dc1's password: Last login: Mon Aug 26 22:59:40 2013 from pc01.samdom.example.com [demo1@DC1 ~]$