noqqe


blog | sammelsurium | projects | about

OpenLDAP PAM Auth

2013-03-06 @ OpenLDAP, Software

Administrativer Account anlegen für Modify:

ldapmodify -a -xWD "cn=admin,dc=example,dc=com" << EOF
> dn: cn=auth,dc=example,dc=com
> objectClass: organizationalRole
> objectClass: simpleSecurityObject
> cn: auth
> userPassword: {SSHA}hNQpve/j+JYBCLG8m29XTx4bJ0Qi7Kmq
> EOF
Enter LDAP Password:
adding new entry "cn=auth,dc=example,dc=com"

Lesender Account anlegen für Auth und lesen:

ldapmodify -a -xWD "cn=admin,dc=example,dc=com" << EOF
dn: cn=rauth,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: rauth
userPassword: {SSHA}hNQpve/j+JYBCLG8m29XTx4bJ0Qi7Kmq
EOF

Enter LDAP Password:
adding new entry "cn=rauth,dc=example,dc=com"

Dann das PAM Module installieren

aptitude install libpam-ldap

Ich bin da nur dem Dialog gefolgt. Was ich bisher finden konnte:

unterhalb pam.d:

common-account

account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so
account	[success=1 default=ignore]	pam_ldap.so
account	requisite			pam_deny.so
account	required			pam_permit.so

common-auth

auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_ldap.so use_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so

common-password

password	[success=2 default=ignore]	pam_unix.so obscure sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so use_authtok try_first_pass
password	requisite			pam_deny.so
password	required			pam_permit.so

common-session

session	[default=1]			pam_permit.so
session	requisite			pam_deny.so
session	required			pam_permit.so
session	required	pam_unix.so
session	optional        pam_ldap.so

common-session-noninteractive

session	[default=1]			pam_permit.so
session	requisite			pam_deny.so
session	required			pam_permit.so
session	required	pam_unix.so
session	optional			pam_ldap.so

In der /etc/pam_ldap.conf

base dc=example,dc=com
uri ldaps://10.10.0.29/
ldap_version 3
binddn cn=rauth,dc=example,dc=com
bindpw foobar
rootbinddn cn=auth,dc=example,dc=com
pam_password crypt
scope sub