lldap/example_configs/pam
Roman a2ba71ac19
Some checks failed
Rust / pre_job (push) Has been cancelled
Rust / cargo test (push) Has been cancelled
Rust / cargo clippy (push) Has been cancelled
Rust / cargo fmt (push) Has been cancelled
Rust / Code coverage (push) Has been cancelled
example_configs: Update PAM integration
* Add more information for PAM integration:

* Add info that custom attributes only work on nightly
* Add sample lldap-cli command to set attribute

* Modify nslcd to use unix-uid/gid directly as it is now supported

* Add readme for PAM integration, removing the need for is-unix-user/group.
2024-09-17 00:19:03 +02:00
..
nslcd.conf example_configs: Update PAM integration 2024-09-17 00:19:03 +02:00
README.md example_configs: Update PAM integration 2024-09-17 00:19:03 +02:00

Important

The integration requires custom ldap properties which are not supported on stable (as of 2024-09-19), please use nightly/latest tag.

Configure lldap

You MUST use LDAPS. You MUST NOT use plain ldap. Even over a private network this costs you nearly nothing, and passwords will be sent in PLAIN TEXT without it.

[ldaps_options]
enabled=true
port=6360
cert_file="cert.pem"
key_file="key.pem"

You can generate an SSL certificate for it with the following command. The subjectAltName is REQUIRED. Make sure all domains are listed there, even your CN.

openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 36500 -nodes -subj "/CN=lldap.example.net" -addext "subjectAltName = DNS:lldap.example.net"

Install the client packages.

This guide used libnss-ldapd (which is different from libnss-ldap).

PURGE the following ubuntu packages: libnss-ldap, libpam-ldap

Install the following ubuntu packages: libnss-ldapd, nslcd, nscd, libpam-ldapd

Configure the client's nslcd settings.

Edit /etc/nslcd.conf. Use the provided template.

You will need to set tls_cacertfile to a copy of the public portion of your LDAPS certificate, which must be available on the client. This is used to verify the LDAPS server identity.

You will need to add the binddn and bindpw settings.

The provided implementation uses custom attributes to mark users and groups that should be included in the system (for instance, you don't want LDAP accounts of other services to have a matching unix user).

Tip

You can create custom attributes in the Web UI, but to provide values, you need to communicate with the API, see scripting. Example using lldap-cli: ./lldap-cli user update set example-user unix-uid 5000

For users, you need to add an (integer) unix-uid attribute to the schema, and manually set the value for the users you want to enable to login with PAM.

For groups, you need an (integer) unix-gid attribute, similarly set manually to some value.

If you want to change this representation, update the filter passwd and filter group accordingly.

You should check whether you need to edit the pam_authz_search setting. This is used after authentication, at the PAM account stage, to determine whether the user should be allowed to log in. If someone is an LDAP user, even if they use an SSH key to log in, they must still pass this check. The provided example will check for membership of a group named YOUR_LOGIN_GROUP_FOR_THIS_MACHINE.

You should review the map settings. These contain custom attributes that you will need to add to lldap and set on your users.

Configure the client OS.

Ensure the nslcd and nscd services are installed and running. nslcd provides LDAP NSS service. nscd provides caching for NSS databased. You want the caching.

systemctl enable --now nslcd nscd

Configure PAM to create the home directory for LDAP users automatically at first login.

pam-auth-update --enable mkhomedir

Edit /etc/nsswitch.conf and add "ldap" to the END of the "passwd" and "group" lines.

You're done!

Clearing nscd caches.

If you want to manually clear nscd's caches, run nscd -i passwd; nscd -i group.