LDP/LDP/howto/docbook/Ldap-Implementation-HOWTO/section-pamnss.sgml


2000-09-13 22:25:31 +00:00
<SECT1 ID="pamnss"><TITLE>LDAP authentication using pam_ldap and nss_ldap</TITLE>
<PARA>For the standard services to work with LDAP, three things are necessary:<ITEMIZEDLIST><LISTITEM><PARA>All programs that should get their authentication from LDAP need to be pamified. That is, they need to work with the pam libraries to get their authentication. On RedHat systems, pam is used by default since version 5.2. Slackware has had no pam support as far as I know. With Debian I'm not sure, but version 2.1 and up do have pam support.</PARA></LISTITEM>
<LISTITEM><PARA>The pam_ldap libraries must be installed, and the files in <FILENAME MOREINFO="NONE">/etc/pam.d</FILENAME> must be adapted to use the pam_ldap module.</PARA></LISTITEM>
<LISTITEM><PARA>The nss_ldap libraries must be installed, and <FILENAME MOREINFO="NONE">/etc/nsswitch.conf</FILENAME> must be adapted to use the nss_ldap library.</PARA></LISTITEM></ITEMIZEDLIST></PARA>
<SECT2><TITLE>Installation</TITLE>
<PARA>RedHat 6.2 has an rpm for this, nss_ldap. It contains both the nss_ldap and the pam_ldap libraries. Whether this rpm needs a different configuration from the one described below, I don't know yet.</PARA>
<SECT3><TITLE>pam_ldap</TITLE>
<PARA>Read and edit <FILENAME MOREINFO="NONE">Make.defs</FILENAME>. You have to define where the libraries will be installed, and you have to comment out the Netscape LDAP include and definition lines and uncomment the OpenLDAP lines. OpenLDAP version 1.2.9 uses the V2 API, so you should change the CDEFS line too. You should install the module under <FILENAME MOREINFO="NONE">/lib/security</FILENAME>. After that you can simply install with</PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
bash# make -f Makefile.linux
bash# make -f Makefile.linux install</PROGRAMLISTING></PARA>
<PARA>This will install <FILENAME MOREINFO="NONE">/lib/security/pam_ldap.so.1</FILENAME> and the various symlinks. Don't forget to run <COMMAND MOREINFO="NONE">ldconfig</COMMAND> afterwards.</PARA></SECT3>
<SECT3><TITLE>nss_ldap</TITLE>
<PARA>After you've unpacked the sources, check the makefile. For most configurations, it doesn't need to be edited. In any case, you should not comment out the LIBS line in the makefile, although it is not explicitly stated that it is needed when compiling for OpenLDAP. When you make and install it with</PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
bash# make -f Makefile.linux
bash# make -f Makefile.linux install</PROGRAMLISTING></PARA>
<PARA>it installs <FILENAME MOREINFO="NONE">/lib/libnss_ldap.so</FILENAME>, which is the nss_ldap library, and a set of example configuration files, <FILENAME MOREINFO="NONE">/etc/nsswitch.ldap</FILENAME> and <FILENAME MOREINFO="NONE">/etc/ldap.conf</FILENAME>, in case they do not exist already.</PARA></SECT3></SECT2>
<SECT2><TITLE>Configuration</TITLE>
<SECT3><TITLE>pam_ldap</TITLE>
<PARA>For pam_ldap to work correctly, the files in <FILENAME MOREINFO="NONE">/etc/pam.d</FILENAME> should be configured to use ldap. You can use the example configuration files that come with the pam_ldap sources. These work on most systems. If you are concerned about security, you might want to tweak them to your specific needs. See the pam documentation for this.<NOTE><PARA>In the example <FILENAME MOREINFO="NONE">pam.d</FILENAME> directory, an <FILENAME MOREINFO="NONE">sshd</FILENAME> file is not present, so unless you create one, you will be unable to log in via ssh if it uses pam.</PARA></NOTE></PARA></SECT3>
<SECT3><TITLE>nss_ldap</TITLE>
<PARA>For nss_ldap to work correctly, the <FILENAME MOREINFO="NONE">/etc/nsswitch.conf</FILENAME> file needs a little editing. Take a look at the example <FILENAME MOREINFO="NONE">nsswitch.ldap</FILENAME> to see how it's done there. I would suggest adding the <OPTION>ldap</OPTION> flags to the appropriate lines manually, to preserve the rest of the settings in your <FILENAME MOREINFO="NONE">nsswitch.conf</FILENAME>. In order to make the standard services work, there are three lines that need to be changed.</PARA>
<PARA>This is how they look on my system. I do not use nis or nisplus.</PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
passwd: files ldap
shadow: files ldap
group: files ldap</PROGRAMLISTING></PARA>
<PARA>Beware of using ldap as a backup for your DNS lookups. If DNS cannot resolve the hostname, you end up in infinite recursion, because libldap itself calls gethostbyname(). [from nsswitch.ldap]</PARA>
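<PARA>The following script is an added example and not part of this HOWTO or of nss_ldap: it checks an <FILENAME MOREINFO="NONE">nsswitch.conf</FILENAME> for the three lines above and flags a <OPTION>hosts</OPTION> line that consults ldap, the recursion hazard just described. The two sample files it builds are constructed for the demonstration, not taken from a real system.</PARA>

```shell
#!/bin/sh
# Added example, not part of the HOWTO: sanity-check an nsswitch.conf for the
# nss_ldap setup above. It verifies that the passwd, shadow and group lines
# consult ldap, and it flags a "hosts:" line that uses ldap, which the HOWTO
# warns can recurse forever because libldap itself calls gethostbyname().
# sources DB FILE: print the lookup sources of the last uncommented "DB:" line
sources() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | sed 's/#.*//' | tail -n 1
}

# check_nsswitch FILE: print one line per finding, return 0 only if all pass
check_nsswitch() {
    rc=0
    for db in passwd shadow group; do
        src=$(sources "$db" "$1")
        case " $src " in
            *" ldap "*) printf 'ok: %s: %s\n' "$db" "$src" ;;
            *) printf 'missing: %s does not consult ldap: %s\n' "$db" "$src"; rc=1 ;;
        esac
    done
    src=$(sources hosts "$1")
    case " $src " in
        *" ldap "*) printf 'danger: hosts consults ldap (gethostbyname recursion): %s\n' "$src"; rc=1 ;;
        *) printf 'ok: hosts: %s\n' "$src" ;;
    esac
    return $rc
}

# Constructed sample files (not real system files) to exercise the check.
TMPDIR_EX=$(mktemp -d)
GOOD="$TMPDIR_EX/nsswitch.good"
BAD="$TMPDIR_EX/nsswitch.bad"
cat > "$GOOD" <<'EOF'
# constructed: matches the HOWTO's example lines
passwd: files ldap
shadow: files ldap
group:  files ldap   # trailing comment is ignored
hosts:  files dns
EOF
cat > "$BAD" <<'EOF'
# constructed: shadow left on files only, hosts falls back to ldap
passwd: files ldap
shadow: files
group:  files ldap
hosts:  files dns ldap
EOF
check_nsswitch "$GOOD"                           # all ok, returns 0
check_nsswitch "$BAD" || echo "bad config found"  # reports shadow and hosts
```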
<PARA>Secondly, a correct <FILENAME MOREINFO="NONE">/etc/ldap.conf</FILENAME> file must exist, but if you have installed ldap correctly, it should already be in place.</PARA></SECT3></SECT2></SECT1>