LDAP authentication on Ubuntu and CentOS

Lightweight Directory Access Protocol

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.

LDAP provides an easy way to run a centralized authentication server.

LDAP is the protocol a client uses to connect to a directory server.

The client connects to the directory server; the directory itself is hierarchical in its layout, like DNS.

lisa.certification.com - the DNS way of writing the name

dc (domain component) - a container, not a live object
cn (common name) - a live object, such as a user

The same object in LDAP notation:
cn=lisa,dc=certification,dc=com

When setting up the connection to the LDAP server we give the client a base context.
The base context is like the search domain in DNS: it is the starting point from which clients look for objects, such as user objects.

base context example:
dc=certification,dc=com
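To make the notation concrete, here is a small helper, added as an example and not part of these notes, that builds the base context and a user DN from a DNS-style name and splits a DN back into its attribute/value pairs. The function names (base_context, user_dn, split_dn) and the sample values are my own; the escaping follows RFC 4514, so a value that happens to contain a comma cannot add or remove an RDN from the DN it is placed in.

```python
"""Build and split LDAP distinguished names (DNs), as an added example.

Turns a DNS-style name into the LDAP notation used in these notes and
back again.  Attribute values are escaped according to RFC 4514.
All sample values are constructed.
"""

# Characters that must be backslash-escaped anywhere inside an RDN value (RFC 4514 2.4).
SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                       # NUL is written as a hex pair
        elif ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                        # a leading '#' would start a hex string
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                        # leading/trailing space is significant
        else:
            out.append(ch)
    return "".join(out)


def base_context(domain):
    """'certification.com' -> 'dc=certification,dc=com' (the base context of the notes)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("dc=" + escape_rdn_value(label) for label in labels)


def user_dn(cn, domain):
    """'lisa', 'certification.com' -> 'cn=lisa,dc=certification,dc=com'."""
    return "cn=" + escape_rdn_value(cn) + "," + base_context(domain)


def split_dn(dn):
    """Split a DN into [(attribute, value)] pairs, honouring backslash escapes.

    '\\,' yields a literal comma inside the value instead of an RDN
    boundary; '\\XX' hex pairs are decoded (single-byte values only here).
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")   # attribute names never contain '='
        pairs.append((attr.strip().lower(), value))
    return pairs


if __name__ == "__main__":
    dn = user_dn("lisa", "certification.com")
    print(dn, "->", split_dn(dn))
    # A constructed cn containing a comma stays one cn value after the round trip.
    print(split_dn(user_dn("lisa,dc=evil", "certification.com")))
```

The round trip is the point: if a user-supplied name is pasted into a DN without escaping, a comma in it becomes an extra RDN and the lookup lands somewhere else in the tree; with escaping, split_dn returns it as a single cn value.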

The login binary handles every console login on the system; locate it:
[root@localhost ~]# which login
/bin/login

The login binary is pretty straightforward (in principle). It's just a program that runs as the root user (started, indirectly through getty or an X display manager, from init, the first user-space process). It performs authentication of the logging-in user and, if that is successful, changes user (using one of the setuid() family of system calls), sets appropriate environment variables, umask, etc., and exec()s a login shell.

Find the libraries the login binary links against; libpam is among them:

[root@localhost ~]# ldd /bin/login
linux-vdso.so.1 =>  (0x00007fff851e3000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007fe455e43000)
libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007fe455c3f000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fe455a16000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe4557ef000)
libc.so.6 => /lib64/libc.so.6 (0x00007fe45542e000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fe455229000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007fe455023000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe454dc2000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe456066000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe454ba5000)

Linux Pluggable Authentication Modules (PAM) provide dynamic authentication support for applications and services on a Linux or GNU/kFreeBSD system. Linux-PAM evolved from the Unix Pluggable Authentication Modules architecture. Each service gets its own configuration file under /etc/pam.d:

[root@localhost ~]# ls /etc/pam.d
atd          cups                 gdm-launch-environment  liveinst       password-auth-ac  ppp        smartcard-auth     su           system-auth-ac
chfn         fingerprint-auth     gdm-password            login          pluto             remote     smartcard-auth-ac  sudo         systemd-user
chsh         fingerprint-auth-ac  gdm-pin                 other          polkit-1          runuser    smtp               sudo-i       vlock
config-util  gdm-autologin        gdm-smartcard           passwd         postlogin         runuser-l  smtp.postfix       su-l         vmtoolsd
crond        gdm-fingerprint      ksu                     password-auth  postlogin-ac      setup      sshd               system-auth  xserver
[root@localhost ~]#

[root@localhost ~]# cat /etc/pam.d/login 
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
[root@localhost ~]#


[root@localhost ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

[root@localhost ~]#
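The control keywords in the stacks above (required, requisite, sufficient, optional, and the bracketed [success=1 default=ignore] form) decide how each module's return value affects the final result. The following simulator, added as an example and not part of these notes or of Linux-PAM itself, parses the auth and session stacks of the system-auth file shown above and walks them with the rules given in pam.conf(5). The module outcomes (which module returns success, auth_err, user_unknown, and so on) are constructed inputs; include and substack lines are skipped rather than expanded.

```python
"""Simulate how Linux-PAM walks a module stack, as an added example.

Each pam.d line is `facility control module [args]`.  The control
decides what the module's return value does to the result.  The
keyword tables follow pam.conf(5); outcomes are constructed inputs and
include/substack lines are not expanded here.
"""
import re

# Keyword forms written as the [value=action ...] tables from pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_control(token):
    """'sufficient' or '[success=1 default=ignore]' -> {retval: action} table."""
    if token.startswith("["):
        return dict(pair.split("=", 1) for pair in token.strip("[]").split())
    return KEYWORDS[token]


def parse_stack(text, facility):
    """Return [(control_table, module, args)] for one facility of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != facility:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            continue  # another file would be spliced in here; not modelled
        stack.append((parse_control(control), module, args))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack with Linux-PAM's rules; return (status, modules consulted).

    outcomes maps module name -> the PAM return value it produces
    ('success', 'auth_err', 'user_unknown', ...); unlisted modules
    are treated as returning PAM_IGNORE.
    """
    impression, status, trace, i = None, None, [], 0
    while i < len(stack):
        control, module, _args = stack[i]
        i += 1
        trace.append(module)
        retval = outcomes.get(module, "ignore")
        action = control.get(retval, control.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "reset":            # forget everything decided so far
            impression, status = None, None
            continue
        if action.isdigit():             # N: same as ok, then skip N modules
            i += int(action)
            action = "ok"
        # A module may only set the result while nothing negative has been recorded.
        undecided = impression is None or (impression == "positive" and status == "success")
        if action in ("bad", "die"):
            if undecided:
                impression, status = "negative", retval
            if action == "die":          # requisite-style: stop immediately
                break
        elif action in ("ok", "done"):
            if undecided:
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                    # sufficient-style: success ends the stack
    return (status if impression is not None else "perm_denied"), trace


# The auth and session facilities of the /etc/pam.d/system-auth shown above.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""


def authenticate(outcomes):
    return run_stack(parse_stack(SYSTEM_AUTH, "auth"), outcomes)


if __name__ == "__main__":
    # Constructed outcomes for an LDAP-only user presenting the right password.
    print(authenticate({"pam_env.so": "success", "pam_fprintd.so": "authinfo_unavail",
                        "pam_unix.so": "user_unknown", "pam_ldap.so": "success"}))
```

Two things the walk makes visible: a sufficient module (pam_unix or pam_ldap) only ends the stack with success when no earlier required module has failed, and the trailing required pam_deny is what makes the auth stack fail closed when neither of them succeeded. In the session stack, the [success=1 default=ignore] line jumps over pam_unix only when the service is crond.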

Set up client authentication (CentOS side):
[root@localhost ~]# yum install nscd nss-pam-ldapd pam_ldap -y

yum install authconfig-gtk

su - ldapuser5

The user is not in /etc/passwd, yet su - ldapuser5 succeeds: after the client setup, user lookups and authentication go through LDAP.


ubuntu@ubuntu:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu
192.168.154.134 example.com

192.168.154.134 example1.com

Install the OpenLDAP server and the client tools on the Ubuntu host:

sudo apt-get update
sudo apt-get install slapd ldap-utils

ubuntu@ubuntu:~$ sudo dpkg-reconfigure slapd
 * Stopping OpenLDAP slapd                                                            [ OK ]
  Moving old database directory to /var/backups:
  - directory unknown... done.
  Creating initial configuration... done.
  Creating LDAP directory... done.
 * Starting OpenLDAP slapd                                                            [ OK ]

Processing triggers for libc-bin (2.19-0ubuntu6.9) ...


ubuntu@ubuntu:~$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

The first search returns result 32 (No such object) because no base was given and the default empty base is not an entry in this directory; passing the base with -b makes the search succeed:

ubuntu@ubuntu:~$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com

dn: cn=admin,dc=example,dc=com

ubuntu@ubuntu:~$ 
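The ldapsearch output above is LDIF. The parser below, added as an example and not part of these notes or of OpenLDAP, reads that format (the # comment lines, dn: entry boundaries, folded continuation lines, base64 :: values, and the result: line) so a script can tell the 32 No such object run apart from a successful search, and collects the entry DNs the way the -LLL ... dn run prints them. The sample outputs are constructed after the runs above, with a few attributes added for the admin entry.

```python
"""Parse the LDIF that ldapsearch prints, as an added example.

Handles '#' commentary, 'dn:' boundaries, folded lines (RFC 2849: a
line starting with one space continues the previous line), '::'
base64 values and the 'result:' line.  Sample outputs are constructed.
"""
import base64

# LDAP result codes seen in the runs above plus the one a failed bind returns.
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def unfold(lines):
    """Join continuation lines onto the line they continue."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return (entries, result_code); each entry is {attribute: [values]}."""
    entries, current, result_code = [], None, None
    for line in unfold(text.splitlines()):
        if line.startswith("#"):
            continue                      # ldapsearch commentary, not data
        if not line.strip():
            if current is not None:       # a blank line closes the entry
                entries.append(current)
                current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": [value]}
        elif current is None and attr == "result":
            result_code = int(value.split()[0])   # 'result: 32 No such object'
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries, result_code


def entry_dns(text):
    """DNs in the order returned, like the 'dn' projection in the -LLL run."""
    return [e["dn"][0] for e in parse_ldif(text)[0]]


# Constructed after the 'ldapsearch -x' run with no base.
NOBASE_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
"""

# Constructed after the -b dc=example,dc=com run, with attributes added.
FULL_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description:: TERBUCBhZG1pbmlzdHJhdG9y
description: folded value that continues
  on the next line

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

if __name__ == "__main__":
    print(parse_ldif(NOBASE_OUTPUT))
    print(entry_dns(FULL_OUTPUT))
```

A script that only counts dn: lines would report "no users" for both the missing-base run and an empty but successful search; checking result_code against RESULT_CODES separates a client misconfiguration (32) from an empty directory (0).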

