LDAP authentication on Ubuntu and CentOS
LDAP - Lightweight Directory Access Protocol
LDAP (Lightweight Directory Access Protocol) is a protocol for locating organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
LDAP gives you an easy way to run a centralized authentication server: the protocol is what clients use to talk to the directory server.
The directory server is hierarchical in its setup, like DNS.
lisa.certification.com - the DNS way of writing a name
dc (domain component) - a container, not a live object; cn (common name) - the live object, the leaf entry
LDAP notation for the same name:
cn=lisa,dc=certification,dc=com
When setting up a connection to an LDAP server you give it a base context (the base DN).
The base context is like the search domain in DNS: it is the starting point from which your clients look for objects, such as user objects.
base context example:
dc=certification,dc=com
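The mapping between a DNS name and a DN, and what the base context does to a search, is easier to see in code. This is an added example, not part of the original notes: lisa, certification.com and example.com are the names used above, the other entries and the search scopes are constructed for the demonstration.

```python
"""Turn DNS-style names into LDAP DNs and show what a base DN scopes a search to.

Added example; not from the original post. The names lisa, certification.com
and example.com come from the notes, the remaining entries are constructed.
"""


def dns_to_dn(fqdn, leaf_attr="cn"):
    """'lisa.certification.com' -> 'cn=lisa,dc=certification,dc=com'.

    The left-most label is the live object (cn); every other label becomes a
    dc container. Both notations are written leaf first, so the order matches."""
    leaf, *domain = fqdn.split(".")
    return ",".join([f"{leaf_attr}={leaf}"] + [f"dc={label}" for label in domain])


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first.

    A comma escaped as '\\,' stays inside its value. Attribute types and
    values are lower-cased because dc and cn compare case-insensitively."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape and the escaped char
            current += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(current)
            current = ""
        else:
            current += dn[i]
        i += 1
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def in_scope(entry_dn, base_dn, scope="sub"):
    """Would a search rooted at base_dn with this scope return entry_dn?

    'base' matches only the base entry, 'one' its direct children and
    'sub' the base plus everything beneath it (ldapsearch's default)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under this base context at all
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


# Constructed directory contents: the two trees from the notes side by side
DIRECTORY = [
    "dc=certification,dc=com",
    "cn=lisa,dc=certification,dc=com",
    "ou=people,dc=certification,dc=com",
    "cn=bob,ou=people,dc=certification,dc=com",
    "dc=example,dc=com",
    "cn=admin,dc=example,dc=com",
]


def search(base_dn, scope="sub"):
    """DNs a client would get back for this base context and scope."""
    return [dn for dn in DIRECTORY if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    print(dns_to_dn("lisa.certification.com"))
    for dn in search("dc=example,dc=com"):
        print("dn:", dn)
```

A client configured with base context dc=certification,dc=com never sees dc=example,dc=com, however the server is populated; the base DN, not the server address, decides which part of the tree the client searches.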
The login binary is the program that authenticates console logins, so it is the place to start tracing how authentication is wired:
[root@localhost ~]# which login
/bin/login
The login binary is pretty straightforward (in principle). It's just a program that runs as root (started, indirectly through getty or an X display manager, from init, the first user-space process). It performs authentication of the logging-in user, and if that is successful, changes user (using one of the setuid() family of system calls), sets appropriate environment variables, umask, etc, and exec()s a login shell.
Find the libraries the login binary links against (note libpam.so.0: the authentication decision is delegated to PAM):
[root@localhost ~]# ldd /bin/login
linux-vdso.so.1 => (0x00007fff851e3000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007fe455e43000)
libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007fe455c3f000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fe455a16000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe4557ef000)
libc.so.6 => /lib64/libc.so.6 (0x00007fe45542e000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fe455229000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007fe455023000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe454dc2000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe456066000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe454ba5000)
Linux Pluggable Authentication Modules (PAM) provide dynamic authentication support for applications and services on a Linux or GNU/kFreeBSD system. Linux-PAM evolved from the Unix Pluggable Authentication Modules architecture. Every program that authenticates users (login, sshd, su, sudo, ...) has its own stack in /etc/pam.d:
[root@localhost ~]# ls /etc/pam.d
atd cups gdm-launch-environment liveinst password-auth-ac ppp smartcard-auth su system-auth-ac
chfn fingerprint-auth gdm-password login pluto remote smartcard-auth-ac sudo systemd-user
chsh fingerprint-auth-ac gdm-pin other polkit-1 runuser smtp sudo-i vlock
config-util gdm-autologin gdm-smartcard passwd postlogin runuser-l smtp.postfix su-l vmtoolsd
crond gdm-fingerprint ksu password-auth postlogin-ac setup sshd system-auth xserver
[root@localhost ~]#
[root@localhost ~]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
[root@localhost ~]#
[root@localhost ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@localhost ~]#
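To see how the control flags in that auth stack combine, here is a small simulator. It is an added example, not code from this post or from Linux-PAM: the accounts, passwords and module stubs are constructed, the first stack text is the auth section of the system-auth listing above, and the second is an assumed variant with the uid >= 1000 check moved ahead of pam_ldap.so.

```python
"""Simulate the 'auth' phase of the system-auth stack shown above.

Added example (not from the original page or the Linux-PAM project). Modules
are stubbed and accounts constructed so it runs offline; it models the control
flags used in the listing (required, requisite, sufficient) with the usual
Linux-PAM short-circuit rules.
"""
from dataclasses import dataclass
from typing import Optional

# auth lines copied from the /etc/pam.d/system-auth listing above
SYSTEM_AUTH = """
auth required   pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth required   pam_deny.so
"""

# Assumed variant: the same modules, uid check placed ahead of pam_ldap.so
SYSTEM_AUTH_GATED = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""


@dataclass
class User:
    name: str
    uid: int
    local_password: Optional[str] = None  # set when the account is in /etc/shadow
    ldap_password: Optional[str] = None   # set when the account is in the directory


# Constructed accounts for the simulation (assumptions, not from the page)
USERS = {
    "root": User("root", 0, local_password="toor"),
    "lisa": User("lisa", 1001, local_password="hunter2"),
    "guest": User("guest", 1002, local_password=""),              # empty shadow field
    "ldapuser5": User("ldapuser5", 2005, ldap_password="ldapsecret"),
    "svc-ldap": User("svc-ldap", 450, ldap_password="svcsecret"),  # directory account, system uid
}


def pam_env(user, pw, opts):      # only sets environment variables; never fails
    return True

def pam_fprintd(user, pw, opts):  # no fingerprint reader on this box
    return False

def pam_unix(user, pw, opts):     # /etc/shadow check
    if user.local_password is None:
        return False
    if user.local_password == "" and "nullok" not in opts:
        return False              # empty password field is rejected unless nullok
    return pw == user.local_password

def pam_ldap(user, pw, opts):     # stands in for a bind against the directory
    return user.ldap_password is not None and pw == user.ldap_password

def pam_succeed_if(user, pw, opts):
    i = opts.index("uid")
    op, value = opts[i + 1], int(opts[i + 2])
    return {">=": user.uid >= value, "<": user.uid < value}[op]

def pam_deny(user, pw, opts):
    return False

MODULES = {"pam_env.so": pam_env, "pam_fprintd.so": pam_fprintd, "pam_unix.so": pam_unix,
           "pam_ldap.so": pam_ldap, "pam_succeed_if.so": pam_succeed_if, "pam_deny.so": pam_deny}


def parse_stack(text, phase="auth"):
    """Return [(control, module, options)] for the lines of one PAM phase."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0].lstrip("-") != phase:
            continue
        control, module, *opts = fields[1:]
        stack.append((control, module, opts))
    return stack


def authenticate(stack, user, pw):
    """Walk the stack with Linux-PAM rules; return (granted, trace)."""
    required_failed = False
    trace = []
    for control, module, opts in stack:
        ok = MODULES[module](user, pw, opts)
        trace.append(f"{control:<10} {module:<18} {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return False, trace           # fail at once; later modules never run
        if control == "required" and not ok:
            required_failed = True        # keep walking, but the verdict is fixed
        if control == "sufficient" and ok and not required_failed:
            return True, trace            # short-circuit: pam_deny is never reached
    return not required_failed, trace


def try_login(stack_text, name, pw):
    granted, _ = authenticate(parse_stack(stack_text), USERS[name], pw)
    return granted


if __name__ == "__main__":
    for name, pw in [("lisa", "hunter2"), ("ldapuser5", "ldapsecret"), ("ldapuser5", "wrong"),
                     ("svc-ldap", "svcsecret"), ("guest", "")]:
        print(f"{name:<10} page order: {str(try_login(SYSTEM_AUTH, name, pw)):<5} "
              f"uid check first: {try_login(SYSTEM_AUTH_GATED, name, pw)}")
```

Two things the simulation makes visible. In the listing above pam_ldap.so runs before the uid >= 1000 check, so by the time pam_succeed_if runs both password modules have already failed and the result is a denial either way; in that position the check cannot stop a directory account with a system uid (svc-ldap in the simulation) from authenticating over LDAP, whereas with the check ahead of pam_ldap.so that login is refused. The other thing to look at is nullok on pam_unix.so: an account whose shadow field is empty logs in with an empty password.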
Set up client authentication (CentOS)
[root@localhost ~]# yum install nscd nss-pam-ldapd pam_ldap -y
yum install authconfig-gtk
su - ldapuser5
The user is not in /etc/passwd, but su - ldapuser5 still works because the account is resolved from the directory; getent passwd ldapuser5 shows the same NSS lookup.
Set up the LDAP server (Ubuntu, slapd)
ubuntu@ubuntu:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu
192.168.154.134 example.com
192.168.154.134 example1.com
sudo apt-get update
sudo apt-get install slapd ldap-utils
ubuntu@ubuntu:~$ sudo dpkg-reconfigure slapd
* Stopping OpenLDAP slapd [ OK ]
Moving old database directory to /var/backups:
- directory unknown... done.
Creating initial configuration... done.
Creating LDAP directory... done.
* Starting OpenLDAP slapd [ OK ]
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
ubuntu@ubuntu:~$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
The search above came back with result 32 (No such object) because no base DN was given (base <>). Pass it with -b (or set BASE in /etc/ldap/ldap.conf); -LLL drops the comment lines and the trailing dn limits the output to entry names:
ubuntu@ubuntu:~$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
ubuntu@ubuntu:~$
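When scripting against ldapsearch, the thing you end up parsing is LDIF, and the two details that bite are folded lines and base64 values (attr:: value). This is an added example, not part of the original post: the sample below is a constructed expansion of the two entries returned above, with a folded description and a base64 description added, plus the empty result from the earlier search copied verbatim.

```python
"""Parse the LDIF that ldapsearch prints and check the entries it contains.

Added example; not from the original post. SAMPLE is a constructed expansion
of the two entries shown above; EMPTY_RESULT is the earlier search output.
"""
import base64

SAMPLE = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
description: Example directory for LDAP authentication tes
 ts

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description:: TERBUCBhZG1pbmlzdHJhdG9y

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

EMPTY_RESULT = """\
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
"""


def unfold(text):
    """Join continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry, in output order.

    Comment lines are skipped; a record that does not start with 'dn:' (the
    'search:' / 'result:' summary ldapsearch prints) is not an entry."""
    entries, current = [], None
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        if current is None:
            if key != "dn":
                continue                  # summary lines, not an entry
            current = {}
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
    return entries


def check_naming_context(entries, base_dn, admin_rdn="cn=admin"):
    """True when the search returned the base entry and the admin entry under it."""
    dns = [e["dn"][0].lower() for e in entries]
    return base_dn.lower() in dns and f"{admin_rdn},{base_dn}".lower() in dns


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE):
        print(entry["dn"][0], entry.get("description"))
    print("naming context ok:", check_naming_context(parse_ldif(SAMPLE), "dc=example,dc=com"))
```

Feed real output into parse_ldif (ldapsearch -x -LLL -b dc=example,dc=com, with or without the comment lines) and check_naming_context gives a yes/no answer a deployment script can act on instead of grepping for dn: lines.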