Ubuntu LDAP authentication goodness
Monday 30 July 2007 - Filed under Software
I just made a modification to the Ubuntu Wiki regarding Ubuntu LDAP server and client.
Matt Oquist has written some scripts that automate making a Samba+LDAP server and client. It works well on Ubuntu (for me). With this you get near instant LDAP server and client with full domain controller goodness, and Samba file sharing. So nice. So easy. Sure, there are lots of ways to do this, but this is the single command way of doing it. Nice.
Also, the tidbit I found on the Ubuntu Community Wiki documentation on LDAP clients was very useful for auto-creating home directories when a new user logs into an LDAP-auth-enabled machine.
Just edit /etc/pam.d/common-session to look like this:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
session optional pam_foreground.so
The other thing I wanted to add was host-based authentication. As I say on the wiki:
Host based authentication allows you to restrict who can log into a machine that uses LDAP for authentication. The basic gist is you add an attribute to each LDAP user’s record that includes hostnames that they are allowed to log in to. Each client system then checks this field against its own hostname and either allows or denies login based upon the attribute field.
On the LDAP server, you need to add an attribute that will hold hostnames. If your schema allows, you can use the host attribute. To add that attribute, you can use a web tool such as phpldapadmin, or you can create a modification LDIF such as:
dn: uid=user_to_change,ou=Users,dc=example,dc=com
changetype: modify
add: host
host: thehostname
and make the change using:
ldapmodify -H ldap://localhost -D "cn=admin,dc=example,dc=com" -x -W -f your_file.ldif
On the client side, simply modify /etc/pam_ldap.conf to include these lines:
pam_check_host_attr yes
pam_filter |(host=client_hostname)(host=*)
“client_hostname” should match the output from the hostname command. When in doubt, check the slapd logs on the server.
FYI, adding users with smbldap-installer and the smbldap tools means the user entries will not have the account object class, so with the default schemas you can't add the host attribute to them. So, instead of hacking the scripts or schemas, I just picked an attribute that the posixAccount schema already has: l. Yes, “EL”. Works for me.
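To make the host-based check concrete, here is a small added example (not code from the post or from pam_ldap) that parses a constructed LDIF export of a few users, applies the same decision the client makes (hostname listed, or a literal * value, otherwise deny), and builds the modification LDIF from above. The attribute name is a parameter so the same logic covers the l workaround; the user entries and hostnames are made up.

```python
"""Emulate the LDAP host-based login check described above.

Constructed sample data: three users, exported as LDIF. alice may log in on
two workstations, bob carries the '*' wildcard, carol has no host value.
"""

SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: alice
host: ws01.example.com
host: ws02.example.com

dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: bob
host: *

dn: uid=carol,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: carol
"""


def parse_ldif(text):
    """Minimal LDIF reader for simple 'attr: value' entries.

    Returns {dn: {attribute: [values]}}. Multi-valued attributes (host) keep
    every value; no base64 or line continuation handling is attempted.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def host_allowed(entry, client_hostname, attr="host"):
    """Decide login for one client the way the pam_check_host_attr /
    pam_filter pair above does: allow if the attribute names this host or
    holds '*'. An entry with no value at all is denied, so a user that was
    never granted any host cannot log in anywhere. Use attr="l" for the
    posixAccount workaround from the post."""
    return any(v in (client_hostname, "*") for v in entry.get(attr, []))


def modify_ldif(dn, hostname, attr="host"):
    """Build the 'changetype: modify' LDIF that grants one more host."""
    return f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {hostname}\n"
```

The LDIF returned by modify_ldif is what you would feed to the ldapmodify command shown earlier.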
2007-07-30 » mark
2 September 2007 @ 8:11 am
[...] LDAP authentication, run the smbldap-installer for the client, and follow the instructions on my Ubuntu LDAP Authentication Goodness post to get host-based authentication [...]
24 October 2007 @ 1:54 pm
[...] more here [...]