Setup for SSH access
This is a guide to a simple pam_ldap setup. It can be used to allow SSH logins to a Linux system by authenticating with an LDAP server. It is for SSH access only.
Some commands are included. They tend to be Debian/Ubuntu-specific. Due to the nature of this task, they should always be performed with root privileges. This is indicated by the use of the '#' prompt, e.g.:
# apt-get install foobar
You can use sudo for each command if you wish.
Other text, such as text to be changed by editing configuration files, is displayed without the '#' prompt, like this:
passwd: files ldap
Things not covered in this guide
- How to set up an ldap server. However, note that each user who will log in must have a POSIX account configured in his or her LDAP record.
- LDAP client configuration in /etc/ldap.conf. The settings in this file vary widely. It must be configured correctly before pam_ldap can be used.
Files to modify
The following files may be changed (other than software installation):
Configure LDAP client access
As stated above, this is not covered in this guide. However, it must be accomplished first. So do it now.
Some files that may be modified in this step are:
Configure Name Service Switch
Edit /etc/nsswitch.conf and change the lines beginning with "passwd" and "group":
passwd: files ldap group: files ldap
If you installed nscd previously, you should restart it after making this change:
# /etc/init.d/nscd restart
pam_ldap is required.
nscd, the name service caching daemon, is optional but highly recommended. If you do not install nscd, the LDAP server will be queried every time a UID or GID is to be mapped to a username or group name - for example, when doing "ls -l".
# apt-get install libpam-ldap nscd
You will be asked for LDAP configuration information. It does not matter what you answer, because you are about to overwrite the configuration file entirely.
# yast -i pam_ldap
For this configuration, you must allow password logins. Edit /etc/ssh/sshd_config and ensure that PasswordAuthentication is either commented out or set to "yes".
Then restart sshd:
# /etc/init.d/ssh restart
Configure PAM's sshd module
Edit /etc/pam.d/sshd and insert the following lines BEFORE any other configuration lines:
# PAM configuration for the Secure Shell service auth sufficient pam_ldap.so account sufficient pam_permit.so
Configure PAM's common-session
Edit /etc/pam.d/common-session and have it make a home directory automatically when people first log in. Add this line to the file. The location of this line isn't important.
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Configure PAM's common-password
This step depends on whether you have the right to change LDAP records from the system you're configuring.
If you do NOT have that right, you should inform users that they cannot change the password from this system. You might want to give them a hint as to what they should do. In /etc/pam.d/common-password, comment out all other lines and add the following:
password optional pam_echo.so Please visit https://identity-manager.subdomain.dom/ to change your password. password required pam_deny.so
If you DO have that right, you would put something like this (this is not tested):
account sufficient pam_ldap.so password sufficient pam_ldap.so use_authtok
Invalid user/Invalid credentials
If you cannot log in, and in the server's /var/log/auth.log you see:
Feb 12 21:25:22 localhost sshd: Invalid user username from ip-address Feb 12 21:25:22 localhost sshd: Failed none for invalid user username from ip-address port 48383 ssh2 [...] Feb 12 21:25:22 localhost sshd: pam_ldap: error trying to bind as user "uid=XXXXXX,ou=People,dc=YYYYYY,dc=ZZZ" (Invalid credentials)
The key element of the above log entries is "invalid user". This means that the name service could not identify the user. As a result, sshd will refuse to provide the actual password to the LDAP PAM module. But even if it did, you still wouldn't be able to log in.
The solution is as follows:
- Set up /etc/nsswitch.conf as described above.
- If you are using nscd, restart it:
# /etc/init.d/nscd restart