Pam ldap

From LQWiki

pam_ldap is a PAM module for interfacing with LDAP servers.

Setup for SSH access

This is a guide to a simple pam_ldap setup. It can be used to allow SSH logins to a Linux system by authenticating with an LDAP server. It is for SSH access only.

Some commands are included. They tend to be Debian/Ubuntu-specific. Due to the nature of this task, they should always be performed with root privileges. This is indicated by the use of the '#' prompt, e.g.:

# apt-get install foobar

You can use sudo for each command if you wish.

Other text, such as text to be changed by editing configuration files, is displayed without the '#' prompt, like this:

passwd:   files ldap

Things not covered in this guide

  • How to set up an LDAP server. However, note that each user who will log in must have a POSIX account configured in his or her LDAP record.
  • LDAP client configuration in /etc/ldap.conf. The settings in this file vary widely. It must be configured correctly before pam_ldap can be used.

Files to modify

Apart from software installation, the following files may be changed:

  • /etc/ldap.conf
  • /etc/ldap.secret
  • /etc/ssh/sshd_config
  • /etc/pam.d/ssh
  • /etc/pam.d/common-session
  • /etc/pam.d/common-password
  • /etc/nsswitch.conf

Configure LDAP client access

As stated above, this is not covered in this guide. However, it must be accomplished first. So do it now.

Some files that may be modified in this step are:

  • /etc/ldap.conf
  • /etc/ldap.secret

Configure Name Service Switch

Edit /etc/nsswitch.conf and change the lines beginning with "passwd" and "group":

passwd:         files ldap
group:          files ldap

If you installed nscd previously, you should restart it after making this change:

# /etc/init.d/nscd restart

Install software

pam_ldap is required.

nscd, the name service caching daemon, is optional but highly recommended. If you do not install nscd, the LDAP server will be queried every time a UID or GID is to be mapped to a username or group name - for example, when doing "ls -l".

For Debian/Ubuntu

# apt-get install libpam-ldap nscd

You will be asked for LDAP configuration information. It does not matter what you answer, because you are about to overwrite the configuration file entirely.

For SUSE

For the SUSE Linux distribution, use:

# yast -i pam_ldap

Configure sshd

For this configuration, you must allow password logins. Edit /etc/ssh/sshd_config and ensure that PasswordAuthentication is either commented out or set to "yes".

This:

#PasswordAuthentication no

or this:

PasswordAuthentication yes

Then restart sshd:

# /etc/init.d/ssh restart

Configure PAM's sshd module

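Edit /etc/pam.d/sshd and insert the following lines BEFORE any other configuration lines. Both lines use the "sufficient" control flag, so a successful LDAP bind ends the auth stack at once, and because pam_permit.so always succeeds, the account modules listed further down in the file (such as account-expiry or nologin checks) are never consulted for SSH logins, including logins by local users: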

# PAM configuration for the Secure Shell service

auth    sufficient      pam_ldap.so
account sufficient      pam_permit.so

Configure PAM's common-session

Edit /etc/pam.d/common-session and have it make a home directory automatically when people first log in. Add this line to the file. The location of this line isn't important.

session     required      pam_mkhomedir.so skel=/etc/skel umask=0022

Configure PAM's common-password

This step depends on whether you have the right to change LDAP records from the system you're configuring.

If you do NOT have that right, you should inform users that they cannot change the password from this system. You might want to give them a hint as to what they should do. In /etc/pam.d/common-password, comment out all other lines and add the following:

password optional pam_echo.so Please visit https://identity-manager.subdomain.dom/ to change your password.
password required pam_deny.so

If you DO have that right, you would put something like this (this is not tested):

account    sufficient   pam_ldap.so
password   sufficient   pam_ldap.so use_authtok

Troubleshooting

Invalid user/Invalid credentials

You cannot log in, and the server's /var/log/auth.log contains entries like these:

Feb 12 21:25:22 localhost sshd[32179]: Invalid user username from ip-address
Feb 12 21:25:22 localhost sshd[32179]: Failed none for invalid user username from ip-address port 48383 ssh2
[...]
Feb 12 21:25:22 localhost sshd[32179]: pam_ldap: error trying to bind as user "uid=XXXXXX,ou=People,dc=YYYYYY,dc=ZZZ" (Invalid credentials)

The key element of the above log entries is "invalid user". This means that the name service could not identify the user. As a result, sshd will refuse to provide the actual password to the LDAP PAM module. But even if it did, you still wouldn't be able to log in.

The solution is as follows:

  1. Set up /etc/nsswitch.conf as described above.
  2. If you are using nscd, restart it:

     # /etc/init.d/nscd restart
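
The troubleshooting steps above can be scripted. The following is an added example, not part of the original wiki page: it looks for the "Invalid user" symptom in the log, then checks the nsswitch.conf lines and, going slightly beyond this section, the PasswordAuthentication setting from "Configure sshd". The function names are hypothetical and all file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the wiki page). Function names are hypothetical.
# Files are passed as arguments so the checks can be run on copies.

# nss_has_ldap FILE DB: succeeds if the DB line ("passwd", "group") lists ldap.
nss_has_ldap() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }    # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# sshd_allows_passwords FILE: fails only if PasswordAuthentication is "no".
# A commented-out line leaves the default in place; sshd keeps the first value
# it reads. Assumption: no Include files or Match blocks override it.
sshd_allows_passwords() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$val" != "no" ]
}

# invalid_user_names LOG: prints the names sshd logged as "Invalid user".
invalid_user_names() {
    sed -n 's/.*sshd\[[0-9]*]: Invalid user \([^ ]*\) from .*/\1/p' "$1" | sort -u
}

# diagnose LOG NSSWITCH SSHD_CONFIG: prints a finding, returns 1 if action is needed.
diagnose() {
    names=$(invalid_user_names "$1" | paste -sd ' ' -)
    if [ -z "$names" ]; then
        echo "no 'Invalid user' entries in $1"; return 0
    fi
    for db in passwd group; do
        if ! nss_has_ldap "$2" "$db"; then
            echo "$2: '$db' line lacks ldap, so these names cannot resolve: $names"
            return 1
        fi
    done
    if ! sshd_allows_passwords "$3"; then
        echo "$3: PasswordAuthentication is no"; return 1
    fi
    echo "nsswitch lists ldap; restart nscd, and verify these names exist in LDAP: $names"
    return 1
}

# Run only when all three files are given, e.g.:
#   sh check.sh /var/log/auth.log /etc/nsswitch.conf /etc/ssh/sshd_config
if [ "$#" -eq 3 ]; then diagnose "$1" "$2" "$3"; fi
```

"Invalid user" entries also appear for mistyped names and for login attempts against accounts that do not exist, so a finding for a name you do not recognise is not necessarily a configuration fault.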
