[Cialug] Simple LDAP auth?

Zachary Kotlarek zach at kotlarek.com
Mon Mar 25 20:08:35 CDT 2013


On Mar 25, 2013, at 5:38 PM, Matthew Nuzum <newz at bearfruit.org> wrote:

> Has anyone seen a good, easy tutorial on centralizing ssh access via LDAP? I've reviewed a few tutorials but I just don't have the patience for them. What would be awesome is if there was a package for Ubuntu that I could install, it would ask me a few questions, and then I'd be done, I'd have an LDAP server and the local machine would be configured to authenticate against it. Then I could install a similar package on other machines and point them to this server for authentication.


There are really only 3 files you need to make a machine use LDAP for user accounts:
	/etc/ldap.conf
	/etc/nsswitch.conf
	/etc/pam.d/*
and of course you need the nss_ldap and pam_ldap modules installed; they may or may not be installed by default depending on your distro.

So on a client machine you probably just need to get those files setup and added to whatever system you currently use to distribute configuration data. You could package them if that's the way you like to do things, but they will (or at least should) conflict with existing packages on your system because most of them are necessary in non-LDAP configurations and files like nsswitch.conf don't lend themselves to the user-config-subdirectory option that packages typically use to avoid such conflicts.

--

In terms of the LDAP server, I suspect the default install of slapd (or whatever server you prefer) will provide 97% of what you want. All you need to create for user accounts is a record with the class posixAccount in a location where /etc/ldap.conf knows where to find it.

A number of passwd->ldap conversion scripts exist, if you intend to transfer users from an existing /etc/passwd file. Even if you're not converting many users the scripts are a good place to start, as they will give you examples of the kind of records you need to build. The folks who write nss_ldap provide a set of scripts called "MigrationTools" to convert a number of different files to LDIF, for import to LDAP.

You can probably automate that conversion if you're interested, but unless you're planning to run a lot of independent LDAP servers I wouldn't bother. It's super easy to lock yourself out of a system when you're mucking with accounts and auth, and you probably won't catch all the error cases the first time through your automation attempts.

	Zach
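As an added example (not part of Zach's message, and not MigrationTools itself): a small passwd-to-LDIF converter of the kind the reply describes. It emits posixAccount records under an assumed base DN (`ou=People,dc=example,dc=com`), treats UIDs below an assumed threshold as local system accounts, and skips malformed lines instead of half-importing them, which is exactly the class of error case the reply warns about.

```python
import base64

# Assumptions for this example (not from the post): migrated users live under
# BASE_DN, and UIDs below MIN_UID are system accounts that stay in local files.
BASE_DN = "ou=People,dc=example,dc=com"
MIN_UID = 1000

def ldif_line(attr, value):
    """One LDIF attribute line (RFC 2849): values that are not SAFE-STRING
    (non-ASCII, CR/LF, leading space/colon/'<', trailing space) go base64."""
    safe = (value.isascii() and not any(c in "\r\n\0" for c in value)
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def passwd_to_ldif(lines):
    """Convert /etc/passwd-style lines into posixAccount LDIF entries.
    Malformed lines and system accounts are skipped, never half-imported."""
    entries = []
    for raw in lines:
        fields = raw.strip().split(":")
        if len(fields) != 7 or raw.lstrip().startswith("#"):
            continue                                   # blank, comment or malformed
        name, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()) or int(uid) < MIN_UID:
            continue                                   # bad ids or system account
        entry = [ldif_line("dn", f"uid={name},{BASE_DN}"),
                 "objectClass: account", "objectClass: posixAccount",
                 ldif_line("uid", name),
                 ldif_line("cn", gecos.split(",")[0] or name),
                 ldif_line("uidNumber", uid), ldif_line("gidNumber", gid),
                 ldif_line("homeDirectory", home),
                 ldif_line("loginShell", shell or "/bin/sh")]
        if gecos and gecos.isascii():   # gecos is IA5String in RFC 2307: ASCII only
            entry.append(ldif_line("gecos", gecos))
        entries.append("\n".join(entry))
    return entries

# Constructed sample input, not real accounts; password hashes live in
# /etc/shadow and are deliberately not part of this conversion.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example,,,:/home/alice:/bin/bash
jose:x:1002:1002:José Ejemplo:/home/jose:/bin/zsh
this line is malformed
"""
if __name__ == "__main__":
    print("\n\n".join(passwd_to_ldif(SAMPLE_PASSWD.splitlines())))
```

Feed the output to ldapadd only after reading it through once; root is dropped by the UID threshold so a local login path survives even if the LDAP side is misconfigured.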
