LDAP Client configuration: PAM
Most of the pam configuration is not terribly difficult, but the last 10% took us a solid 2 days to nail down. I hope this saves someone some time.
PAM-ldap module Configuration
On most Unix machines this configuration lives in /etc/ldap.conf (Debian users should look in /etc/pam_ldap.conf).
uri ldaps://ldap.example.com
ssl on
base dc=example,dc=com
ldap_version 3
scope one
timelimit 30
bind_timelimit 30
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
pam_login_attribute uid
# don't use the host: attr to control logins.
pam_check_host_attr no
# UID restrictions.
pam_min_uid 1000
pam_max_uid 60000
pam_password md5
With a little bit of configuration, the above config file will allow all of your ldap users to connect to the client. What if you don't want all of your users to be able to connect? Well, that's going to take a bit more configuration.
The following two config options can be used in your pam_ldap configuration file to require users to be listed as members of a specific LDAP group before they are allowed to log in.
This next example requires that the user's DN be listed as a uniqueMember of the 'admins' group (which happens to be a groupOfUniqueNames).
# example of enforcing group membership.
pam_groupdn cn=admins,ou=groups,dc=example,dc=com
pam_member_attribute uniqueMember
However, this alone is not enough to enforce group membership, since login behaviour is not controlled entirely by the pam_ldap module. We still need to tell pam that we want these controls enforced.
Now that the pam_ldap module is configured, we still need to tell pam how our users should be authenticated.
Ideally, the ldap users in the specified group should be able to log in to the host (these users will be authenticated by pam_ldap.so). Local users, like root, should also be able to log in. However, if you are using the nss-ldap module as well, ldap users are also visible to the pam_unix.so module, which knows nothing about pam_groupdn, so if pam falls back to pam_unix.so after pam_ldap.so denies a user, the group restriction is bypassed.
The answer: Only try pam_unix.so when the user is unknown to pam_ldap.so.
In order to get this set up properly, we need to configure pam's authentication and authorization. pam calls these facilities auth and account, respectively.
This configuration can either go in the pam configuration for the specific service you wish to configure (/etc/pam.d/<servicename>), or into the common configs used in some linux distributions (/etc/pam.d/common-auth and /etc/pam.d/common-account).
The following examples will tell pam to first attempt pam_ldap.so, and only attempt pam_unix.so if the user is not known to ldap.
auth    [success=done new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] pam_ldap.so
auth    sufficient pam_unix.so use_first_pass
auth    required pam_deny.so
account [success=done new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] pam_ldap.so
account required pam_unix.so
For the curious, the pam controls (the part inside the brackets) are equivalent to the keyword sufficient, with the addition of user_unknown=ignore.
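To see why the bracketed control matters, here is an added example (not from the original page) that models how Linux-PAM walks an auth stack and runs the stack above against a few constructed accounts; pam_ldap, pam_unix and pam_deny are stand-in functions, and the accounts, passwords and the naive comparison stack are assumptions. It also spells out the bracket form of the required and sufficient keywords as documented for Linux-PAM.

```python
# Constructed model of Linux-PAM's stack walk; pam_ldap/pam_unix/pam_deny below are stand-ins, not the real modules.
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "success", "auth_err", "user_unknown", "perm_denied"
KEYWORDS = {"required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
            "sufficient": "[success=done new_authtok_reqd=done default=ignore]"}
def parse_control(ctrl):  # keyword or '[retval=action ...]' string -> {retval: action}
    return dict(kv.split("=", 1) for kv in KEYWORDS.get(ctrl, ctrl).strip("[]").split())

def run_stack(stack, user, password):
    """Walk [(control, module), ...] the way Linux-PAM does and return the final status."""
    status, impression = PERM_DENIED, None           # nothing has decided yet
    for ctrl, module in stack:
        retval = module(user, password)
        actions = parse_control(ctrl)
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                                # 'done' ends the stack only on a positive result
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval   # the first failure is recorded and never overridden
            if action == "die":
                break
    return status

# Constructed accounts: alice is a uniqueMember of cn=admins, bob is not, root is local only.
LDAP = {"alice": ("s3cret", {"admins"}), "bob": ("hunter2", set())}
LOCAL = {"root": "toor"}

def pam_ldap(user, password):
    if user not in LDAP:
        return USER_UNKNOWN
    pw, groups = LDAP[user]   # "admins" stands in for pam_groupdn cn=admins,ou=groups,dc=example,dc=com
    return SUCCESS if pw == password and "admins" in groups else AUTH_ERR

def pam_unix(user, password):
    # With nss-ldap, pam_unix resolves LDAP users too and knows nothing about pam_groupdn.
    known = {**LOCAL, **{u: pw for u, (pw, _) in LDAP.items()}}
    if user not in known:
        return USER_UNKNOWN
    return SUCCESS if known[user] == password else AUTH_ERR
pam_deny = lambda user, password: AUTH_ERR   # pam_deny.so always fails

# The auth stack from this page: pam_unix is only consulted when the user is unknown to pam_ldap.
PAGE_STACK = [("[success=done new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad]", pam_ldap),
              ("sufficient", pam_unix), ("required", pam_deny)]
# A tempting but wrong stack: a pam_ldap denial is ignored, so pam_unix lets the non-admin bob in.
NAIVE_STACK = [("sufficient", pam_ldap), ("sufficient", pam_unix), ("required", pam_deny)]
```

Note that the page's control carries default=bad where sufficient carries default=ignore: with the page's stack, bob (known to LDAP but not in cn=admins) is refused even though pam_unix succeeds afterwards, while the naive stack lets him in.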