LDAP Client configuration: PAM

Most of the pam configuration is not terribly difficult, but that last 10% took us a solid 2 days go nail down. I hope this saves someone some time.

PAM-ldap module Configuration

On most unix machines, this configuration is included in /etc/ldap.conf. (debian users should look in /etc/pam_ldap.conf)

uri ldaps://ldap.example.com
ssl on
base dc=example,dc=com
ldap_version 3
scope one

timelimit 30
bind_timelimit 30

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
pam_login_attribute uid

#dont use the host: attr to control logins.
pam_check_host_attr no

#UID restrictions.
pam_min_uid 1000
pam_max_uid 60000

pam_password md5

With a little bit of configuration, the above config file will allow all of your ldap users to connect to the client. What if you dont want all of your users to be able to connect? Well, that's going to take a bit more configuration.

The following two config options can be used in your pam_ldap configuration file to require users to be listed as members of a specific LDAP group before they are allowed to log in.

This next example requires the user's dn be listed as a uniqueMember of the 'admins' group (which happens to be a groupofuniquenames ).

# example of enforcing group membership. 
pam_groupdn cn=admins,ou=groups,dc=example,dc=com
pam_member_attribute uniqueMember

However, this alone is not enough to enforce group membership, since login behaviour is not controlled entirely by the pam_ldap module. We still need to tell pam that we want these controls enforced.

PAM Configuration

Now that the pam_ldap module is configured, we still need to tell pam how our users should be authenticated.

Ideally, the ldap users in the specified group should be able to log in to the host (these users will be authenticated by pam_ldap.so). Local users, like root, should also be able to log in. However, if you are using the nss-ldap module as well, ldap users are visible to the pam_unix.so pam module, so the group restrictions will fail.

The answer: Only try pam_unix.so when the user is unknown to pam_ldap.so.

In order to get this set up properly, we need to configure pam's authentication and authorization. pam calls these facilities auth and account, respectively.

This configuration can either go in the pam configuration for the specific service you wish to configure (/etc/pam.d/<servicename>), or into the common configs used in some linux distributions (/etc/pam.d/common-auth and /etc/pam.d/common-account).

The following examples will tell pam to first attempt pam_ldap.so, and only attempt pam_unix.so if the user is not known to ldap.

  • auth
auth    [success=done new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] pam_ldap.so
auth    sufficient      pam_unix.so use_first_pass
auth    required        pam_deny.so

  • account
account [success=done new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] pam_ldap.so
account required        pam_unix.so

For the curious, the pam controls (the part inside the brackets) are equivalent to the keyword sufficient, with the addition of user_unknown=ignore.

Unless otherwise noted, all content is copyright Marc Dougherty and is subject to a Creative Commons license.