Linux – PAM LDAP configuration for non-local user authentication

authenticationldaplinuxpam

I have a requirement to allow non-local user accounts to be logged in via LDAP authentication.
Meaning, the user that is trying to login is allowed access, if the user account exists in LDAP server database, there is no need to have local user.

I'm able to achieve this if I run NSLCD(/usr/sbin/nslcd).

Would like to know if we can do this with any configuration in /etc/pam.d/sshd or /etc/pam_ldap.conf without the use of running NSLCD.

Please let me know your suggestions

Thanks,
Sravani

Best Answer

No, it's not possible to do this with only PAM.

PAM is a library for authentication, authorization, and related accounting tasks. It's not a low level library; if a program does not include explicit calls to PAM, it sits around doing nothing.

Lookups of uid and gid are routed through a system called NSS (Name Service Switch). This is configured via /etc/nsswitch.conf. If you are not providing a library for NSS to talk to LDAP, the low level C libraries can't perform lookups against it.

It is possible to use a different NSS library for LDAP that doesn't rely on nslcd (this is how the old LDAP library supplied by PADL operated), but it's almost certainly a bad idea. Without a daemon running in the background, every call to NSS must open up a new connection to the LDAP server and immediately release it. This is extremely wasteful and makes it impossible for the libraries to track the state of the remote server, i.e. every NSS lookup must individually time out during a network outage.

Related Solutions

Ldap – FreeBSD LDAP authentication, pam_ldap, can’t bind

Here's how LDAP authentication works, in a nutshell:

You SSH in as joeblow. Your client gives that name to the server, along with your password (that you enter).
The server starts walking the PAM list saying "does anyone vouch for this guy?", looking for either an OK or a NO. (PAM modules can deny as well as allow). In your case:
1. It checks pam_opie.so. You've said this is sufficient, so it will just move on if it isn't found. I imagine it's not in this case.
2. It checks pam_opieaccess.so. In this case, it's required, so pam_opieaccess.so has to say "yeah, he's ok". I imagine this module is just checking a list of accounts that are marked "has to auth via OPIE", which joeblow isn't on. It says OK.
3. /usr/local/lib/pam_ldap.so gets a turn. This is the part you care about.
  1. First it binds to the server with your binddn and bindpw, to ask "hey, I've got this joeblow here, what's his real name?" The server answers uid=joeblow,ou=Users,dc=corp,dc=example,dc=org.
  2. pam_ldap.so disconnects, and tries to bind as uid=joeblow,ou=Users,dc=corp,dc=example,dc=org with the password you gave. If it can bind, you're in. If not, not.

So the error you're getting means that step 2.3.2 there is failing, probably because the password is incorrect. It's possible that there is some other problem with joeblow binding to the server, check the LDAP server logs for more details.

Ldap – Mapping User and Group Ownership through LDAP

I was overthinking this. No need to use pam_ldap and sssd. According to the sssd and CentOS lists, generally one uses one or the other.

In the end, I recreated a system from my VM template and used authconfig, which edits the appropriate system files.

authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap.mydomain.edu --ldapbasedn="dc=mydomain,dc=com" --update

The only weakness in authconfig is that it doesn't cleanly disable options you use it to enable. So it is far from safe to experiment with since you can easily host your system.

Best Answer

Related Solutions

Ldap – FreeBSD LDAP authentication, pam_ldap, can’t bind

Ldap – Mapping User and Group Ownership through LDAP

Related Topic