PAM/NSS Configuration

NSS (Name Service Switch)

NSS is a basic component of the system that controls how POSIX accounts are looked up. To resolve the system's POSIX accounts through LDAP we use nss_ldap, which can be downloaded from http://www.padl.com/OSS/nss_ldap.html. Unpack it in /usr/src and run:

#cd /usr/src/nss_ldap
#./configure && make && make install

The basic NSS configuration lives in /etc/nsswitch.conf and, for what we want, it must look like this:

NSSWITCH Configuration
passwd: files ldap # These three lines are the ones we changed: look in the
group: files ldap # local files first, then ask LDAP
shadow: files ldap #
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
End

The nss_ldap configuration is kept in /etc/nss-ldap.conf; a valid configuration for GOsa would be this:

NSS Configuration
host ip.servidor.ldap # Address of our LDAP server
base ou=people,dc=CHAOSDIMENSION,dc=ORG # Where the users and their passwords live.
# OU means organizational unit, and
# ou=people is where GOsa stores the
# users' attributes
ldap_version 3 # LDAP protocol version (version 3 is recommended)
nss_base_passwd ou=people,dc=CHAOSDIMENSION,dc=ORG?one # Where the POSIX account attributes are searched for
nss_base_shadow ou=people,dc=CHAOSDIMENSION,dc=ORG?one # Where the passwords are searched for
nss_base_group ou=groups,dc=CHAOSDIMENSION,dc=ORG?one # Where the POSIX group attributes are (?one limits the search to one level)
End

PAM (Pluggable Authentication Modules) is a set of dynamic libraries that lets system administrators choose how applications authenticate users.

PAM is present in all distributions; each module's configuration is kept under /etc/pam.d and the dynamic libraries live in /lib/security.

We will concentrate on one of the PAM modules: pam_ldap. It lets applications that know nothing about LDAP, and rely on the system's own authentication and session control, use LDAP indirectly as their authentication source.

With pam_ldap and the PAM infrastructure, the POSIX users of the system are handled through LDAP and can be created with GOsa.

pam_ldap can be downloaded from http://www.padl.com/OSS/pam_ldap.html. Unpack it in /usr/src and run the classic:

#./configure && make && make install

This module's configuration lives in /etc/pam_ldap.conf; a basic working configuration looks like this:

PAM Configuration
host ip.servidor.ldap # Address of our LDAP server
base ou=people,dc=CHAOSDIMENSION,dc=ORG # Where the users and their passwords live.
# OU means organizational unit, and
# ou=people is where GOsa stores the
# users' attributes
ldap_version 3 # LDAP protocol version (version 3 is strongly recommended)
scope one # In GOsa the users are all at the same level, there is no need to descend further.
rootbinddn cn=ldapadmin,dc=solaria,dc=es # DN of the LDAP administrator on the server. It is
# needed because the server only grants the
# administrator access to the hashed passwords
# (use the administrator DN of your own directory here)
pam_password md5 # How passwords are hashed when they are changed.
End

The LDAP administrator password goes in the file /etc/secret; this file, like the previous one, must be readable only by root.

Now, in order to use LDAP authentication with the services, we have to concentrate on three files:
Account control, /etc/pam.d/common-account:

PAM common-account Configuration
account required pam_unix.so # Always required (checks account validity and expiry)
account sufficient pam_ldap.so # The account checks against LDAP
End

Authentication control, /etc/pam.d/common-auth:

PAM common-auth Configuration
auth sufficient pam_unix.so # Standard UNIX authentication; if it succeeds the stack stops here
auth sufficient pam_ldap.so try_first_pass # LDAP authentication, reusing the password already entered
auth required pam_env.so # Sets environment variables
auth required pam_securetty.so # Root may only log in from the ttys listed in /etc/securetty
auth required pam_unix_auth.so
auth required pam_warn.so # Logs the failed attempt
auth required pam_deny.so # Nothing above succeeded: refuse
End

Session control, /etc/pam.d/common-session:

PAM common-session Configuration
session required pam_limits.so # Applies resource limits from /etc/security/limits.conf
session required pam_unix.so # Standard UNIX session
session optional pam_ldap.so # LDAP-based session
End

At least this configuration is needed for POSIX and Samba to work.
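As an added example (not part of the original page, and not code from nss_ldap, pam_ldap or GOsa), a small Python checker that parses the nss_ldap.conf / pam_ldap.conf and common-auth fragments above and flags the points that matter for security: a rootbinddn whose suffix differs from base, nss_base_* entries without the ?one scope, and an auth stack in which pam_ldap would prompt a second time or that does not end in pam_deny. The sample inputs are constructed from the page's own values; the checks are assumptions about good practice, not rules enforced by either module.

```python
def parse_ldap_conf(text):
    """Parse 'key value # comment' lines of nss_ldap.conf / pam_ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def dn_suffix(dn, n=2):
    """Last n RDNs of a DN, lower-cased, e.g. 'dc=chaosdimension,dc=org'."""
    return ",".join(r.strip().lower() for r in dn.split(",")[-n:])

def check_ldap_conf(conf, required=("host", "base")):
    """Return the problems found; an empty list means the file is consistent."""
    problems = ["missing '%s'" % k for k in required if k not in conf]
    # rootbinddn reads the password hashes; a suffix unlike base usually means a copy/paste error
    if "base" in conf and "rootbinddn" in conf and \
            dn_suffix(conf["rootbinddn"]) != dn_suffix(conf["base"]):
        problems.append("rootbinddn is not under the same suffix as base")
    for k in ("nss_base_passwd", "nss_base_shadow", "nss_base_group"):
        if k in conf and not conf[k].endswith("?one"):
            problems.append("%s lacks '?one', search will be sub-tree" % k)
    return problems

def check_pam_auth(text):
    """Check a common-auth stack: pam_ldap must reuse the first password and
    the stack must end in pam_deny so a user matched nowhere is refused."""
    rules = [r for r in (l.split("#", 1)[0].split() for l in text.splitlines())
             if len(r) >= 3]
    problems = []
    ldap = [r for r in rules if r[2] == "pam_ldap.so"]
    if not ldap:
        problems.append("pam_ldap.so missing from the auth stack")
    elif not {"try_first_pass", "use_first_pass"} & set(ldap[0][3:]):
        problems.append("pam_ldap.so would prompt again; add try_first_pass")
    if not rules or rules[-1][2] != "pam_deny.so":
        problems.append("auth stack does not end with pam_deny.so")
    return problems

# Constructed samples using the values from the page's configuration blocks.
PAM_LDAP_CONF = """host ip.servidor.ldap
base ou=people,dc=CHAOSDIMENSION,dc=ORG
rootbinddn cn=ldapadmin,dc=solaria,dc=es
"""
COMMON_AUTH = """auth sufficient pam_unix.so
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so
"""
```

Run against the page's pam_ldap.conf values it reports the rootbinddn suffix mismatch (dc=solaria,dc=es versus dc=CHAOSDIMENSION,dc=ORG); the common-auth stack above passes.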

aescanero AT gmail.com