LDAP Client Setup

From SingletonMillerWiki


This HowTo provides the steps needed to get your user to authenticate against an existing LDAP database. It allows any existing LDAP user to log in to the Raspberry Pi without any need to create the user locally. My primary use for this is to provide an easy mechanism for the user to access his / her network shares.

What is LDAP

LDAP [1] is one method by which a user can authenticate against a central record. Often this is done for the purpose of accessing user-specific data shares or services.

Client Setup

Recent changes to the LDAP client packages have greatly simplified the installation and set-up of LDAP. You can use a Raspberry Pi as the LDAP server; an excellent example of how to do this can be found at [2].

Preparation

The following information is required to access your LDAP server.

  1. LDAP host name or IP address, for example 192.168.0.123
  2. Base DN, for example dc=MYWORKGROUP,dc=local

Installation

sudo apt-get update
sudo apt-get install libpam-ldapd libnss-ldapd

This will install the packages and dependencies needed.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database ldap-utils libbind9-80 libdns88 libgeoip1 libisc84
  libisccc80 libisccfg82 liblwres80 nscd nslcd
Suggested packages:
  geoip-bin kstart
The following NEW packages will be installed:
  bind9-host geoip-database ldap-utils libbind9-80 libdns88 libgeoip1 libisc84
  libisccc80 libisccfg82 liblwres80 libnss-ldapd libpam-ldapd nscd nslcd
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,534 kB of archives.
After this operation, 9,221 kB of additional disk space will be used.
Do you want to continue [Y/n]?

Approve the installation and wait. Once the packages are installed they will spawn the LDAP client configuration wizard, which asks for the LDAP server address and the base DN.

(Wizard screen: add LDAP server address)
(Wizard screen: add base DN to LDAP)

Lastly the wizard will ask for the services which you wish to access. These depend on your LDAP configuration, but it is not unreasonable to select everything.

User Home

When logging in with a user not already present on the RPi, it is necessary to create a folder in /home for the user. Append session required pam_mkhomedir.so umask=0022 skel=/etc/skel to the file /etc/pam.d/common-session, as follows.

sudo nano /etc/pam.d/common-session

Add the line session required pam_mkhomedir.so umask=0022 skel=/etc/skel to the end of the file, so that it ends like this:

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	[success=ok default=ignore]	pam_ldap.so minimum_uid=1000
session	optional			pam_ck_connector.so nox11
# end of pam-auth-update config
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Testing

LDAP users

Type the following command to show the last 5 users on the Pi; your LDAP users should be at the end of the list.

sudo getent passwd | tail -n 5
lightdm:x:106:109:Light Display Manager:/var/lib/lightdm:/bin/false
nslcd:x:107:110:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
raspberrypi:x:1000000:1000000:temporary pi user:/home/raspberrypi:
jack:x:1000001:1000000:jack:/home/jack:
jill:x:1000002:1000000:jill:/home/jill:

Here I have 3 LDAP users 'raspberrypi', 'jack' & 'jill'.
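The two hand checks above (the pam_mkhomedir line in common-session and the LDAP users at the end of the getent listing) can be scripted. This is an added example, not part of the original wiki page; it runs on constructed sample files mirroring the ones shown, and the 1000 UID threshold (the minimum_uid value nslcd/pam_ldap is configured with above) is an assumption you may need to adjust.

```shell
# Added example (not from the original page): script the manual checks from
# the User Home and Testing sections against constructed sample files.

# Print the umask= value of the active (uncommented) pam_mkhomedir.so
# session line in FILE; prints nothing if no such line exists.
mkhomedir_umask() {
    awk '$1 == "session" && /pam_mkhomedir\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i; exit }
        }' "$1"
}

# Print, space separated, the user names in a passwd-format FILE whose UID is
# at or above MIN_UID. Local system accounts (UID below 1000 here) are skipped,
# so what remains is the set of accounts that came from LDAP via nslcd.
users_at_or_above_uid() {
    awk -F: -v min="$2" '$3 + 0 >= min { printf "%s%s", sep, $1; sep = " " }
                         END { print "" }' "$1"
}

# Constructed sample input modelled on the page's common-session and getent output.
SAMPLE_PAM=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PAM" "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
session required pam_permit.so
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
# session required pam_mkhomedir.so umask=0077 skel=/etc/skel
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
lightdm:x:106:109:Light Display Manager:/var/lib/lightdm:/bin/false
nslcd:x:107:110:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
raspberrypi:x:1000000:1000000:temporary pi user:/home/raspberrypi:
jack:x:1000001:1000000:jack:/home/jack:
jill:x:1000002:1000000:jill:/home/jill:
EOF

echo "pam_mkhomedir umask: $(mkhomedir_umask "$SAMPLE_PAM")"
echo "users from LDAP:     $(users_at_or_above_uid "$SAMPLE_PASSWD" 1000)"
```

Home directories created with umask=0022 get mode 755 and are readable by every other account on the Pi, LDAP users included; umask=0077 keeps each home private to its owner.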

Search

ldapsearch -H ldap://<LDAP Server>/ -b dc=WORKGROUP,dc=local -x '(objectclass=*)'

This should report the properties of the database, starting with

# extended LDIF
#
# LDAPv3
# base <dc=WORKGROUP,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

su

To test, log in as an LDAP user with "su - <LDAPUSER>".

pi@raspberrypi ~ $sudo su - jack
Creating directory '/home/jack'.
jack@raspberrypi ~ $ 

LDAP Login

With LDAP configured it should now be possible to log in to the Pi as any LDAP user, and the Pi will authenticate that user against the LDAP server. This can be via the normal login prompt or via SSH if you have enabled it on the Pi.

Optional Activities

Automatically mount network shares for the LDAP user: see Accessing_Network_Shares#Autofs_for_LDAP

Further Reading

http://ldapman.org/articles/intro_to_ldap.html

References

  1. http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
  2. http://ducky-pond.com/posts/11