[Techtalk] Re: [Newchix] OpenLDAP Client configuration???? no clue

Devdas Bhagat devdas at dvb.homelinux.org
Tue Oct 26 03:29:55 EST 2004 

On 25/10/04 09:16 +1000, Karina wrote:
> thank you again Devdas
> 
> yes the LADP server has been configured and all is working well on the 
> server side
> the client side for the Macintosh systems are working like a charm.
> 
> on the Linux side, the e-mail LDAP connection is working perfectly, just 
> the login to the Linux box is not authenticating.
> 
> in my ldap.conf file the settings are there,
> the system-auth file is not in the pam.d directory, I will look for this 
> today.

For a local Linux login, the file /etc/pam.d/login is used.
On my system, this contains:
$cat /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

These lines basically tell the system to look for a certain set of
modules while authenticating and authorizing a user.
The option of service=system-auth tells PAM to use the options in
/etc/pam.d/system-auth for AA.

Your distribution may not pass authentication requests to other modules
using a similar setup, but may add ldap auth lines directly to the login
file. 

> I agree once I get the LDAP working I will focus on the Kiosk aspect of 
> the setup... all one step at a time.
> 
> with regards to explanations going over my head... I appreciate what you 
> are saying with regards to limited knowledge with Linux, however, I 
> would love to hear your explanation so that I may be able to understand 
> more, and ask questions accordingly.

Ok, I will try and keep this as simple as possible, and point you along
the path.

LDAP stands for the Lightweight Directory Access Protocol. On Linux,
this is typically provided by OpenLDAP (http://www.openldap.org/).
LDAP is a general information store. It stores entities termed as
objects, which are described by key=value pairs.

For the purposes of authentication, the LDAP server stores a user
object. This is typically known as posixAccount. The posixAccount object
has attributes uid and userPassword.
The uid attribute maps to a login name, and userPassword maps to the
password. 

The Unix UID (User ID) maps to uidNumber. It does not map to the uid
attribute.

To access data stored in the directory, you first need to prove your
credentials to the LDAP server. The simplest method of doing this is
storing the authentication information in the server itself in the uid
and userPassword attributes.

Access to these attributes is controlled by Access Control Lists (ACLs).

The OpenLDAP server daemon is named slapd, and the configuration file is
named slapd.conf. If you have installed from a RPM, this will most
likely be in /etc/openldap/slapd.conf, or /etc/slapd.conf.

The OpenLDAP client uses the file /etc/ldap.conf.

OpenLDAP logs to syslog, using the local LOG_LEVEL4 facility. To obtain
logs for OpenLDAP, add the line 

local4.*					/var/log/ldap.log

to /etc/syslog.conf. Restart syslogd.

Try to authenticate to the LDAP server with the commandline LDAP client.
$ldapsearch -d 9 -D "some=user,dn" -x -W -b "basedn=goes,here" objectclass=*

This runs a search on your LDAP server for all objects below the basedn
basedn=goes,here with you authenticating as user,dn. The -d 9 option
gives slightly verbose logging, and hopefully a helpful hint of what is
going on

Check your logs on the server side as well. By default, the LDAP server 
listens on port 389. If your Linux client has a firewall that prevents
packets from the server from returning to it, you may not see much
useful logging there. Make sure that return traffic from port 389 is
allowed. If you are using LDAPs, the port is 636.

> one of the problems I am conceptually trying to sort out, is not How 
> LDAP works, it is where all the files are located that need modification.
> 
> I my conceptual issue is where doe login get it's information on where 
> to look for the Authentication for LDAP.

If you have the time, I recommend buying the O'Reilly book: LDAP system
administration. It explains in quite some detail how to actually run
systems with LDAP, as opposed to programming for those.

Linux uses PAM for system authentication. Configuration files for the
pluggable authentication modules are in /etc/pam.d/, named after the
service.
Each file references a list of modules to be used (as above).

> anyways... I am not discouraged, and I will get this going one way or 
> another <smile>

Cool. Good luck.

Devdas Bhagat

PS: A smile is :). 

PPS: Legal disclaimers are stupid. Point that out to your management types.

PPPS: Top posting on a mailing list is a bad thing. Interpolate instead.

More information about the Techtalk mailing list