SSH server ldap user
SSH server - Authentication using LDAP server
Requirement: LDAP server
Contents
Principle
The idea is to use a LDAP server to manage users and groups to ease the maintenance and administration.
- Only 1 group of users is allowed to connect
- Access can be dynamically and easily granted
Server side requirements
You need to have a LDAP server with both the "memberOf" and "Reference Integrity" overlays enabled.
You also need to create some group for SSH users, this must be a groupOfNames - i.e not a posixGroup !!!
==> Every member of the "ssh-users" group will be able to log-in to the server
LDAP client installation
Install LDAP pam client
apt-get install libpam-ldap nscd ldap-utils
Questions / Answers
- LDAP URI? ldap://daxiongmao.eu || ldap://213.186.33.87
- Distinguished Name: dc=daxiongmao,dc=eu
- LDAP version to use? 3
- Make local root DB admin? Yes
- Does LDAP require login? No
- LDAP account for root: cn=admin,dc=daxiongmao,dc=eu
- LDAP root password: ROOT_PWD
[!] You can either use IP @ or name for LDAP server
[!] All these settings are available in /etc/ldap.conf
[!] If you make a mistake and need to change a value, you can go through the menu again by issuing this command:
dpkg-reconfigure ldap-auth-config
Enable LDAP authentication
LDAP as authentication server
vim /etc/ldap/ldap.conf
Adjust the file like that:
BASE dc=daxiongmao,dc=eu
URI ldap://daxiongmao.eu || ldap://213.186.33.87
SIZELIMIT 0
TIMELIMIT 0
DEREF never
Allow LDAP lookups
Automatic
auth-client-config -t nss -p lac_ldap
Manual approach
vim /etc/nsswitch.conf
- Replace "compat" by "files ldap"
- "files" allows sudo to check its local configuration before checking the LDAP-based
LDAP user's home
This will create the LDAP user's home on server login.
Edit configuration file
vim /etc/pam.d/common-session
Add the following line BEFORE pam_ldap.so (~ line 28)
session required pam_mkhomedir.so skel=/etc/skel umask=0022
LDAP client configuration
Edit LDAP's client configuration:
vim /etc/ldap.conf
Increase security
Uncomment / comment
bind_policy soft ~ line 72
#pam_password md5 ~ line 131
pam_password crypt ~ line 138
LDAP schema binding
-- The following content depends on your configuration --
Uncomment and adjust the following lines:
pam_filter objectclass=posixAccount ~ line 80
pam_login_attribute uid ~ line 83
nss_base_passwd ou=people,dc=daxiongmao,dc=eu?one ~ line 173
nss_base_group ou=groups,dc=daxiongmao,dc=eu?sub?gidNumber=* ~ line 175
nss_base_hosts ou=hosts,dc=daxiongmao,dc=eu ~ line 175
nss_base_netgroup ou=groups,dc=daxiongmao,dc=eu ~ line 185
[!] Note that the "passwd" (= user binding) must use the one scope ; the groups binding can use the sub scope.
allow LDAP Group ID
This will allow use to LDAP Group ID = you don't have to create a local group with the same GID.
vim /etc/nsswitch.conf
Replace: "netgroup: nis" by
netgroup: nis ldap
Restart NSCD
/etc/init.d/nscd restart
Installation check
get all data
ldapsearch -x
Return the user list from LDAP
getent passwd
Return the user settings (tabulation should work)
getent passwd <user>
Return the list of SSH users
getent group ssh-users
Return the list of SSH admins
getent group ssh-admins
Test login as LDAP user
su <user>
It should work smoothly ! :)
It might not even ask for a password !!! (Normal: you didn't restarted PAM so far)
Overall config check
You need to reboot your computer to enable all LDAP settings, including security !
SSH test
Test to SSH to the server using one LDAP account.
Since there is no filter (yet) all LDAP users should be able to log-in.
Local test
su <user>
>> It should ask for a password
LDAP group filter
Edit LDAP configuration
vim /etc/ldap.conf
Adjust the user binding (nss_base_passwd).
Single group binding
nss_base_passwd ou=people,dc=daxiongmao,dc=eu?one?memberof=cn=ssh-users,ou=groups,dc=daxiongmao,dc=eu
[!] you need a LDAP server with MemberOf enable !!
[!] mind the case ! overlay + {CN,OU,DC} in lower case !!
[!] you can only apply the scope "one" for it to work
Multi group binding
nss_base_passwd ou=people,dc=daxiongmao,dc=eu?one?memberof=cn=ssh-users,ou=groups,dc=daxiongmao,dc=eu
Test
All the changes in /etc/ldap.conf are read on real-time.
You should be able to test them right away !