
Debian

Configuring Debian PAM/NSS to Use LDAP

This procedure describes the steps required to integrate the central authentication service (Kerberos) and central authorization service (Workgroups) with access controls on Debian/Ubuntu Linux systems. The configuration uses the pam-nss-ldapd package that is delivered with Debian/Ubuntu to access user and group information in the central directory service. While specific Debian package names are referenced, the configuration is valid for any system with a recent version of pam-nss-ldapd.

  1. Install Kerberos clients.
        aptitude install krb5-user libsasl2-modules-gssapi-mit kstart
    
  2. Copy a Stanford krb5.conf file into place.
  3. Drop a sources file into the /etc/apt/sources.list.d/ directory that includes Stanford's Debian repositories.
        deb     http://debian.stanford.edu/debian-stanford wheezy main non-free contrib
        deb-src http://debian.stanford.edu/debian-stanford wheezy main non-free contrib
    
  4. Install wallet software. Wallet is used to download Kerberos keytabs. See detailed information about wallet.
        su - root
        kinit sunetid
        wallet get -f /etc/krb5.keytab keytab host/zoot-vm3.stanford.edu
    
  5. Install the openafs-client package. This is required if the home directories are on AFS. This can be overridden using the PAM configuration. In the instructions below the current kernel version will need to be substituted in on the dpkg line.
        aptitude install libpam-krb5 libpam-afs-session
    
  6. Install the PAM and NSS LDAP packages. Set the host to ldap.stanford.edu, the base DN to cn=accounts,dc=stanford,dc=edu, and don't configure any services.
        # /etc/pam.d/common-auth
        # Use the traditional Unix authentication mechanisms and fall back
        # to Kerberos if that fails.  Include pam_afs_session so that
        # calls to pam_setcred will acquire an AFS PAG and tokens.
        auth sufficient               pam_unix.so try_first_pass nullok_secure
        auth [success=ok default=die] pam_krb5.so use_first_pass forwardable
        auth [default=done]           pam_afs_session.so
    
        # /etc/pam.d/common-account
        account required pam_unix.so
        account required pam_krb5.so
        
        # /etc/pam.d/common-session
        session optional pam_krb5.so
        session optional pam_afs_session.so
        session required pam_unix.so
    
  7. Configure libpam-ldapd and libnss-ldapd by creating the file /etc/nslcd.conf.
        # /etc/nslcd.conf
        #
        # The user and group nslcd should run as.
        uid nslcd
        gid nslcd
        #
        # The location at which the LDAP server(s) should be reachable.
        uri ldap://ldap.stanford.edu/
        #
        # Kerberos credentials for ldap connection
        sasl_mech GSSAPI
        krb5_ccname /var/run/nslcd/ldap.tgt
        #
        # The search bases
        base passwd cn=Accounts,dc=stanford,dc=edu
        base group cn=Groups,dc=stanford,dc=edu
        #
        # The LDAP protocol version to use.
        ldap_version 3
        #
        # The search scope.
        scope sub
        #
        # Filters and maps
        filter passwd (objectclass=posixAccount)
        filter group (objectclass=suPosixGroup)
        map group cn suGroupCN
    
  8. Update the /etc/nsswitch.conf file to use the data from the LDAP searches.
        # /etc/nsswitch.conf
        #
        passwd:    compat ldap
        group:     compat ldap
        shadow:    compat
        #
        hosts:     files dns
        networks:  files
        #
        protocols: db files
        services:  db files
        ethers:    db files
        rpc:       db files
        #
        netgroup:  files
    
  9. Test with getent. You should be able to see entries for users and groups that are not present in the local passwd and group files.
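
One way to script the step 9 check, as an added example that is not part of the original procedure: it confirms that the database lists `ldap` in /etc/nsswitch.conf, that the ticket cache named by `krb5_ccname` in /etc/nslcd.conf holds a valid ticket, and that the name resolves through `getent` without being in the local file. The function names are hypothetical; run it as root so the nslcd ticket cache is readable.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# Usage (as root): sh check-nss-ldap.sh passwd <user>   or   group <group>

# nss_uses_ldap DB [FILE]: true if DB's line in nsswitch.conf lists "ldap".
nss_uses_ldap() {
    awk -v db="$1:" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit !found }
    ' "${2:-/etc/nsswitch.conf}"
}

# in_local_file NAME FILE: true if NAME is the first field of a line in FILE.
in_local_file() {
    awk -F: -v n="$1" '$1 == n { hit = 1 } END { exit !hit }' "$2"
}

# check_entry DB NAME: DB is "passwd" or "group"; the local file is /etc/DB.
check_entry() {
    db=$1 name=$2
    nss_uses_ldap "$db" ||
        { echo "FAIL: $db has no ldap source in /etc/nsswitch.conf"; return 1; }
    # krb5_ccname from /etc/nslcd.conf; klist -s exits non-zero when the
    # cache is missing, unreadable or holds only expired tickets.
    klist -s /var/run/nslcd/ldap.tgt ||
        { echo "FAIL: no valid ticket in /var/run/nslcd/ldap.tgt"; return 1; }
    getent "$db" "$name" >/dev/null ||
        { echo "FAIL: $db entry '$name' does not resolve"; return 1; }
    if in_local_file "$name" "/etc/$db"; then
        echo "FAIL: '$name' is in /etc/$db, so this lookup proves nothing about LDAP"
        return 1
    fi
    echo "OK: $db entry '$name' resolves and is not in /etc/$db"
}

# Run the check only when a database and a name were given.
if [ $# -ge 2 ]; then
    check_entry "$1" "$2"
fi
```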
Last modified January 8, 2016