The PAM/NSS LDAP packages available on Red Hat systems have the fundamental restriction that they do not support Kerberos binds to the directory. The workaround for this problem is to install a local LDAP server that is used as a proxy to the central Stanford LDAP service. The proxy makes a Kerberos bind to the directory and accepts anonymous binds from clients on the host, and PAM/NSS is configured to use the local LDAP proxy. While the introduction of an LDAP proxy server makes the configuration more complicated, it results in a system that is quite flexible: the mappings of LDAP attributes to POSIX elements can be tailored to the requirements of the system.
Configuring Red Hat PAM/NSS to Use LDAP
- Start by installing Kerberos and some utilities.
yum install krb5-workstation kstart
- Copy a Stanford krb5.conf file into place.
scp sunetid@corn.stanford.edu:/etc/krb5.conf /etc/krb5.conf
- Install wallet software. Wallet is used to download Kerberos keytabs. See the Wallet documentation for detailed information.
- Download the keytab for the system using wallet.
su - root
kinit sunetid
wallet get -f /etc/krb5.keytab keytab host/zoot-vm3.stanford.edu
- Install the openafs-client package if the home directories are on AFS. OpenAFS is not otherwise required, since the homeDirectory values stored in the Stanford LDAP directory can be overridden using the PAM/NSS configuration.
yum install openafs-client
- Install slapd, the OpenLDAP server. Accept the defaults for the server and shut it down once the installation is complete.
yum install openldap-servers openldap-clients cyrus-sasl-gssapi
/etc/init.d/slapd stop
- Since the LDAP proxy configuration is so simple there is no need to use the cn=config dynamic configuration of OpenLDAP. Make sure the cn=config based configuration of the LDAP server is not in use by removing it from the system.
rm -rf /etc/openldap/slapd.d
- Create a file-based configuration by creating the file /etc/openldap/slapd.conf.
# Anonymous LDAP proxy configuration. Allows anonymous local binds
# and uses Kerberos to bind to the central LDAP service.
#
# Global Schemas.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/nis.schema
#
# Local Schemas.
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/stanford-oids.schema
include /etc/openldap/schema/suacct.schema
include /etc/openldap/schema/superson.schema
include /etc/openldap/schema/suapplication.schema
include /etc/openldap/schema/suorg.schema
include /etc/openldap/schema/suworkgroup.schema
include /etc/openldap/schema/eduperson.schema
#
# Global Options.
conn_max_pending 1000
sockbuf_max_incoming 4194303
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#
# loglevel stats
sizelimit unlimited
limits * size.pr=0 size.prtotal=none
#
# Allow everything that can be retrieved to be read
readonly on
access to * by * read
#
# LDAP Proxy Options.
#
database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap.stanford.edu"
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
#
# Connection reuse limit.
conn-ttl 3600
- The slapd configuration needs some schema files that are not included with the Red Hat package. The simplest way to get the needed schema files is to copy them from AFS.
cp /afs/ir/service/directory/schema/* /etc/openldap/schema
- Make a directory to hold the pid and Kerberos ticket cache. The /var directories created by the slapd install are ignored.
mkdir /var/run/openldap
chown ldap:ldap /var/run/openldap
- Test the slapd configuration.
slaptest -u
- Manually create a Kerberos ticket cache to use in testing the slapd server using the script below. The final configuration will use daemontools to maintain the ticket cache.
#!/bin/sh
# Maintain a ticket cache for slapd to use
if [ ! -d /var/run/openldap ]; then
    mkdir -p /var/run/openldap
fi
chown root:ldap /var/run/openldap
chmod 775 /var/run/openldap
/usr/bin/k5start -U -l 10h -K 30 -o ldap -g ldap -f /etc/krb5.keytab -k /var/run/openldap/slapd-proxy.tgt
- Modify the slapd startup configuration to point the KRB5CCNAME environment variable to the Kerberos ticket cache. Do this by adding the following line to the /etc/sysconfig/ldap file.
export KRB5CCNAME=/var/run/openldap/slapd-proxy.tgt
- Start slapd.
/etc/init.d/slapd start
- To make it easier to test the slapd server add the file /etc/openldap/ldap.conf. This file sets defaults used by ldapsearch. Set the base dn to the most common search that will be performed. In the example below the whole accounts branch of the directory is the default base distinguished name.
# LDAP Defaults
host localhost
base cn=accounts,dc=stanford,dc=edu
- Test with ldapsearch. You should see a list of posixAccount entries for the selected workgroup. There is no point going any further until the following query returns data from the directory.
ldapsearch -x
- Install daemontools, which will manage the required Kerberos ticket cache, and start the svscan daemon.
yum install daemontools
start daemontools
- Create the service directory for the ticket cache maintenance.
mkdir /service/slapd-proxy
- Create the file /service/slapd-proxy/run to maintain the ticket cache. Make sure that the permissions on the file include the execute bit, i.e. 'chmod +x /service/slapd-proxy/run'.
#!/bin/sh
# /service/slapd-proxy/run - maintain slapd service ticket.
if [ ! -d /var/run/openldap ]; then
    mkdir -p /var/run/openldap
fi
chmod 775 /var/run/openldap
exec /usr/bin/k5start -U -l 10h -K 30 -o ldap -g ldap -f /etc/krb5.keytab -k /var/run/openldap/slapd-proxy.tgt
- Start up the ticket cache maintenance daemon and restart slapd.
svc -u /service/slapd-proxy
/etc/init.d/slapd restart
- Test again with ldapsearch to make sure the LDAP directory is still accessible.
ldapsearch -x
- Install the PAM and NSS ldap packages. Answer the installation questions by setting the host to 127.0.0.1 and the base dn to cn=accounts,dc=stanford,dc=edu, and don't configure any services.
yum install nss-pam-ldapd
yum install pam_ldap
yum install pam_krb5
- Install PAM AFS support if AFS will be used.
yum install pam-afs-session
- Create the file /etc/pam.d/system-auth-ldap. Note that the auth and password stacks contain no LDAP entries: LDAP is not used for authentication. LDAP is used to retrieve posix account information through nsswitch.
# PAM Configuration supporting ldap account information
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth [success=ok default=1] pam_krb5.so use_first_pass minimum_uid=100
auth [default=done] pam_afs_session.so program=/usr/bin/aklog
auth requisite pam_succeed_if.so uid >= 100 quiet
auth required pam_deny.so
#
account required pam_krb5.so ignore_root minimum_uid=100
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so
#
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_krb5.so ignore_root minimum_uid=100
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
#
session optional pam_keyinit.so revoke
session optional pam_krb5.so ignore_root minimum_uid=100
session required pam_afs_session.so program=/usr/bin/aklog
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
- Configure pam_ldap by creating the file /etc/pam_ldap.conf.
# This is the configuration file for the pam_ldap package.
# It is only used on Red Hat systems.
#
# The man page for this file is pam_ldap(5)
#
# The ldap server
host 127.0.0.1
#
# Search base
base cn=Accounts,dc=stanford,dc=edu
#
# The LDAP version
ldap_version 3
#
# The search scope.
scope sub
#
# Filter to AND with uid=%s
pam_filter (suPrivilegeGroup=stem:workgroup)
- Configure pam-nss-ldapd by creating the file /etc/nslcd.conf.
# /etc/nslcd.conf
#
# nslcd configuration file. See nslcd.conf(5) for details.
#
# The user and group nslcd should run as.
uid nslcd
gid ldap
#
# The location at which the LDAP server(s) should be reachable.
uri ldap://127.0.0.1/
#
# The search base that will be used for all queries.
base cn=Accounts,dc=stanford,dc=edu
#
# The LDAP protocol version to use.
ldap_version 3
#
# The search scope.
scope sub
#
filter passwd (suPrivilegeGroup=stem:workgroup)
- Update /etc/nsswitch.conf to include ldap for passwd resolution. Again, LDAP is not used for password authentication; rather, account information (home directory, uidNumber, gidNumber, and the user's friendly name) is retrieved through the passwd map.
# /etc/nsswitch.conf
#
passwd: compat ldap
group: compat
shadow: compat
#
hosts: files dns
networks: files
#
protocols: db files
services: db files
ethers: db files
rpc: db files
#
netgroup: files
- Test with getent. You should be able to see entries for the users that have access to the system and not see entries for users that don't.
getent passwd some-sunetid
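The getent result above depends entirely on the filter set in nslcd.conf (and, for pam_ldap, pam_filter): the uid lookup is ANDed with it, so a user outside the workgroup does not exist on the host at all. The following is an added Python model of that behaviour, not code from the original page; the directory entries are constructed sample data, and the attribute names gecos and loginShell are assumed standard posixAccount attributes.

```python
# Added example (not from the original page): a model of how nslcd's
# `filter passwd` gates which directory accounts exist on this host.
# The directory entries are constructed sample data, not real accounts.

PASSWD_FILTER = "(suPrivilegeGroup=stem:workgroup)"  # value from nslcd.conf above
# What the local proxy would hand back to nslcd (constructed entries).
DIRECTORY = [
    {"uid": ["alice"], "uidNumber": ["10001"], "gidNumber": ["100"],
     "gecos": ["Alice Example"], "homeDirectory": ["/afs/ir/users/a/l/alice"],
     "loginShell": ["/bin/bash"], "suPrivilegeGroup": ["stem:workgroup", "stem:other"]},
    {"uid": ["bob"], "uidNumber": ["10002"], "gidNumber": ["100"],
     "gecos": ["Bob Example"], "homeDirectory": ["/afs/ir/users/b/o/bob"],
     "loginShell": ["/bin/bash"], "suPrivilegeGroup": ["stem:other"]},
]

def parse(f, i=0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    assert f[i] == "(", "filter must start with '('"
    i += 1
    if f[i] in "&|!":
        op, items, i = f[i], [], i + 1
        while f[i] != ")":
            node, i = parse(f, i)
            items.append(node)
        return (op, items), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    if node[0] == "=":
        vals = next((v for k, v in entry.items() if k.lower() == node[1].lower()), [])
        return any(v.lower() == node[2].lower() for v in vals)
    op, items = node
    if op == "&":
        return all(matches(n, entry) for n in items)
    if op == "|":
        return any(matches(n, entry) for n in items)
    return not matches(items[0], entry)

def resolve_passwd(username, passwd_filter=PASSWD_FILTER):
    """Model `getent passwd <username>`: nslcd ANDs its uid lookup with the
    configured filter, so a user outside the workgroup does not exist here."""
    node, _ = parse(f"(&(uid={username}){passwd_filter})")
    for e in DIRECTORY:
        if matches(node, e):
            return ":".join([e["uid"][0], "x", e["uidNumber"][0], e["gidNumber"][0],
                             e["gecos"][0], e["homeDirectory"][0], e["loginShell"][0]])
    return None
```

Calling resolve_passwd("alice") returns a passwd line while resolve_passwd("bob") returns None; passing a broader filter (for example one that admits stem:other) makes bob resolve, which is exactly the exposure a missing or over-broad filter would create on the real host.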