Accessing a shell with LDAP authentication
Shell access with LDAP authentication and authorization
Preparatory steps
To be able to use the LDAP database for authentication, we must have the right software. So as usual, we install it using apt-get or aptitude. The software we need is:
- libnss-ldap, the NSS module that can use LDAP as a naming service
- libpam-ldap, the PAM module that allows LDAP interfaces
- nscd, the Name Service Cache Daemon, that handles & caches lookups of passwd/groups/hosts for running programs
Note: the libnss-ldap has the other two as dependencies, so you could limit yourself to
apt-get install libnss-ldap
When installing libnss-ldap, Debian asks the following questions:
- the LDAP server Uniform Resource Identifier; you can submit ldap:///192.168.67.10 or whatever the IP address on your LDAP server's internal NIC is. Note: use "ldap:" and not "ldapi:". The difference is "ldapi:" signals LDAP over a Unix socket (and, to be complete, "ldaps:" signals LDAP over SSL).
- the DN of the LDAP search base: in our example this was "dc=saruman,dc=biz".
- LDAP protocol version to use: if you're not using this server with ancient applications, LDAP v3 is the best choice.
- The LDAP account for root: in our example this was "cn=admin,dc=saruman,dc=biz".
- The root LDAP account password.
The libnss-ldap configuration ends with a reminder that for the libnss-ldap package to work, you need to modify your /etc/nsswitch.conf to use the "ldap" datasource. Furthermore, should you ever want to remove this package, it is wise to remove the "ldap" entries from nsswitch.conf to keep basic services functioning.
Next is the libpam-ldap configuration:
- Make root database owner: default is yes, but we choose "no".
- Does the LDAP database require login: as long as we haven't disabled anonymous queries, it does not. We can answer "no".
Funny enough, if we run dpkg-reconfigure after installation, we get more questions.