Skip to content Skip to site navigation

Red Hat with LDAP Proxy

The PAM/NSS LDAP packages available on Red Hat systems have the fundamental restriction that they do not support Kerberos binds to the directory. The work around for this problem is to install a local LDAP server that is used as a proxy to the central Stanford LDAP service. The proxy makes a Kerberos bind to the directory, accepts anonymous binds from clients on the host, and PAM/NSS is configured to use the local LDAP proxy.  While the the introduction of an LDAP proxy server makes the configuration more complicated it results in a system that is quite flexible.  The mappings of LDAP attributes to Posix elements can be tailored to the requirements of the system.

Configuring Red Hat PAM/NSS to Use LDAP

  1. Start by installing Kerberos and some utilities.
    yum install krb5-workstation kstart
  2. Copy a Stanford krb5.conf file into place.
    scp sunetid@corn.stanford.edu:/etc/krb5.conf /etc/krb5.conf
  3. Install wallet software. Wallet is used to download Kerberos keytabs. See the Wallet documentation for detailed information.
  4. Download the keytab for the system using wallet.
    su - root kinit sunetid wallet get -f /etc/krb5.keytab keytab host/zoot-vm3.stanford.edu
  5. Install the openafs-client package. This is required if the home directories are on AFS. OpenAFS is not required and the homeDirectory values stored in the Stanford LDAP directory can be overridden using the PAM/NSS configuration.
    yum install openafs-client
  6. Install slapd, the OpenLDAP server. Accept the defaults for the server and shut it down once the installation is complete.
    yum install openldap-servers openldap-clients cyrus-sasl-gssapi /etc/init.d/slapd stop
  7. Since the LDAP proxy configuration is so simple there is no need to use the cn=config dynamic configuration of OpenLDAP. Make sure the the cn=config based configuration of the LDAP server is not in use by removing it from the system.
    rm -rf /etc/openldap/slapd.d
  8. Create a files based configuration by creating the file /etc/openldap/slapd.conf.
    
    # Anonymous LDAP proxy configuration.  Allows anonymous local binds 
    # and uses Kerberos to bind to the central LDAP service.
    #
    # Global Schemas.
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/dyngroup.schema
    include /etc/openldap/schema/nis.schema
    #
    # Local Schemas.
    include /etc/openldap/schema/krb5-kdc.schema
    include /etc/openldap/schema/stanford-oids.schema
    include /etc/openldap/schema/suacct.schema
    include /etc/openldap/schema/superson.schema
    include /etc/openldap/schema/suapplication.schema
    include /etc/openldap/schema/suorg.schema
    include /etc/openldap/schema/suworkgroup.schema
    include /etc/openldap/schema/eduperson.schema
    #
    # Global Options.
    conn_max_pending 1000
    sockbuf_max_incoming 4194303
    pidfile  /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    #
    #
    loglevel stats
    sizelimit unlimited
    limits * size.pr=0 size.prtotal=none
    #
    # Allow everything that can be retrieved to be read
    readonly on
    access to *
           by * read
    #
    # LDAP Proxy Options.
    #
    database ldap
    suffix   "dc=stanford,dc=edu"
    uri      "ldap://ldap.stanford.edu"
    idassert-authzFrom dn.regex:.*
    idassert-bind bindmethod=SASL
          saslmech=GSSAPI
          mode=none
    #
    # Connection reuse limit.
    conn-ttl 3600
    
  9. The slapd configuration needs some schema files that are not included with the Red Hat package. The simplest way to get the needed schema files is to copy them from AFS.
    
    cp /afs/ir/service/directory/schema/* /etc/openldap/schema
    
  10. Make a directory to hold the pid and Kerberos ticket cache. The /var directories created by the slapd install are ignored.
    
    mkdir /var/run/openldap
    chown ldap:ldap /var/run/openldap
    
  11. Test the slapd configuration.
    
     slaptest -u
    
  12. Manually create a Kerberos ticket cache to use in testing the slapd server using the script belog. The final configuration will use daemontools to maintain the ticket cache.
    
     #!/bin/sh
     # Maintain a ticket cache for slapd to use
     if [ ! -d /var/run/openldap ]; then
       mkdir -p /var/run/openldap
     fi
     chown root:ldap /var/run/openldap
     chmod 775 /var/run/openldap
     /usr/bin/k5start -U -l 10h -K 30 -o ldap -g ldap -f /etc/krb5.keytab -k /var/run/openldap/slapd-proxy.tgt
    
  13. Modify the slapd startup configuration to point the KRB5CCNAME environment variable to the Kerberos ticket cache. Do this by adding the following line to the /etc/sysconfig/ldap file.
    
     export KRB5CCNAME=/var/run/openldap/slapd-proxy.tgt
    
  14. Start slapd.
    
     /etc/init.d/slapd start
    
  15. To make it easier to test the slapd server add the file /etc/openldap/ldap.conf. This file sets defaults used by ldapsearch. Set the base dn to the most common search that will be performed. In the example below the whole accounts branch of the directory is the default base distinguished name.
    
    # LDAP Defaults
    host localhost
    base cn=accounts,dc=stanford,dc=edu
    
  16. Test with the ldapsearch. You should see a list of posixAccounts entries for the selected workgroup. There is no point going on past this point until the following query returns data from the directory.
    
    ldapsearch -x 
    
  17. Install daemontools to manage the Kerberos ticket cache required and start the svscan daemon.
    
    yum install daemontools
    start daemontools
    
  18. Create the service directory to the ticket cache maintenance.
    
    mkdir /service/slapd-proxy
    
  19. Create the file /service/slapd-proxy/run to maintain the ticket cache. Make sure that the permissions on the include the execute bit, i.e. 'chmod +x /service/slapd-proxy/run'.
    
    #!/bin/sh
    # /service/slapd-proxy/run - maintain slapd service ticket.
    if [ ! -d /var/run/openldap ]; then
        mkdir -p /var/run/openldap
    fi
    chmod 775 /var/run/openldap
    exec /usr/bin/k5start -U -l 10h -K 30 -o ldap -g ldap -f /etc/krb5.keytab -k /var/run/openldap/slapd-proxy.tgt
    
  20. Start up the ticket cache maintenance daemon and restart slapd.
    
    svc -u /service/slapd-proxy
    /etc/init.d/slapd restart
    
  21. Test again with the ldapsearch to make sure the LDAP directory is still accessible.
    
    ldapsearch -x 
    
  22. Install the PAM and NSS ldap packages. Answer the installations questions by setting the host to 127.0.0.1, the base dn to cn=accounts,dc=stanford,dc=edu, and don't configure any services.
    
    yum install nss-pam-ldapd
    yum install pam_ldap
    yum install pam_krb5
    
  23. Install PAM afs support if AFS will be used.
    
    yum install pam-afs-session
    
  24. Create the file /etc/pam.d/system-auth-ldap. Note these files contain no LDAP entries. LDAP is not used for authentication. LDAP is used to retrieve posix account information using using nsswitch.
    
    # PAM Configuration supporting ldap account information
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok
    auth        [success=ok default=1] pam_krb5.so use_first_pass minimum_uid=100
    auth        [default=done] pam_afs_session.so program=/usr/bin/aklog
    auth        requisite     pam_succeed_if.so uid >= 100 quiet
    auth        required      pam_deny.so
    #
    account     required      pam_krb5.so ignore_root minimum_uid=100
    account     required      pam_unix.so
    account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]   pam_ldap.so
    account     sufficient    pam_succeed_if.so uid < 100 quiet
    account     required      pam_permit.so
    #
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_krb5.so ignore_root minimum_uid=100
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    #
    session     optional      pam_keyinit.so revoke
    session     optional      pam_krb5.so ignore_root minimum_uid=100
    session     required      pam_afs_session.so program=/usr/bin/aklog
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    
  25. Configure pam_ldap by creating the file /etc/pam_ldap.conf.
    
    # This is the configuration file the pam_ldap package.
    # It is only used on Red Hat systems.
    #
    # The man page for this file is pam_ldap(5)
    #
    # The ldap server
    host 127.0.0.1
    #
    # Search base
    base cn=Accounts,dc=stanford,dc=edu
    #
    # The LDAP version
    ldap_version 3
    #
    # The search scope.
    scope sub
    #
    # Filter to AND with uid=%s
    pam_filter (suPrivilegeGroup=stem:workgroup)
    
  26. Configure pam-nss-ldapd by creating the file /etc/nslcd.conf.
    
    # /etc/nslcd.conf
    #
    # nslcd configuration file. See nslcd.conf(5) for details.
    #
    # The user and group nslcd should run as.
    uid nslcd
    gid ldap
    #
    # The location at which the LDAP server(s) should be reachable.
    uri ldap://127.0.0.1/
    #
    # The search base that will be used for all queries.
    base cn=Accounts,dc=stanford,dc=edu
    #
    # The LDAP protocol version to use.
    ldap_version 3
    #
    # The search scope.
    scope sub
    #
    filter passwd (suPrivilegeGroup=stem:workgroup)
    
  27. Update /etc/nsswitch.conf to include ldap for passwd resolution. Again, LDAP is not used for password authentication, rather account information is extracted from the passwd, i.e. home directory, uidnumber, gidnumber, and the user's friendly name.
    
    # /etc/nsswitch.conf
    #
    passwd:         compat ldap
    group:          compat
    shadow:         compat
    #
    hosts:          files dns
    networks:       files
    #
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    #
    netgroup:       files
    
  28. Test with getent. You should be able to see entries for the users that have access to the system and not see entries for users that don't.
    
    getent passwd some-sunetid
    
Last modified March 21, 2024