Wednesday, March 28, 2012

setting up ldap client authentication on ubuntu 11.10 and 12.04


Recently I had to set up a Linux corporate network and had a hard time getting things to work. The setup consists of Postfix, Dovecot and SVN, all using LDAP for central authentication and authorization. I will try to describe the required steps in a series of blog posts; as a first step, this post describes how to set up LDAP client authentication on Ubuntu 11.10 (12.04) machines.

By the end of this document you should be able to authenticate LDAP users on the Ubuntu client. LDAP users do not have local Unix accounts on the client PC; the client contacts the LDAP server during login to authenticate the user and authorize the access.

These steps were tested with an Ubuntu client PC authenticating against a Fedora Directory Server running on CentOS 6. Both the client and the server are on the intranet.

Requirements:
Ubuntu PC which acts as a client.
CentOS 6 running Fedora Directory Server.
NOTE:
Installing Fedora Directory Server on a CentOS 6 server is nothing short of a nightmare; if you manage to get it working, you are super lucky.
You should have the root password or admin privileges on both the client and server machines.

Steps:
i) Issue the below command [ without quotes ]
   "sudo apt-get install ldap-utils libpam-ldap libnss-ldap nslcd"
   NOTE:
   During the installation of the above packages a dialog will pop up and ask for some LDAP configuration; you must give the right parameters here for things to work.

ii) Open /etc/nsswitch.conf [ remember you need sudo to edit this file ] and append the word "ldap" to the following lines:

    # Original file looks like this
    passwd: compat
    group : compat
    shadow: compat

    # After appending "ldap" the lines look like this
    passwd: compat ldap
    group : compat ldap
    shadow: compat ldap
   
iii) Comment out the "rootbinddn" line in the LDAP client configuration file [ not sure why we need to do that ]

If you don't want to create home directories on the workstation but want to create them on the NFS server, you can go directly to step vi).

iv) Open the file /etc/pam.d/login and add the line below:
  session required pam_mkhomedir.so skel=/etc/skel umask=0022
v) Open the file /etc/pam.d/lightdm and add the line below:
  session required pam_mkhomedir.so skel=/etc/skel umask=0022

vi) Issue the command [ without quotes ] "sudo update-rc.d nslcd enable"

Reboot the Ubuntu client and your LDAP user should be able to log in.
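As an added example (not from the original post), here are the edits of steps ii) to v) written as idempotent shell functions. Each function takes the file to edit as an argument, so you can try it on a copy before touching /etc, and running it twice changes nothing. Step iii) does not say which file holds rootbinddn; the script assumes /etc/ldap.conf (where libnss-ldap keeps it), and the path is passed explicitly so you can point it elsewhere. Running the script with --apply as root performs the edits on the real files and enables nslcd as in step vi).

```shell
#!/bin/sh
# Added example: idempotent helpers for steps ii) to vi) of the post above.
# Every function takes the file to edit as $1, so it can be run on a copy first.

# Step ii): append "ldap" to the passwd/group/shadow lines of nsswitch.conf.
# Lines that already list ldap are left alone, so a second run changes nothing.
add_ldap_to_nsswitch() {
    f="$1"
    awk '
        /^(passwd|group|shadow)[ \t]*:/ && $0 !~ /(^|[ \t])ldap([ \t]|$)/ { print $0 " ldap"; next }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step iii): comment out the rootbinddn line (assumed to live in /etc/ldap.conf).
comment_out_rootbinddn() {
    f="$1"
    sed 's/^[[:space:]]*rootbinddn/#&/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Steps iv) and v): add the pam_mkhomedir session line once to a PAM service file.
ensure_pam_mkhomedir() {
    f="$1"
    line='session required pam_mkhomedir.so skel=/etc/skel umask=0022'
    grep -q 'pam_mkhomedir\.so' "$f" 2>/dev/null || printf '%s\n' "$line" >> "$f"
}

# Touch the live system only when asked explicitly (and only as root).
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    add_ldap_to_nsswitch /etc/nsswitch.conf
    comment_out_rootbinddn /etc/ldap.conf
    ensure_pam_mkhomedir /etc/pam.d/login
    ensure_pam_mkhomedir /etc/pam.d/lightdm
    update-rc.d nslcd enable      # step vi)
fi
```

Try the functions on copies of the real files first (for example `cp /etc/nsswitch.conf /tmp/ && add_ldap_to_nsswitch /tmp/nsswitch.conf`) and diff the result against the original before using --apply.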

Problems likely to be encountered and solutions:
i) The LDAP user takes an extremely long time, in the order of minutes, before seeing the desktop.
   This is a very serious problem and you are likely to run into it. Actually the problem is not on the client but on the server side. It happens because the nss-ldap module tries very hard to get the group information but is not able to find the user's group, either in LDAP or on the local system.

   Check whether you have created a POSIX group in LDAP and associated the users with this group.
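The check behind that advice, as an added example that is not part of the original post: a user whose primary GID resolves to no group (neither in LDAP nor locally) is the one who gets the slow login. The script takes passwd- and group-format text, exactly what `getent passwd` and `getent group` print once nsswitch.conf lists ldap, and reports the users whose gid has no matching group. It also prints an LDIF for a POSIX group of the kind the comments below ask about; the `ou=Groups` container and the attribute values are assumptions for illustration, not from the post.

```shell
#!/bin/sh
# Added example: list accounts whose primary GID does not resolve to any group.
# Takes passwd- and group-format text, as printed by "getent passwd" / "getent group",
# so once nsswitch.conf lists ldap it covers LDAP and local entries together.

# Print "user:gid" for each passwd entry whose gid is absent from the group data.
users_with_unresolved_gid() {
    passwd_data="$1"
    group_data="$2"
    {
        printf '%s\n' "$group_data"
        printf '%s\n' '--PASSWD--'      # marker separating the two inputs
        printf '%s\n' "$passwd_data"
    } | awk -F: '
        $0 == "--PASSWD--"                     { in_passwd = 1; next }
        !in_passwd && NF >= 3                  { known[$3] = 1; next }
        in_passwd && NF >= 4 && !($4 in known) { print $1 ":" $4 }'
}

# Wrapper for the live system: non-empty output means these users will hit the
# slow-login problem until a POSIX group with that gidNumber exists.
check_live_system() {
    users_with_unresolved_gid "$(getent passwd)" "$(getent group)"
}

# Emit an LDIF for a POSIX group (RFC 2307 posixGroup) that can be fed to ldapadd.
# $1 = base DN, $2 = group name, $3 = gidNumber, remaining arguments = member uids.
# The ou=Groups container is an assumption; adjust it to your directory layout.
posix_group_ldif() {
    base="$1"; name="$2"; gid="$3"; shift 3
    printf 'dn: cn=%s,ou=Groups,%s\n' "$name" "$base"
    printf 'objectClass: top\nobjectClass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\n' "$name" "$gid"
    for m in "$@"; do
        printf 'memberUid: %s\n' "$m"
    done
}

# Usage on a client: check_live_system
# Usage to build a group: posix_group_ldif 'dc=example,dc=com' students 5001 alice bob
```

If `check_live_system` prints anything, fix the directory (create the POSIX group with that gidNumber, or correct the users' gidNumber) rather than the client; the login delay is the client waiting on lookups that can never succeed.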

ii) Checking the errors in /var/log/auth.log can be helpful. All the LDAP errors will be logged there.

   Debugging "unable to contact ldap server"
   Check whether the LDAP server is reachable and the port is open.
   Try to ping the LDAP server to see whether it is reachable and whether the name of the LDAP machine resolves properly.
   Try to check whether the LDAP port is open or not (ports can be 6513 or 389).
   You can find out with the telnet command: issue "telnet <ldap-server> 6513" or "telnet <ldap-server> 389".
   If you see any characters on the console then the port is open; if not, the port is closed and you need to open it in the firewall.

Remove the 'i' from 'ldapi' where you specify the address of the machine running the LDAP server. The 'i' (a local Unix-domain socket) is required only when the LDAP server runs on the same machine you are authenticating on; since the LDAP server will practically always run on a different machine, use "ldap" instead of "ldapi" in the LDAP server address.
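The three checks above (scheme, name resolution, port) as one script, added here as an example and not part of the original post. It assumes the client config carries a `uri ldap://host[:port]/` line, as /etc/ldap.conf does; it refuses an `ldapi://` URI outright, resolves the host with getent, and probes the port with an OpenBSD-style `nc -z` (falling back to bash's /dev/tcp) instead of telnet. The default ports 389 for ldap and 636 for ldaps are the standard ones, not taken from the post.

```shell
#!/bin/sh
# Added example: check the uri line of an LDAP client config file the way the post
# debugs "unable to contact ldap server": scheme (ldapi vs ldap), name resolution, port.
# Assumption: the config uses a "uri ldap://host[:port]/" line, as /etc/ldap.conf does.

# Print the value of the first "uri" line in the file (empty if none).
ldap_uri_from_conf() {
    awk '$1 == "uri" { print $2; exit }' "$1"
}

uri_scheme() { printf '%s\n' "$1" | sed 's,://.*,,'; }

# Host part: strip the scheme, the path and any :port.
uri_host() { printf '%s\n' "$1" | sed -e 's,^[a-z]*://,,' -e 's,/.*,,' -e 's,:.*,,'; }

# Explicit port if given, else 636 for ldaps and 389 otherwise.
uri_port() {
    p=$(printf '%s\n' "$1" | sed -e 's,^[a-z]*://,,' -e 's,/.*,,' | awk -F: 'NF == 2 { print $2 }')
    case "$(uri_scheme "$1")" in
        ldaps) printf '%s\n' "${p:-636}" ;;
        *)     printf '%s\n' "${p:-389}" ;;
    esac
}

# TCP reachability without telnet: OpenBSD-style nc if present, else bash's /dev/tcp.
check_tcp_port() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# Run the checks in the order the post suggests; return 0 only if everything passes.
diagnose_ldap_conf() {
    uri=$(ldap_uri_from_conf "$1")
    [ -n "$uri" ] || { echo "no uri line in $1"; return 1; }
    if [ "$(uri_scheme "$uri")" = "ldapi" ]; then
        echo "uri uses ldapi:// (local Unix socket); a remote server needs ldap:// or ldaps://"
        return 1
    fi
    host=$(uri_host "$uri"); port=$(uri_port "$uri")
    getent hosts "$host" >/dev/null 2>&1 || { echo "cannot resolve $host"; return 1; }
    check_tcp_port "$host" "$port" || { echo "$host:$port not reachable (firewall or service down)"; return 1; }
    echo "ok: $host:$port reachable"
}

# Usage: diagnose_ldap_conf /etc/ldap.conf
```

A "cannot resolve" result points at DNS or /etc/hosts on the client; a "not reachable" result points at the firewall or the directory service itself, which is where the post says the fix belongs.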

   Debugging "no such object"
   It means you are trying to access an object which does not exist. Verify the "basedn" and check whether there is any object with that base DN.

The login prompt accepts the user name and password but the user is not able to log in: the system does not present the LDAP user with a desktop. This happens because there is no home directory for the user. You have to create them on the NFS server and mount them on the workstation; creating NFS home directories for LDAP users is discussed in my other post. This problem will go away as soon as the NFS home directories are created for the LDAP users.

And finally, drop me a comment if you are stuck with something; I might be able to help you out.

14 comments:

  1. Hi, first thank you for that tutorial!
    I tried it out on my Ubuntu 12.04 LTS the first time and it works fine so far, but on my second server I can't get it to work ...

    The following error is shown in auth.log on login via ssh:

    sshd[985]: PAM unable to dlopen(pam_ldap.so): /lib/security/pam_ldap.so: cannot open shared object file: No such file or directory

    Do you know what I can do to fix this problem?

    Replies
    1. First check whether the module is present in that location or not. If it is present there then the problem is with the "LD_LIBRARY_PATH" variable; the directories where shared libraries are searched for are governed by this variable.
      Issuing
      export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:"/lib/security"
      before sshd starts will solve the problem. You can put this in /etc/init.d/sshd if you are using CentOS.

    2. I am getting many comments that people are trying the steps on Ubuntu 12.04, but I verified these steps on Ubuntu 11.10 only. If it works then I am happy.

  2. Thank you for this tutorial!
    It's exactly what I needed :-)

  3. Something to help 12.04 users. To add a 'manual' login option to the 12.04 login screen edit the file:

    /etc/lightdm/lightdm.conf

    and add this:

    greeter-show-manual-login=true

    A restart later and you'll have a username/password option.

  4. Thanks for the suggestion Colin, sure will edit the blog.

  5. Seems promising so far.... trying to log in for the first time.... but this part: iii) Comment out the line "rootbinddn" [ not sure why we need to do that ] is not clear to me.... where from? nsswitch.conf or maybe some other file?

  6. Yeah, wherever you find it; I don't remember correctly any more, this article was written long back. Sorry, that was a bad excuse ;-)

  7. Sir, I went through the article ... it is really wonderful. Could you please help me with the NFS mounting on the LDAP client in Edubuntu 11.10?

  8. Hi Pramod, can you post your problem and error message in the comments, so that it will help others as well?

  9. I am doing a similar setup for my daughter's elementary school - glad to know I am not the only one experiencing this nightmare!

    I have it working (sort of), one user can log in, but once I start trying to log in several at once on different clients, the whole thing bogs down as you mentioned above.

    Can you elaborate on this?

    check whether you have created a POSIX group on the ldap and associated the users with this group.

    I have not created a posix group, or associated users with it. Never heard of posix. Using PHPLDAPadmin to create users. How would I do this?

    Thank you!

    Replies
    1. Sorry for my unclear writing, not a good writer. What I meant by a POSIX group is:
      in LDAP (389 server) you have to create a group of "posix type". This option will be asked at the time of group creation. It's a must for the LDAP authentication to work.

  11. Never mind, I had already made three groups (administrators, teachers, and students); everyone is a member of one of those three...

    Still not working, 10+ minute logins, if at all.
