Pam krb5+ldap

= Kerberos, OpenLDAP/Active Directory & Linux client authentication =

Description
To authenticate a Linux desktop client against Windows directory services, several configuration files and services have to be in place: a PAM stack built on the pam_ldap and nss_ldap modules, network services such as NFS, and extensive settings in nsswitch.conf, the pam.d/* files, ldap.conf and so on.

For a systems administrator these factors create a steep learning curve and cost time, not only to configure everything but to keep it working afterwards. This many moving parts leads to errors that cost time and money.

What if you could install one Pluggable Authentication Module and modify one configuration file to start authenticating against an existing Windows directory service or OpenLDAP directory that already holds your users and groups?

Background
I work for a university. We have an existing Windows directory full of students, two hundred thousand plus accounts. To bring Linux into the desktop environment as an alternative to the Windows and OS X clients we needed a simple to maintain, simple to configure solution.

Kerberos authentication was needed. Active Directory / OpenLDAP support was needed. Minimal configuration and minimal extra network services were also needed.

We have been utilizing Linux on the desktop in our student labs, public access terminals and some staff machines for close to 5 years now without the need for the pam_ldap, nss_ldap, nsswitch.conf, ldap.conf or NFS configurations necessary for this type of Linux desktop integration.

Alternative Solution
Because a perfectly viable solution for Kerberos realm authentication already exists in pam_krb5, a small patch (feature) was added to it that queries the existing Windows / OpenLDAP directory dynamically, so that a user who has just obtained a TGT through pam_krb5 can be mapped to a UID/GID without pam_ldap or nss_ldap.

The pam_krb5+ldap project page: [|pam_krb5+ldap project page @ sourceforge.net]

A patch has also been submitted to the original developer as a feature request so that this functionality can be integrated into future pam_krb5 releases. Details can be found on bugzilla: [|patch to integrate ldap uid/gid mapping to pam_krb5]

Installation HOWTO
Simple, get the package. You can download the latest release at the following URL: [|pam_krb5+ldap download]

Next, extract the package contents:

    %> tar zxvf pam_krb5+ldap-version.tgz

Compile the package with the '--with-ldap' switch to enable the Windows Directory / OpenLDAP option (please note that the libpam, libldap and libkrb5 development libraries are required):

    %> ./configure --with-ldap

Now build and install the compiled shared objects:

    %> make && make install

The module may land in /var/lib/security/pam_krb5 rather than in the directory where your distribution keeps its PAM modules. Check where your existing pam_unix.so lives (/lib/security on the system used here, /lib64/security or /usr/lib/security on others) and copy the module there if needed:

    %> cp -dfrv /var/lib/security/pam_krb5/* /lib/security/

If you receive errors during the compile or make commands please file bug reports at the following URL: [|pam_krb5+ldap support]

Configuration
There are two areas to configure, one being the krb5.conf and the other being the pam.d/ file to ensure the Linux client uses the proper authentication method.

We will start with the krb5.conf file; an example follows. The following items need to be changed to match your environment:
 * default_realm (your Kerberos realm; the same realm name must be used in [realms] and [domain_realm], the example uses EXAMPLE.COM throughout)
 * kdc (Kerberos realm server address)
 * default_domain (your domain name)
 * schema (directory schema; the example uses ad for Active Directory)
 * ldapservs (list of LDAP / Active Directory server addresses separated by a space)
 * ldapport (connection port; the default is 389, which is cleartext LDAP, so the bind password below crosses the network unprotected. To use TLS/SSL (ldaps) specify 636)
 * binddn (DN pattern of the account used in the bind process)
 * basedn (location of the users searched for during lookups)
 * ldapuser (read-only account used for the bind)
 * ldappass (password of that bind user; krb5.conf is normally world-readable, so every local user can read it. Give the account search rights only, nothing more)
 * groups_list (comma separated list of local groups to add the user to)

    [libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 300

    [realms]
        EXAMPLE.COM = {
            kdc = KDC1.EXAMPLE.COM
            default_domain = EXAMPLE.COM
            admin_server = KDC1.EXAMPLE.COM
        }

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

    [domain_realm]
        .sub.example.com = EXAMPLE.COM

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 2
            try_first_pass = true
            ignore_root = true

            schema = ad
            ldapservs = ldap1.example.com ldap2.example.com
            ldapport = 389
            binddn = uid=username,ou=Users,dc=example,dc=com
            basedn = ou=remoteusers,dc=example,dc=com
            ldapuser = [readonly-username]
            ldappass = [readonly-password]
            passwd = /etc/passwd
            shadow = /etc/shadow
            groups = /etc/group

            groups_list = audio,cdrom,cdrw,usb,plugdev,video,games

            # If you define these they will
            # overwrite anything obtained from
            # ldap/active directory
            homedir = /home
            defshell = /bin/bash
        }
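The mistakes that actually cost time with this file are silent ones: a default_realm that has no matching [realms] block, a domain_realm mapping to a realm that is never defined, the [readonly-password] placeholder left in place, or a bind on cleartext 389 on a campus network. The following checker is an added example, not code from the pam_krb5+ldap project; it parses only the krb5.conf subset shown above and runs those checks on two constructed samples, one with the inconsistent realm names and placeholder values, one corrected. The account name svc-pamkrb5 and password in the corrected sample are made up.

```python
"""Sanity-check a krb5.conf written for pam_krb5+ldap.

Added example, not code from the pam_krb5+ldap project. Parses only the
krb5.conf subset used on this page ([section] headers, key = value lines,
key = { ... } subsections, # comments) and flags: a default_realm with no
[realms] entry, domain_realm mappings to an undefined realm, a placeholder
bind password, and an LDAP port that is not ldaps (636).
"""
import re

LDAPS_PORT = 636  # LDAP over TLS/SSL; plain (cleartext) LDAP listens on 389

# Constructed sample: the page's example with inconsistent realm names
# (default_realm EXAMPLE.EDU, but [realms] only defines UTAH.EDU).
PAGE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    clockskew = 300
[realms]
    UTAH.EDU = {
        kdc = KDC1.EXAMPLE.COM
        admin_server = KDC1.EXAMPLE.COM
    }
[domain_realm]
    .sub.example.com = EXAMPLE.COM
[appdefaults]
    pam = {
        schema = ad
        ldapservs = ldap1.example.com ldap2.example.com
        ldapport = 389
        binddn = uid=username,ou=Users,dc=example,dc=com
        basedn = ou=remoteusers,dc=example,dc=com
        ldapuser = [readonly-username]
        ldappass = [readonly-password]
        # overrides anything obtained from ldap/active directory
        homedir = /home
    }
"""

# Constructed corrected variant: one realm name throughout, ldaps, real
# (made-up) bind credentials instead of the placeholders.
FIXED_CONF = (PAGE_CONF.replace("EXAMPLE.EDU", "EXAMPLE.COM")
              .replace("UTAH.EDU", "EXAMPLE.COM")
              .replace("ldapport = 389", "ldapport = 636")
              .replace("[readonly-username]", "svc-pamkrb5")
              .replace("[readonly-password]", "correct-horse-battery"))


def parse_krb5(text):
    """Return {section: {key: value-or-subsection-dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if line == "}":                          # close a key = { ... } block
            stack.pop()
            continue
        # split on the first '=' only, so DNs like uid=x,ou=y survive intact
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def check_krb5(conf):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if realm is None:
        findings.append("libdefaults: default_realm is not set")
    elif realm not in realms:
        findings.append(f"realms: no [realms] entry for default_realm {realm}")
    elif "kdc" not in realms[realm]:
        findings.append(f"realms: {realm} names no kdc")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append(f"domain_realm: {domain} maps to undefined realm {mapped}")
    pam = conf.get("appdefaults", {}).get("pam", {})
    for key in ("ldapservs", "basedn", "ldapuser", "ldappass"):
        if key not in pam:
            findings.append(f"appdefaults/pam: {key} is missing")
    port = pam.get("ldapport", "389")
    if port != str(LDAPS_PORT):
        findings.append(f"appdefaults/pam: ldapport {port} is not ldaps ({LDAPS_PORT}); "
                        "unless the module negotiates STARTTLS, the ldapuser bind "
                        "password crosses the network in cleartext")
    if pam.get("ldappass", "").startswith("["):
        findings.append("appdefaults/pam: ldappass still holds the [readonly-password] placeholder")
    return findings


if __name__ == "__main__":
    for name, text in (("page example", PAGE_CONF), ("corrected", FIXED_CONF)):
        print(f"{name}: {check_krb5(parse_krb5(text)) or ['ok']}")
```

Run it against your real file with `check_krb5(parse_krb5(open("/etc/krb5.conf").read()))`; the parser understands only the constructs used on this page, so a krb5.conf that uses `include` or `includedir` directives needs those lines removed first.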

Now configure each service that should use this authentication method. To authenticate only users at the console, edit /etc/pam.d/system-login; to let SSH logins use it as well, also edit /etc/pam.d/sshd (the service name OpenSSH registers with PAM).

Below is an example of the /etc/pam.d/system-login configuration:

    auth            required        pam_env.so
    auth            sufficient      pam_krb5.so
    auth            sufficient      pam_unix.so try_first_pass likeauth nullok
    auth            required        pam_deny.so

    account         required        pam_unix.so

    password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
    password        sufficient      pam_krb5.so
    password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
    password        required        pam_deny.so

    session         required        pam_limits.so
    session         required        pam_env.so
    session         optional        pam_krb5.so
    session         required        pam_unix.so
    session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session         optional        pam_permit.so

Order matters in the auth stack: pam_krb5.so is consulted first, and pam_unix.so with try_first_pass reuses the same password for local accounts. Note also the nullok argument on the pam_unix.so auth line: it lets local accounts with an empty password log in, which is worth dropping on a public terminal.

Take note of the pam_mkhomedir.so module in the session stack: directory-only users have no local home directory until it creates one at first login, so it is required for this authentication type.
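Whether a pam.d file really has the properties described above (pam_krb5.so ahead of pam_unix.so, an explicit pam_deny.so terminator, pam_mkhomedir.so in the session stack, no nullok on the auth line) is easy to get wrong when the file is edited by hand. The following linter is an added example, not code from the pam_krb5+ldap project; it parses the "type control module [args]" line format and checks those properties on the page's stack and on a constructed hardened variant that drops nullok.

```python
"""Lint a pam.d stack for the pam_krb5+ldap setup described on this page.

Added example, not code from the pam_krb5+ldap project. Parses the
"type control module [args]" format of /etc/pam.d/* and checks that:
pam_krb5.so is consulted before pam_unix.so in the auth stack, the auth
stack ends with an explicit 'required pam_deny.so', pam_mkhomedir.so is
present in the session stack, and no pam_unix.so auth line carries nullok
(which accepts empty local passwords).
"""
from collections import namedtuple

Entry = namedtuple("Entry", "type control module args")

# Constructed sample: the /etc/pam.d/system-login stack shown on this page.
PAGE_STACK = """\
auth     required   pam_env.so
auth     sufficient pam_krb5.so
auth     sufficient pam_unix.so try_first_pass likeauth nullok
auth     required   pam_deny.so
account  required   pam_unix.so
password required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_krb5.so
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required   pam_deny.so
session  required   pam_limits.so
session  required   pam_env.so
session  optional   pam_krb5.so
session  required   pam_unix.so
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  optional   pam_permit.so
"""

# Constructed hardened variant: identical except that nullok is dropped.
HARDENED_STACK = PAGE_STACK.replace(" nullok", "")


def parse_pam(text):
    """Parse pam.d lines into Entry tuples, handling [bracketed] controls."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, *rest = line.split()
        if rest[0].startswith("["):            # e.g. [success=ok default=bad]
            end = next(i for i, tok in enumerate(rest) if tok.endswith("]"))
            control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        entries.append(Entry(kind, control, rest[0], rest[1:]))
    return entries


def check_pam(entries):
    """Return a list of findings; an empty list means the stack matches the setup."""
    findings = []
    auth = [e for e in entries if e.type == "auth"]
    modules = [e.module for e in auth]
    if "pam_krb5.so" not in modules:
        findings.append("auth: pam_krb5.so is not in the stack")
    elif "pam_unix.so" in modules and modules.index("pam_unix.so") < modules.index("pam_krb5.so"):
        # a 'sufficient' module that succeeds ends the stack on the spot
        findings.append("auth: pam_unix.so is consulted before pam_krb5.so, so a password "
                        "accepted by /etc/shadow ends the stack before the KDC is asked")
    if not auth or (auth[-1].control, auth[-1].module) != ("required", "pam_deny.so"):
        findings.append("auth: stack does not end with 'required pam_deny.so'")
    for e in auth:
        if e.module == "pam_unix.so" and "nullok" in e.args:
            findings.append("auth: pam_unix.so carries nullok; local accounts with an "
                            "empty password can log in")
    if "pam_mkhomedir.so" not in [e.module for e in entries if e.type == "session"]:
        findings.append("session: pam_mkhomedir.so is missing; directory users get no "
                        "home directory on first login")
    return findings


if __name__ == "__main__":
    for name, text in (("page stack", PAGE_STACK), ("hardened", HARDENED_STACK)):
        print(f"{name}: {check_pam(parse_pam(text)) or ['ok']}")
```

Point it at a real file with `check_pam(parse_pam(open("/etc/pam.d/system-login").read()))`. Lines that pull in another file (`include` or `substack`) are parsed as ordinary entries, so the included stack is not followed.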

Conclusion
That's it. Hopefully Linux on the desktop in educational and corporate environments will become a bit easier to integrate.

Help & Support
Problems and questions can be directed to the support forums. Thanks. [|pam_krb5+ldap support]