License

Copyright (C) 2008-2017 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto: OpenLDAP System authentication for Gentoo Linux

This is an example of how to authenticate your system accounts against LDAP via PAM or saslauthd. Users can change their passwords in LDAP with the usual passwd command.

If you want to use this solution you need to have finished the following howto(s):

Required software

The required software has to be installed with the following command(s):
emerge sys-auth/pam_ldap
emerge sys-auth/nss_ldap

Changes in /etc/conf.d/saslauthd

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 22

If saslauthd is used to authenticate some services, point it at a separate configuration file holding the LDAP settings and switch its mechanism from pam to ldap.


Before change
SASLAUTHD_OPTS="-a pam"
After change
SASLAUTHD_OPTS="-O /etc/saslauthd.conf -a ldap"

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 02.12.09
Issued by olli
Beginning line 32

Run the checkusers script hourly; its output is mailed to root (-E suppresses the mail when there is no output).

42 * * * *      root    /usr/local/sbin/checkusers.sh 2>&1 | mail -E -s "Checkusers-Script" root

Changes in /etc/ldap.conf.old

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 18

The LDAP base DN (the shipped default points at the PADL example domain)


Before change
base dc=padl,dc=com
After change
base dc=example,dc=com

Changed on 18.05.09
Issued by olli
Beginning line 137

pam_login_attribute uid:caseExactMatch: makes the login name match case-sensitively (uid uses caseIgnoreMatch by default; the extensible-match syntax selects the caseExactMatch rule instead). tls_reqcert allow is what makes a self-signed SSL/TLS server certificate work: the client continues even if it cannot verify the certificate. That also means it will talk to any server presenting any certificate, so the ldaps connection is encrypted but not authenticated. If you can, import the self-signed certificate (or the CA that signed it) with tls_cacertfile and keep tls_reqcert demand; allow should at most be a stopgap for a slapd on the same host.

pam_login_attribute uid:caseExactMatch:
tls_reqcert allow

Changes in /etc/nsswitch.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 4

The lookup order for passwd, shadow and group: local files first, then LDAP


Before change
passwd:      compat
shadow:      compat
group:       compat
After change
passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap

Changes in /etc/pam.d/system-auth

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 2

Authenticate with LDAP. pam_unix is tried first with the entered password; if it fails, pam_ldap gets the same password (use_first_pass). The final required pam_deny.so makes sure the stack ends in an explicit denial when neither module succeeds. The nullok option is carried over from the Gentoo default and lets an account with an empty password field log in; drop it if you do not need that.


Before change
auth            required        pam_unix.so try_first_pass likeauth nullok
After change
auth            sufficient   	pam_unix.so try_first_pass likeauth nullok
auth       	sufficient   	pam_ldap.so use_first_pass 
#auth            optional        pam_smbpass.so migrate use_first_pass
auth       	required     	pam_deny.so

Changed on 18.05.09
Issued by olli
Beginning line 13

Account checks against LDAP (added after the existing pam_unix account line)

account    	sufficient   	pam_ldap.so

Changed on 18.05.09
Issued by olli
Beginning line 25

Password changes go to LDAP as well. pam_unix handles local accounts; for an LDAP-only user it fails, and pam_ldap then writes the new password to the directory using the token already entered (use_authtok use_first_pass). This is what makes the passwd command work for LDAP users.


Before change
password        required      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
After change
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password   	sufficient 	pam_ldap.so use_authtok use_first_pass
password   	required     	pam_deny.so

Changed on 18.05.09
Issued by olli
Beginning line 37

Session handling with LDAP; optional, so a failure here does not block the login.

session		optional     	pam_ldap.so
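The following shell script is an added example and not part of the howto: it checks the settings from the /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth sections above against constructed sample files, flagging a PAM group that relies on sufficient lines without a required or requisite module to close it (the howto uses required pam_deny.so), a leftover nullok, a tls_reqcert value that accepts unverifiable certificates, and an nsswitch.conf that does not consult ldap for all three databases. Every check takes a file path, so the same functions can be run against the real files in /etc; the CA path in the strict sample is hypothetical.

```sh
#!/bin/sh
# Added example, not part of the howto: offline checks for the PAM, nss_ldap
# and ldap.conf settings of an LDAP client. The sample files are constructed
# below; each check takes a file path, so it can also be pointed at
# /etc/pam.d/system-auth, /etc/ldap.conf and /etc/nsswitch.conf.

# A PAM management group that relies on "sufficient" lines needs a
# "required" or "requisite" line as well (the howto closes auth and
# password with "required pam_deny.so"), so that "all modules failed"
# is an explicit denial. Only the plain control keywords are understood,
# not the [value=action] syntax.
pam_stack_closed() {   # usage: pam_stack_closed <pam file> <auth|account|password|session>
    awk -v grp="$2" '
        $1 == grp { n++; ctl[n] = $2 }
        END {
            suff = 0; hard = 0
            for (i = 1; i <= n; i++) {
                if (ctl[i] == "sufficient") suff = 1
                if (ctl[i] == "required" || ctl[i] == "requisite") hard = 1
            }
            exit (suff && !hard) ? 1 : 0
        }' "$1"
}

# nullok on pam_unix in the auth group lets an account with an empty
# password field log in without a password.
pam_no_nullok() {
    ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*nullok' "$1"
}

# tls_reqcert: "allow" (the howto's choice), "try" and "never" continue
# with an unverifiable server certificate; only demand/hard refuse it.
ldap_tls_reqcert() {
    awk 'tolower($1) == "tls_reqcert" { v = tolower($2) } END { print (v == "" ? "unset" : v) }' "$1"
}
ldap_tls_strict() {
    case "$(ldap_tls_reqcert "$1")" in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# nsswitch.conf: passwd, shadow and group must all list the ldap source,
# otherwise LDAP users resolve in one database but not in the others.
nss_has_ldap() {
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# Constructed sample files for the demonstration (not taken from a real host).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/system-auth.good" <<'EOF'
auth            sufficient      pam_unix.so try_first_pass likeauth
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so
account         required        pam_unix.so
account         sufficient      pam_ldap.so
password        sufficient      pam_unix.so try_first_pass use_authtok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        required        pam_deny.so
EOF
# No pam_deny at the end and nullok left in place.
cat > "$SAMPLES/system-auth.bad" <<'EOF'
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
EOF
printf 'base dc=example,dc=com\ntls_reqcert allow\n' > "$SAMPLES/ldap.conf.weak"
# /etc/ssl/certs/slapd-ca.crt is a hypothetical CA path.
printf 'base dc=example,dc=com\ntls_cacertfile /etc/ssl/certs/slapd-ca.crt\ntls_reqcert demand\n' > "$SAMPLES/ldap.conf.strict"
printf 'passwd:  compat ldap\nshadow:  compat ldap\ngroup:   compat ldap\n' > "$SAMPLES/nsswitch.conf.good"
printf 'passwd:  compat\nshadow:  compat ldap\ngroup:   compat ldap\n' > "$SAMPLES/nsswitch.conf.bad"

# Report on the samples when run directly.
for f in good bad; do
    pam_stack_closed "$SAMPLES/system-auth.$f" auth && echo "system-auth.$f: auth stack closed" || echo "system-auth.$f: auth stack relies on sufficient only"
    pam_no_nullok "$SAMPLES/system-auth.$f" && echo "system-auth.$f: no nullok" || echo "system-auth.$f: nullok present"
done
for f in weak strict; do
    echo "ldap.conf.$f: tls_reqcert $(ldap_tls_reqcert "$SAMPLES/ldap.conf.$f")"
done
nss_has_ldap "$SAMPLES/nsswitch.conf.bad" || echo "nsswitch.conf.bad: ldap missing from at least one database"
```

The PAM check deliberately accepts any required or requisite module as the closing element rather than insisting on pam_deny.so, because the howto's account group is closed by the pre-existing required pam_unix.so line; the auth and password groups would not be without the added pam_deny.so lines.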

Changes in /etc/saslauthd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 1

If saslauthd is used (see /etc/conf.d/saslauthd above), its LDAP access is configured here. ldap_servers points at ldaps://127.0.0.1:636, so the local slapd has to listen with TLS on that port. After restarting saslauthd, check the setup with testsaslauthd -u <user> -p <password>; it should answer with OK "Success."

ldap_servers: ldaps://127.0.0.1:636
ldap_search_base: ou=Users,ou=People,dc=example,dc=com
ldap_scope: one
ldap_uidattr: uid
ldap_filter: uid:caseExactMatch:=%U

Changes in /usr/local/sbin/checkusers.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 02.12.09
Issued by olli
Beginning line 2

This is a script I use to create a home directory and a mailbox when a new LDAP user has been created, and to warn VPN users about old passwords. Whether you can use it depends on your environment: it relies on the local cyr-* wrapper scripts, the gtc-crypt password store and the Horde databases.

#!/bin/bash
. /etc/profile

# Create a default Horde identity for $USER in the given Horde database
# (hordetest or horde4) if none exists yet. The MySQL root password comes
# from gtc-crypt and is handed over via MYSQL_PWD, so it neither shows up
# in the process list nor triggers the command-line password warning.
horde_identity()
{
 DB="$1"
 MYSQL_PWD=$(gtc-crypt -a mysqlroot -p)
 export MYSQL_PWD
 if echo "select * from horde_prefs where pref_uid='$USER' AND pref_scope='horde' AND pref_name='identities'" | mysql -u root "$DB" 2>&1 | grep identities >/dev/null
 then
  echo "Horde identity for $USER in $DB exists" >/dev/null
 else
  echo "Creating Horde identity for $USER in $DB"
  # PHP serialize() stores byte lengths, so count bytes (wc -c), not
  # characters: a name with umlauts would otherwise yield an unreadable pref.
  MAIL="$USER@example.com"
  MAILCOLS=$(printf '%s' "$MAIL" | wc -c)
  LNAMECOLS=$(printf '%s' "$LNAME" | wc -c)
  echo "INSERT INTO horde_prefs (pref_uid, pref_scope, pref_name, pref_value) VALUES ('$USER', 'horde', 'identities','a:1:{i:0;a:17:{s:16:\"default_identity\";i:0;s:9:\"from_addr\";s:$MAILCOLS:\"$MAIL\";s:8:\"fullname\";s:$LNAMECOLS:\"$LNAME\";s:2:\"id\";s:18:\"Standardidentität\";s:10:\"identities\";s:6:\"a:0:{}\";s:10:\"properties\";N;s:10:\"alias_addr\";a:0:{}s:10:\"tieto_addr\";a:0:{}s:8:\"bcc_addr\";a:0:{}s:8:\"location\";s:0:\"\";s:12:\"replyto_addr\";s:0:\"\";s:9:\"signature\";s:0:\"\";s:10:\"sig_dashes\";i:0;s:14:\"signature_html\";s:0:\"\";s:9:\"sig_first\";i:0;s:14:\"save_sent_mail\";i:1;s:16:\"sent_mail_folder\";s:4:\"Sent\";}}')" | mysql -u root "$DB"
 fi
 unset MYSQL_PWD
}

# Walk over every account NSS knows about (local files and LDAP) and only
# handle regular users (uid 1000 .. 64999).
for i in $(getent passwd | cut -d":" -f 3)
do
 if [ "$i" -gt 999 ] && [ "$i" -lt 65000 ]
 then
  # Get Infos (one lookup per uid instead of one per field)
  ENTRY=$(getent passwd "$i")
  USER=$(echo "$ENTRY" | cut -d":" -f 1)
  USERID=$(echo "$ENTRY" | cut -d":" -f 3)
  GROUP=$(echo "$ENTRY" | cut -d":" -f 4)
  LNAME=$(echo "$ENTRY" | cut -d":" -f 5)
  HOMEDIR=$(echo "$ENTRY" | cut -d":" -f 6)
  #echo "Checking User $USER"
  # Check for non existing HomeDir
  if ! [ -d "$HOMEDIR" ]
  then
   echo "Creating Homedir $HOMEDIR for $USER ($i)"
   mkdir -p "$HOMEDIR"
   chown "$USER:$GROUP" "$HOMEDIR"
   chmod 0700 "$HOMEDIR"
  fi
#  if ! [ -d "/srv/share/.Trash-$USERID" ]
#  then
#   echo "Creating Trashdir /srv/share/.Trash-$USERID for $USER ($i)"
#   mkdir -p "/srv/share/.Trash-$USERID"
#   chown "$USER:$GROUP" "/srv/share/.Trash-$USERID"
#   chmod 0700 "/srv/share/.Trash-$USERID"
#  fi
  # Check whether a mailbox exists
  if [ "$USER" != "admin" ]
  then
   if /usr/local/sbin/cyr-show-mailboxes | grep "^user\.$USER" >/dev/null
   then
    echo "Mailbox for User $USER OK" >/dev/null
   else
    echo "Creating Mailbox for $USER"
    /usr/local/sbin/cyr-create-mbox "user.$USER" 100
   fi
  fi
  # Check for Horde identities (test instance and production instance)
  horde_identity hordetest
  horde_identity horde4
  # Prepare synchronization
  #mksynccal.pl $USER hordetest
  #mksynccal.pl $USER horde4
  # Once a day (in the 01:xx run): warn VPN users whose password is older
  # than 3 months and replace it after 6 months. The age is taken from the
  # sambaPwdLastSet attribute in LDAP.
  if [ "$(date +%H)" -eq 1 ]
  then
   if id "$USER" | grep -q '(vpn)'
   then
    olddate=$(date -d "-3 month" +%s)
    lockdate=$(date -d "-6 month" +%s)
    ldappw=$(gtc-crypt -a ldap -p)
    pwdate=$(ldapsearch -LLL -w "$ldappw" -D cn=Manager,dc=example,dc=com "uid=$USER" sambaPwdLastSet | grep '^sambaPwdLastSet:' | cut -d" " -f2)
    ldappw=""
    if [ -n "$pwdate" ]
    then
     if [ "$lockdate" -gt "$pwdate" ]
     then
      echo "Password of $USER has not been changed for 6 months (last change: $(date -d "@$pwdate")), replaced by a random one" | mail -s "Password of $USER automatically changed (6 months)" admin
      pwgen=$(pwgen -cn 8 1)
      echo "$USER:$pwgen" | chpasswd
      echo "$pwgen" | gtc-crypt -a "pwgen-$USER" -b
     elif [ "$olddate" -gt "$pwdate" ]
     then
      echo "Password of $USER is too old: $(date -d "@$pwdate")" | mail -s "Password of $USER too old" admin
      echo "Hello,

your password has not been changed since $(date -d "@$pwdate"). To keep the risk for the operation of the server low, the password has to be changed regularly (at least every 3 months). This only applies to VPN users.

If no new password has been set after 6 months, the account will be locked as a precaution.

Please change the password in Horde -> https://horde.example.com via the top menu 'Others' -> 'My Account' -> 'Password'.

Once the password is changed, please remember that it also has to be updated everywhere it may have been stored (e.g. smartphone, Conversations, DAVDroid, ActiveSync, e-mail client, Thunderbird, Firefox, Fritz!Box, ...).

Thanks
 " | mail -s "Please change your password - last change $(date -d "@$pwdate")" "$USER"
     fi
    fi
   fi
  fi
 fi
done

chmod 700 /home/*
maillists.sh


Please send feedback to: doc<at>gabosh.net