Authenticate to Ubuntu using OpenLDAP

What is PAM?

PAM [1] (Pluggable Authentication Modules) separates authentication from the applications that need it. One database holding user login information, such as OpenLDAP, can then be used to grant access to different parts of a system: the system itself, SSH, a website or other applications. This is opposed to every application keeping its own logon information, and it is an excellent way to improve security.

System Settings

Network 192.168.56.0/24 – host-only adapter for the two VMs to communicate.

Bridged Adapter for internet access.

Ubuntu 18.04 VM 1.

Ubuntu 18.04 VM 2.

Diagram of the network. The OpenLDAP server authenticates LDAP users onto VM1. SSH LDAP authentication can also be performed from the Windows computer or the server into the client machine using LDAP users.

Part 1: Installing OpenLDAP and Populating the database

The setup below follows [2] and [4].

Server (VM2)

  • sudo apt-get update
  • sudo apt-get upgrade
  • sudo apt-get install slapd ldap-utils
  • Set the admin password when prompted.
  • sudo dpkg-reconfigure slapd
  • Omit OpenLDAP server configuration? – No
  • DNS domain name – example.com
  • Organization name – nodomain
  • Enter the administrator password
  • Database backend – MDB
  • Remove the database when slapd is purged? – No
  • Move old database? – Yes

This will have installed OpenLDAP with the base DN for the example.com domain, i.e.

‘dc=example,dc=com’

Create a file called add_content.ldif; example data is supplied in the appendices. This differs from the previous labs because the user will want a home directory and other luxuries when they log into the system. Each user needs a uidNumber and a gidNumber. These numbers must be unique per account: the system uses them to keep track of users and groups and of which folders and files they can access [3].

Example user John. Example LDIF data can be found at the bottom of the report.

Add the content to the database:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif

Assuming the LDIF file is correct, this adds the content to the database. If you later modify the LDIF file, the running system can be updated from it by adding the -c switch, which stops ldapadd from exiting when it finds a duplicate entry in the database and carries on with the rest of the file:
ldapadd -c -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif
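Because the LDIF in the appendix is hand-written, it pays to check it before running ldapadd, since ldapadd itself only reports the first error it meets and the server cannot tell you that two users share a uidNumber. The script below is an added example, not part of this report or of OpenLDAP: it scans an LDIF file for the mistakes that bite at login time (a dn listed twice, a uidNumber reused or missing, a missing gidNumber or homeDirectory, and a gidNumber with no matching posixGroup in the same file). The LDIF embedded in it is constructed for the demonstration and contains deliberate errors.

```shell
#!/bin/sh
# Constructed LDIF sample (not the report's appendix) with three deliberate
# errors: a reused uidNumber, a dn listed twice and a gidNumber with no group.
SAMPLE_LDIF='dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: john
uidNumber: 10000
gidNumber: 5000
homeDirectory: /home/john

dn: uid=fiona,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: fiona
uidNumber: 10000
gidNumber: 5000
homeDirectory: /home/fiona

dn: uid=fiona,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: fiona
uidNumber: 11100
gidNumber: 5110
homeDirectory: /home/fiona
'

# check_ldif FILE: print one line per problem found and return 1 if there
# were any; return 0 for a clean file. Use "-" to read standard input.
check_ldif() {
    problems=$(awk '
    # flush(): finish the entry collected so far and report what is wrong with it.
    function flush() {
        if (dn == "") return
        if (seen_dn[dn]++) printf "duplicate dn: %s\n", dn
        if (posix) {
            if (uidn == "") printf "missing uidNumber: %s\n", dn
            else if (uidn in seen_uid) printf "duplicate uidNumber %s: %s and %s\n", uidn, seen_uid[uidn], dn
            else seen_uid[uidn] = dn
            if (gidn == "") printf "missing gidNumber: %s\n", dn
            if (home == "") printf "missing homeDirectory: %s\n", dn
            n++; acct_dn[n] = dn; acct_gid[n] = gidn
        }
        if (group && gidn != "") groups[gidn] = dn
        dn = ""; posix = 0; group = 0; uidn = ""; gidn = ""; home = ""
    }
    /^dn: /                       { flush(); dn = substr($0, 5); next }
    /^objectClass: posixAccount$/ { posix = 1 }
    /^objectClass: posixGroup$/   { group = 1 }
    /^uidNumber: /                { uidn = $2 }
    /^gidNumber: /                { gidn = $2 }
    /^homeDirectory: /            { home = $2 }
    /^$/                          { flush() }
    END {
        flush()
        # Groups may be defined after the users, so resolve gidNumbers last.
        for (i = 1; i <= n; i++)
            if (acct_gid[i] != "" && !(acct_gid[i] in groups))
                printf "gidNumber %s has no posixGroup in this file: %s\n", acct_gid[i], acct_dn[i]
    }
    ' "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Stand-alone use: check the file named on the command line, else the sample.
if [ "$#" -gt 0 ]; then
    check_ldif "$1" || echo "fix the problems above before running ldapadd"
else
    printf '%s' "$SAMPLE_LDIF" | check_ldif - || echo "(the sample contains deliberate errors)"
fi
```

Run it as `sh check_ldif.sh add_content.ldif` before the ldapadd step. Against the appendix LDIF it flags the user entries whose gidNumber has no posixGroup in the file; such users still log in, but `id` shows a bare number instead of a group name and file permissions based on that group have nothing to refer to.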

Part 2: Enable Logging on OpenLDAP

This is useful for diagnosing LDAP authentication problems on the system.

sudo nano logging.ldif

Add the following to the file:

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

Apply it to the server:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

The Ubuntu server guide [2] recommends changing the rsyslog rate-limit settings so your system doesn’t get swamped with log messages. Edit /etc/rsyslog.conf and add the lines below.

# Disable rate limiting
# (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0

Then restart the logger: sudo systemctl restart syslog.service
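Once stats logging is on, every connection produces ACCEPT, BIND and RESULT lines that belong together through their conn= and op= numbers, so the log can answer "which accounts are failing to bind, and from where". The script below is an added example, not from the report or the Ubuntu guide: it reads slapd lines as rsyslog writes them and counts failed binds (RESULT err=49, LDAP invalidCredentials) per bind DN and client IP, which is the basic detection a defender wants out of these logs. The log lines embedded in it are constructed to look like slapd stats output; the hostname, PID, ports and addresses are made up.

```shell
#!/bin/sh
# Constructed slapd "stats" lines as rsyslog writes them to /var/log/syslog
# (hostname, PID, ports and addresses are invented for this example).
SAMPLE_SLAPD_LOG='Jun 21 10:01:02 vm2 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.168.56.101:51234 (IP=0.0.0.0:389)
Jun 21 10:01:02 vm2 slapd[1234]: conn=1001 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" method=128
Jun 21 10:01:02 vm2 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jun 21 10:01:02 vm2 slapd[1234]: conn=1001 op=1 UNBIND
Jun 21 10:01:05 vm2 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.168.56.101:51240 (IP=0.0.0.0:389)
Jun 21 10:01:05 vm2 slapd[1234]: conn=1002 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" method=128
Jun 21 10:01:05 vm2 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jun 21 10:01:09 vm2 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=192.168.56.101:51244 (IP=0.0.0.0:389)
Jun 21 10:01:09 vm2 slapd[1234]: conn=1003 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" method=128
Jun 21 10:01:09 vm2 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
Jun 21 10:01:09 vm2 slapd[1234]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=john)"
Jun 21 10:01:30 vm2 slapd[1234]: conn=1004 fd=15 ACCEPT from IP=192.168.56.50:40001 (IP=0.0.0.0:389)
Jun 21 10:01:30 vm2 slapd[1234]: conn=1004 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jun 21 10:01:30 vm2 slapd[1234]: conn=1004 op=0 RESULT tag=97 err=49 text=
'

# failed_binds FILE: print "<count> <bind dn> from <client ip>" for every
# bind that ended in err=49 (invalidCredentials), most frequent first.
# Use "-" to read standard input.
failed_binds() {
    awk '
    # grab(re): text after the "=" in the first match of re on this line, or "".
    function grab(re,   s) {
        if (!match($0, re)) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^=]*=/, "", s)
        gsub(/"/, "", s)
        return s
    }
    # ACCEPT gives the client address for a connection number.
    / ACCEPT from IP=/ { ip[grab("conn=[0-9]+")] = grab("from IP=[0-9.]+"); next }
    # BIND gives the DN for a (connection, operation) pair.
    / BIND dn=/ {
        d = grab("dn=\"[^\"]*\"")
        if (d == "") d = "(anonymous)"
        binddn[grab("conn=[0-9]+") "." grab("op=[0-9]+")] = d
        next
    }
    # RESULT tag=97 is the bind response; err=49 means the password was wrong.
    / RESULT tag=97 / && grab("err=[0-9]+") == "49" {
        c = grab("conn=[0-9]+")
        fails[binddn[c "." grab("op=[0-9]+")] " from " ip[c]]++
    }
    END { for (k in fails) printf "%d %s\n", fails[k], k }
    ' "$1" | sort -rn
}

# Stand-alone use: summarise the file given, otherwise the built-in sample.
if [ "$#" -gt 0 ]; then
    failed_binds "$1"
else
    printf '%s' "$SAMPLE_SLAPD_LOG" | failed_binds -
fi
```

On the server from Part 2 the same summary comes from `grep 'slapd\[' /var/log/syslog | sh failed_binds.sh -`. Binds that succeed (err=0) are deliberately not listed, so the output stays short enough to read after a day of logging; a DN that appears with a high count from an address that is not one of your clients is the line worth looking into.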

Part 3: Configure the Client to Authenticate Against LDAP

Client (VM1)

  • sudo apt install libnss-ldap
  • LDAP server URI: ldap://192.168.56.117/ (the IP of your server)
  • Choose the default options, changing the accounts to be in the correct domain.
  • The results can be seen in /etc/ldap.conf; other settings may be changed there too.
  • Configure NSS for LDAP: sudo auth-client-config -t nss -p lac_ldap. This command changes the way information from a source such as LDAP is used to log in to a system.
  • Configure the system to use PAM authentication: sudo pam-auth-update

Choose every option in the list (use the spacebar); selecting fewer seems to crash the system. This should make it possible to log into the system using LDAP accounts while still allowing the regular way to log in if needed. It will also create the user’s home directory on login.

Edit the file /etc/pam.d/common-session and add the second line so that home directories are created upon logon.
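Before trying a login it is worth confirming the two client files that Part 3 changes, because a wrong nsswitch.conf gives the same symptom as a wrong password. The script below is an added example, not part of the report: it checks that passwd, group and shadow in /etc/nsswitch.conf all consult ldap, and that /etc/pam.d/common-session loads pam_mkhomedir.so, which is what the "second line" above is assumed to be (the report does not print it). The file contents embedded here are constructed samples of what the Ubuntu 18.04 files look like after pam-auth-update, not copies from the report's VM.

```shell
#!/bin/sh
# Constructed samples of the two client files after Part 3 (not copied from the VM).
SAMPLE_NSSWITCH='passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap
gshadow:        files
hosts:          files dns
'
SAMPLE_COMMON_SESSION='# /etc/pam.d/common-session - session-related modules common to all services
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session optional      pam_umask.so
session required      pam_unix.so
session optional      pam_ldap.so
session optional      pam_mkhomedir.so skel=/etc/skel umask=0022
'

# nss_uses_ldap FILE: succeed only if passwd, group and shadow all list ldap;
# otherwise name each database that does not and fail.
nss_uses_ldap() {
    rc=0
    for db in passwd group shadow; do
        if ! grep -E "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$1" >/dev/null; then
            echo "nsswitch: $db does not list ldap"
            rc=1
        fi
    done
    return $rc
}

# has_mkhomedir FILE: succeed if an uncommented session line loads pam_mkhomedir.so.
has_mkhomedir() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1" >/dev/null
}

# client_ready NSSWITCH COMMON_SESSION: run both checks; 0 only if both pass.
client_ready() {
    ok=0
    nss_uses_ldap "$1" || ok=1
    has_mkhomedir "$2" || {
        echo "common-session: pam_mkhomedir.so missing, home directories will not be created"
        ok=1
    }
    return $ok
}

# On a live client (not exercised here): does NSS resolve the LDAP user at all?
ldap_user_resolves() { getent passwd "$1" >/dev/null; }

# Stand-alone use: check the real files if two paths are given, else the samples.
if [ "$#" -eq 2 ]; then
    client_ready "$1" "$2" && echo "client configuration looks complete"
else
    tmp_nss=$(mktemp); tmp_pam=$(mktemp)
    printf '%s' "$SAMPLE_NSSWITCH" > "$tmp_nss"
    printf '%s' "$SAMPLE_COMMON_SESSION" > "$tmp_pam"
    client_ready "$tmp_nss" "$tmp_pam" && echo "sample configuration looks complete"
    rm -f "$tmp_nss" "$tmp_pam"
fi
```

On the client run `sh client_check.sh /etc/nsswitch.conf /etc/pam.d/common-session` and then `getent passwd john`. If getent resolves the user but a graphical login still bounces back to the greeter, the systemd-logind restart from Problem 1 below is the relevant fix: on Ubuntu 18.04 a long-running daemon keeps the name-service configuration it read at start, so a logind started before nsswitch.conf was changed does not see the LDAP users until it is restarted.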

Problem 1

Authenticating via the GUI does not work at all. It authenticates the user, shows the background for a long time, then loads back up to the login screen. A possible solution was installing a different desktop environment; after installing xfce4 it still didn’t work, so the problem was not the desktop environment.

Authenticating via terminal and SSH does work. (sudo apt-get install ssh)

Access through SSH via PowerShell from the Windows machine connected by the host-only adapter does allow our LDAP users john and fiona to authenticate to the system. Access while logged in as Student and switching user to john works as well.

Solution for Problem 1

After reading many more tutorials such as [4] [5], all that was needed was found in [6]: sudo systemctl restart systemd-logind. This then allowed login via the GUI using LDAP accounts.

Fiona Smith LDAP logged in.

John Doe logged in via GUI.

So the problem was systemd, which is part of the core components of Linux. I thought that services got restarted on reboot, but obviously not all of them, from what this situation has taught me. This concludes this report on how to enable LDAP PAM user authentication for a client/server system using Ubuntu.

References

  • [1] “User Authentication HOWTO,” [Online]. Available: http://tldp.org/HOWTO/UserAuthentication-HOWTO/x115.html. [Accessed 21 6 2019].
  • [2] “OpenLDAP Server,” [Online]. Available: https://help.ubuntu.com/lts/serverguide/openldap-server.html. [Accessed 19 6 2019].
  • [3] [Online]. Available: https://geek-university.com/linux/uid-user-identifier-gid-groupidentifier/. [Accessed 19 6 2019].
  • [4] “Configure Linux clients to authenticate using OpenLDAP,” [Online]. Available: https://www.unixmen.com/configure-linux-clients-to-authenticate-using-openldap/. [Accessed 21 6 2019].
  • [5] “How to Setup OpenLDAP Server and Authenticate Client Workstation,” [Online]. Available: https://linoxide.com/linux-how-to/setup-openldap-server-authenticate-clientworkstation/. [Accessed 21 6 2019].
  • [6] “After an update, locking and logging in puts me back at login screen,” [Online]. Available: https://askubuntu.com/questions/747876/after-an-update-locking-andlogging-in-puts-me-back-at-login-screen/747877. [Accessed 21 6 2019].

Appendices

Example LDIF data

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

dn: uid=Magnus,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: magnus
sn: Smith
givenName: Magnus
cn: Magnus Smith
displayName: Magnus Smith
uidNumber: 11000
gidNumber: 5100
userPassword: Password1
gecos: Magnus Smith
loginShell: /bin/bash
homeDirectory: /home/Magnus

dn: uid=Fiona,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: fiona
sn: Smith
givenName: Fiona
cn: Fiona Smith
displayName: Fiona Smith
uidNumber: 11100
gidNumber: 5110
userPassword: Password1
gecos: Fiona Smith
loginShell: /bin/bash
homeDirectory: /home/Fiona

dn: uid=Freya,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: freya
sn: Taylor
givenName: Freya
cn: Freya Taylor
displayName: Freya Taylor
uidNumber: 11110
gidNumber: 5111
userPassword: Password1
gecos: Freya Taylor
loginShell: /bin/bash
homeDirectory: /home/Freya

dn: uid=Murphey,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: murphey
sn: Jones
givenName: Murphey
cn: Murphey Jones
displayName: Murphey Jones
uidNumber: 11111
gidNumber: 5221
userPassword: Password1
gecos: Murphey Jones
loginShell: /bin/bash
homeDirectory: /home/Murphey

Network Engineering Major Assignment
LDAP PAM Authentication
I give permission for this assignment to be shared.