Authenticating Users on Linux Operating Systems

This page is no longer maintained.  For questions regarding shell authentication, consider posting them to the UH App Dev list: <App Developers Forum>.

Overview

This page provides set-up information that should apply to the pam_ldap software from PADL Software that is usually included with their nss_ldap software. This is usually included with the nss_ldap package for Red Hat/Fedora and deriviates.

The set-up described here provides for:

  • authenticating users with their UH username and password
  • controlling access locally on the machine

The advantages of this are:

  • no administration of user passwords
  • no GUI required to be able to set up configuration
  • explicit access control

Set-up

As the root user:

  • DO NOT USE the Users and Groups GUI and the Authentication GUI from System -> Administration. CAUTION: You run the risk of not being able to log into you machine or someone else breaking in if you deviate from these instructions or use the system administration GUIs to do these set-up activities.
  • Rename /etc/ldap.conf to /etc/ldap.conf-orig.
  • Copy the sample ldap.conf below file to /etc/ldap.conf.
  • Secure the /etc/ldap.conf to protect the password of the special DN if you have been issued one for your specific purpose. Be sure to keep the password protected at all times. It is not to be shared with others. 
    # chown root:root /etc/ldap.conf
    # chmod 600 /etc/ldap.conf
            
  • Copy the sample system-auth file below to /etc/pamd.d/system-auth-ac. Retain a copy so that you can restore it if someone uses the Authentication System Administration GUI to enable LDAP or other things.


    NOTE: This assumes that system-auth is a symbolic link to system-auth-ac as it is for CentOS 5, Fedora Core 5 & 6, and Fedora 7. This isn't the case with CentOS 4 and Fedora 4, so you'll work directly with system-auth.


  • Add users from the command line using something like this:
    # adduser -g users -c 'Test User' -m testuser
            
    This will create the user and her home directory. It will set a non-guessable password for the user. This is OK because LDAP will be used to authenticate the user.

    This can be scripted with a file containing the username and full name. See the sample user-admin.sh below.


    NOTE: Users will need to change or reset their passwords with assistance from the Help Desk or by going to the Managing Your UH Username page at:
               https://www.hawaii.edu/username/ 


  • To remove a user from the command line use something like this:
    # userdel -r testuser
            
    This can be scripted with a file containing the username and full name. See the sample user-admin.sh below.

Problems

Ensure that you are not attempting to bind to LDAP anonymously.  New UH Data Governance policies now require registration.  In other words, you will need to request a Special DN.

To debug problems with the set-up, you'll need access to some log files.

Check /var/log/messages and /var/log/secure for pam and authentication related entries.

To increase the logging level in /var/log/messages, you can edit the /etc/syslog.conf file. Change info to debug:

# Don't log private authentication messages!
##*.info;mail.none;authpriv.none;cron.none              /var/log/messages
*.debug;mail.none;authpriv.none;cron.none               /var/log/messages

If you see error messages in /var/log/messages or /var/log/secure about "ldap_simple_bind Can't contact LDAP server", it may be due to not having the location of the CA certs file correct for the tls_cacertfile entry in /etc/ldap.conf. Check to see if you have the OpenSSL package installed and where the ca-bundle.crt is located.

You can also check that you can reach the LDAP server using the ping or traceroute command. Alternatively, you can use ldapsearch like so:

$ ldapsearch -b dc=hawaii,dc=edu -H ldaps://ldap.hawaii.edu -x uid=david

Sample files

  • /etc/ldap.conf
    # 08/15/07, russ@hawaii.edu; Configuration for CentOS 5 to use LDAP for
    #                            user authentication.
    #
    base ou=people,dc=hawaii,dc=edu
    uri ldaps://ldap.hawaii.edu
    #   Blank means anonymous LDAP binds are used to look up the UH
    #   username before authenticating the user.
    binddn 
    bindpw 
    scope sub
    pam_login_attribute uid
    #  Require an affiliation at a campus/org
    pam_filter uhOrgAffiliation=*
    pam_lookup_policy no
    pam_min_uid 100
    pam_max_uid 59999
    tls_checkpeer yes
    #   This file is usually part of the OpenSSL package.
    tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
    tls_ciphers TLSv1
            
  • /etc/pam.d/system-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth sufficient pam_ldap.so debug
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022
            
  • user-admin.sh - Add or delete users listed in a file.
    #!/bin/sh
    # user-admin.sh - Add or delete users listed in a file.
    #               - 08/16/07, russ@hawaii.edu
    #
    #
    #---------------------------------------------------------------------
    # Run as root or with root privileges.
    #
    # A file of users should contain a username, colon (:), and the user's
    # fulll name like so:
    #
    # test1:Test User 1
    # test2:Test User 2
    # test3:Test User 3
    #
    #---------------------------------------------------------------------
    #
    
    if [ $# -ne 2 ]; then
        echo "usage: $0 add file_of_users"
        echo "       $0 del file_of_users"
        exit 1
    fi
    
    CMD=$1
    LIST=$2
    
    if [ "$CMD" != "add" -a "$CMD" != "del" ]; then
        echo "Must be add or del; not $CMD"
        exit 1
    fi
    
    if [ ! -f $LIST ]; then
        echo "Can't find $LIST"
        exit 1
    fi
    
    MYPID=$$
    CMD_FILE=/tmp/cmds-${MYPID}.sh
    LOG=/tmp/user-admin-${MYPID}.log
    
    if [ "$CMD" == "add" ]; then
        awk -F: '{print "adduser -g users -c \"" $2 "\" -m " $1}' $LIST > $CMD_FILE
    elif [ "$CMD" == "del" ]; then
        awk -F: '{print "userdel -r " $1}' $LIST > $CMD_FILE
    fi
    
    # Execute the commands
    /bin/sh $CMD_FILE > $LOG 2>&1
    
    # Clean up
    /bin/rm $CMD_FILE
    
    echo
    echo "Done.  A log of what was done is in $LOG"
    echo
    
    # eof: user-admin.sh