Authenticating Users on Linux Operating Systems
This page is no longer maintained. For questions regarding shell authentication, consider posting them to the UH App Dev list: <App Developers Forum>.
Overview
This page provides set-up information for the pam_ldap module from PADL Software, which is normally packaged together with their nss_ldap software; on Red Hat/Fedora and derivatives both come in the nss_ldap package.
The set-up described here provides for:
- authenticating users with their UH username and password
- controlling access locally on the machine
The advantages of this are:
- no administration of user passwords
- no GUI required to be able to set up configuration
- explicit access control
Set-up
As the root user:
- DO NOT USE the Users and Groups GUI or the Authentication GUI from System -> Administration. CAUTION: You run the risk of not being able to log into your machine, or of someone else breaking in, if you deviate from these instructions or use the system administration GUIs for this set-up.
- Rename /etc/ldap.conf to /etc/ldap.conf-orig.
- Copy the sample ldap.conf file below to /etc/ldap.conf.
- Secure /etc/ldap.conf to protect the password of the special DN, if you have been issued one for your specific purpose. Keep the password protected at all times; it is not to be shared with others. The file must be owned by root and readable only by root:
# chown root:root /etc/ldap.conf
# chmod 600 /etc/ldap.conf
- Copy the sample system-auth file below to /etc/pam.d/system-auth-ac. Retain a copy so that you can restore it if someone uses the Authentication system administration GUI to enable LDAP or other things.
NOTE: This assumes that system-auth is a symbolic link to system-auth-ac as it is for CentOS 5, Fedora Core 5 & 6, and Fedora 7. This isn't the case with CentOS 4 and Fedora 4, so you'll work directly with system-auth.
- Add users from the command line using something like this:
# adduser -g users -c 'Test User' -m testuser
This will create the user and her home directory. The local password is left locked (on Red Hat-derived systems adduser is useradd, which writes "!!" to the password field in /etc/shadow), so the account cannot be used with a local password; that is fine because LDAP authenticates the user. This can be scripted with a file containing the username and full name. See the sample user-admin.sh below.
NOTE: Users will need to change or reset their passwords with assistance from the Help Desk or by going to the Managing Your UH Username page at:
https://www.hawaii.edu/username/
- To remove a user from the command line use something like this:
# userdel -r testuser
This can be scripted with the same file of usernames and full names. See the sample user-admin.sh below.
Problems
Ensure that you are not attempting to bind to LDAP anonymously. New UH Data Governance policies now require registration; in other words, you will need to request a Special DN and put it in the binddn and bindpw entries of /etc/ldap.conf.
To debug problems with the set-up, you'll need access to some log files.
Check /var/log/messages and /var/log/secure for pam and authentication related entries.
To increase the logging level in /var/log/messages, edit /etc/syslog.conf and change info to debug on the *.info line, then restart syslog (service syslog restart) so the change takes effect:
# Don't log private authentication messages!
##*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.debug;mail.none;authpriv.none;cron.none /var/log/messages
If you see error messages in /var/log/messages or /var/log/secure about "ldap_simple_bind Can't contact LDAP server", it may be because the tls_cacertfile entry in /etc/ldap.conf does not point at the CA certs file: with tls_checkpeer set to yes, pam_ldap refuses the connection when it cannot verify the server certificate. Check that the OpenSSL package is installed and where ca-bundle.crt is located (on CentOS 5 it is /etc/pki/tls/certs/ca-bundle.crt, as in the sample ldap.conf below).
You can also check that you can reach the LDAP server with the ping or traceroute command, or query it directly with ldapsearch like so (note that ldapsearch takes its TLS settings from /etc/openldap/ldap.conf, not from /etc/ldap.conf, so a working search proves the server is reachable but not that pam_ldap's tls_cacertfile is correct):
$ ldapsearch -b dc=hawaii,dc=edu -H ldaps://ldap.hawaii.edu -x uid=david
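The following script is an added example, not part of the original page, that checks the Set-up steps above and the failure modes described in this section on one machine: a world-readable or non-root-owned /etc/ldap.conf (which exposes bindpw), an empty binddn/bindpw (an anonymous bind), tls_checkpeer not set to yes or a tls_cacertfile that does not exist, and pam_unix.so listed before pam_ldap.so in the auth stack. It assumes GNU stat (Linux) and the file locations used on this page; the script name and the LDAP_CONF_OWNER override are this example's own.

```shell
#!/bin/sh
# check-ldap-auth.sh - sanity checks for the pam_ldap set-up on this page.
# Added example, not part of the original page. Assumes GNU stat and the
# paths used above: /etc/ldap.conf and /etc/pam.d/system-auth.
# Usage: check-ldap-auth.sh [ldap.conf] [system-auth]

# Print the value of KEY from an ldap.conf-style FILE (first uncommented
# match). Prints an empty line if the key is present with no value.
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# The file holds bindpw, so it must be readable by root only (chmod 600).
check_mode() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "600" ]
}

# ... and owned by root. LDAP_CONF_OWNER (assumed name, this example's own)
# overrides the expected owner so the check can be exercised on a scratch copy.
check_owner() {
    [ "$(stat -c %U "$1" 2>/dev/null)" = "${LDAP_CONF_OWNER:-root}" ]
}

# Anonymous binds are no longer accepted: both binddn and bindpw must be set.
check_bind() {
    [ -n "$(conf_value "$1" binddn)" ] && [ -n "$(conf_value "$1" bindpw)" ]
}

# Peer verification must be on and the CA bundle it names must exist;
# otherwise pam_ldap reports "Can't contact LDAP server".
check_tls() {
    [ "$(conf_value "$1" tls_checkpeer)" = "yes" ] || return 1
    ca=$(conf_value "$1" tls_cacertfile)
    [ -n "$ca" ] && [ -r "$ca" ]
}

# In the auth stack pam_ldap.so must come before pam_unix.so: both are
# "sufficient", so the first module to succeed decides the result.
check_pam_order() {
    awk '$1 == "auth" && $3 ~ /pam_ldap\.so/ { l = NR }
         $1 == "auth" && $3 ~ /pam_unix\.so/ { u = NR }
         END { exit !(l && u && l < u) }' "$1"
}

# Run every check, print one line per result, return non-zero if any failed.
run_checks() {
    conf=${1:-/etc/ldap.conf}
    pam=${2:-/etc/pam.d/system-auth}
    rc=0
    ok()   { echo "ok    $1"; }
    fail() { echo "FAIL  $1"; rc=1; }
    check_mode "$conf"    && ok "$conf is mode 600" \
                          || fail "$conf must be chmod 600 (protects bindpw)"
    check_owner "$conf"   && ok "$conf is owned by ${LDAP_CONF_OWNER:-root}" \
                          || fail "$conf must be chown root:root"
    check_bind "$conf"    && ok "binddn and bindpw are set" \
                          || fail "binddn/bindpw empty: anonymous bind, request a Special DN"
    check_tls "$conf"     && ok "tls_checkpeer yes and tls_cacertfile is readable" \
                          || fail "tls_checkpeer must be yes and tls_cacertfile must exist"
    check_pam_order "$pam" && ok "pam_ldap.so precedes pam_unix.so in $pam" \
                          || fail "$pam must list auth pam_ldap.so before pam_unix.so"
    return $rc
}

# Run the checks only when invoked under this script's own name, so the
# functions can also be sourced from another script.
case "$0" in
    *check-ldap-auth*) run_checks "$@"; exit $? ;;
esac
```

Run it as root once the sample files are in place; with no arguments it inspects /etc/ldap.conf and /etc/pam.d/system-auth and exits non-zero if any check fails.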
Sample files
- /etc/ldap.conf
# 08/15/07, russ@hawaii.edu; Configuration for CentOS 5 to use LDAP for
# user authentication.
#
base ou=people,dc=hawaii,dc=edu
uri ldaps://ldap.hawaii.edu
# Blank means anonymous LDAP binds are used to look up the UH
# username before authenticating the user. Anonymous binds are no
# longer permitted (see Problems above): put the Special DN you were
# issued here and keep this file mode 600.
binddn
bindpw
scope sub
pam_login_attribute uid
# Require an affiliation at a campus/org
pam_filter uhOrgAffiliation=*
pam_lookup_policy no
pam_min_uid 100
pam_max_uid 59999
tls_checkpeer yes
# This file is usually part of the OpenSSL package.
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
tls_ciphers TLSv1
- /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_ldap.so debug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022
- user-admin.sh - Add or delete users listed in a file.
#!/bin/sh
# user-admin.sh - Add or delete users listed in a file.
# - 08/16/07, russ@hawaii.edu
#
#---------------------------------------------------------------------
# Run as root or with root privileges.
#
# A file of users should contain a username, colon (:), and the user's
# full name like so:
#
# test1:Test User 1
# test2:Test User 2
# test3:Test User 3
#
# The file is read line by line and adduser/userdel are called directly,
# so a full name containing a quote or other shell metacharacters is
# passed through as a single argument instead of being written into a
# command file and executed as shell by root.
#---------------------------------------------------------------------
#
if [ $# -ne 2 ]; then
  echo "usage: $0 add file_of_users"
  echo "       $0 del file_of_users"
  exit 1
fi
CMD=$1
LIST=$2
if [ "$CMD" != "add" ] && [ "$CMD" != "del" ]; then
  echo "Must be add or del; not $CMD"
  exit 1
fi
if [ ! -f "$LIST" ]; then
  echo "Can't find $LIST"
  exit 1
fi
# mktemp gives the log an unpredictable name, so nobody can pre-create a
# /tmp/user-admin-PID.log (or a symlink there) for root to write into.
LOG=$(mktemp /tmp/user-admin.XXXXXX) || exit 1

while IFS=: read -r USERNAME FULLNAME; do
  # Skip blank lines and comments.
  case "$USERNAME" in ''|'#'*) continue ;; esac
  # Reject usernames with characters useradd will not accept, or a
  # leading '-' that would be parsed as an option.
  case "$USERNAME" in
    *[!A-Za-z0-9._-]*|-*) echo "Skipping bad username: $USERNAME"; continue ;;
  esac
  if [ "$CMD" = "add" ]; then
    adduser -g users -c "$FULLNAME" -m "$USERNAME"
  else
    userdel -r "$USERNAME"
  fi
done < "$LIST" > "$LOG" 2>&1

echo
echo "Done. A log of what was done is in $LOG"
echo
# eof: user-admin.sh