Set up LDAP authentication between Ubuntu 10.04 and OpenDJ 2.4.1

(Updated to remove the changes to the default password storage scheme in OpenDJ.)

The following guide describes how to quickly set up a test environment for authenticating Ubuntu client LDAP logins to a directory server. This is an insecure setup, intended only for learning more about LDAP authentication.

I am using VirtualBox to virtualise my test Ubuntu 10.04 client, although you may of course use a physical machine. The LDAP server is Forgerock’s OpenDJ v2.4.1, running on OpenIndiana oi_147 x86. OpenDJ is chosen for its brilliantly easy-to-use Java-based installation and management utilities, coupled with the fact it’s developed by ex-Sun Microsystems talent, and, perhaps best of all, Oracle has nothing to do with it.

This guide assumes prior basic familiarity with installing OpenDJ, and installing VirtualBox guest VMs. Let’s get started.

 

Install and configure OpenDJ 2.4.1 on the host system

Download OpenDJ 2.4.1 from http://forgerock.com/downloads-opendj.html, and install it via the Java quick start utility. Simply use the default settings as follows:

OpenDJ installation

OpenDJ installation

OpenDJ installation

OpenDJ installation

OpenDJ installation

OpenDJ installation

 

Next, let’s run the OpenDJ control-panel GUI utility and create a test People OU under our base DN:

OpenDJ - create a People OU

Add a test user account to the People OU: fill out the First Name, Last Name, Common Name, User ID, and User Password fields, then save changes:

OpenDJ - add a user account

Now, edit the test account’s Object Class, and add the posixAccount auxiliary object class to it. Fill out the gidNumber, homeDirectory and uidNumber fields as follows:

OpenDJ - add the posixAccount object class

OpenDJ - add the posixAccount object class

OpenDJ is now configured. Let’s set up our Ubuntu client.

 

Install and configure a fresh Ubuntu 10.04 x86 virtual machine

Create a new Ubuntu 10.04 x86 VM. The default NAT networking mode for the VM works fine. For the administrative account created during OS installation, pick a username that won’t exist in OpenDJ (e.g. “pcadmin” or something).

Once Ubuntu has been installed, run a full software update. Following this, install the VirtualBox guest additions, then restart the VM.

 

Install libnss-ldap and dependencies

Log in with the administrative account created during installation, then use Synaptic Package Manager to install the libnss-ldap package. The packages dependent on libnss-ldap will be also downloaded and installed automatically:

Ubuntu10.04 - install libnss-ldap

During installation of the packages, you will be prompted for the location of your LDAP server: point at IP address of the host system using the ldap:// format. Other settings may be left at defaults as illustrated in the following, but be sure to change the search base to dc=example,dc=com, and the LDAP root account to cn=Directory Manager:

Ubuntu - configure libnss-ldap

Ubuntu - configure libnss-ldap

Ubuntu - configure libnss-ldap

 

Manually edit the PAM LDAP configuration file

After installation of libnss-ldap and its dependencies, manually edit /etc/ldap.conf and comment out this line:

pam_password md5

If you are using a non-default port for LDAP connectivity (e.g. port 1389), then append this as part of the LDAP server address entry in /etc/ldap.conf. Look for the uncommented uri entry with the address of your LDAP server, then append the port number to it. In my case, this looks like:

# Another way to specify your LDAP server is to provide an
uri ldap://192.168.51.2:1389

I encountered authentication problems when attempting to set an alternate port number at the following section in /etc/ldap.conf, so leave this as-is (i.e. commented out):

# The port.
# Optional: default is 389.
#port 389

 

Edit PAM service configuration files

Change directory to /etc/pam.d, and edit the files common-account, common-auth, common-password and common-session, commenting out or removing the existing entries and replacing them with the following entries respectively:

In common-account:

account     sufficient    pam_ldap.so
account     required      pam_unix.so

In common-auth:

auth        sufficient    pam_ldap.so
auth        required      pam_unix.so nullok_secure use_first_pass

In common-password:

password    sufficient    pam_ldap.so nullok
password    required      pam_unix.so nullok obscure min=4 max=8 md5

In common-session:

session     required	  pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_unix.so
session     optional      pam_ldap.so

 

Manually edit the name service switch file

Next, change the passwd, group, and shadow entries in /etc/nsswitch.conf from this:

passwd:         compat
group:          compat
shadow:         compat

to this:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

Finally, reboot the VM. Ubuntu is now configured.

 

Test LDAP logins to the Ubuntu VM

After rebooting Ubuntu, you should now be able to log in using the test LDAP account you created. A home directory and GNOME environment will be created automatically on login.

About these ads

22 thoughts on “Set up LDAP authentication between Ubuntu 10.04 and OpenDJ 2.4.1

  1. Pingback: Notes on LDAP auth on Ubuntu by Dave Koelmeyer | Margin Notes 2.0

  2. Pingback: Ubuntu 10.04 LDAP naming service with OpenDJ « Ludo's Sketches

  3. Pingback: Ubuntu 10.04 LDAP naming service with OpenDJ » OpenDJ

  4. Joachim Andres

    Hi Dave,

    How did you estimate the additional directory load using pam_ldap ? Curious if you have any figures from running this is a production environment.
    I did a little profiling on the same configuration. A sequence of ssh, edit file, chown file, exit results in 12 binds and 32 exact searches. Extrapolation is obviously tricky.

    Cheers,
    Joachim

    Reply
  5. Matt

    Joachim,

    Is nscd running?

    The connections should stay bound. However there are always a number of searches as nscd caching isn’t perfect. We run (Old) boxes with ~900 SSL connections each and they run <10% CPU. Just have a look and make sure to index where needed (uidNumber/gidNumber/unixUser).

    Reply
  6. Pingback: Sudo with OpenDJ | Margin Notes 2.0

  7. Pingback: Thunderbird 3.1 on Ubuntu 10.04 segfaults on launch with LDAP users « Dave Koelmeyer

  8. ShakataGaNai

    2 questions for you, if you get a chance.

    #1 – Why use the directory admin user? Does this process need uber permissions or can you create some proxy for it?

    #2 – Why change the permission scheme to MD5? Does something require that specifically?

    Otherwise thanks! Super informative. I’m gonna try this with 11.04 here shortly (I hope).

    Reply
    1. davekoelmeyer Post author

      On question number #1, this is simply a quick and dirty how-to, and I wouldn’t recommend any of this in a production environment, especially using the default root account to bind.

      Reply
  9. Pingback: Secure LDAP authentication between OpenDJ and Ubuntu « Dave Koelmeyer

  10. shubham895

    hi dave,

    I have an issue that even when ldap password expires my user is able to login in his ubuntu machine because his password is picked from the cache , so the user does not change his password even after the password has expired, so is there a way i can force my user to change his password after expiration…thanks

    Reply
  11. shubham895

    hi dave ,

    thanks for your reply, I am using opendj version 2.4.3 on centos 5.6(64 bit) and my client is ubuntu 11.04(32 bit) . On my client side I have done the same steps as you have defined in this document and on the server side I have implemedted the following password policies.
    allow-expired-password-changes -true
    allow-user-password-changes -true
    max-password-age – 12w 6d
    grace- login-count – 4
    password-expiration-warning-interval – 5d

    My main concern is that when the user password expires he should be prompted to change his password as in the case of active directory, and he should not be able to login once his password has expired without changing his password .

    In the current scenario even when the ldap rejects the authentication due to password expiration , the configuration of pam.d files and nssswitch.conf allows the password to be picked from the ubuntu cache. so can we make any changes in these files so user is forced to change his password once the password has expired.

    I am using the following packages on client side nss-updatedb for caching name service directories locally (passwd and group) , libnss-db to enable NSS to read cached name services (passwd and group) . I am using these services so my user can login even when he is offline but I dont want him to login once his password has expired.

    thanks once again.

    Reply
  12. Pingback: PAM, LDAPS, and Policykit weirdness in Ubuntu 10.04 x86 « Dave Koelmeyer

  13. Pingback: LDAP secondary group memberships with OpenDJ and Ubuntu 12.04 « Dave Koelmeyer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s