
OpenLDAP & PAM Auth

Scarpozzi

Lifer
I'm wanting to set up LDAP authentication using PAM & OpenLDAP. I configured a server to run OpenLDAP and have it working with my LDAP browser (SSL on 636). I made a few accounts and want to use them to authenticate some Linux accounts local to about 10 servers.

We have a password policy that requires 10 accounts across about 15 systems (and growing) to be changed once a month. I'm trying to come up with a way to make this password change as streamlined as possible, with less chance of me making a typo somewhere and locking accounts (including root). If I can configure LDAP auth, I'm at least centralizing any problems for the common user accounts, as long as the client auth works and the LDAP server/servers are up.

Does anyone have any direct configuration documentation on how to do this easily? I've been reading up and haven't found a good guide yet. I'm running RHEL (LDAP PAM clients) & CentOS (OpenLDAP server).

If you have good/bad experiences with this kind of configuration, send me stories too. I'm a little reluctant to use this full time unless I can use LDAP to update the local accounts dynamically without server restarts, and know that the users can still access the local server accounts when LDAP is unavailable.

Thanks-
 
What are you asking? How to enforce monthly password changes with shadowAccount, or how to configure your clients to use pam-ldap?
 
Configure ldap to use startTLS on port 389, then use authconfig or authconfig-tui to configure your clients, that uses PAM.
 
Also, check out phpldapadmin, a nice little GUI front end. Messing with ldif files gets old quick.

If no one answers your question by tomorrow I'll find some of the documents I used when I set this up at work a couple of months ago. BTW, using ldaps on port 636 is deprecated, that's why I mentioned ldap with startTLS.
 
Yeah... I get what you're saying about the SSL/TLS thing. I was just mentioning that I have 636 open and can connect to the LDAP server for testing. I'm used to X.500 design, so I like to see things graphically 😛. TLS is the only option I see when looking at the GUI interface to LDAP authentication on the Linux servers... I just need to know what files the GUI is supposed to be altering for authconfig and reverse engineer the whole pam-ldap configuration.

Vadatajs, what I'm asking is where I can find some good, recent pam-ldap documentation. I can find a bunch of it from 5+ years ago, and I'm hitting snags because many of the files and versions referenced are no longer valid. I've not had time to look at it much since I wrote the initial post, but I'll probably get a few hours to play around this weekend.
 
The pam-ldap stuff is pretty much just /etc/ldap.conf. Other than setting the URI and your TLS settings, there isn't much else to do. The man page and example in the pam_ldap package are pretty straightforward. Not a whole lot has changed in the past 5 years.

In addition, you'll need to configure PAM to use the LDAP library for login. You can either set it up using system-config-authentication, or take a look at the client setup here. The parts you really care about are the Pam_ldap and Nss_ldap sections. Just add the pam_ldap.so lines to your existing file.
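As an added example (not from this thread or from the pam_ldap/nss_ldap projects), here is what the client side described above looks like on a RHEL-era pam_ldap/nss_ldap client; the server name ldap.example.com, the CA file path and the base DN dc=example,dc=com are placeholders. The PAM stack keeps pam_unix first and makes pam_ldap only "sufficient", so local accounts, root included, still log in when the LDAP server is unreachable, which was the concern in the opening post.

```conf
# /etc/ldap.conf  (pam_ldap and nss_ldap client settings)
# Server name, CA path and base DN below are placeholders.
uri ldap://ldap.example.com/
base dc=example,dc=com
# Upgrade the plain port-389 connection to TLS, as the reply recommends,
# and refuse servers whose certificate does not chain to our CA.
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.crt
tls_checkpeer yes
# Fail fast rather than hang logins when the LDAP server is unreachable.
bind_policy soft
bind_timelimit 5
timelimit 10
# Let the server hash new passwords via the password-modify extended op.
pam_password exop

# /etc/nsswitch.conf  (local files are consulted before LDAP)
passwd: files ldap
shadow: files ldap
group:  files ldap

# /etc/pam.d/system-auth  (auth, account and password stacks; session stack unchanged)
# pam_unix runs first and pam_ldap is only "sufficient", so local accounts,
# root included, still log in when LDAP is down. pam_succeed_if stops
# system-account (uid < 500) passwords from ever being sent to LDAP.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# Password changes go to /etc/shadow for local users and to LDAP for LDAP users.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
```

Before relying on it, test a login with the LDAP server stopped to confirm that local accounts still authenticate and that the delay is bounded by bind_timelimit rather than hanging.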
 