Using LDAP & PAM for SSO Authentication



This document provides a practical guide to authentication using PAM and OpenLDAP on RedHat Linux. Configuration examples are taken from working systems where possible. A set of useful links is included for users seeking more detailed information.
Related Links:
* Introduction to LDAP Part One
* Introduction to LDAP Part Two
* Introduction to LDAP Part Three
* Apache LDAP Authentication
* LDAP Directory Recipe
* Authentication using LDAP Part One
* Authentication using LDAP Part Two
* How to use pam_ldap and pam_nss
* LDAP Authentication for Netware 4.11
* LDAP Client/Browser Configuration

Some of these documents are cached as insurance against broken links (PITA). Please visit the source for the latest versions - all copyright and kudos resides with the original authors. Any complaints, mailto:webmaster at saas.nsw.edu.au

Browser based LDAP password changer

This is one solution to allow users to change their own LDAP passwords using a simple web interface. This information is also useful for those looking for solutions to synchronise Unix and LDAP password databases (including shadow) and for LDAP integration for authentication with third party software such as the Postfix email server and the Apache web server.

The user interface is a simple web form front-end using PopPass - a CGI script in Perl initially designed to allow users to change their POP password via a web browser.

PopPass requires poppassd version 1.2 to actually make the password change. It can run as an unprivileged user on any web server (not necessarily the server where the password file exists). Access can be controlled via a uid filter, TCP wrappers, xinetd and its configuration options, in addition to the standard LDAP ACL restrictions.

Here is an example of a minimal OpenLDAP password protection ACL:

#
# /etc/openldap/slapd.conf
#
#--snip--
# Allow users to change own password
# - Manager can change any password
# - Any users who have valid username+password may login
# 
access to dn=".*,dc=example,dc=com"
    attr=userPassword
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by * auth

#--snip--
# =EOF=
This ACL is only designed to provide minimal protection for the LDAP userPassword attribute. Additional ACLs would be required to provide access security for production servers (see OpenLDAP documentation).
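To make the first-match semantics of that ACL concrete, here is a small Python model (an added example; it is not part of the original page and is not OpenLDAP code) that evaluates the three `by` clauses above for a handful of constructed requests. It assumes slapd's documented ordering of access levels (none < auth < compare < search < read < write), that slapd applies the first `by` clause whose `who` matches, and that the `to dn=".*,dc=example,dc=com"` pattern is the regular expression it is written as. The DNs for alice and bob are made up for the walkthrough.

```python
import re
from typing import List, Optional, Tuple

# Access levels in slapd's order; a granted level implies every level to its left.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The 'to' clause of the ACL above: the target entry's DN must match this regex.
ACL_TARGET = re.compile(r".*,dc=example,dc=com")

# The three 'by' clauses above, in the order slapd evaluates them.
# "self" means the bound DN is the entry being accessed; "*" matches everyone, anonymous included.
USERPASSWORD_ACL: List[Tuple[str, str]] = [
    ("self", "write"),
    ("cn=Manager,dc=example,dc=com", "write"),
    ("*", "auth"),
]

# Constructed DNs for the scenarios (not taken from the page).
ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=example,dc=com"
MANAGER = "cn=Manager,dc=example,dc=com"


def granted_level(acl: List[Tuple[str, str]], bound_dn: Optional[str], target_dn: str) -> str:
    """Return the level the first matching 'by' clause grants; bound_dn None means anonymous."""
    for who, level in acl:
        if who == "*":
            return level
        if who == "self" and bound_dn is not None and bound_dn == target_dn:
            return level
        if who == bound_dn:
            return level
    return "none"  # no clause matched: slapd denies


def is_allowed(acl: List[Tuple[str, str]], bound_dn: Optional[str], target_dn: str, needed: str) -> bool:
    """True when the granted level is at least what the operation needs
    (a simple bind needs 'auth', modifying needs 'write', reading the hash needs 'read')."""
    if not ACL_TARGET.fullmatch(target_dn):
        raise ValueError("entry is outside this ACL's 'to' clause; later ACLs or the default decide")
    return LEVELS.index(granted_level(acl, bound_dn, target_dn)) >= LEVELS.index(needed)


def walkthrough() -> dict:
    """The requests a self-service password change deployment cares about, with outcomes."""
    return {
        "anonymous binds as alice (auth)": is_allowed(USERPASSWORD_ACL, None, ALICE, "auth"),
        "alice changes her own password (write)": is_allowed(USERPASSWORD_ACL, ALICE, ALICE, "write"),
        "alice changes bob's password (write)": is_allowed(USERPASSWORD_ACL, ALICE, BOB, "write"),
        "alice reads bob's hash (read)": is_allowed(USERPASSWORD_ACL, ALICE, BOB, "read"),
        "anonymous reads alice's hash (read)": is_allowed(USERPASSWORD_ACL, None, ALICE, "read"),
        "Manager resets bob's password (write)": is_allowed(USERPASSWORD_ACL, MANAGER, BOB, "write"),
    }


if __name__ == "__main__":
    for request, ok in walkthrough().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {request}")
```

The point the model makes is that `by * auth` lets anyone attempt a bind against a userPassword value without being able to read it, while only the entry's owner and the Manager DN can replace it; anything the `to` clause does not cover falls through to whatever ACLs follow, which is why the page says more ACLs are needed for production.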

Passwords can be stored in native OpenLDAP formats (including {MD5} and {CRYPT}).
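What those stored forms look like, as an added Python example (not code from the page, PopPass or OpenLDAP): it builds and verifies userPassword values in the {MD5}, {SHA}, {SSHA} and {CRYPT} schemes slapd understands. It assumes the RFC 2307 layout `{SCHEME}` followed by base64 of the digest, with the salt appended to the SHA-1 digest for {SSHA}, and uses Python's `crypt` module (deprecated in 3.11, removed in 3.13) for {CRYPT}. {MD5} and {SHA} are unsalted, so two users with the same password get identical values and precomputed tables apply; {SSHA}, or {CRYPT} with a salt, avoids that.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {CRYPT} delegates to the platform crypt(3); Python's wrapper is optional here.
try:
    import crypt
except ImportError:
    crypt = None


def encode_userpassword(plaintext: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Build a userPassword value as slapd stores it: '{SCHEME}' + base64(digest [+ salt])."""
    pw = plaintext.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "MD5":                       # unsalted: same password -> same value
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode("ascii")
    if scheme == "SHA":                       # unsalted SHA-1
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":                      # salted SHA-1: salt is appended to the 20-byte digest
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    if scheme == "CRYPT":                     # whatever crypt(3) produces on this host
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        return "{CRYPT}" + crypt.crypt(plaintext, crypt.mksalt())
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify_userpassword(plaintext: str, stored: str) -> bool:
    """Check a candidate password against a stored value; comparisons are constant-time."""
    if not stored.startswith("{") or "}" not in stored:
        return False                          # cleartext or unknown layout: refuse rather than guess
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    pw = plaintext.encode("utf-8")
    try:
        if scheme == "MD5":
            return hmac.compare_digest(hashlib.md5(pw).digest(), base64.b64decode(payload))
        if scheme == "SHA":
            return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(payload))
        if scheme == "SSHA":
            raw = base64.b64decode(payload)
            digest, salt = raw[:20], raw[20:]   # the salt is whatever follows the digest
            return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
        if scheme == "CRYPT" and crypt is not None:
            return hmac.compare_digest(crypt.crypt(plaintext, payload), payload)
    except (ValueError, OSError, TypeError):
        return False                          # malformed base64 or an unusable crypt salt
    return False


if __name__ == "__main__":
    for scheme in ("MD5", "SHA", "SSHA"):
        value = encode_userpassword("secret", scheme)
        print(scheme, value, verify_userpassword("secret", value))
```

The scheme slapd uses when a client changes a password through the password-modify extended operation (the "pam_password exop" setting referred to in the PAM comments below) is chosen by the password-hash directive in slapd.conf, so that directive is where to prefer a salted scheme.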

Integration/synchronisation with shadow passwords and standard Unix authentication is achieved by using the PAM (pam_ldap) and NSS (nss_ldap) libraries. This approach can simultaneously support local users who have shadow accounts only, as well as LDAP-only users. Beware: the exact behaviour depends on the combination of configuration settings, which can easily be messed up!

All the required information is included with the applications mentioned.

The following supplementary information may be useful:


PAM Configuration for LDAP Authentication

#%PAM-1.0
#
# /etc/pam.d/system-auth
#
# Read http://www.saas.nsw.edu.au/solutions/ldap.html
# Last updated 1 JAN 2002 - rog@saas.nsw.edu.au
#
# Under RedHat, this file is auto-generated - Make sure you backup!!!!
# - Any user changes will be destroyed the next time authconfig is run.
# - Again, make backup of this file and update after you run authconfig.
# ======================================================================
# To make sure that user can login with only shadow password:
# 1. Below, change "required" to "sufficient" for the "pam_unix.so" line
#
auth    required     /lib/security/pam_env.so
auth    sufficient   /lib/security/pam_unix.so likeauth nullok
auth    sufficient   /lib/security/pam_ldap.so use_first_pass
auth    required     /lib/security/pam_deny.so

account sufficient   /lib/security/pam_unix.so
account required     /lib/security/pam_ldap.so

# To synchronise shadow and ldap passwords:
# 1. edit /etc/ldap.conf and activate "pam_password exop"
# 2. edit /etc/openldap/slapd.conf and activate "password-hash {MD5}"
# 3. move configuration line for pam_ldap.so above the pam_unix.so line
# 4. set the pam_ldap.so entry to "sufficient" 
#
password required   /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required   /lib/security/pam_deny.so

session  required   /lib/security/pam_limits.so
session  required   /lib/security/pam_unix.so
session  optional   /lib/security/pam_ldap.so
# =EOF=
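The comments in that file warn that the difference between "required" and "sufficient" on the pam_unix.so line decides whether shadow-only users can log in at all, and the trailing pam_deny.so line is easy to dismiss as dead weight. The following Python model (an added example; not the page's code and not Linux-PAM itself) applies the documented control-flag rules to the auth stack above for three constructed login attempts, then repeats the run with pam_unix.so set to "required" and with pam_deny.so removed. Module return codes are assumed per attempt (e.g. pam_unix.so returns PAM_AUTH_ERR for an LDAP-only user because there is no shadow hash to check).

```python
from typing import Dict, List, Tuple

# Return codes a module can hand back; a subset of the Linux-PAM constants.
SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"

Stack = List[Tuple[str, str]]   # [(control_flag, module), ...] in file order
Results = Dict[str, str]        # module -> return code for one login attempt

# The auth stack from the /etc/pam.d/system-auth above, paths dropped.
AUTH_STACK: Stack = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]


def run_stack(stack: Stack, results: Results) -> bool:
    """Simplified Linux-PAM evaluation of one management group (here: auth).

    required:   failure is remembered, the stack keeps running, final result is failure.
    requisite:  failure ends the stack immediately with failure.
    sufficient: success ends the stack with success unless a required module already failed;
                failure is ignored.
    optional:   only counts when it is the sole module in the stack.
    pam_deny.so always fails; a module with no recorded result is treated as failing.
    """
    required_failed = False
    required_passed = False
    for control, module in stack:
        rc = AUTH_ERR if module == "pam_deny.so" else results.get(module, AUTH_ERR)
        if control == "requisite":
            if rc != SUCCESS:
                return False
            required_passed = True
        elif control == "required":
            if rc == SUCCESS:
                required_passed = True
            else:
                required_failed = True
        elif control == "sufficient":
            if rc == SUCCESS and not required_failed:
                return True
        elif control == "optional":
            if len(stack) == 1:
                return rc == SUCCESS
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return required_passed and not required_failed


def login_outcomes(stack: Stack) -> Dict[str, bool]:
    """Run three constructed login attempts through `stack` and report who gets in."""
    attempts: Dict[str, Results] = {
        # /etc/shadow user with the right password: pam_unix succeeds, pam_ldap is never asked
        "local user, good password": {"pam_env.so": SUCCESS, "pam_unix.so": SUCCESS},
        # LDAP-only user: no usable shadow hash, so pam_unix fails and pam_ldap must decide
        "ldap-only user, good password": {"pam_env.so": SUCCESS, "pam_unix.so": AUTH_ERR,
                                          "pam_ldap.so": SUCCESS},
        # wrong password: every authenticating module fails
        "any user, bad password": {"pam_env.so": SUCCESS, "pam_unix.so": AUTH_ERR,
                                   "pam_ldap.so": AUTH_ERR},
    }
    return {name: run_stack(stack, rcs) for name, rcs in attempts.items()}


def with_control(stack: Stack, module: str, control: str) -> Stack:
    """Copy of `stack` with one module's control flag replaced."""
    return [(control if m == module else c, m) for c, m in stack]


def without_module(stack: Stack, module: str) -> Stack:
    """Copy of `stack` with one module removed."""
    return [(c, m) for c, m in stack if m != module]


if __name__ == "__main__":
    variants = {
        "as shown above": AUTH_STACK,
        "pam_unix.so set to required": with_control(AUTH_STACK, "pam_unix.so", "required"),
        "pam_deny.so removed": without_module(AUTH_STACK, "pam_deny.so"),
    }
    for label, stack in variants.items():
        print(label)
        for attempt, ok in login_outcomes(stack).items():
            print(f"  {'ALLOW' if ok else 'DENY':5} {attempt}")
```

Two results are worth remembering. With pam_unix.so "required", its failure for an LDAP-only user is remembered, so the later "sufficient" pam_ldap.so success cannot end the stack early and pam_deny.so delivers the failure; even the local user is refused, because nothing returns early before pam_deny.so. With pam_deny.so removed, a wrong password is accepted: both sufficient modules fail and are ignored, and the only required module left, pam_env.so, succeeded.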

Test xinetd configuration for poppassd

# /etc/xinetd.d/poppassd
#
# Use web based PopPass + PAM to change password for local/LDAP users.
# - This is only an example /etc/xinetd.d/poppassd configuration file.
# - man xinetd to make sure you understand what these settings mean.
# - For test purposes, you only need to change "only_from" IP addresses. 
# - At minimum, you must change IP addresses to your own network range.
# - After testing, you may want to change "user" to a non-root userID!
# - If you are using inetd instead of xinetd, read the poppassd docs.
# ======================================================================
service poppassd
{
    disable = no
    instances   = 16
    flags       = REUSE
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root 
    server      = /usr/sbin/poppassd
    bind        = 0.0.0.0
    only_from   = localhost 127.0.0.1 192.168.0.0/16
}
# =EOF=
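To check what that stanza actually admits before exposing it, here is an added Python example (not the page's code and not part of xinetd) that parses the service block above, applies its only_from list to a few client addresses and reports the two settings the comments tell you to revisit. It assumes xinetd.conf's documented address forms: plain dotted quads, CIDR notation, and numeric addresses whose rightmost zero octets act as wildcards (so 192.168.0.0 equals 192.168.0.0/16); "localhost" is mapped to 127.0.0.1 and other hostnames are rejected because they would need DNS. The review checks are the editor's own, not an xinetd feature.

```python
import ipaddress
from typing import Dict, List

# Constructed copy of the /etc/xinetd.d/poppassd stanza above, used as the parser's input.
SAMPLE_STANZA = """\
service poppassd
{
    disable = no
    instances   = 16
    flags       = REUSE
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/poppassd
    bind        = 0.0.0.0
    only_from   = localhost 127.0.0.1 192.168.0.0/16
}
"""


def parse_xinetd_service(text: str) -> Dict[str, str]:
    """Parse one 'service name { key = value ... }' stanza into a dict ('service' holds the name)."""
    attrs: Dict[str, str] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # xinetd treats '#' as a comment marker
        if not line:
            continue
        if line.startswith("service "):
            attrs["service"] = line.split(None, 1)[1]
        elif line == "{":
            inside = True
        elif line == "}":
            break
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return attrs


def only_from_networks(spec: str) -> List[ipaddress.IPv4Network]:
    """Turn an only_from value into IPv4 networks."""
    nets: List[ipaddress.IPv4Network] = []
    for token in spec.split():
        if token == "localhost":
            nets.append(ipaddress.IPv4Network("127.0.0.1/32"))
        elif "/" in token:
            nets.append(ipaddress.IPv4Network(token, strict=False))
        elif token.replace(".", "").isdigit():
            # xinetd.conf(5): rightmost zero octets of a numeric address are wildcards
            zeros = 0
            for octet in reversed(token.split(".")):
                if octet != "0":
                    break
                zeros += 1
            nets.append(ipaddress.IPv4Network(f"{token}/{32 - 8 * zeros}", strict=False))
        else:
            raise ValueError(f"hostname {token!r} would need DNS; not modelled here")
    return nets


def client_allowed(attrs: Dict[str, str], client_ip: str) -> bool:
    """Apply only_from the way xinetd does: with no only_from (and no no_access) everyone may connect."""
    spec = attrs.get("only_from")
    if spec is None:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in only_from_networks(spec))


def review_service(attrs: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise for this stanza before it leaves the test network."""
    findings: List[str] = []
    if attrs.get("user") == "root":
        findings.append("server runs as root; switch 'user' to an unprivileged account once tested")
    if attrs.get("bind", "0.0.0.0") == "0.0.0.0":
        findings.append("bound to all interfaces; bind to the address the web server will use")
    if "only_from" not in attrs and "no_access" not in attrs:
        findings.append("no only_from/no_access: any host that can reach the port may connect")
    return findings


if __name__ == "__main__":
    service = parse_xinetd_service(SAMPLE_STANZA)
    for addr in ("127.0.0.1", "192.168.20.5", "10.0.0.5"):
        print(addr, "allowed" if client_allowed(service, addr) else "refused")
    for finding in review_service(service):
        print("-", finding)
```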
When running poppassd, if you receive a Perl error message about "dump", then edit your poppassd Perl script; the need for this modification depends on your Perl version.

This solution has been tested on RedHat 7.2 with OpenLDAP, PAM_LDAP, NSS_LDAP, PopPass, and poppassd with shadow password support (as opposed to the non-shadow poppassd v1.2 by Qualcomm).

You must also install the Perl CGI module and the IO::Socket::INET module (often already installed; this depends on your distribution).