OpenLDAP with libnss-ldap and libpam-ldap – Debian Planet

    OpenLDAP with libnss-ldap and libpam-ldap
    Submitted by Bluehorn on Saturday, February 07, 2004 – 17:36
    I wrote a little HOWTO article on how to set up OpenLDAP for use as an accounts database with libnss-ldap and libpam-ldap. Hope it is useful to somebody…
    Category: HOWTOs


    Subject: One suggestion for improvement
    Author: pwagland
    Date: Wednesday, 2004/02/18 – 14:59
    We have also done something similar, however, I would suggest replacing the line

    auth required pam_unix.so use_first_pass

    with the lines

    auth [success=1 new_authtok_reqd=1 default=ignore] pam_ldap.so
    auth required pam_unix.so use_first_pass
    auth required pam_permit.so

    The reason to do this is it also means that anything after this set of requirements can also be enforced. For example, we sometimes use

    auth required pam_env.so

    If you have the sufficient in there, then that says that nothing else needs to be checked, and that is not always true…

    Just my €0.02

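The two stacks side by side, as an added example rather than code from the HOWTO or from pwagland's post. The file name (a sarge-era /etc/pam.d/common-auth), the `sufficient` line the HOWTO is assumed to use, and the trailing pam_env line taken from the comment above are all assumptions:

```text
# /etc/pam.d/common-auth  (assumed file; added example, not from the article)

# Weak: 'sufficient' ends the auth stack as soon as pam_ldap succeeds, so the
# pam_env line is never reached for users who authenticate against LDAP.
auth sufficient pam_ldap.so
auth required   pam_unix.so use_first_pass
auth required   pam_env.so

# Corrected, as suggested above: on success pam_ldap jumps over exactly one
# module (pam_unix) and lands on pam_permit; on failure or unknown user its
# result is ignored and pam_unix decides against /etc/shadow. Every module
# after the jump target still runs.
auth [success=1 new_authtok_reqd=1 default=ignore] pam_ldap.so
auth required   pam_unix.so use_first_pass
auth required   pam_permit.so
auth required   pam_env.so
```

The number in `success=1` is the count of lines between pam_ldap and pam_permit, so inserting another module in that gap without updating it changes which line gets jumped over. pam_permit is there to give the stack a success result when pam_unix has been skipped. For users who are not in LDAP nothing changes: pam_ldap's result is ignored and pam_unix is still `required`.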

    Subject: Some myths, and other documentation;
    Author: abo
    Date: Sunday, 2004/02/15 – 14:20
    Not bad… nice and current.

    However, you have perpetrated a persistent myth… pam-ldap is _not_ needed for logging in. libnss-ldap alone makes the pam-unix module work for authentication etc. The _only_ thing you need pam-ldap for is changing passwords. In theory it should also be useful for chfn and chsh, but last time I checked the pam-ldap module didn’t support those.

    There is more info available on the debian wiki under LDAPAuthentication

    Please use and correct/extend wiki content as you go 🙂




    Subject: You *can* use nss-ldap withou
    Author: xm
    Date: Tuesday, 2004/02/17 – 03:39
    You *can* use nss-ldap without pam-ldap, but it’s not terribly useful.

    To do so, you need to use {crypt} passwords, which sucks for many reasons. It is much better to use pam-ldap as well so you can use a better hashing algorithm.


    fitter, healthier, more productive
    like a pig, in a cage, on antibiotics


    Subject: Nice!
    Author: wouter@jabber.org
    Date: Tuesday, 2004/02/10 – 01:00
    This is something I have been thinking about doing for several years, just as an experiment, so I can roll out something for real once (if, when) my workplaces are switching to all-Linux desktops…

    I’ve been thinking about manually filtering the ldap data into local user databases, though – in that case, there is a valid user database even when the ldap server would be unavailable.

    Or do these pam-libraries have a local fall-back cache? What happens when the ldap server is unavailable?



    Subject: Re: Nice!
    Author: jsf
    Date: Tuesday, 2004/02/10 – 01:30
    As stated in the HOWTO, by configuring pam properly, it checks on the system files, but if you have to maintain those, then using ldap is of no help right? So it would be better if you used the replicating functionality offered by LDAP and maybe have just the root password in the local system files for times of trouble.
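What happens with an unreachable server is decided by nss_ldap's own settings rather than by PAM, and neither libnss-ldap nor libpam-ldap keeps an offline copy of credentials (nscd caches passwd and group lookups, not password checks). As an added example, not from the HOWTO or from either poster, this is the configuration that goes with the "system files first, root stays local" approach jsf describes; the server address, base DN and timeout values are assumptions:

```text
# /etc/nsswitch.conf  (added example; 'files' answers first, so root and any
# rescue account kept in /etc/passwd + /etc/shadow resolve without the server)
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# /etc/libnss-ldap.conf  (nss_ldap directives; values are assumptions)
host 192.0.2.10
base dc=example,dc=com
bind_policy soft       # return an error when the server is down instead of retrying (default 'hard' retries)
bind_timelimit 5       # seconds to wait for connect/bind before giving up
timelimit 10           # seconds to wait for a search result
```

With the default `bind_policy hard`, every lookup that misses in the local files (a `ls -l` of a directory with LDAP-owned files, for instance) blocks while the server is unreachable, which is what makes an LDAP outage feel like a dead machine even for a locally defined root.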

    Subject: Add new users?
    Author: sjordet
    Date: Sunday, 2004/02/08 – 21:52
    I have just read the article briefly, and this is something I have wanted to check out for a very long time, so thank you very much 🙂

    I just have one question; how do I add new users after I have migrated to ldap?

    Sorry if this is something that was covered in the article, that I just didn’t find. (Or if it is very obvious.)



    Subject: Re: Add new users?
    Author: jsf
    Date: Tuesday, 2004/02/10 – 01:33
    By configuring the proper files in pam.d (i forget which ones), you can add users with the usual useradd command, IIRC.


    Subject: Personally, I use custom tool
    Author: mmnatas
    Date: Sunday, 2004/02/08 – 22:00
    Personally, I use custom tools written using the very nice python-ldap libraries to essentially provide the same functionality as [add|del][user|group].

    However, it looks like sarge has a few ldap management tools in it now, you might want to give one of them a try.



    Subject: What about homedir?
    Author: sjordet
    Date: Sunday, 2004/02/08 – 22:07
    Ok, I guess I might be able to write a custom tool myself, because I would want the script/whatever to create homedirs on the nfs server as well, and copy the stuff from /etc/skel, and so on… I’ll find out. Thanks 🙂
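The two threads above, xm's point about {crypt} versus salted hashes and the question of a useradd replacement, meet in one small tool. The following is an added example, not code from the HOWTO, from mmnatas's python-ldap scripts or from any poster: it builds the posixAccount LDIF for a new user with a salted {SSHA} userPassword and can verify such values the way slapd does on a simple bind. BASE_DN, UID_START, the ou=People layout and the sample names are assumptions; {CRYPT} values are deliberately not verified here because that is crypt(3)'s job in pam_unix, which is the only path that works when libnss-ldap alone supplies the hash.

```python
"""Added example (not from the HOWTO or any poster): a minimal 'useradd for
LDAP' emitting a posixAccount LDIF entry with a salted {SSHA} userPassword,
plus a verifier for such values. BASE_DN, UID_START and the ou=People
layout are assumptions."""
import base64
import hashlib
import hmac
import os
import re

BASE_DN = "dc=example,dc=com"   # assumption: the directory's suffix
UID_START = 10000               # assumption: first uidNumber handed to LDAP users
_LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def ssha_hash(password: bytes, salt=None) -> str:
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt), fresh random salt."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: bytes) -> str:
    """Unsalted {SHA}: equal passwords give equal values, so one cracked hash cracks all."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def verify_userpassword(stored: str, candidate: bytes) -> bool:
    """Check a userPassword value as slapd does on a simple bind (the pam_ldap path).
    {CRYPT} is not handled: pam_unix compares that with crypt(3), the only
    format usable when libnss-ldap alone feeds it the hash."""
    if not stored.startswith("{"):              # no scheme prefix: cleartext in the directory
        return hmac.compare_digest(stored.encode("utf-8"), candidate)
    scheme, _, b64 = stored[1:].partition("}")
    raw = base64.b64decode(b64)
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    raise ValueError("scheme {%s} not handled by this example" % scheme)


def next_uid(existing_uids) -> int:
    """Lowest free uidNumber at or above UID_START (caller supplies the ones in use)."""
    used = set(existing_uids)
    uid = UID_START
    while uid in used:
        uid += 1
    return uid


def _safe(value: str) -> str:
    """Reject values that would break LDIF or smuggle in extra attributes."""
    if not value.strip() or "\n" in value or "\r" in value or value[:1] in (" ", ":", "<"):
        raise ValueError("unsafe attribute value: %r" % value)
    return value


def user_ldif(login: str, full_name: str, password: bytes,
              uid_number: int, gid_number: int, shell: str = "/bin/bash") -> str:
    """LDIF for ldapadd with the attributes libnss-ldap maps onto passwd(5)/shadow(5).
    Creating the home directory (NFS, /etc/skel) is outside the directory's scope."""
    if not _LOGIN_RE.fullmatch(login):
        raise ValueError("bad login name: %r" % login)   # also keeps ',' and '=' out of the DN
    full_name = _safe(full_name)
    surname = full_name.split()[-1]
    lines = [
        "dn: uid=%s,ou=People,%s" % (login, BASE_DN),
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "uid: %s" % login,
        "cn: %s" % full_name,
        "sn: %s" % surname,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/%s" % login,
        "loginShell: %s" % _safe(shell),
        "userPassword: %s" % ssha_hash(password),
    ]
    return "\n".join(lines) + "\n"
```

The login-name check matters more than it looks: the login becomes part of the DN, so a value such as `alice,ou=Admins` would place the entry somewhere else in the tree, and a newline in any attribute would add attributes of the caller's choosing to the LDIF. The {SSHA} value is safe to put on a plain `userPassword:` line because base64 output never starts with a space, colon or `<`.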

    Subject: Giving libpam-ldap the password
    Author: grimcracker
    Date: Sunday, 2004/02/08 – 18:28
    Why must one give libpam-ldap the root dn and password for the LDAP database? I do LDAP authentication on Redhat and I don’t have to store that information anywhere on the clients.


    Subject: root password
    Author: Bluehorn
    Date: Sunday, 2004/02/08 – 18:59
    The root password is only needed so that the root user can change any users’ password without giving the old password. It is not really needed for authentication.


    Subject: ldappasswd?
    Author: xm
    Date: Monday, 2004/02/09 – 13:27
    Why not just use ldappasswd so you don’t need to store the password?

    Keep that password there, and you’re one local root exploit away from having your entire user database 0wned.

    *Never* store such an important password in clear text, even if it is root:root 600.


    fitter, healthier, more productive
    like a pig, in a cage, on antibiotics

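The setup xm is arguing for, as an added example rather than anything from the HOWTO or from the post: leave `rootbinddn` (and therefore /etc/pam_ldap.secret) out of the client configuration and let the directory's ACL and server-side hashing do the work. The host, DNs and attribute names are assumptions; `pam_password exop` and `password-hash` are existing pam_ldap.conf and slapd.conf directives:

```text
# /etc/pam_ldap.conf on every workstation  (added example; no rootbinddn,
# so there is no root DN password on the client to steal)
host 192.0.2.10
base dc=example,dc=com
pam_password exop     # RFC 3062 password-modify: slapd receives the new password and hashes it itself

# /etc/ldap/slapd.conf on the server
password-hash {SSHA}  # scheme applied to passwords arriving via the exop
access to attrs=userPassword
        by self write        # an entry may replace only its own hash
        by anonymous auth    # binds may be checked against it, but it is not readable
        by * none
access to *
        by * read
```

A user changes their own password with `passwd` (pam_ldap binds as the user with the old password and sends the extended operation) or with `ldappasswd -x -D uid=alice,ou=People,dc=example,dc=com -W -S`; an administrator resets someone else's with `ldappasswd -x -D cn=admin,dc=example,dc=com -W -S uid=bob,ou=People,dc=example,dc=com`, typing the admin password at the prompt each time instead of leaving it in a file. The caveat is the one the SSL sub-thread raises: without TLS, both the bind credentials and the new password cross the network in clear.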


    Subject: Surely…
    Author: robot101
    Date: Monday, 2004/02/09 – 17:42
    LDAP just stores data in files on disk, so when you’re 0wned, they can read the files directly anyway?

    Robster is a monkey


    Subject: The point is that by saving y
    Author: grimcracker
    Date: Tuesday, 2004/02/10 – 03:56
    The point is that by saving your root dn and password on the clients, any one of your clients can be compromised and the hacker then has root access on your LDAP database, which then of course gives them root on all of the clients that authenticate with that database. You make it sound like you only have one box in the first place, and if that’s the case, why bother with LDAP?


    Subject: replication?
    Author: robot101
    Date: Tuesday, 2004/02/10 – 16:49
    I have a pair of systems which I would like to have the same users, but don’t want them to be dependent on each other. So one of them has the LDAP master database, the other replicates it and authenticates locally against the database.

    Robster is a monkey


    Subject: no no
    Author: xm
    Date: Tuesday, 2004/02/10 – 03:52
    Nope, (if done correctly) passwords are stored encrypted in the directory, just like /etc/passwd.

    Even better, you can use some industrial-strength hashes, like SHA instead of just MD5.

    fitter, healthier, more productive
    like a pig, in a cage, on antibiotics



    Subject: Yes…
    Author: robot101
    Date: Tuesday, 2004/02/10 – 16:51
    I know this. The previous poster said you can have your “user database” owned. Even getting password hashes out is a bad thing – it allows the passwords to be brute forced. Although it’s all fairly academic, because by this point, the box has been rooted already.

    Robster is a monkey


    Subject: arguing the point
    Author: xm
    Date: Wednesday, 2004/02/11 – 04:03
    Dude, I think you’re confused about how your typical LDAP directory gets used. Your typical deployment looks like:

         | LDAP server |
         -------------------------------------
              |                     |
         -------------         -------------
        | workstation |       | workstation |
         -------------         -------------

    The main things to note are: a) there is no ldap server running on the workstations and b) users don’t work on the ldap server.

    So if you do things according to the article, if you have the password for the ldap superuser (different to the root password for the workstations and the server) stored on the workstations and a workstation gets 0wned, then you get full access to the directory and hence all machines.

    If the password is not stored locally and a workstation gets 0wned, then you lose only that machine and the directory is not compromised.


    fitter, healthier, more productive
    like a pig, in a cage, on antibiotics



    Subject: As I said…
    Author: robot101
    Date: Wednesday, 2004/02/11 – 13:24
    … I know this.

    Robster is a monkey


    Subject: And, (even though it isn’t e
    Author: mmnatas
    Date: Sunday, 2004/02/08 – 20:54
    And, (even though it isn’t explicitly noted in the article), the LDAP admin password should not be the same as the actual root password.

    Subject: Good Job.
    Author: pill
    Date: Sunday, 2004/02/08 – 16:43
    I am a bit greedy. Where should I install SSL support when following the HOWTO? Thanks.


    Subject: Another LDAP-on-Debian HOWTO
    Author: der.plusch
    Date: Monday, 2004/02/09 – 10:36

    In order to be able to use SSL you will have to re-compile the LDAP packages with SSL enabled manually, as Debian doesn’t include this functionality by default.

    You might want to check through my “Using OpenLDAP on Debian Woody to serve Linux and Samba users” HOWTO for more detailed information.





    Subject: OH MY GOODNESS! IT’S YOU!
    Author: undefined
    Date: Friday, 2004/02/13 – 21:52
    Okay, this is completely off-topic:

    I went to your HOWTO and the format of the web page looked very familiar. Then I remembered it from last night: I’m experimenting with ACLs and found your web page quite helpful as far as learning what packages are required (kernel patch, new coreutils, e2fsprogs, etc).

    Some updates though:

  • coreutils features ACL/EA as of 5.0.90-3
  • hahn’s fileutils is here
  • 2.4.24 kernel patch now available at the usual place

    I’m currently experimenting on a sarge workstation, but if ACLs work out and seem worthwhile, I’m going to implement ACLs on a woody server. To implement on woody I probably won’t backport everything myself, but use the backports.org repository. (The sarge workstation used to be a woody + personal-sarge-backports, but I got tired of backporting 20 other packages just to build/install the one backported application I wanted.)

    Sorry for this WAY off-topic post, but if I waited to email until I got home, it would have never been written.



    Subject: Why not stunnel for SSL support?
    Author: DaGoodBoy
    Date: Thursday, 2004/02/12 – 03:58
    We use it for external access to our contact database. Or do you have to recompile the clients and libpam stuff?


    Subject: SSL available in sarge & sid?
    Author: joib
    Date: Tuesday, 2004/02/10 – 10:33
    Well, I haven’t tried this personally, but the version of slapd and ldap-utils in sarge & sid (2.1.something) depend on libgnutls7, so I guess they have SSL support built-in.
