Categories
Solus OS

Configure LDAP Authentication on Solus 3

I’ll just start with that I think that Solus is a fantastic Linux based desktop operating system. My preference is Solus with Gnome but is also available with the homegrown Budgie desktop or Mate.

My user accounts are all entries in a directory server but Solus doesn’t at the moment have the ability to pull in accounts from one (although I have submitted a package request to facilitate this).

Enter nss-pam-ldapd from Arthur de Jong. There are other implementations but I had problems compiling them and I don’t have the nous to fix them.

This guide make the presumption that you already have a directory server with user accounts set up beforehand. Right, lets go!

Firstly, lets install some prerequisites.

# Install the development software
#
sudo eopkg it -c system.devel
# Install OpenLDAP and LDAP development files
#
sudo eopkg it openldap openldap-devel

Now get the latest tarball from https://arthurdejong.org/nss-pam-ldapd/downloads and extract it into a temporary location, I use ~/tmp
As of writing version 0.9.8 is current.

# Extract the software and enter the build directory
#
tar zxvf nss-pam-ldapd-0.9.8.tar.gz -C ~/tmp/ && cd ~/tmp/nss-pam-ldapd-0.9.8

Building  is fairly simple, just make sure that you pass the –prefix parameter to the configure script. Strangely the default prefix for configure is /

# Build the software and install with sudo
#
./configure --prefix=/usr && make
sudo make install

Modify the /etc/nslcd.conf to your specification. The salient parts are uid, gid, uri, base

If your directory requires a log-in modify binddn, bindpw

Create the service account for nslcd

sudo useradd --system nslcd

Modify your /etc/nsswitch.conf so that the passwd, group, and shadow lines look something like this:

passwd:  files ldap
group:   files ldap
shadow:  files ldap

To test LDAP connectivity between nslcd and our LDAP server, fire up a couple of terminals and fire up nslcd in one of them.

# Start nslcd in debug mode
#
sudo /usr/sbin/nslcd -d

We can now see if we can pull user and group information from our directory.

# Use getent to test if we can access LDAP accounts
#
getent passwd

# Use getent to test if we can access LDAP groups
#
getent group

If successful you should see your LDAP users and groups and you can now stop the nslcd daemon by issuing a ^C in your first terminal.

Now lets make things a little more permanent. Solus uses systemd so we now need to create a service unit file. Paste the following into /etc/systemd/system/nslcd.service.

[Unit]
Description=nss-pam-ldapd
After=network.target

[Service]
ExecStart=/usr/sbin/nslcd
Type=forking
PIDFile=/var/run/nslcd/nslcd.pid

[Install]
WantedBy=multi-user.target

Tell systemd that there is a new service file.

# Reload systemd
#
sudo systemctl daemon-reload

You should be able to enable, disable, start, stop, restart the nslcd service so lets enable and start it.

# Enable and start nslcd
#
sudo systemctl enable nslcd.service
sudo systemctl start nslcd.service

Debug by issuing:

# Check journal for nslcd message
#
sudo journalctl -u nslcd.service

Now for the fucking ugly part where I usually lock myself out of my system. If you are running Solus in a virtual machine I suggest snap-shotting or creating a backup.

Open /etc/pam.d/system-auth in a text editor and make sure that it looks similar to the following. Note my LDAP accounts have uids of 10000 and above.

# Begin /etc/pam.d/system-auth

auth    sufficient    pam_unix.so
auth    sufficient    pam_ldap.so minimum_uid=10000 use_first_pass
auth    required      pam_deny.so

# End /etc/pam.d/system-auth

If you could pull user and group information with getent then we can test authentication by running the following.

# Test LDAP authentication by sudoing to root and
# running login, then test authentication with a
# user account from your directory
#
sudo su
login

I successfully logged in with a network account but received a warning about not getting a home directory. We will fix this now with the help of the pam_mkhomedir.so PAM module.

Open /etc/pam.d/system-session and make sure that it looks similar to the following.

# Begin /etc/pam.d/system-session

session   required    pam_unix.so
session   required    pam_systemd.so
session   required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session   optional    pam_loginuid.so
session   optional    pam_limits.so

# End /etc/pam.d/system-session

Now when you repeat the LDAP authentication test a home directory will be automatically created for you.