System Authentication using LDAP
My Adventures through RFC2307

Brad Marshall

(page 1)

System Authentication using LDAP

More and more users on the network
Needed centralized authentication solution
Wanted to integrate easily with existing network

(page 2)

Options for Authentication


(page 3)


Custom scripts
Replicating password files

(page 4)


Plugged In is a Java development consulting business
See "Linux in a Commercial Environment" - SAGE-AU'98
Everyone has a Linux box
Everyone has an account on all boxes

(page 5)

What is LDAP

Lightweight Directory Access Protocol
Directory service (RFC1777)
Stores attribute based data
Optimized for reading
Hierarchical data structure
Client-server model
Consistent view of data
Based on entries

(page 6)

LDAP Structure

Entries referenced by distinguished name - DN (RFC1779)
Can be referenced by relative distinguished name - RDN
Top level or base (RFC2377)
Object class

(page 7)

What is LDIF

LDAP Data Interchange Format
ldbmcat converts ldbm database to ldif
ldif2ldbm converts ldif back to ldbm database

(page 8)

Example User Schema

dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac

(page 9)

Example Group Schema

dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
objectclass: posixGroup
objectclass: top
cn: sysadmin
gidnumber: 160
memberuid: bmarshal
memberuid: dwood
memberuid: jparker
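As an added example (not code from the slides), the script below parses the two LDIF entries shown above, checks that each carries the attributes RFC2307 marks as MUST for posixAccount and posixGroup, and renders the passwd(5) and group(5) lines an RFC2307 client would hand back to getpwnam()/getgrnam(). SAMPLE_LDIF is copied from the slides; the reader, the validation table and the default login shell of /bin/sh are this example's own choices.

```python
# Added example, not part of the slides: parse the LDIF user and group entries
# from the schema slides, validate them against RFC2307's MUST attributes, and
# render passwd(5)/group(5) lines. SAMPLE_LDIF is copied from the slides.
from typing import Dict, List

Entry = Dict[str, List[str]]

# RFC2307 MUST attributes per object class; names are lower-cased because LDAP
# attribute names are case-insensitive.
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}

SAMPLE_LDIF = """\
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac

dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
objectclass: posixGroup
objectclass: top
cn: sysadmin
gidnumber: 160
memberuid: bmarshal
memberuid: dwood
memberuid: jparker
"""

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines;
    repeated attributes accumulate. No base64 or continuation lines."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def object_classes(entry: Entry) -> set:
    return {c.lower() for c in entry.get("objectclass", [])}

def missing_attributes(entry: Entry) -> List[str]:
    """RFC2307 MUST attributes absent from the entry, over all its object classes."""
    missing = set()
    for cls in object_classes(entry):
        missing |= REQUIRED.get(cls, set()) - set(entry)
    return sorted(missing)

def first(entry: Entry, attr: str, default: str = "") -> str:
    return entry.get(attr, [default])[0]

def passwd_line(entry: Entry) -> str:
    """posixAccount as a passwd(5) line. This example writes 'x' in the password
    field: the hash belongs in the directory, not in the passwd view."""
    return ":".join([first(entry, "uid"), "x", first(entry, "uidnumber"),
                     first(entry, "gidnumber"), first(entry, "gecos"),
                     first(entry, "homedirectory"), first(entry, "loginshell", "/bin/sh")])

def group_line(entry: Entry) -> str:
    """posixGroup as a group(5) line; memberUid values become the member list."""
    return ":".join([first(entry, "cn"), "x", first(entry, "gidnumber"),
                     ",".join(entry.get("memberuid", []))])

def render(text: str) -> List[str]:
    """Validate every entry, then render those with a POSIX object class."""
    out = []
    for entry in parse_ldif(text):
        bad = missing_attributes(entry)
        if bad:
            raise ValueError(f"{first(entry, 'dn')}: missing {', '.join(bad)}")
        classes = object_classes(entry)
        if "posixaccount" in classes:
            out.append(passwd_line(entry))
        elif "posixgroup" in classes:
            out.append(group_line(entry))
    return out
```

Calling render(SAMPLE_LDIF) yields one passwd line for bmarshal and one group line for sysadmin; an entry missing, say, homedirectory is rejected before anything is rendered, which is the check a migration script should make before loading entries into slapd.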

(page 10)

Search filters

Criteria for attributes
Directory base to search
Prefix notation


See RFC2254 for more details

(page 11)


Describes data layout
People in ou=People
Groups in ou=Group

(page 12)


Uses RFC2307
Applications query LDAP server


(page 13)

Library calls

Library calls as defined by RFC2307
getpwnam() (&(objectClass=posixAccount)(uid=%s))
getpwuid() (&(objectClass=posixAccount)(uidNumber=%d))
getpwent() (objectClass=posixAccount)

getspnam() (&(objectClass=shadowAccount)(uid=%s))
getspent() (objectClass=shadowAccount)

getgrnam() (&(objectClass=posixGroup)(cn=%s))
getgrgid() (&(objectClass=posixGroup)(gidNumber=%d))
getgrent() (objectClass=posixGroup)
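To show how the prefix-notation filters of the search-filter slide and the RFC2307 library-call table above fit together, here is an added example (not code from the slides or from any LDAP library): a small RFC2254 filter evaluator run over constructed in-memory entries. DIRECTORY is built from the slides' LDIF plus one extra group, "users", which is constructed; the parser, the matcher and the RFC2254 escaping of values substituted for %s are this example's own code.

```python
# Added example, not part of the slides: evaluate RFC2254 search filters and
# run the RFC2307 library-call filters against constructed entries.
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

DIRECTORY: List[Entry] = [
    {"dn": ["uid=bmarshal,ou=People,dc=pisoftware,dc=com"], "uid": ["bmarshal"],
     "cn": ["Brad Marshall"], "objectclass": ["account", "posixAccount", "top"],
     "uidnumber": ["500"], "gidnumber": ["120"], "loginshell": ["/bin/bash"],
     "homedirectory": ["/mnt/home/bmarshal"]},
    {"dn": ["cn=sysadmin,ou=Group,dc=pisoftware,dc=com"], "cn": ["sysadmin"],
     "objectclass": ["posixGroup", "top"], "gidnumber": ["160"],
     "memberuid": ["bmarshal", "dwood", "jparker"]},
    {"dn": ["cn=users,ou=Group,dc=pisoftware,dc=com"], "cn": ["users"],  # constructed
     "objectclass": ["posixGroup", "top"], "gidnumber": ["120"]},
]

# The RFC2307 filter table from the slide, printf-style placeholders included.
FILTERS = {
    "getpwnam": "(&(objectClass=posixAccount)(uid=%s))",
    "getpwuid": "(&(objectClass=posixAccount)(uidNumber=%d))",
    "getpwent": "(objectClass=posixAccount)",
    "getgrnam": "(&(objectClass=posixGroup)(cn=%s))",
    "getgrgid": "(&(objectClass=posixGroup)(gidNumber=%d))",
    "getgrent": "(objectClass=posixGroup)",
}

def escape(value: str) -> str:
    """RFC2254 section 4 escaping for a value substituted into a filter, so that
    '*', '(', ')', '\\' and NUL in the value are matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(s: str):
    """Parse into ('&'|'|', [subs]), ('!', sub), ('present', attr) or
    ('=', attr, value). Equality and presence are all the RFC2307 lookup
    filters need; substring and ordering items are not handled."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if s[pos] in "&|":
            op = s[pos]
            pos += 1
            subs = []
            while s[pos] == "(":
                subs.append(node())
            result = (op, subs)
        elif s[pos] == "!":
            pos += 1
            result = ("!", node())
        else:
            end = s.index(")", pos)
            attr, sep, raw = s[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError(f"bad filter item at {pos}")
            result = ("present", attr.lower()) if raw == "*" else ("=", attr.lower(), unescape(raw))
            pos = end
        if s[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry: Entry) -> bool:
    kind = tree[0]
    if kind == "&":
        return all(matches(t, entry) for t in tree[1])
    if kind == "|":
        return any(matches(t, entry) for t in tree[1])
    if kind == "!":
        return not matches(tree[1], entry)
    if kind == "present":
        return tree[1] in entry
    _, attr, value = tree  # equality; these attributes compare case-insensitively
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search(filter_str: str, directory: List[Entry] = DIRECTORY) -> List[str]:
    """DNs of the entries matching the filter, in directory order."""
    tree = parse_filter(filter_str)
    return [e["dn"][0] for e in directory if matches(tree, e)]

def lookup(call: str, arg=None, directory: List[Entry] = DIRECTORY) -> List[str]:
    """Run one RFC2307 library-call filter; %s takes an escaped string, %d an int."""
    filt = FILTERS[call]
    if "%d" in filt:
        filt = filt.replace("%d", str(int(arg)))
    if "%s" in filt:
        filt = filt.replace("%s", escape(str(arg)))
    return search(filt, directory)
```

lookup("getpwuid", 500) and lookup("getpwnam", "bmarshal") both return the bmarshal DN, and lookup("getgrent") returns every posixGroup. Because %s values are escaped, lookup("getpwnam", "*") matches nothing, whereas the raw presence filter search("(uid=*)") matches every entry that has a uid; keeping those two cases distinct is exactly what the escaping is for.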

(page 14)


Used PADL's MigrationTools
Can migrate
Initially migrated

(page 15)

LDAP Server architecture

LDAP daemon called slapd

Replication daemon called slurpd

(page 16)

Server Configuration: slapd.conf


include /etc/openldap/
include /etc/openldap/slapd.oc.conf
schemacheck off

pidfile /var/run/
argsfile /var/run/slapd.args

defaultaccess read

access to attr=userpassword
by self write
by * read

access to *
by self write
by dn=".+" read
by * read
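The ACL above grants `by * read` on userpassword, and `*` includes clients that have not bound at all, so every account's crypt hash can be read anonymously. As an added example (not code from the slides or from OpenLDAP), the script below models OpenLDAP 1.x slapd.conf access control well enough to evaluate that: SLIDE_ACL is the slides' ACL with each directive on its own line, TIGHTER_ACL is this example's own suggested variant that denies the hash to everyone but the user themself, and the evaluator, the "other user" DN and the principal labels are constructed for the example. The tighter variant assumes clients authenticate by binding as the user rather than by fetching the hash; whether that holds for a given pam_ldap setup is not something the slides cover.

```python
# Added example, not part of the slides: model OpenLDAP 1.x slapd.conf ACLs and
# compute who can read which attribute under the ACL from the slides.
import re
from typing import List, Tuple

# OpenLDAP 1.x access levels; a granted level implies all the ones before it.
LEVELS = ["none", "compare", "search", "read", "write"]

SLIDE_ACL = """
defaultaccess read
access to attr=userpassword
    by self write
    by * read
access to *
    by self write
    by dn=".+" read
    by * read
"""

# Suggested variant: the hash is unreadable to anonymous and to other users;
# users can still change their own password and read everything else.
TIGHTER_ACL = """
defaultaccess read
access to attr=userpassword
    by self write
    by * none
access to *
    by self write
    by dn=".+" read
    by * read
"""

USER = "uid=bmarshal,ou=People,dc=pisoftware,dc=com"
OTHER = "uid=dwood,ou=People,dc=pisoftware,dc=com"  # constructed second user
PRINCIPALS = [("anonymous", ""), ("self", USER), ("other authenticated user", OTHER)]

Rule = Tuple[str, List[Tuple[str, str]]]

def parse_acl(text: str) -> Tuple[str, List[Rule]]:
    """Return (defaultaccess, rules); each rule is (what, [(who, level), ...])."""
    default = "none"  # assumed when no defaultaccess directive is present
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("defaultaccess "):
            default = line.split()[1]
        elif line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            rules[-1][1].append((who, level))
        else:
            raise ValueError(f"unsupported directive: {line!r}")
    return default, rules

def what_matches(what: str, attr: str) -> bool:
    """'*' covers every entry and attribute; 'attr=a,b' covers the named attributes."""
    if what == "*":
        return True
    if what.startswith("attr="):
        return attr.lower() in {a.strip().lower() for a in what[5:].split(",")}
    return False

def who_matches(who: str, bound_dn: str, entry_dn: str) -> bool:
    """bound_dn is '' for an anonymous client. 'self' means the client is bound
    as the entry being accessed; dn="regex" is matched against the bound DN,
    so dn=".+" is any authenticated client and never the anonymous one."""
    if who == "*":
        return True
    if who == "self":
        return bound_dn != "" and bound_dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn="(.*)"', who)
    if m:
        return re.fullmatch(m.group(1), bound_dn) is not None
    raise ValueError(f"unsupported by-clause: {who!r}")

def effective_access(acl, bound_dn: str, entry_dn: str, attr: str) -> str:
    """The first 'access to' clause covering the target applies; within it the
    first matching 'by' clause decides, and a clause with no match denies."""
    default, rules = acl
    for what, bys in rules:
        if what_matches(what, attr):
            for who, level in bys:
                if who_matches(who, bound_dn, entry_dn):
                    return level
            return "none"
    return default

def can(acl, bound_dn: str, entry_dn: str, attr: str, level: str) -> bool:
    return LEVELS.index(effective_access(acl, bound_dn, entry_dn, attr)) >= LEVELS.index(level)

def who_can_read(acl_text: str, entry_dn: str, attr: str) -> List[str]:
    """Which of the three principal kinds can read attr on entry_dn."""
    acl = parse_acl(acl_text)
    return [label for label, dn in PRINCIPALS if can(acl, dn, entry_dn, attr, "read")]
```

who_can_read(SLIDE_ACL, USER, "userpassword") lists all three principals; with TIGHTER_ACL only "self" remains, while the user can still write their own password (needed for the ldappasswd usage shown later) and another authenticated user still reads ordinary attributes such as loginshell through the `by dn=".+" read` clause. The same evaluator is a cheap regression check to run over a slapd.conf before deploying an ACL change.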

(page 17)

Server Configuration: slapd.conf cont

/etc/openldap/slapd.conf cont

database ldbm
suffix "dc=pisoftware, dc=com"
rootdn "cn=Manager, dc=pisoftware, dc=com"
rootpw {crypt}lAn4J@KmNp9
bindmethod=simple credentials=d0nTe1l
replogfile /var/lib/openldap/replication.log

directory /var/lib/openldap/

(page 18)

Client Configuration: ldap.conf


BASE dc=pisoftware,dc=com
HOST ldap
pam_crypt local

(page 19)

Client Configuration: PAM


auth sufficient /lib/security/
auth required /lib/security/ shadow nullok try_first_pass
auth required /lib/security/
account sufficient /lib/security/
account required /lib/security/
password required /lib/security/
password sufficient /lib/security/
password required /lib/security/ shadow nullok use_authtok
session sufficient /lib/security/
session required /lib/security/

(page 20)

Client Configuration: nsswitch.conf


passwd: ldap files
shadow: ldap files
group: ldap files

(page 21)


ldappasswd -W -D 'uid=bmarshal,ou=People,dc=pisoftware,dc=com' 'uid=bmarshal'

ldapmodify -W -r -D "cn=Manager,dc=pisoftware,dc=com" < bmarshal.ldif

where bmarshal.ldif is the output of ldapsearch -L 'uid=bmarshal'

ldapsearch -L 'uid=*'
ldapsearch -L 'objectclass=posixGroup'
ldapsearch -L 'objectclass=posixAccount'
ldapsearch -D 'uid=bmarshal,ou=People,dc=pisoftware,dc=com' -W -L 'uid=bmarshal'

(page 22)

Future Directions


(page 23)


Some learning curve
Definitely worth it
Much easier to
Lots of expansion potential
Saves having multiple authentication databases

(page 24)

Useful URLs


UMich LDAP Server -

OpenLDAP -

SLAPD and SLURPD Admin Guide -

(page 25)


RFC1777 - Lightweight Directory Access Protocol

RFC1779 - A String Representation of Distinguished Names

RFC2254 - The String Representation of LDAP Search Filters

RFC2377 - Naming Plan for Internet Directory-Enabled Applications

RFC2307 - An Approach for Using LDAP as a Network Information Service

(page 26)