LDAP Authentication

Project accounts in DataONE are managed in an OpenLDAP instance running at NCEAS. The following procedure enables LDAP authentication of shell accounts against the NCEAS LDAP server; it depends on the packages libnss-ldap and nscd being installed. Shell accounts on Linux VMs authenticate against LDAP, typically allowing members of the dataone-shell group to log on using SSH.

Enable LDAP Authentication

Install libnss-ldap, nscd, and ensure ca-certificates is installed:

sudo apt-get install libnss-ldap nscd ca-certificates

It’s OK to accept the default values for LDAP configuration, as these will be replaced in the configuration process below.

Back up /etc/ldap.conf, then install this ldap.conf file in its place:

# /etc/ldap.conf settings for shell authentication using NCEAS LDAP
base ou=Account,dc=ecoinformatics,dc=org
ldap_version 3
uri ldap://ldap.ecoinformatics.org
# General configuration for shell accounts: only members of this group may log in
pam_groupdn cn=dataone-shell,ou=Groups,dc=ecoinformatics,dc=org
# Restrict shell accounts to dataone-sysadmin accounts
# pam_groupdn cn=dataone-sysadmin,ou=Groups,dc=ecoinformatics,dc=org
# Attribute of the group entry that holds the member DNs
pam_member_attribute uniqueMember
# Hash pam_ldap applies when a user changes their password
pam_password md5
# Upgrade the plain ldap:// connection to TLS with StartTLS and verify the
# server certificate against the system CA bundle; without tls_checkpeer yes
# the bind password could be handed to an impostor server
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# Local system accounts for which no LDAP group lookup is ever made
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,openldap,pan,postgres,proxy,root,sshd,sync,sys,syslog,tomcat6,uucp,www-data

Note that this configuration allows shell access to members of the group dataone-shell. For more restricted access, comment out that pam_groupdn line and uncomment the dataone-sysadmin one. The pam_groupdn entry in ldap.conf only determines who may log in to the machine; access to sudo is granted manually, as described below.
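The settings above that matter most are the two TLS lines and the single active pam_groupdn. The following script is an added example, not part of the DataONE documentation or the NCEAS configuration: it audits an ldap.conf of the shape installed above for exactly those settings (StartTLS on, peer verification on with a CA file, the member attribute matching the group, and one of the two expected groups active). The file it checks in the demo is a constructed copy of the configuration shown above; run it against /etc/ldap.conf on a real host.

```shell
#!/bin/sh
# Added example, not part of the DataONE documentation: audit an ldap.conf of
# the shape installed above for the settings that decide whether credentials
# are protected in transit and which LDAP group is allowed to log in.
# POSIX sh + awk only, so it runs offline on any file you pass to it.

# Print the value of KEY in FILE (comments skipped; if a key appears more than
# once, the last active line wins in this audit). Empty output if unset.
ldap_conf_get() {   # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2 }
        END        { print val }
    ' "$1"
}

# Extract the group CN from a pam_groupdn such as
# cn=dataone-shell,ou=Groups,dc=ecoinformatics,dc=org
pam_group_cn() {    # $1 = file
    ldap_conf_get "$1" pam_groupdn | sed -n 's/^cn=\([^,]*\),.*/\1/p'
}

# Audit FILE. Prints one line per finding; returns 0 only if every check passes.
audit_ldap_conf() { # $1 = file
    f="$1"; rc=0
    [ "$(ldap_conf_get "$f" ssl)" = "start_tls" ] ||
        { echo "FAIL: ssl start_tls missing; binds would send passwords in clear"; rc=1; }
    [ "$(ldap_conf_get "$f" tls_checkpeer)" = "yes" ] ||
        { echo "FAIL: tls_checkpeer is not yes; the server certificate is not verified"; rc=1; }
    [ -n "$(ldap_conf_get "$f" tls_cacertfile)" ] ||
        { echo "FAIL: tls_cacertfile unset; no trust anchor for certificate checks"; rc=1; }
    [ "$(ldap_conf_get "$f" pam_member_attribute)" = "uniqueMember" ] ||
        { echo "FAIL: pam_member_attribute does not match the group's member attribute"; rc=1; }
    case "$(pam_group_cn "$f")" in
        dataone-shell|dataone-sysadmin) ;;
        "") echo "FAIL: no active pam_groupdn; every LDAP account could log in"; rc=1 ;;
        *)  echo "FAIL: pam_groupdn names an unexpected group"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample mirroring the ldap.conf above, written to $1 (not a real host file).
write_sample_conf() {
cat > "$1" <<'EOF'
base ou=Account,dc=ecoinformatics,dc=org
ldap_version 3
uri ldap://ldap.ecoinformatics.org
pam_groupdn cn=dataone-shell,ou=Groups,dc=ecoinformatics,dc=org
# pam_groupdn cn=dataone-sysadmin,ou=Groups,dc=ecoinformatics,dc=org
pam_member_attribute uniqueMember
pam_password md5
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF
}

# Demo on the constructed sample; use "audit_ldap_conf /etc/ldap.conf" for real.
sample=$(mktemp)
write_sample_conf "$sample"
audit_ldap_conf "$sample" && echo "OK: logins restricted to $(pam_group_cn "$sample")"
rm -f "$sample"
```

The audit treats a commented-out pam_groupdn as absent, which is the case to watch for: with no active pam_groupdn, pam_ldap does not restrict logins by group at all, so every account under the search base could open a shell.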

Enable pam_ldap:

sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update

Create a file /usr/share/pam-configs/d1_mkhomedir with contents:

Name: Activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required            pam_mkhomedir.so umask=0022 skel=/etc/skel

Add the following to /etc/security/group.conf. The four leading fields mean any service, any tty, any user, at any time of day, so every account that logs in is added to these supplementary local groups; adm in particular grants read access to the system logs, so trim the list if that is not wanted:

*;*;*;Al0000-2400;adm,dialout,cdrom,plugdev,sambashare

Create a file /usr/share/pam-configs/d1_groups with contents:

Name: Activate groups
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
      Required        pam_group.so use_first_pass

Now update PAM and restart nscd and the LDAP client:

sudo pam-auth-update
sudo /etc/init.d/nscd restart
sudo /etc/init.d/libnss-ldap restart

Members of the group selected in /etc/ldap.conf should now be able to log in using their DataONE credentials.

To grant sudo to a user, add the account to the local admin group (the group to which sudoers grants sudo on this release). This membership lives in /etc/group, not in LDAP, so it is set per machine:

sudo usermod -a -G admin USERNAME

On releases where usermod refuses to modify an account that is not in the local /etc/passwd, gpasswd -a makes the same change to /etc/group after resolving the user through NSS.

Listing Group Members

The members of a group such as dataone-shell can be listed with an LDAP client such as ldapsearch. The query below uses an anonymous simple bind (-x), scopes the search to the Groups OU, asks only for the uniqueMember attribute that pam_groupdn is evaluated against, and with -ZZ requires StartTLS so the query travels over TLS just as the shell logins do:

ldapsearch -x -ZZ -H ldap://ldap.ecoinformatics.org \
    -b "ou=Groups,dc=ecoinformatics,dc=org" "(cn=dataone-shell)" uniqueMember
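The raw LDIF that ldapsearch prints is awkward to compare against an access list by eye, and long DNs are folded across lines. The following script is an added example, not part of the DataONE documentation or tooling: it unfolds the LDIF, extracts the uid of every uniqueMember and diffs the result against a file of expected uids, so the membership of the group that gates shell logins can be reviewed. The LDIF it parses in the demo is a constructed sample in the shape ldapsearch produces, with made-up uids; pipe real ldapsearch output into ldif_member_uids or compare_members instead.

```shell
#!/bin/sh
# Added example, not part of the DataONE documentation: turn the LDIF that
# ldapsearch prints for a groupOfUniqueNames entry into a list of member uids
# and diff it against the list you expect. Handles LDIF line folding (a
# continuation line starts with one space), which long DNs often trigger;
# base64-encoded values ("attr:: ...") are not decoded.

# Read LDIF on stdin; print the uid of each uniqueMember DN, sorted, one per line.
ldif_member_uids() {
    awk '
        function emit(line) {
            if (line ~ /^uniqueMember: uid=/) {
                sub(/^uniqueMember: uid=/, "", line)   # keep the RDN value
                sub(/,.*/, "", line)                   # drop the rest of the DN
                print line
            }
        }
        /^ / { buf = buf substr($0, 2); next }         # unfold a continuation line
        { if (buf != "") emit(buf); buf = $0 }         # previous logical line is complete
        END  { if (buf != "") emit(buf) }
    ' | sort
}

# Compare the group against a file of expected uids (one per line).
# Prints the differences; returns 1 if the two sets differ.
compare_members() {  # $1 = expected-uids file; LDIF on stdin
    got=$(mktemp); exp=$(mktemp)
    ldif_member_uids > "$got"
    sort "$1" > "$exp"
    extra=$(comm -23 "$got" "$exp")     # in LDAP group, not expected
    missing=$(comm -13 "$got" "$exp")   # expected, not in LDAP group
    rc=0
    [ -z "$extra" ]   || { echo "in group but not expected: $extra"; rc=1; }
    [ -z "$missing" ] || { echo "expected but not in group: $missing"; rc=1; }
    rm -f "$got" "$exp"
    return $rc
}

# Constructed sample in the shape of the ldapsearch output above (uids are made up).
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=ecoinformatics,dc=org> with scope subtree
# filter: (cn=dataone-shell)
# requesting: uniqueMember
#

# dataone-shell, Groups, ecoinformatics.org
dn: cn=dataone-shell,ou=Groups,dc=ecoinformatics,dc=org
uniqueMember: uid=alice,ou=Account,dc=ecoinformatics,dc=org
uniqueMember: uid=bob,ou=Account,dc=ecoinformatics,dc=org
uniqueMember: uid=carol-with-a-long-name,ou=Account,dc=ecoinformati
 cs,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
'

# Demo: list the members of the constructed sample.
printf '%s' "$SAMPLE_LDIF" | ldif_member_uids
```

On a live host the same check would be `ldapsearch ... uniqueMember | compare_members expected-shell-users.txt`; a non-zero exit then means someone can log in who is not on the reviewed list, or someone on the list has been dropped from the group.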