LDAP Authentication
===================

Project accounts in DataONE are managed in an OpenLDAP instance running at
NCEAS. The following procedure enables LDAP authentication of shell accounts
against the NCEAS LDAP server. It depends on the packages *libnss-ldap* and
*nscd* being installed.

Shell accounts on Linux VMs authenticate using LDAP, typically allowing members
of *dataone-shell* to log on using SSH.

Enable LDAP Authentication
--------------------------

Install *libnss-ldap* and *nscd*, and ensure *ca-certificates* is installed::

  sudo apt-get install libnss-ldap nscd ca-certificates

It is OK to accept the default values for the LDAP configuration, as these will
be replaced in the configuration process below.

Back up */etc/ldap.conf*, then install this *ldap.conf* file in its place:

.. include:: data/etc/ldap.conf
   :literal:

Note that the default configuration allows shell access to members of the group
*dataone-shell*. If more restricted access is desired, change the group to
*dataone-sysadmin*. Access to *sudo* is enabled manually (see below); the
entries in *ldap.conf* only determine who is able to log in to the machine.

Enable *pam_ldap*::

  sudo auth-client-config -t nss -p lac_ldap
  sudo pam-auth-update

Create a file */usr/share/pam-configs/d1_mkhomedir* with contents:

.. include:: data/usr/share/pam-configs/d1_mkhomedir
   :literal:

Add the following to */etc/security/group.conf*::

  *;*;*;Al0000-2400;adm,dialout,cdrom,plugdev,sambashare

Create a file */usr/share/pam-configs/d1_groups* with contents:

.. include:: data/usr/share/pam-configs/d1_groups
   :literal:

Now update *pam* and restart *nscd* and the *ldap* client::

  sudo pam-auth-update
  sudo /etc/init.d/nscd restart
  sudo /etc/init.d/libnss-ldap restart

Members of the group selected in */etc/ldap.conf* should now be able to log in
using their DataONE credentials.

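Two settings in *ldap.conf* carry most of the security weight of this procedure:
whether the PAM bind is protected in transit (otherwise the password typed at the
SSH prompt crosses the network in clear to port 389) and the *pam_groupdn*
restriction that decides which LDAP group may log in at all. The audit script
below is an added example, not part of the DataONE configuration or of the
*libnss-ldap* package. It reads a PADL-style *ldap.conf* (directive names *uri*,
*ssl*, *tls_checkpeer*, *pam_groupdn*) and the two sample configurations it
writes are constructed for the example with an assumed *example.org* suffix:

```shell
#!/bin/sh
# Added example (not from the DataONE docs): audit a PADL-style ldap.conf
# for the settings that decide whether the PAM bind is protected in transit
# and which LDAP group is allowed to log in. The example.org suffix and the
# two sample configs written by write_samples are constructed.

# Print the value of a directive: first uncommented match, key compared
# case-insensitively as the ldap.conf parser does.
ldapconf_get() {
    awk -v key="$1" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Exit 0 when binds cannot be sniffed (ldaps:// URI or "ssl start_tls") and
# tls_checkpeer is "yes", so the server certificate is actually verified.
ldapconf_transport_ok() {
    uri=$(ldapconf_get uri "$1")
    ssl=$(ldapconf_get ssl "$1")
    checkpeer=$(ldapconf_get tls_checkpeer "$1")
    encrypted=0
    case "$uri" in ldaps://*) encrypted=1 ;; esac
    [ "$ssl" = "start_tls" ] && encrypted=1
    if [ "$encrypted" -ne 1 ]; then
        echo "WARN: no ldaps:// URI and no 'ssl start_tls'; simple binds send the password in clear"
        return 1
    fi
    if [ "$checkpeer" != "yes" ]; then
        echo "WARN: tls_checkpeer is not 'yes'; any certificate would be accepted"
        return 1
    fi
    echo "OK: bind is encrypted and the server certificate is verified"
}

# Print the cn of the group that pam_groupdn restricts logins to; exit 1
# when there is no restriction (every LDAP account could then log in).
ldapconf_login_group() {
    dn=$(ldapconf_get pam_groupdn "$1")
    if [ -z "$dn" ]; then
        echo "WARN: no pam_groupdn; login is not restricted to a group" >&2
        return 1
    fi
    printf '%s\n' "$dn" | sed -n 's/^cn=\([^,]*\),.*/\1/p'
}

# Write two constructed sample configs into DIR: weak.conf (the shape the
# package defaults tend to leave behind) and hardened.conf.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample, not a real DataONE config
base dc=example,dc=org
uri ldap://ldap.example.org/
ldap_version 3
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample, not a real DataONE config
base dc=example,dc=org
uri ldap://ldap.example.org/
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
pam_groupdn cn=dataone-shell,ou=Groups,dc=example,dc=org
pam_member_attribute uniqueMember
EOF
}

# Stand-alone demo: audit both samples (warnings on weak.conf are expected).
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak hardened; do
    echo "== $f.conf"
    ldapconf_transport_ok "$demo_dir/$f.conf" || :
    ldapconf_login_group "$demo_dir/$f.conf" || :
done
rm -rf "$demo_dir"
```

Run it against the real file with ``ldapconf_transport_ok /etc/ldap.conf`` after
installing the *ldap.conf* from the include above; *tls_cacertfile* should point
at the bundle that the *ca-certificates* package installs, which is why that
package is part of the install step.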

To grant *sudo* to a user::

  sudo usermod -a -G admin USERNAME

Listing Group Members
---------------------

The members of a group such as *dataone-shell* can be examined using an LDAP
client such as *ldapsearch*::

  ldapsearch -x -h ldap.ecoinformatics.org -b "dc=ecoinformatics,dc=org" -p 389 cn=dataone-shell
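Because membership of this group is exactly the set of accounts that can log in,
it is worth turning the LDIF that *ldapsearch* prints into a plain member list
that can be compared with the team roster. The script below is an added example,
not part of the DataONE documentation; the LDIF it parses is constructed with an
assumed *example.org* suffix, and in practice the output of the *ldapsearch*
command above would be piped into the same functions. It handles the one LDIF
detail that breaks naive *grep* approaches: long values are folded onto
continuation lines that begin with a single space.

```shell
#!/bin/sh
# Added example (not from the DataONE docs): extract the member list from
# the LDIF that ldapsearch prints for a group entry. The sample LDIF written
# by write_sample_ldif is constructed; example.org is an assumed suffix.

# LDIF folds long values onto continuation lines that start with one space;
# join them back before looking at attributes, and drop comment lines.
ldif_unfold() {
    awk '
        /^#/ { next }
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$@"
}

# Print one member value per line. groupOfUniqueNames uses uniqueMember,
# groupOfNames uses member, posixGroup uses memberUid.
ldif_group_members() {
    ldif_unfold "$@" |
        awk '$1 == "uniqueMember:" || $1 == "member:" || $1 == "memberUid:" { sub(/^[^:]*: */, ""); print }'
}

# Reduce DNs like uid=alice,ou=People,... to the login name; memberUid
# values are already login names and pass through unchanged.
ldif_member_uids() {
    ldif_group_members "$@" | sed 's/^uid=\([^,]*\),.*/\1/'
}

# Number of members, as a bare integer.
ldif_member_count() {
    ldif_group_members "$@" | wc -l | tr -d ' '
}

# Constructed ldapsearch output for a group entry, including one value
# folded across two lines.
write_sample_ldif() {
    cat > "$1" <<'EOF'
# extended LDIF (constructed sample, not real ldapsearch output)
#
# LDAPv3
dn: cn=dataone-shell,ou=Groups,dc=example,dc=org
objectClass: groupOfUniqueNames
cn: dataone-shell
uniqueMember: uid=alice,ou=People,dc=example,dc=org
uniqueMember: uid=bob,ou=People,dc=examp
 le,dc=org
uniqueMember: uid=carol,ou=People,dc=example,dc=org

# search result
search: 2
result: 0 Success
EOF
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp)
write_sample_ldif "$demo"
echo "members of dataone-shell ($(ldif_member_count "$demo")):"
ldif_member_uids "$demo"
rm -f "$demo"
```

Values that *ldapsearch* prints base64-encoded (attribute followed by ``::``)
are not decoded here; DNs built from plain ASCII account names, as in the group
above, are printed in clear and need no decoding.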