Assignment 4: All together I

Integration of OpenLDAP and NSS/PAM to build an identification and authentication service

The goal now is to learn how to use the secure LDAP service from a client host. To be specific, you must make it possible for any LDAP user on server-01 to open an SSH session on the frontend. SSH sessions must be the ONLY service that LDAP users can use.

  1. Make sure that the SSH service is installed and running on frontend.

  2. This host should be able to use the LDAP service on server-01 (over SSL) and thus identify and authenticate local and remote (LDAP) users. (1)

  3. Make sure that frontend and server-01 are properly linked to each other through LDAP.

(1) Consider also the following data and aspects:

  1. LDAP server URI:

    • ldaps://server-01.localdomain

    • ldap://server-02.localdomain (**)

  2. DN of the search base: dc=localdomain

  3. LDAP version to be used: 3

  4. LDAP account for root: cn=admin,dc=localdomain

  5. LDAP root account password: 'ldap'

  6. Don’t allow the LDAP administration account to behave like the local root.

  7. The LDAP database doesn’t require login.

  8. For LDAP users who connect to frontend for the first time, the system should create their $HOME directories automatically.

(**) No SSL!! Only if the optional assignment is done.
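
A way to check a finished client setup against the parameters above, as an added example that is not part of the original assignment. It assumes the client configuration is a `key value` file using the keys `uri`, `base`, `ldap_version` and `binddn`, and that the SSH PAM stack is in a separate file; the function names and sample files are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: lint an LDAP client config against the assignment's parameters.

# value_of KEY FILE: print the value(s) of the first uncommented line with that key
value_of() {
    awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# check_ldap_client CONF PAMFILE: print findings, return the number of findings
check_ldap_client() {
    conf=$1 pam=$2 fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    uris=$(value_of uri "$conf")
    [ -n "$uris" ] || fail "no uri configured"
    for u in $uris; do
        case $u in
            ldaps://server-01.localdomain*) ;;
            ldap://server-02.localdomain*) ;;   # no SSL: optional assignment only
            ldap://*) fail "cleartext URI $u for a host that must use SSL" ;;
            *) fail "unexpected URI $u" ;;
        esac
    done
    [ "$(value_of base "$conf")" = "dc=localdomain" ] || fail "search base is not dc=localdomain"
    [ "$(value_of ldap_version "$conf")" = "3" ] || fail "ldap_version is not 3"
    # The database does not require login, so no bind DN should be configured.
    [ -z "$(value_of binddn "$conf")" ] || fail "binddn is set"
    # $HOME creation on first login needs pam_mkhomedir in the session stack.
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$pam" ||
        fail "pam_mkhomedir.so missing from the session stack"
    return "$fails"
}

# Constructed sample input that satisfies every check
tmp=$(mktemp -d)
printf '%s\n' 'uri ldaps://server-01.localdomain' 'base dc=localdomain' \
    'ldap_version 3' > "$tmp/ldap.conf"
printf '%s\n' 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' > "$tmp/sshd"
check_ldap_client "$tmp/ldap.conf" "$tmp/sshd" && echo "OK: client config matches"
```

The check covers only the connection parameters and home-directory creation; restricting LDAP users to SSH has to be verified separately.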
