How PAM-LDAP Authentication Works
Authentication itself is carried out by the service that requires it (for example ssh, su or ftp), which selects the PAM modules named in the matching configuration file under /etc/pam.d/ and runs them one after another. Each authentication module obtains the user name and the user's credential from the authentication candidates (the credential may be prompted from the user, or handed over by the previous authentication module). pam_ldap.so is the PAM module that authenticates against LDAP.

It first obtains the user name (uid), normally from the preceding module, and then uses the DN given in the binddn field and the password given in the bindpw field of /etc/pam_ldap.conf (on Linux versions other than RHEL6 x86_64 the corresponding file is /etc/ldap.conf or /etc/pam.conf), that is, the user name and password specified by binddn/bindpw, to search the LDAP server for the DN of the entry whose uid is the one being verified (note: this is the user passed in to pam_ldap.so, not the user named by binddn). Because the search is performed under the identity of the binddn DN, the access control configuration on the LDAP server side must grant that DN read permission on the user entries. If the LDAP service allows anonymous queries, there is no need to configure binddn/bindpw in pam_ldap.conf at all.

Once the entry of the user being verified has been retrieved, pam_ldap.so obtains the password from the authentication candidates (generally from the previous module, which is usually pam_unix.so) and attempts a second bind to the LDAP server, pairing the DN found for this uid with the password the user entered. Take particular care not to set the rootbinddn field in /etc/pam_ldap.conf: if it is set, the DN used for the final bind attempt is the one given by rootbinddn rather than the DN found for the user being authenticated, and the bind will certainly fail. If the LDAP server reports that the bind succeeded, PAM reports that the user has passed the authentication test provided by pam_ldap.so. Depending on the PAM configuration (the files under /etc/pam.d, or /etc/pam.conf), other authentication steps or tests may run before the user sees a command prompt.
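The search-then-bind flow above, as an added model (not code from the page or from pam_ldap itself): a tiny in-memory stand-in for the LDAP server replaces a real connection, and the DNs, passwords and the pam_ldap.conf fragment are constructed sample values. It also shows the two failure modes the text warns about: a binddn without read access (or an anonymous search where anonymous reads are denied) finds no entry, and a configured rootbinddn makes the final bind use the wrong DN.

```python
# Constructed stand-in for the LDAP server: dn -> (userPassword, attributes)
DIRECTORY = {
    "cn=pamproxy,dc=example,dc=com": ("proxy-secret", {}),
    "uid=ldapuser,ou=People,dc=example,dc=com": ("s3cret", {"uid": "ldapuser"}),
}
# Simplified server-side access control: only these DNs may read user entries.
# An anonymous search (bound_dn None) is therefore refused in this sample.
READ_ACL = {"cn=pamproxy,dc=example,dc=com"}
SAMPLE_CONF = """# constructed /etc/pam_ldap.conf fragment
base dc=example,dc=com
binddn cn=pamproxy,dc=example,dc=com
bindpw proxy-secret
"""

def parse_pam_ldap_conf(text):
    """Parse the 'key value' lines of pam_ldap.conf; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def ldap_bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password

def ldap_search_uid(bound_dn, base, uid):
    """Search base for (uid=<uid>) as bound_dn; the ACL decides if reads are allowed."""
    if bound_dn not in READ_ACL:
        return None
    for dn, (_, attrs) in DIRECTORY.items():
        if dn.endswith(base) and attrs.get("uid") == uid:  # crude subtree match
            return dn
    return None

def pam_ldap_authenticate(conf, uid, password):
    """Search-then-bind as pam_ldap.so does; returns (ok, detail)."""
    binddn = conf.get("binddn")  # None means the search is anonymous
    if binddn is not None and not ldap_bind(binddn, conf.get("bindpw", "")):
        return False, "binddn/bindpw bind failed"
    user_dn = ldap_search_uid(binddn, conf["base"], uid)
    if user_dn is None:
        return False, "uid not found (missing entry or binddn lacks read access)"
    # If rootbinddn is set, the final bind uses that DN instead of the user's DN.
    final_dn = conf.get("rootbinddn", user_dn)
    if not ldap_bind(final_dn, password):
        return False, f"bind as {final_dn} failed"
    return True, final_dn
```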
Setup Procedure (within RHEL6)
0. Precondition
To use LDAP for authentication through PAM, it is required that an LDAP service has been properly provisioned with necessary user/group data.
It's better to provide two sub-trees in your LDAP database:
- a user sub-tree to hold all users' information (eg, ou=people,dc=example,dc=com);
- a group sub-tree to hold group information of all users (eg, ou=groups,dc=example,dc=com);
Each user entry must include the posixAccount and shadowAccount objectClasses. Since LDAP is usually used as a single point for both generic authentication and directory service, it is wise to define the user entry as an inetOrgPerson as well.
For each user's group entry, it must include a posixGroup objectClass.
dn: cn=lukeyang,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: lukeyang
gidNumber: 505
# memberUid holds the member's login name, not a numeric id
memberUid: lukeyang
You can manually create an LDIF file for each user and add the entry to the LDAP database with the ldapadd command. Alternatively, you can use PADL.com's MigrationTools (already included in RHEL 6 as part of OpenLDAP; they actually come from the University of Michigan LDAP distribution, the predecessor of OpenLDAP) to migrate the existing user/group information (or other data) from /etc/passwd and /etc/group into LDIF format. The detailed manual is available from http://www.padl.com/OSS/MigrationTools.html.
An example of using MigrationTools to migrate one account, "ldapuser", from /etc/passwd into the LDAP database (via ldapadd):
# grep ldapuser /etc/passwd > passwd.in
# ./migrate_passwd.pl passwd.in > passwd.ldif
# cat passwd.ldif
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TeOlOcMc$cpQaa0WpLSFRC1HIHW5bt1
shadowLastChange: 13048
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser
gecos: ldapuser
# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f passwd.ldif