Adding login for LDAP users to Ubuntu 17.10 client with TLS

I’ve configured an LDAP database with users, now I need to setup a client(fangorn) to log in.  This client is running Ubuntu 17.10.

david@fangorn:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 17.10
Release:	17.10
Codename:	artful

Installing the Client LDAP Modules

Using apt, install the libpam and libnss ldap modules.

apt install libpam-ldapd libnss-ldapd

The debconf prompts the user to enter the nslcd daemon configuration data:
set the ldap server to ldap://barad-dur.telperion.org
set ldap search base to dc=telperion,dc=org
select passwd, group, shadow as services to configure

Configuring the Modules for TLS

Unfortunately, that isn’t enough, we also need to configure the nslcd daemon for secure tls access. Edit /etc/nslcd.conf to configure. The nslcd.conf manpage has helpful hints for any further configuration.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://barad-dur.telperion.org

# The search base that will be used for all queries.
base dc=telperion,dc=org

# The LDAP protocol version to use.
ldap_version 3

# force ldap to use start_tls protocol to setup tls connections
ssl start_tls

# force the tls connection to verify the other end
# using a cert signed by the CA
tls_reqcert demand

# path to pem file containing CA and CA intermediate files
tls_cacertfile = /etc/ssl/certs/telperion.org.ca-chain.cert.pem

# path to the client certificate
tls_certfile = /etc/ssl/certs/fangorn.telperion.org.cert.pem

# path to key file containing the private key for the cert
tls_key = /etc/ssl/private/fangorn.telperion.org.key.pem

# uncomment to enable logging to syslog for debugging issues
#log syslog debug

If you experience issues, try adding logging to the nslcd service by adding the following line to /etc/nslcd.conf and restarting nslcd service.

log syslog debug

pam ldap uses the default ldap.conf file located in /etc/ldap. Edit /etc/ldap/ldap.conf to add similar key paths and requirements for verification.

BASE    dc=telperion,dc=org
URI     ldap://barad-dur.telperion.org
TLS_CACERT      /etc/ssl/certs/telperion.org.ca-chain.cert.pem
TLS_CERT        /etc/ssl/certs/fangorn.telperion.org.cert.pem
TLS_KEY         /etc/ssl/private/fangorn.telperion.org.key.pem
TLS_REQCERT     demand

Make sure permissions are setup correctly on the private keys. The private key should be readable by root and ssl-cert group.

root@fangorn:/etc/ssl/private# ls -l fangorn.telperion.org.key.pem 
-r--r----- 1 root ssl-cert 288 Feb 17 10:44 fangorn.telperion.org.key.pem

The user nslcd must be added to the ssl-cert group using the command usermod -a -G ssl-cert nslcd, otherwise start_tls will fail.

Also make sure the certs have the correct permissions:

root@fangorn:/etc/ssl/certs# ls -l | grep telperion
-r--r--r-- 1 root root   1208 Feb 17 10:44 fangorn.telperion.org.cert.pem
-r--r--r-- 1 root root   1836 Feb 17 10:43 fangorn.org.ca-chain.cert.pem

Now that everything is configured, we need to restart the nslcd and nscd services to use the configuration. On ubuntu, run systemctl restart nscd and systemctl restart nslcd.

Testing Configuration

To validate that our configuration is working for nss (using the nslcd daemon installed above), we can use genent passwd to see your ldap users. I recently added a user account for Lobelia Sackville-Baggins as a member of the telperionusers group.

root@fangorn:~# getent passwd | grep lobelia
lobelia:x:10000:5000:Lobelia Sackville-Baggins:/home/lobelia:/bin/bash
root@fangorn:~# getent group | grep telperionusers
telperionusers:*:5000:
root@fangorn:~# getent shadow | grep lobelia
lobelia:*:::::::0

To get pam working out of the box, I didn’t need to do much. Simply restarting the nscd daemon was all that was required.

Running su -l lobelia with the password, I was able to log in.   Lobelia doesn’t yet have a home directory though.   We can configure pam to handle some of these setup items for us… another post.