LDAP for Mobile Laptops

Introduction

Do you use LDAP and Kerberos on your Linux laptop? Do you wish your laptop worked when away from your LDAP and Kerberos servers?

This is an effort to document the settings and work necessary to allow a laptop to use LDAP and Kerberos for network information and authentication without sacrificing mobility.

Settings

/etc/nsswitch.conf

The Name Service Switch configuration file should list both local files and LDAP as lookup sources, with files first, so local accounts still resolve when the LDAP server is out of reach.

passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

/etc/pam.d/system-auth

In addition to the Kerberos PAM modules, pam_ccreds is used to cache authentication tokens locally. This allows a laptop to authenticate a user when the Kerberos server is not available. The pam_ccreds module had to be modified so that non-root applications could authenticate. See Red Hat Bugzilla #151914.

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so

## If the KDC is unavailable, ignore the result and let pam_ccreds try.
## success=1 skips one module down, default=2 skips two modules down.
auth        [authinfo_unavail=ignore success=1 default=2] /lib/security/$ISA/pam_krb5.so use_first_pass

## Patched pam_ccreds to allow xscreensaver (non-root) to validate.
## Validate against the cached credentials, if available.
auth        [default=done] /lib/security/$ISA/pam_ccreds.so action=validate use_first_pass

## Patched pam_ccreds to allow xscreensaver (non-root) to store/update.
## Store (cache) valid credentials locally.
auth        [default=done] /lib/security/$ISA/pam_ccreds.so action=store
## Delete the cached credentials after a failed Kerberos authentication.
auth        [default=done] /lib/security/$ISA/pam_ccreds.so action=update

auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
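To trace how the bracketed control flags above route a login through pam_krb5 and the three pam_ccreds actions, here is an added Python simulator (not from this page, Linux-PAM or pam_ccreds); it writes required/sufficient in their bracketed form and assumes that action=update returns a failure after deleting the cache.

```python
# Added example: a minimal evaluator for the bracketed PAM control syntax
# used in the "auth" stack above, traced for three scenarios: KDC reachable
# and password correct, KDC unreachable, KDC reachable and password wrong.
from typing import Dict, List, Tuple

# (module label, control dict). "required"/"sufficient" are written out in
# their bracketed equivalents; pam_ccreds is split into its three actions.
AUTH_STACK: List[Tuple[str, Dict[str, str]]] = [
    ("pam_env",             {"success": "ok",   "default": "bad"}),
    ("pam_unix",            {"success": "done", "default": "ignore"}),
    ("pam_krb5",            {"authinfo_unavail": "ignore", "success": "1", "default": "2"}),
    ("pam_ccreds:validate", {"default": "done"}),
    ("pam_ccreds:store",    {"default": "done"}),
    ("pam_ccreds:update",   {"default": "done"}),
    ("pam_deny",            {"success": "ok",   "default": "bad"}),
]

def run_auth(returns: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack. `returns` maps a module label to the PAM return value it
    yields in this scenario (unlisted modules return "success"). Gives back the
    overall result and the list of modules that actually executed."""
    status, ran, i = None, [], 0
    while i < len(AUTH_STACK):
        name, control = AUTH_STACK[i]
        ret = returns.get(name, "success")
        action = control.get(ret, control.get("default", "bad"))
        ran.append(name)
        i += 1
        if action == "ignore":           # module has no say in the result
            continue
        if action.isdigit():             # jump: skip N modules, result untouched
            i += int(action)
            continue
        if status in (None, "success"):  # ok/done/bad/die all record the first failure
            status = ret
        if action in ("done", "die"):    # stop walking the stack
            break
    return status or "success", ran

# Constructed scenarios. The user lives in LDAP, not /etc/passwd, so pam_unix
# reports user_unknown; pam_deny always fails.
ONLINE_OK = {"pam_unix": "user_unknown", "pam_deny": "auth_err"}
OFFLINE = {"pam_unix": "user_unknown", "pam_krb5": "authinfo_unavail", "pam_deny": "auth_err"}
# Assumption: action=update returns a failure after deleting the cache. With
# [default=done] that return value becomes the final answer for a bad password.
ONLINE_BAD = {"pam_unix": "user_unknown", "pam_krb5": "auth_err",
              "pam_ccreds:update": "auth_err", "pam_deny": "auth_err"}

if __name__ == "__main__":
    for label, scenario in (("online/ok", ONLINE_OK), ("offline", OFFLINE), ("online/bad", ONLINE_BAD)):
        print(label, run_auth(scenario))
```

The offline trace shows that pam_ccreds action=validate is only reached through the authinfo_unavail=ignore branch, while a rejected password jumps straight to action=update.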

/etc/nscd.conf

The nscd daemon caches name service information. Normally used to reduce the number of LDAP queries and improve performance, it can also be configured to keep entries for long periods, which lets it answer passwd, group and hosts lookups when the laptop cannot contact the LDAP server. Raising reload-count and positive-time-to-live, and enabling persistent so the cache survives nscd restarts, keep the cached entries available for extended periods of time.

server-user		nscd
debug-level		0
reload-count		unlimited
paranoia		no

enable-cache		passwd		yes
positive-time-to-live	passwd		2592000
negative-time-to-live	passwd		20
suggested-size		passwd		211
check-files		passwd		yes
persistent		passwd		yes
shared			passwd		yes

enable-cache		group		yes
positive-time-to-live	group		2592000
negative-time-to-live	group		20
suggested-size		group		211
check-files		group		yes
persistent		group		yes
shared			group		yes

enable-cache		hosts		yes
positive-time-to-live	hosts		2592000
negative-time-to-live	hosts		20
suggested-size		hosts		211
check-files		hosts		yes
persistent		hosts		yes
shared			hosts		yes

/etc/ldap.conf

The bind_policy soft option stops nss_ldap from retrying a failed connection to the LDAP server. With the default hard policy, nss_ldap retries several times when the server is unreachable, which can pause routine operations for several seconds.

bind_policy soft
base dc=flyn,dc=org
uri ldaps://golem.flyn.org/   
timelimit 5
bind_timelimit 5
ssl start_tls
ssl on
tls_cacertdir /etc/openldap/cacerts
pam_password md5

/etc/krb5.conf

The kdc_timeout and max_retries options reduce the time the laptop waits for a connection to the Kerberos server. Setting both low lets the laptop give up on Kerberos requests quickly and fall back on the cached credentials.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = flyn.org
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 flyn.org = {
  kdc = golem.flyn.org:88
  admin_server = golem.flyn.org:749
  default_domain = flyn.org
 }

[domain_realm]
 .flyn.org = flyn.org
 flyn.org = flyn.org

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   kdc_timeout = 1
   max_retries = 1
 }

Issues

  1. The nscd system does not support disconnected operation correctly (see glibc Bugzilla bug #2132).
  2. The pam_ccreds module is not fully integrated into Fedora (see Red Hat Bugzilla bug #145044).
  3. The pam_ccreds module does not yet fully integrate with SELinux (see Red Hat Bugzilla bug #154133).