NSS and PAM for LDAP

1. LDAP client configuration

You can configure your OpenLDAP client and server as described in the relevant article. However, if your directory server is RHDS, the way you import the server security certificate changes and becomes:

cd /etc/dirsrv/slapd-webserver
# trust the CA under its subject-hash name, as OpenLDAP expects in tls_cacertdir
hash=`openssl x509 -noout -hash -in cacert.asc`
cp -i cacert.asc /etc/openldap/cacerts/$hash.0
# export the CA certificate from the RHDS NSS database and convert it to PEM
pk12util -d . -o ourdom-ldap-ca.p12 -n "CA certificate" -k pwdfile.txt
openssl pkcs12 -in ourdom-ldap-ca.p12 -nokeys -out ourdom-ldap-ca.crt
rm ourdom-ldap-ca.p12
mkdir -p /etc/pki/ldap
mv ourdom-ldap-ca.crt /etc/pki/ldap
cat /etc/pki/ldap/ourdom-ldap-ca.crt >> /etc/openldap/cacerts.pem

2. NSS in Redhat

The NSS-for-LDAP configuration file is /etc/ldap.conf:

uri ldaps://server.ourdom.com:636
base dc=ourdom.com
ldap_version 3

rootbinddn cn=root,dc=ourdom.com
binddn cn=browse,dc=ourdom.com
bindpw browse4ourdom

timelimit 5
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
timeout 5

pam_lookup_policy no
pam_password exop
nss_base_passwd ou=users,dc=ourdom.com?one
nss_base_shadow ou=users,dc=ourdom.com?one
nss_base_group  ou=groups,dc=ourdom.com?one

#ssl start_tls
ssl on

tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts.pem
tls_cacertdir /etc/openldap/cacerts

#debug 255
#logdir /tmp/nsslogs

Store the password of the LDAP root bind entry in /etc/ldap.secret and prevent unauthorized access to it:

chown root:root /etc/ldap.secret
chmod 400 /etc/ldap.secret

Depending on your LDAP server of choice, the user and group search bases can differ. For example, for RHDS:

nss_base_passwd ou=People,dc=ourdom,dc=com?one
nss_base_group  ou=Groups,dc=ourdom,dc=com?one

We must ensure that system users like "haldaemon" or "root" are never looked up in LDAP, otherwise system boot can hang in various places, e.g. during message bus startup. Therefore, add a line like the following to /etc/ldap.conf:

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse

Also notice the binddn and bindpw configuration parameters. They describe how NSS LDAP should connect to the LDAP server when invoked by a non-root user. If you omit them, the library connects anonymously. Allowing anonymous access to the directory is bad because anybody on the network might browse the directory. Using a real login account for browsing is not an option either, because anyone on the box can read /etc/ldap.conf and consequently obtains its password. As a solution you can create a special browsing account in the LDAP directory, with read-only rights, and record its credentials in binddn/bindpw.
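As an added example (my own, not code from the page), a POSIX shell audit of an ldap.conf and ldap.secret against the rules in this section: peer verification and a CA file are configured, a non-root browsing bind DN with a password is set, root appears in nss_initgroups_ignoreusers with no stray whitespace in the list, and the secret file is mode 0400 and owned by root. The function names and the sample config written by make_sample_conf are constructed for the demonstration.

```shell
# Added example (my own, not the page's code): audit an nss_ldap-style
# ldap.conf and ldap.secret for the settings this section relies on.

# Print a directive's value, ignoring commented-out copies ("#ssl start_tls").
ldap_conf_get() {                        # $1 = file, $2 = directive
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 when the config follows the page's rules; report each violation on stderr.
audit_ldap_conf() {                      # $1 = ldap.conf path
    conf=$1 rc=0
    [ "$(ldap_conf_get "$conf" tls_checkpeer)" = yes ] ||
        { echo "tls_checkpeer is not yes: server certificate unverified" >&2; rc=1; }
    [ -n "$(ldap_conf_get "$conf" tls_cacertfile)$(ldap_conf_get "$conf" tls_cacertdir)" ] ||
        { echo "no tls_cacertfile/tls_cacertdir: nothing to verify against" >&2; rc=1; }
    [ -n "$(ldap_conf_get "$conf" binddn)" ] && [ -n "$(ldap_conf_get "$conf" bindpw)" ] ||
        { echo "binddn/bindpw missing: non-root lookups bind anonymously" >&2; rc=1; }
    [ "$(ldap_conf_get "$conf" binddn)" != "$(ldap_conf_get "$conf" rootbinddn)" ] ||
        { echo "binddn is the root bind DN: its password is world-readable" >&2; rc=1; }
    ignore=$(ldap_conf_get "$conf" nss_initgroups_ignoreusers)
    case ",$ignore," in
        *,root,*) ;;
        *) echo "root missing from nss_initgroups_ignoreusers: boot may hang" >&2; rc=1 ;;
    esac
    case "$ignore" in      # a space after a comma leaves " news" in the list, not "news"
        *[[:space:]]*) echo "whitespace inside the ignoreusers list" >&2; rc=1 ;;
    esac
    return $rc
}

# Return 0 when the secret file is mode 0400 and owned by $2 (default root).
check_secret_perms() {                   # $1 = file, $2 = expected owner
    set -- "$1" "${2:-root}" $(ls -ld "$1")   # now $3 = mode string, $5 = owner
    case "$3" in -r--------*) [ "$5" = "$2" ] ;; *) false ;; esac
}

# Constructed sample in the shape of the Red Hat ldap.conf shown above.
make_sample_conf() {                     # $1 = output path
    cat > "$1" <<'EOF'
uri ldaps://server.ourdom.com:636
rootbinddn cn=root,dc=ourdom,dc=com
binddn cn=browse,dc=ourdom,dc=com
bindpw browse4ourdom
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts.pem
EOF
}
```

On a client, run audit_ldap_conf /etc/ldap.conf && check_secret_perms /etc/ldap.secret; a non-zero exit with the reasons on stderr points at the setting to fix.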

Now enable LDAP for users and groups in /etc/nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns

Now test your settings: run the following command from both a root and a non-root account:

getent passwd jsmith
jsmith:x:201:201:John Smith:/home/jsmith:/bin/bash

3. PAM in Redhat

Edit /etc/pam.d/system.auth, adding or changing the following lines:

auth        sufficient    pam_ldap.so use_first_pass
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

Some daemons need a restart for the changes to take effect: Directory Server, SSH, CGP.

4. Ubuntu NSS

Install NSS-LDAP and PAM-LDAP:

apt-get install -y libnss-ldap

(it will prompt you for some settings)

Copy the LDAP server certificate to the client:

scp SRVIP:/etc/pki/ldap/ourdom-ldap-ca.crt /etc/ssl/

Configure /etc/ldap.conf:

uri ldaps://ldap.ourdom.com:636
ssl on
uri ldap://
base dc=ourdom,dc=com
rootbinddn cn=dirman
timelimit 5
bind_timelimit 5
timeout 5
bind_policy soft
idle_timelimit 600
nss_base_passwd ou=People,?one
nss_base_shadow ou=People,?one
nss_base_group  ou=Groups,?one
tls_cacertfile /etc/ssl/ourdom-ldap-ca.crt

1. Connecting via ldaps causes problems with DBUS on Ubuntu. Therefore we connect on the insecure port 389, but only over a secure VPN (what about TLS?).
2. The LDAP host is specified by IP address to save on DNS lookups.
3. Timeouts should be small, or a failing LDAP server will almost freeze logins.

Ubuntu also adds:

nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,

Configure /etc/ldap.secret and /etc/nsswitch.conf like above.

5. Ubuntu PAM

I use two methods to configure LDAP PAM in Ubuntu. The first one is as follows.

Edit /etc/pam.d/common-account:

account    sufficient    pam_ldap.so
account    required    pam_unix.so

Edit /etc/pam.d/common-auth:

auth    sufficient    pam_ldap.so
auth    required    pam_unix.so nullok_secure use_first_pass

Edit /etc/pam.d/common-password:

password   sufficient  pam_ldap.so
password   required   pam_unix.so nullok obscure md5

However, there is another way to configure LDAP PAM in Ubuntu which leads to faster login times:

  • /etc/pam.d/common-auth:

auth    sufficient    pam_unix.so nullok_secure
auth    required    pam_ldap.so use_first_pass

Faster for local logins, because LDAP is checked only for non-local accounts.

  • /etc/pam.d/common-account:

account    required    pam_unix.so

pam_ldap supports account filtering, e.g. based on host or time, only when it is explicitly requested. We do not want that from LDAP, so pam_ldap is removed here completely.

  • /etc/pam.d/common-password:

password   sufficient  pam_unix.so nullok obscure md5
password   required    pam_ldap.so

Again, LDAP will be contacted only if the user is not found locally.

  • /etc/pam.d/common-session:

session    required    pam_unix.so

pam_ldap does not support PAM sessions, so we drop it here completely.

6. Troubleshooting

Now getent passwd and getent group should work as expected.

If not, create the /tmp/nsslogs directory and add/uncomment the following lines in /etc/ldap.conf:

debug 255
logdir /tmp/nsslogs

Then run getent passwd again and analyze the logs. To troubleshoot PAM, add the debug argument to the pam_ldap.so lines.

Note: the use_first_pass keyword prevents duplicate password prompts.

7. Tuning RedHat Directory Server

If your LDAP server is RHDS and you want to use the SetPassword LDAP method (use_set_password=1 in userman.ini), you have to tell the server the preferred password encryption method as follows:

  • Management Console / Servers and Applications / Server Group / Directory Server / Open
  • Directory Server / Directory / ourdom / People
  • Right-click and choose Manage password policy / for subtree
  • In the Subtree Password Policy dialog:
    • Check Create subtree level password policy
    • Check User may change password
    • Choose Password never expires
    • Uncheck Check password syntax
    • Set Password encryption = MD5 hash algorithm (or choose your preferred method)
    • Press Save, Close
  • Close all windows

This section applies to both Redhat and Ubuntu.

The default NSCD cache retention values are too long and lead to confusion. Modify /etc/nscd.conf and set retention to 1 minute:

#positive-time-to-live   passwd  600
 positive-time-to-live   passwd  60
#positive-time-to-live   group   3600
 positive-time-to-live   group   60
#positive-time-to-live   hosts   3600
 positive-time-to-live   hosts   60

Now clear NSCD cache and restart the daemon:

rm -f /var/{cache,db}/nscd/*
/etc/init.d/nscd restart

NSCD has problems with DNS too.