Setting up a Linux host for Using LDAP Accounts and TwoFactor Authentication
These instructions assume you are using Ubuntu 7.04, so YMMV.
First, install some packages:
apt-get install ntp-simple libnss-ldap tcsh libpam-radius-auth
In the configuration for libnss-ldap, when asked for an LDAP URI, use:
ldap://openldap.cscf.uwaterloo.ca
When asked for the base DN, use the following:
dc=cscf,dc=cs,dc=uwaterloo,dc=ca
Leave the "LDAP account for root" and the "LDAP root account password" blank, as the LDAP server allows anonymous queries.
In the /etc/nsswitch.conf file, add ldap to the end of the passwd line:
passwd: compat ldap
Test account lookups via LDAP by typing getent passwd. You should see all the entries for CSCF staff.
If you have not already done so, add some local time servers to /etc/ntp.conf.
Add the following lines to /etc/syslog.conf (the whitespace shown here between the selector and the destination must be a tab):
auth.info @services112.cs.uwaterloo.ca
authpriv.notice @services112.cs.uwaterloo.ca
As described in the TwoFactor document, add the RADIUS servers and shared keys to the /etc/pam_radius_auth.conf file. For this configuration, put the following in /etc/pam.d/common-auth (/etc/pam.d/sudo should remain unchanged):
auth sufficient pam_unix.so nullok_secure
auth required pam_radius_auth.so
Make sure /etc/pam.d/common-session looks like this:
session required pam_mkhomedir.so
session required pam_unix.so
session optional pam_foreground.so
Don't forget to set up the sudoers file!
To log in, CSCF staff must use their PIN and token code. On login, a home directory is created, which allows ssh public key authentication to be set up, if desired. To obtain root, sudo -s is required, again with the PIN and code from the authentication token.
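The following script is an added example and is not part of the original wiki page or of any CSCF tooling. It checks that the files configured in the steps above end up in the state described: ldap on the passwd line of nsswitch.conf, pam_unix stacked before a required pam_radius_auth in common-auth (so an LDAP account with no local password cannot log in without a token code), pam_mkhomedir in common-session, tab-separated syslog forwarding lines, and owner-only permissions on pam_radius_auth.conf. Every check takes a file path, so it can be pointed at the real /etc files; the sample directory built by write_sample_config is constructed here, the RADIUS server line in it uses placeholder values, the 0600 requirement on pam_radius_auth.conf is this example's recommendation rather than a statement from the page, and the mode check assumes GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: sanity checks for the
# host configuration described above. Every check takes the path of the file
# to inspect, so the same functions run against the real /etc files or against
# the constructed samples that write_sample_config builds below.

# /etc/nsswitch.conf: the passwd line must list ldap so getent can see LDAP accounts.
check_nsswitch() {
    grep -E '^passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" >/dev/null
}

# /etc/pam.d/common-auth: pam_unix must come first, and pam_radius_auth must be
# "required" so an account without a local password cannot get in without a token code.
check_common_auth() {
    awk '
        $1 == "auth" && $3 == "pam_unix.so"        { unix_line = NR }
        $1 == "auth" && $3 == "pam_radius_auth.so" { radius_line = NR; radius_ctl = $2 }
        END { exit !(unix_line && radius_line && unix_line < radius_line && radius_ctl == "required") }
    ' "$1"
}

# /etc/pam.d/common-session: pam_mkhomedir creates the home directory on first login.
check_common_session() {
    grep -E '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' "$1" >/dev/null
}

# /etc/syslog.conf: the page requires a tab (not spaces) between the selector
# and the @host destination for both forwarding lines.
check_syslog_forwarding() {
    tab=$(printf '\t')
    if grep -E '^(auth|authpriv)\.[a-z]+ +@' "$1" >/dev/null; then
        return 1
    fi
    grep -E "^auth\.info${tab}+@" "$1" >/dev/null &&
        grep -E "^authpriv\.notice${tab}+@" "$1" >/dev/null
}

# /etc/pam_radius_auth.conf holds the RADIUS shared secrets; owner-only access
# (0600) is this example's recommendation, not something the page states.
check_radius_conf_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run every check against the files in DIR; returns the number of failures.
run_checks() {
    failures=0
    check_nsswitch "$1/nsswitch.conf" ||
        { echo "FAIL: ldap missing from passwd line in nsswitch.conf"; failures=$((failures + 1)); }
    check_common_auth "$1/common-auth" ||
        { echo "FAIL: common-auth does not stack pam_unix then pam_radius_auth (required)"; failures=$((failures + 1)); }
    check_common_session "$1/common-session" ||
        { echo "FAIL: common-session lacks pam_mkhomedir"; failures=$((failures + 1)); }
    check_syslog_forwarding "$1/syslog.conf" ||
        { echo "FAIL: syslog forwarding lines missing or not tab-separated"; failures=$((failures + 1)); }
    check_radius_conf_mode "$1/pam_radius_auth.conf" ||
        { echo "FAIL: pam_radius_auth.conf is readable by group or others"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed samples reproducing the page's settings (the RADIUS server line
# uses placeholder values, since the real servers and keys are not on the page).
write_sample_config() {
    tab=$(printf '\t')
    printf 'passwd: compat ldap\ngroup: compat\n' > "$1/nsswitch.conf"
    printf 'auth sufficient pam_unix.so nullok_secure\nauth required pam_radius_auth.so\n' > "$1/common-auth"
    printf 'session required pam_mkhomedir.so\nsession required pam_unix.so\nsession optional pam_foreground.so\n' > "$1/common-session"
    printf 'auth.info%s@services112.cs.uwaterloo.ca\nauthpriv.notice%s@services112.cs.uwaterloo.ca\n' "$tab" "$tab" > "$1/syslog.conf"
    printf '# server[:port] shared_secret timeout\nradius.example.invalid PLACEHOLDER_SECRET 3\n' > "$1/pam_radius_auth.conf"
    chmod 600 "$1/pam_radius_auth.conf"
}

sample_dir=$(mktemp -d)
write_sample_config "$sample_dir"
if run_checks "$sample_dir"; then
    echo "sample configuration passes all checks"
fi
rm -rf "$sample_dir"
```

To audit a live host, call the individual checks with the real paths, for example check_common_auth /etc/pam.d/common-auth, or copy the five files into one directory and run run_checks on it. The common-auth check deliberately rejects a stack where pam_radius_auth is marked sufficient or appears before pam_unix, since either ordering changes who is asked for a token code.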
Administration of the LDAP service can be done via a web interface at
https://watiknow.cscf.uwaterloo.ca. Access is restricted to cscf-mgmt on cscfnet.
--
JasonTestart - 28 Sep 2007