Setting up a Linux Host for Using LDAP Accounts and TwoFactor Authentication
These instructions assume you are using Ubuntu 7.04, so YMMV.
First, install some packages:
apt-get install ntp-simple libnss-ldap tcsh libpam-radius-auth
In the configuration for libnss-ldap, when asked for an LDAP URI, use:
ldap://openldap.cscf.uwaterloo.ca
When asked for the base DN, use the following:
dc=cscf,dc=cs,dc=uwaterloo,dc=ca
Leave the "LDAP account for root" and the "LDAP root account password" blank, as the LDAP server allows anonymous queries.
In the /etc/nsswitch.conf file, add ldap to the end of the passwd line:
passwd: compat ldap
Test account lookups via LDAP by typing getent passwd. You should see all the entries for CSCF staff.
If you have not already done so, add some local time servers to /etc/ntp.conf.
Add the following lines to /etc/syslog.conf (the spaces are a tab):
auth.info @services112.cs.uwaterloo.ca
authpriv.notice @services112.cs.uwaterloo.ca
As described in the TwoFactor document, add the RADIUS servers and shared keys to the /etc/pam_radius_auth.conf file. For this configuration, put the following in /etc/pam.d/common-auth (/etc/pam.d/sudo should remain unchanged):
auth sufficient pam_unix.so nullok_secure
auth required pam_radius_auth.so
Because pam_unix is "sufficient", a successful local Unix password ends the auth stack without consulting RADIUS; accounts whose password pam_unix cannot verify fall through to the "required" RADIUS step.
Make sure /etc/pam.d/common-session looks like this:
session required pam_mkhomedir.so
session required pam_unix.so
session optional pam_foreground.so
Don't forget to set up the sudoers file!
To log in, CSCF staff must use their PIN and token code. On login, a home directory is created, allowing for the setup of ssh public key authentication, if desired. To obtain root, sudo -s is required with the PIN and code from the authentication token.
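An added audit script (not part of the original page) that checks a host against the nsswitch and PAM layout given above, and reports whether a local Unix password alone satisfies the auth stack. It takes file paths as arguments (assumed to be /etc/nsswitch.conf and /etc/pam.d/common-auth on a real host) and runs offline against constructed sample files.

```sh
#!/bin/sh
# Added audit helper, not from the original wiki page. Each function takes a
# file path so it can be pointed at /etc/nsswitch.conf and
# /etc/pam.d/common-auth on a real host, or at the constructed samples below.

# Print the non-comment lines of a config file.
active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# Exit 0 if the passwd line lists ldap as a lookup source.
nss_passwd_has_ldap() {
    active_lines "$1" | grep -E '^passwd:.*[[:space:]]ldap([[:space:]]|$)' >/dev/null
}

# Exit 0 if the auth stack has an active "auth required pam_radius_auth.so".
pam_radius_required() {
    active_lines "$1" | awk '
        $1 == "auth" && $2 == "required" && $3 == "pam_radius_auth.so" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if a "sufficient" module precedes the RADIUS line. A successful
# sufficient module ends the stack, so with the page's layout a correct local
# Unix password satisfies auth without asking RADIUS; only accounts whose
# password pam_unix cannot verify are forced through the token step.
local_password_bypasses_token() {
    active_lines "$1" | awk '
        $1 == "auth" && $2 == "sufficient" && !seen_radius { bypass = 1 }
        $1 == "auth" && $2 == "required" && $3 == "pam_radius_auth.so" { seen_radius = 1 }
        END { exit bypass ? 0 : 1 }'
}

report() {
    nss_passwd_has_ldap "$1" && echo "nsswitch: ldap in passwd line" || echo "nsswitch: ldap MISSING"
    pam_radius_required "$2" && echo "pam: radius required" || echo "pam: radius line MISSING"
    local_password_bypasses_token "$2" && echo "pam: local password alone satisfies auth"
    return 0
}

# Constructed sample files (not copied from any real host).
NSS_OK=$(mktemp);  printf 'passwd:         compat ldap\ngroup:          compat\n' >"$NSS_OK"
NSS_BAD=$(mktemp); printf 'passwd:         compat\n' >"$NSS_BAD"
PAM_OK=$(mktemp);  printf 'auth sufficient pam_unix.so nullok_secure\nauth required pam_radius_auth.so\n' >"$PAM_OK"
PAM_BAD=$(mktemp); printf 'auth sufficient pam_unix.so nullok_secure\n#auth required pam_radius_auth.so\n' >"$PAM_BAD"

report "$NSS_OK" "$PAM_OK"
```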
Administration of the LDAP service can be done via a web interface at https://watiknow.cscf.uwaterloo.ca. Access is restricted to cscf-mgmt on cscfnet.
--
JasonTestart - 28 Sep 2007