These instructions assume you are using Ubuntu, so YMMV.
First, install some packages:
apt-get install ntp-simple libnss-ldap tcsh libpam-radius-auth
In the configuration for libnss-ldap, when asked for an LDAP URI, use:
ldap://watiknow.cscf.uwaterloo.ca
When asked for the base DN, use the following:
dc=cscf,dc=cs,dc=uwaterloo,dc=ca
Leave the Root Bind DN and password blank, as the LDAP server allows anonymous queries.
As described in the TwoFactor document, add the RADIUS servers and shared keys to the /etc/pam_radius_auth.conf file. For this configuration, put the documented PAM stack in /etc/pam.d/common-auth instead of /etc/pam.d/sudo. Don't forget to set up the sudoers file.
Make sure /etc/pam.d/common-session looks like this:
session required pam_mkhomedir.so
session required pam_unix.so
session optional pam_foreground.so
In the /etc/nsswitch.conf file, add ldap to the end of the passwd line:
passwd: compat ldap
Test account lookups via LDAP by typing getent passwd. You should see all the entries for CSCF staff.
To log in, CSCF staff must use their PIN and token code. On login, a home directory is created, allowing for the set-up of ssh public key authentication, if desired. To obtain root, sudo -s is required with the PIN and code from the authentication token.
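As an added example (not part of the original page), the script below checks the three files configured above: the passwd line in nsswitch.conf ends with ldap, pam_mkhomedir.so precedes pam_unix.so in common-session, and pam_radius_auth.conf (which holds the RADIUS shared secrets) is readable by root only. The file paths are parameters; the sample files it writes are constructed for a dry run and contain no real secret.

```shell
#!/bin/sh
# Added example: sanity checks for the NSS/PAM setup described above.
# Paths are arguments, so the checks can run on constructed copies
# (as in the demo below) or on the live files under /etc.

# check_nsswitch FILE : the passwd line must have ldap as its last source
check_nsswitch() {
    grep -E '^passwd:[[:space:]].*[[:space:]]ldap[[:space:]]*$' "$1" >/dev/null
}

# check_session FILE : pam_mkhomedir.so must come before pam_unix.so,
# otherwise the home directory is not created before the session opens
check_session() {
    awk '/pam_mkhomedir\.so/ {m=NR} /pam_unix\.so/ {u=NR}
         END { exit !(m && u && m < u) }' "$1"
}

# check_radius_perms FILE : shared secrets must not be group/world readable
check_radius_perms() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# run_demo : writes constructed sample files (placeholder secret) and
# reports the result of each check; returns 0 only if all three pass
run_demo() {
    tmp=$(mktemp -d)
    printf 'passwd: compat ldap\ngroup: compat\n' > "$tmp/nsswitch.conf"
    printf 'session required pam_mkhomedir.so\nsession required pam_unix.so\nsession optional pam_foreground.so\n' \
        > "$tmp/common-session"
    printf '# server[:port] shared_secret timeout\nradius.example.invalid PLACEHOLDER-SECRET 3\n' \
        > "$tmp/pam_radius_auth.conf"
    chmod 600 "$tmp/pam_radius_auth.conf"
    rc=0
    check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf: ok" || { echo "nsswitch.conf: FAIL"; rc=1; }
    check_session "$tmp/common-session" && echo "common-session: ok" || { echo "common-session: FAIL"; rc=1; }
    check_radius_perms "$tmp/pam_radius_auth.conf" && echo "pam_radius_auth.conf: ok" || { echo "pam_radius_auth.conf: FAIL"; rc=1; }
    rm -rf "$tmp"
    return $rc
}

run_demo
```

Run as root with the live paths (e.g. `check_radius_perms /etc/pam_radius_auth.conf`) after following the steps above.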
Administration of the LDAP service can be done via a web interface at https://watiknow.cscf.uwaterloo.ca. Access is restricted to cscf-mgmt on cscfnet.
-- JasonTestart - 28 Sep 2007