LaoBlog

Mageia 7 and LDAP authentication

I want to let the ldap user foo login in my Mageia 7 computer. The working Ldap server is in another Linux box. Usually you can make use of the utility drakconf in MCC to change the way a user authenticates in a Mageia pc. Unfortunately there's an old bug which hasn't been solved yet (I remember I had that when I migrated from Mageia 5 to Mageia 6). Well not everything is lost.

First at all follow the usual procedure to make use of Ldap through drakconf: in this way all the needed packages will be installed. You can also try to configure the authentication with Ldap, but you will see that probably it doesn't work.

Well, we need to edit the file /etc/openldap/ldap.conf and write down the parameters BASE and URI (the IP of your Ldap server) according to your server. Something like that:

BASE    dc=example,dc=com

URI     ldap://192.168.1.1:389

If you don''t make use of encryption through SSL certificates, leave everything else as it is.

the command "ldapsearch -x" and "getent passwd foo", where foo is the name of an user in our example, will let you know if the Mageia pc is able to contact the Ldap server in the other computer

Next, the most important file: /etc/pam.d/system-auth

First at all, make a copy of it. BEWARE: in case of errors, you'll find yourself locked out your pc: follow my instructions at your own risk. In the worst case you'll need to reinstall the operating system, if you aren't able to use a live distribution to correct the errors.

Drakconf isn't able for unknown reasons to change the content of /etc/pam.d/system-auth, therefore we need to edit it, by adding the following lines where appropriate:

auth        sufficient    pam_ldap.so use_first_pass
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

DO NOT COPY AND PASTE THIS AS IT IS!!

You must copy the first line among the other lines beginning with the word "auth", the second line among the other lines beginning with the word "accont", and so on. NOTE: the above lines must be written in the respective section of the file, before pam_deny.so, and after pam_unix.so. For example, for the key "auth", it should look like:

auth    [success=3 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so

You can now open a TTY and try to login with the LDAP user. If you still can't login, re-read carefuly the instruction and retry. It can also be that you have omitted installing a needed package (nsswitch? nslcd?...)

I really hope Mageia can fix this long time annoying and blocking bug very soon, we have already waited for a too long time. If you want, you can fill a bug report on the Bugzilla of Mageia: https://bugs.mageia.org/describecomponents.cgi?product=Mageia