Authenticating your Raspberry Pi users to openLDAP

It has been my experience that once you let one Pi into your life you are just going to gain more; they are so useful, versatile and cheap. Managing user accounts on them may then become an issue. We have already seen how we can set up an openLDAP server on a Raspberry Pi device. Now we look at using that server to authenticate users to other Pis. The openLDAP server forms the basis of centralized user accounts, and we implement that now.

Installing the openLDAP client onto Raspberry Pi


I am using Raspbian on my Pi, based on Debian 7 “Wheezy”. I have also set up the client in a previous tutorial, on Ubuntu 13.04. Although that is similar, it is not the same as setting up the client on the Pi, so it is worth a quick run-through.

sudo apt-get install libpam-ldapd libnss-ldapd


This will add the required PAM (Pluggable Authentication Modules) and NSS (Name Service Switch) libraries to the system. During the install we will be prompted to configure the LDAP client and NSS. You will need to know:

◉ IP Address or DNS Name of the openLDAP Server
◉ Base DN (Distinguished Name) to search for users
◉ Which services to integrate with NSS: we choose passwd, shadow and group


Allow time for the install to finish and configure; the LDAP client daemon (nslcd) and the Name Service Cache daemon (nscd) will then start. You should now be able to view user accounts in openLDAP by querying the contents of passwd: not the /etc/passwd file, but the passwd database as resolved through the name service and cached by nscd.

getent passwd

This will list both local and openLDAP users. In the following graphic, for clarity, I have searched just for my openLDAP-based user.


Home Directories


If you have a central server for home directories then there will be no need to create home directories on each Pi. However, if you haven’t set up a central server and mounted those directories locally, we can easily ask PAM to do this on user login. There is a PAM module to create user home directories. Simply add this line to the file /etc/pam.d/common-session, editing the file as root.

session required pam_mkhomedir.so umask=027 skel=/etc/skel

With this edit in place and saved, you will be able to log into your client Pi using credentials on your openLDAP server, which can also be a Pi.
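
As an added example (not part of the original tutorial), the shell functions below check the two results the steps above depend on: that the passwd, group and shadow lookups list ldap as a source, and that pam_mkhomedir.so is in the session stack with a umask that denies access to others. The function names and the sample files are made up for illustration; on a real client, pass /etc/nsswitch.conf and /etc/pam.d/common-session to audit_ldap_client.

```shell
# Added example, not from the tutorial: audit the two files the steps above change.
# nss_uses_ldap FILE DB: succeed if DB's line in an nsswitch.conf lists "ldap".
nss_uses_ldap() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                      # strip comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") hit = 1 }
        END { exit hit ? 0 : 1 }' "$1"
}

# mkhomedir_umask FILE: print the umask= option of the first active session line
# loading pam_mkhomedir.so (nothing if unset); fail if there is no such line.
mkhomedir_umask() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "session" && /pam_mkhomedir\.so/ {
            for (i = 3; i <= NF; i++) if ($i ~ /^umask=/) print substr($i, 7)
            hit = 1; exit
        }
        END { exit hit ? 0 : 1 }' "$1"
}

# audit_ldap_client NSSWITCH COMMON_SESSION: print findings and return the
# number of problems (0 means the files match what the tutorial configures).
audit_ldap_client() {
    problems=0
    for db in passwd group shadow; do
        if nss_uses_ldap "$1" "$db"; then
            echo "ok: $db lookups consult ldap"
        else
            echo "MISSING: $db has no ldap source"; problems=$((problems + 1))
        fi
    done
    if mask=$(mkhomedir_umask "$2"); then
        case "$mask" in
            *7) echo "ok: pam_mkhomedir umask=$mask keeps new homes closed to others" ;;
            *)  echo "WARN: pam_mkhomedir umask='$mask' leaves new homes open to others"
                problems=$((problems + 1)) ;;
        esac
    else
        echo "MISSING: pam_mkhomedir.so is not in the session stack"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files (not from a real host); shadow deliberately lacks ldap.
sample_dir=$(mktemp -d)
printf '%s\n' 'passwd: compat ldap' 'group: compat ldap' 'shadow: compat' > "$sample_dir/nsswitch.conf"
printf '%s\n' 'session required pam_mkhomedir.so umask=027 skel=/etc/skel' > "$sample_dir/common-session"
audit_ldap_client "$sample_dir/nsswitch.conf" "$sample_dir/common-session" || echo "problems: $?"
```
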


The video for this tutorial can be viewed on YouTube: https://www.youtube.com/watch?v=LWKkKkeQfJY
