Introduction: Make Raspberry Pi Do LDAP Authentication
Introduction
By default, a Raspberry Pi authenticates users against its local password file (/etc/passwd). If I have more than one Raspberry Pi, I have to manage a separate password file on each one. Can I avoid this?
Solution
Configure each Raspberry Pi to look up user accounts and passwords from a remote LDAP server and authenticate against it.
Scope
This instructable will show how to:
- Install LDAP authentication related packages
- Configure LDAP authentication
- Test
This instructable will NOT show how to:
- Make a Raspberry Pi into an LDAP server
Pre-requisite
There must be another Raspberry Pi on the network that runs an LDAP server holding the user account database. The two Raspberry Pi devices must be able to reach each other over the network.
Environment
The following are data about my Raspberry Pi:
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 7.8 (wheezy)
Release: 7.8
Codename: wheezy
Linux raspberrypi 3.18.7+ #755 PREEMPT Thu Feb 12 17:14:31 GMT 2015 armv6l GNU/Linux
Step 1: Configure Host Name of Raspberry Pi
Open Terminal Emulator in Raspberry Pi
sudo vi /etc/hostname
Enter:
ldapclient.example.com
Save the file. Also change the 127.0.1.1 entry in /etc/hosts to the same name, otherwise sudo warns that it cannot resolve the host; the new name takes effect after a reboot.
Step 2: Configure Raspberry Pi to Display Login Menu
Complete "Step 1" in my "Make Raspberry Pi a Multi-User Desktop" instructable.
Step 3: Install LDAP Authentication Related Packages
Open Terminal Emulator in Raspberry Pi
libnss-ldapd brings in nslcd, the lookup daemon configured in Step 4; libpam-ldapd supplies the pam_ldap module selected in Step 6; nscd is the cache restarted in Step 7. Naming all three keeps the install explicit instead of relying on apt's Recommends handling:
sudo apt-get install libnss-ldapd libpam-ldapd nscd
Step 4: Configure Name Service LDAP Connection Daemon (nslcd)
Open terminal emulator in Raspberry Pi
Modify /etc/nslcd.conf:
sudo vi /etc/nslcd.conf
Set at least the following (adjust uri and base to match your server). Note that the plain ldap:// URI shown here gives an unencrypted connection, so every password that PAM checks crosses the network in the clear; on anything but an isolated lab network use ldaps:// or STARTTLS with a pinned CA certificate (the ssl and tls_* options in nslcd.conf):
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable. Change according to your setup.
uri ldap://192.168.0.6
# The search base that will be used for all queries. Change according to your setup.
base dc=example,dc=com
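The nslcd.conf above works, but it is the weak form of the configuration. The following shell script is an added example and not part of the original instructable: it lints an nslcd.conf for the three things that matter on the client side (encrypted transport, a pinned server certificate, and a bind password that other local users cannot read), then runs itself over two constructed files, the Step 4 configuration as written and a hardened equivalent. The server name ldapserver.example.com, the CA file path, and the binddn/bindpw pair are assumptions for illustration; nslcd only needs a bind DN if your directory refuses anonymous lookups.

```shell
#!/bin/sh
# Added example, not part of the original instructable: a lint for nslcd.conf
# that flags the plaintext setup from Step 4 and shows the hardened equivalent.
# The server name, CA file path and bind DN/password below are assumptions.

# 0 if the directory connection is encrypted: an ldaps:// URI, or a ldap://
# URI with "ssl start_tls". 1 if simple binds would send passwords in clear.
nslcd_transport_is_encrypted() {
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$1" && return 0
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$1" && return 0
    return 1
}

# 0 if the server certificate is verified against a pinned CA. The check
# insists on an explicit "tls_reqcert demand|hard" plus a tls_cacertfile or
# tls_cacertdir, rather than trusting whatever libldap defaults to.
nslcd_verifies_server_cert() {
    grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(demand|hard)[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]*tls_cacert(file|dir)[[:space:]]+[^[:space:]]' "$1" || return 1
    return 0
}

# 0 if there is no bindpw, or if the file is not world-readable (the 8th
# character of "ls -ld" output is the other-read bit). Debian installs
# /etc/nslcd.conf as mode 0640 root:nslcd for exactly this reason.
nslcd_bindpw_protected() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$1" || return 0
    other_read=$(ls -ld "$1" | cut -c8)
    [ "$other_read" = "-" ]
}

# Run all checks on the file in $1; print one line per finding and return
# the number of findings (0 means the configuration passed).
audit_nslcd_conf() {
    findings=0
    nslcd_transport_is_encrypted "$1" || {
        echo "$1: ldap:// without ssl start_tls - simple binds send passwords in clear"
        findings=$((findings + 1))
    }
    nslcd_verifies_server_cert "$1" || {
        echo "$1: server certificate not pinned (need tls_reqcert demand + tls_cacertfile)"
        findings=$((findings + 1))
    }
    nslcd_bindpw_protected "$1" || {
        echo "$1: bindpw present but the file is world-readable"
        findings=$((findings + 1))
    }
    return "$findings"
}

# Constructed sample configs for a stand-alone run; these are not /etc files.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CONF="$WORK/nslcd.conf.weak"
HARD_CONF="$WORK/nslcd.conf.hardened"

# As written in Step 4: reachable, but every bind travels unencrypted.
cat > "$WEAK_CONF" <<'EOF'
uid nslcd
gid nslcd
uri ldap://192.168.0.6
base dc=example,dc=com
EOF

# Hardened: same directory, STARTTLS forced, CA pinned, and a lookup
# account whose password sits in a file only root and nslcd can read.
cat > "$HARD_CONF" <<'EOF'
uid nslcd
gid nslcd
uri ldap://ldapserver.example.com
base dc=example,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ldap-ca.pem
binddn cn=nslcd,dc=example,dc=com
bindpw assumed-lookup-password
EOF
chmod 0640 "$HARD_CONF"

for f in "$WEAK_CONF" "$HARD_CONF"; do
    if audit_nslcd_conf "$f"; then
        echo "$f: OK"
    else
        echo "$f: $? finding(s)"
    fi
done
```

Run it with sh to see the Step 4 file produce two findings and the hardened file pass; point audit_nslcd_conf at the real /etc/nslcd.conf to check a client. After Steps 5 and 7 are done, `getent passwd john` confirms the NSS side (the entry must print before a PAM login can possibly succeed), which separates lookup problems from password problems when Step 8 fails.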
Step 5: Configure Name Service Switch
Open terminal emulator in Raspberry Pi
Check that ldap is listed for the passwd, group and shadow databases in the following file. If not, add it. Keep compat first so that local accounts such as pi and root are still resolved from /etc/passwd even when the LDAP server is unreachable:
sudo vi /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Save the file if any changes are made.
Step 6: Configure Pluggable Authentication Modules (PAM)
Open terminal emulator in Raspberry Pi
sudo pam-auth-update
Tick both "Unix authentication" and "LDAP Authentication" in the profile list
Enter "OK"
Step 7: Restart the Connection and Caching Daemon
Open terminal emulator in Raspberry Pi
Restart the Name Service LDAP Connection Daemon so it picks up the new nslcd.conf
sudo service nslcd stop
sudo service nslcd start
Restart the Name Service Cache Daemon, which caches passwd and group lookups and would otherwise keep serving pre-change results
sudo service nscd stop
sudo service nscd start
Step 8: Test Authentication Using Login Shell
We are going to login in to "john" account created in my "Installing LDAP Server" instructable.
Open terminal emulator in Raspberry Pi
su - john
Password: (enter johnldap)
Terminal emulator will display the following:
No directory, logging in with HOME=/
LDAP authentication is successful. The message "No directory, logging in with HOME=/" comes from su: the password was accepted, but the home directory recorded in john's LDAP entry does not yet exist on this client, so su falls back to /. Step 9 fixes this.
Step 9: Configure PAM to Auto-create Home Directory Upon Valid Authentication
Open terminal emulator in Raspberry Pi
sudo vi /etc/pam.d/common-session
Insert the following directive after the line "# end of pam-auth-update config". Everything between "# here are the per-package modules" and that end marker is rewritten each time pam-auth-update runs, so a line placed inside the managed block is lost the next time Step 6 is repeated:
session required pam_mkhomedir.so umask=027 skel=/etc/skel
Save the file
Step 10: Test Authentication Using X Display Manager
Reboot Raspberry Pi
Use the following test account:
user: john password: johnldap
The Raspberry Pi takes 1 to 3 minutes to complete the LDAP authentication and auto-create the home directory
Open terminal emulator in Raspberry Pi
pwd
/home/ldap/john
The LDAP authentication is successful and the home directory was auto-created as expected