
Allowing Authentication - Building the LDAP Client

posted Nov 23, 2014, 5:08 PM by Joshua S   [ updated Dec 7, 2014, 12:08 PM ]
This post demonstrates how to integrate LDAP and Samba authentication into a RaspberryPi.  This will allow for central management of authentication and authorization.

LDAP (Lightweight Directory Access Protocol) allows for central authentication (UserIDs and Passwords) and authorization (Security Groups), along with a number of other centralized management functions such as distribution lists.  When integrated with Samba, it can be leveraged to support Windows shares under the SMB protocol.

This is the fourth project in the series and several others assume this is in place and integrated into the template (see the template projects) in order to work.

Most of these projects can be performed in any order, but if you follow the order outlined here it will all definitely work.  I've found a number of guides to help me, but many have partial documentation, skip key steps, etc.  The goal is to build out a guide with everything you need to complete each step, but let me know if I miss something or it isn't clear.

For each template and initial setup, I used an 8GB memory card.  With the B+, the image you back up will be the full size of the card whether you expand the file system or not.  For the actual projects, I use a mix of card sizes -- generally 32GB, but I like my templates and initial setup configs to be 8GB to reduce the storage size of my backups.

Supply List:
  • LDAP Admin - LDAP Admin is a free Windows LDAP client and administration tool for LDAP directory management.
  • MicroSD Card - A digital memory card, initially designed for media (think a camera) but which will serve as the hard drive for the RaspberryPi.  All tutorials will focus on the 8GB size, but you can easily use this process for a larger format also.  This should be pre-loaded with the template image created in the previous project (template step 01).
  • PuTTY - A free SSH client which is excellent for working at the command line.  I know, I know, no one loves the Command Line any more, but the more you use the RaspberryPi the more you will quickly learn that CommandLine > GUI.
  • RaspberryPi B+ - The actual RaspberryPi hardware this will all be built around.
  • Win32 Disk Imager - A Free Open Source Software (FOSS) utility to write image (.IMG) files to various flash card media (SD, MicroSD, etc.).  Download the software from the website.

Project:
  • Write the image you plan to enhance to the SD Card and load it into the RaspberryPi.  In this example, we'll use the template file, created in a previous tutorial.  
  • Using PuTTY (or whatever SSH client you prefer) connect to the IP address of the RaspberryPi.  You should know this from the previous step (192.168.84.158 in this example), but if you do not, follow the steps at the beginning of the first lesson which show how to use AngryIP scanner to locate the IP address.
  • Once connected, log onto the Pi using:
    • UserID:  pi 
    • Password:  raspberry

  • Raspbian uses Advanced Package Tool (APT) to manage and install software.  First, we need to update the tool using:
    • sudo apt-get -y update
  • Now let's update the software currently loaded.  There are several ways to do this, but if we issue the dist-upgrade command it will intelligently add software, update packages, and remove unneeded packages.
    • sudo apt-get -y dist-upgrade
  • Finally, let's upgrade the Pi Kernel:
    • sudo rpi-update
  • Let's reboot now that the upgrades are complete:
    • sudo reboot

  • OK, good!  Now that everything is updated, let's install our LDAP client.  Use the following commands:
    • sudo apt-get -y install libpam-ldapd libnss-ldapd
      • libpam-ldapd - Integrates OpenLDAP with the Pluggable Authentication Module in Linux.
      • libnss-ldapd - Integrates OpenLDAP with the Name Service Switch functionality in Linux.
  • During the install, you will be prompted to enter the server location.  This can be done with an IP address or URL, but it is recommended to use the IP address to prevent authentication errors if there is a failure in the DNS server.  Accept the search base distinguished name on the next screen, and then select every option on the services screen by pressing space and the down arrow.



  • To allow a user to log onto the Pi using LDAP, we need to edit the /etc/pam.d/common-session file using nano and add the following line which will create home directories for LDAP users if they do not already exist.  A full example of this file is attached at the bottom of this lesson for reference.
    • session required pam_mkhomedir.so umask=0022 skel=/etc/skel

  • Issue the following commands to check if the configuration is working.  The first should list Users, with LDAP Users listed at the end, while the second should list Groups, with LDAP Groups listed at the end.
    • sudo getent passwd
    • sudo getent group



  • If all looks good, then all we have left is to install the samba client.  Use the following commands:
    • sudo apt-get -y install smbclient
      • smbclient - SMB/CIFS file, print, and login client for Unix.
  • Power off the RaspberryPi and pull out the MicroSD card.  Insert it into your computer's card reader and run Win32 Disk Imager.  Enter a name for the new template image file and select the "Read" button.
  • Mission accomplished!  You finished creating a template image for your RaspberryPi!
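
The checks from the steps above can be scripted. The following is an added example, not part of the original post: it confirms that /etc/nsswitch.conf lists ldap for passwd, group and shadow, that /etc/pam.d/common-session loads pam_mkhomedir.so, and prints the accounts that getent returns but /etc/passwd lacks. The function names and the --run flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify the LDAP client setup.
# Function names and the --run flag are hypothetical, chosen for this example.

# nss_uses_ldap FILE DB
# Succeeds if DB's line in an nsswitch.conf-style FILE lists "ldap" as a source.
nss_uses_ldap() {
    awk -v db="$2:" '
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break          # rest of the line is a comment
                if ($i == "ldap") found = 1
            }
        }
        END { exit !found }' "$1"
}

# pam_has_mkhomedir FILE
# Succeeds if an uncommented "session" line in FILE loads pam_mkhomedir.so.
pam_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_mkhomedir\.so' "$1"
}

# ldap_only_accounts GETENT_OUTPUT LOCAL_FILE
# Prints names present in saved getent output but absent from the local file,
# which are the entries supplied by LDAP.
ldap_only_accounts() {
    awk -F: 'NR == FNR { have[$1] = 1; next } !($1 in have) { print $1 }' "$2" "$1"
}

# run_checks: apply the checks to the live system files on the Pi.
run_checks() {
    rc=0
    for db in passwd group shadow; do
        nss_uses_ldap /etc/nsswitch.conf "$db" ||
            { echo "FAIL: $db does not list ldap in /etc/nsswitch.conf"; rc=1; }
    done
    pam_has_mkhomedir /etc/pam.d/common-session ||
        { echo "FAIL: pam_mkhomedir.so is not enabled in common-session"; rc=1; }
    tmp=$(mktemp)
    getent passwd > "$tmp"
    echo "Accounts supplied by LDAP:"
    ldap_only_accounts "$tmp" /etc/passwd
    rm -f "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it on the Pi with the --run argument; a non-zero exit status means at least one of the configuration checks failed.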
Attachment: common-session (1k), Joshua S, Nov 23, 2014, 5:19 PM