Project accounts in DataONE are managed in an OpenLDAP instance running at NCEAS. The following procedure will enable LDAP authentication of shell accounts against the NCEAS LDAP server. It depends on the packages libnss-ldap and nscd being installed. Shell accounts on linux VMs authenticate using LDAP, typically allowing members of dataone-shell to logon using SSH.
Install libnss-ldap, nscd, and ensure ca-certificates is installed:
sudo apt-get install libnss-ldap nscd ca-certificates
It’s OK to accept the default values for LDAP configuration, as these will be replaced in the configuration process below.
Backup /etc/ldap.conf, then install this ldap.conf file in its place:
# /etc/ldap.conf settings for shell authentication using NCEAS LDAP
base ou=Account,dc=ecoinformatics,dc=org
ldap_version 3
uri ldap://ldap.ecoinformatics.org
# General configuration for shell accounts
pam_groupdn cn=dataone-shell,ou=Groups,dc=ecoinformatics,dc=org
# Restrict shell accounts to dataone-sysadmin accounts
# pam_groupdn cn=dataone-sysadmin,ou=Groups,dc=ecoinformatics,dc=org
pam_member_attribute uniqueMember
pam_password md5
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,openldap,pan,postgres,proxy,root,sshd,sync,sys,syslog,tomcat6,uucp,www-data
Note the default configuration allows shell access to members of the group dataone-shell. If more restricted access is desired, change the group to dataone-sysadmin. Access to sudo is manually enabled, the entries in ldap.conf indicate who is able to log in to the machine.
Enable pam_ldap:
sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update
Create a file /usr/share/pam-configs/d1_mkhomedir with contents:
Name: Activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
Add the following to /etc/security/group.conf:
*;*;*;Al0000-2400;adm,dialout,cdrom,plugdev,sambashare
Create a file /usr/share/pam-configs/d1_groups with contents:
Name: Activate groups
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
Required pam_group.so use_first_pass
Now update pam and restart nscd and ldap client:
sudo pam-auth-update
sudo /etc/init.d/nscd restart
sudo /etc/init.d/libnss-ldap restart
Members of the group selected in /etc/ldap.conf should now be able to log in using their DataONE credentials.
To grant sudo to a user:
sudo usermod -a -G admin USERNAME
The members of a group such as dataone-shell can be examined using an LDAP client such as ldapsearch:
ldapsearch -x -h ldap.ecoinformatics.org -b "dc=ecoinformatics,dc=org" -p 389 cn=dataone-shell