users pulled from LDAP on an SSH machine

This how-to is a note to self for the next time I have to deal with PAM and LDAP. Starting from a clean Debian box, we will build an SSH server that accepts users coming from an LDAP directory and gives them a proper environment with bash.

The overall plan looks like this:

  • step 1: install our SSH server and the other dependencies we need to handle LDAP within PAM
  • step 2: configure the LDAP client library (nslcd) to use our LDAP directory. This is the service that talks to the LDAP backend and pulls the required information
  • step 3: instruct the Name Service Switch (NSS), the service responsible for pulling user information, to use our LDAP backend
  • step 4: finish the configuration

# step 0: cleanup and start a clean box
docker rm -f debian_trash
docker run -ti --name debian_trash -p 2223:22 debian bash
apt update

# step 1:
apt install -y unison openssh-server
DEBIAN_FRONTEND=noninteractive apt install -y libnss-ldapd nslcd libpam-ldapd nscd

# step 2:
sed -i 's|uri.*|uri ldap://ldap.kerjean.me/|' /etc/nslcd.conf
sed -i 's|base.*|base dc=kerjean,dc=me|' /etc/nslcd.conf
sed -i 's|#binddn.*|binddn cn=readonly,dc=kerjean,dc=me|' /etc/nslcd.conf
sed -i 's|#bindpw.*|bindpw xxxxxx|' /etc/nslcd.conf   # replace xxxxxx with the read-only account's password; the file now holds it in clear, so keep its mode restricted

# step 3:
# afterwards check that passwd/group/shadow list ldap: grep ldap /etc/nsswitch.conf
# (newer Debian images ship "files" rather than "compat" entries, so the sed below may not match)
sed -i 's|compat.*|compat ldap|g' /etc/nsswitch.conf

# step 4:
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" >> /etc/pam.d/sshd
mkdir -p /run/sshd   # sshd refuses to start without its privilege separation directory
/etc/init.d/nslcd restart
/usr/sbin/sshd -D -e
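
As an added example (not part of the original note), a small POSIX sh checker for the nslcd.conf produced by the step 2 sed commands: it flags a world-readable file, the xxxxxx bindpw placeholder, a plain ldap:// URI without STARTTLS, and disabled certificate checking. The stat -c flag assumes GNU coreutils; the sample config written by demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original note: audit the nslcd.conf that
# the sed commands above produce before restarting nslcd.
# Assumes GNU stat (-c); the sample files and values below are constructed.

# check_nslcd_conf FILE
# Prints one WARN line per finding; returns 0 when clean, 1 otherwise.
check_nslcd_conf() {
    f="$1"
    rc=0
    # nslcd.conf stores bindpw in clear text: only its owner may read it.
    mode=$(stat -c '%a' "$f" 2>/dev/null || echo '?')
    case "$mode" in
        600|400) ;;
        *) echo "WARN: $f has mode $mode, expected 600"; rc=1 ;;
    esac

    # The sed above writes a literal xxxxxx unless it is replaced.
    if grep -Eq '^bindpw[[:space:]]+xxxxxx[[:space:]]*$' "$f"; then
        echo "WARN: bindpw is still the xxxxxx placeholder"; rc=1
    fi

    # Plain ldap:// sends the bind password and every lookup in clear
    # unless STARTTLS is enabled with 'ssl start_tls'.
    uri=$(sed -n 's/^uri[[:space:]][[:space:]]*//p' "$f")
    case "$uri" in
        ldaps://*|ldapi://*) ;;
        ldap://*)
            if ! grep -Eq '^ssl[[:space:]]+start_tls' "$f"; then
                echo "WARN: $uri without 'ssl start_tls' is unencrypted"; rc=1
            fi ;;
        *) echo "WARN: missing or unrecognised uri '$uri'"; rc=1 ;;
    esac

    # TLS without certificate verification does not authenticate the server.
    if grep -Eq '^tls_reqcert[[:space:]]+(never|allow)' "$f"; then
        echo "WARN: tls_reqcert never/allow disables server cert checks"; rc=1
    fi

    return $rc
}
# Stand-alone demo on a constructed copy of the page's weak configuration.
demo() {
    d=$(mktemp -d)
    printf 'uri ldap://ldap.kerjean.me/\nbase dc=kerjean,dc=me\nbindpw xxxxxx\n' > "$d/nslcd.conf"
    chmod 644 "$d/nslcd.conf"
    if check_nslcd_conf "$d/nslcd.conf"; then echo "clean"; else echo "fix before use"; fi
    rm -rf "$d"
}
demo
```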

From the container, we should be able to list users like this: getent passwd

Also, if we want to connect from the host: ssh -p 2223 mickael@kerjean.me@localhost