Use PAM and NSS for LDAP authentication on linux machines

LDAP authentication at console level can be achieved by using PAM and NSS. On Debian they are really easy to configure using the following commands:

apt-get install libpam-ldap libnss-ldap # will install the required tools
dpkg-reconfigure libpam-ldap # configures ldap access for PAM
dpkg-reconfigure libnss-ldap # configures ldap access for NSS

Setting up a Linux Server to use LDAP for Samba, SSH

The main issue is that Samba and SSH do not use LDAP directly; instead you have to use the technologies NSS and PAM, which then access the LDAP system. So in order to set up two systems, about five systems have to be set up, which seems difficult, and I was not able to find proper documentation about the whole process yet.
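What the two posts above leave implicit is that the files dpkg-reconfigure writes are security-sensitive: the same LDAP client settings are read by NSS (so by every process on the box) and by PAM (so by every SSH login). The script below is an added example, not code from the original page. It audits constructed copies of the classic pam_ldap/nss_ldap configuration file (/etc/libnss-ldap.conf and /etc/pam_ldap.conf on Debian of that era; nslcd and sssd have since replaced these packages and use their own files, but the same questions apply), of /etc/nsswitch.conf and of /etc/pam.d/common-auth, flagging cleartext LDAP, unverified TLS, a bind password in a world-readable file, weak client-side password hashing, ldap ordered before files, and a pam_ldap line without use_first_pass. Host names, DNs and the proxy password are assumptions. Samba can also talk to LDAP directly through passdb backend = ldapsam, which is not covered here.

```python
"""Audit of the LDAP client configuration that dpkg-reconfigure writes.

Added example, not code from the original page. It checks the classic
pam_ldap/nss_ldap keys (uri, ssl, tls_checkpeer, bindpw, pam_password) plus
the nsswitch.conf and PAM common-auth lines the posts above rely on.
All file contents here are constructed fixtures, not copied from a real host.
"""

# Constructed fixture: a typical first dpkg-reconfigure result (assumed names).
INSECURE_LDAP_CONF = """\
base dc=example,dc=org
uri ldap://ldap.example.org/
ldap_version 3
binddn cn=proxy,dc=example,dc=org
bindpw proxy-secret
ssl no
tls_checkpeer no
pam_password md5
"""

# Constructed fixture: same file with TLS enforced, the bind password moved to
# the root-only /etc/ldap.secret (used with rootbinddn) and server-side hashing.
HARDENED_LDAP_CONF = """\
base dc=example,dc=org
uri ldap://ldap.example.org/
ldap_version 3
rootbinddn cn=proxy,dc=example,dc=org
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
pam_password exop
"""

# Constructed fixtures for /etc/nsswitch.conf and /etc/pam.d/common-auth.
NSSWITCH = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
"""
COMMON_AUTH = """\
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
"""


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Findings for a pam_ldap/nss_ldap style file (empty list means clean)."""
    conf = parse_ldap_conf(text)
    findings = []
    uri = conf.get("uri", "")
    encrypted = uri.startswith("ldaps://") or conf.get("ssl", "no").lower() in ("start_tls", "on")
    if not encrypted:
        findings.append("cleartext LDAP: bind credentials cross the wire; set 'ssl start_tls'")
    elif conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("server certificate not verified; set 'tls_checkpeer yes'")
    elif "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("tls_checkpeer needs a trust anchor; set tls_cacertfile or tls_cacertdir")
    if "bindpw" in conf:  # nss_ldap's file must be world-readable, so the secret leaks
        findings.append("bindpw in a world-readable file; use rootbinddn with /etc/ldap.secret")
    if conf.get("pam_password", "").lower() == "md5":
        findings.append("pam_password md5 stores unsalted hashes; use 'pam_password exop'")
    return findings


def audit_nsswitch(text):
    """passwd/group/shadow must list ldap, with files before ldap so local
    accounts (root) still resolve when the LDAP server is unreachable."""
    findings = []
    for line in text.splitlines():
        db, sep, rest = line.partition(":")
        if not sep or line.lstrip().startswith("#"):
            continue
        db, sources = db.strip(), rest.split()
        if db not in ("passwd", "group", "shadow"):
            continue
        if "ldap" not in sources:
            findings.append(f"{db}: ldap not listed as a source")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            findings.append(f"{db}: put files before ldap")
    return findings


def audit_common_auth(text):
    """pam_ldap.so must be stacked, and with use_first_pass when it follows
    pam_unix.so so the user is not prompted for the password twice."""
    findings, seen_unix, seen_ldap = [], False, False
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        module, options = fields[2], fields[3:]
        if module == "pam_unix.so":
            seen_unix = True
        elif module == "pam_ldap.so":
            seen_ldap = True
            if seen_unix and "use_first_pass" not in options:
                findings.append("pam_ldap.so after pam_unix.so without use_first_pass")
    if not seen_ldap:
        findings.append("pam_ldap.so is not stacked in common-auth")
    return findings


def audit_all(ldap_conf, nsswitch, common_auth):
    """Run the three audits; a host is clean when every list is empty."""
    return {
        "ldap.conf": audit_ldap_conf(ldap_conf),
        "nsswitch.conf": audit_nsswitch(nsswitch),
        "common-auth": audit_common_auth(common_auth),
    }


if __name__ == "__main__":
    for name, found in audit_all(INSECURE_LDAP_CONF, NSSWITCH, COMMON_AUTH).items():
        print(name, found or "ok")
```

Run against the insecure fixture it reports three findings for the ldap.conf file and none for the other two; swap in HARDENED_LDAP_CONF and everything is clean. To use it on a real host, read the three files into the strings instead of the fixtures.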

Use the TU Vienna authentication service for TechScreen login procedure

The IT service department of the TU provides several ways to externally authenticate a student for a third-party application. Refer to http://www.zid.tuwien.ac.at/sts/dateninfrastruktur/authentifizierungsser... for full information. In short, one way is to query the authentication server via an HTTPS URL request. If the request holds an already registered TU student, the authentication server responds with the unique userID of the student. To get the full username and email address, a second query has to be sent to the TU LDAP server. So much for the authentication service.

Now the question is how to integrate the authentication process into the Drupal-based TechScreen framework. Drupal is a powerful web framework based on the programming language PHP and the database management system MySQL. It provides core functionality that may be customized to our specific needs. Customization and additional functionality are brought in by modules (the programmer side) and templates (the visual designer side).

The login block of Drupal is made of an HTML form element. Through so-called module hooks it is possible to influence the rendering process of the login block. For details on changing the form see http://www.lullabot.com/articles/modifying-forms-5-and-6. That means we have to change the form elements to our specific values, e.g. the action attribute, which points to the TU authentication server. After submitting the form, we wait for the response of the authentication service. The authentication server redirects its response to a URL we have configured before. So we have to implement a PHP script catching and evaluating the response. If the user has been successfully authenticated, the PHP authentication script checks whether the user is already a member of TechScreen. If this is the case, the user is logged in; otherwise the user is automatically registered first and logged in subsequently.
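The post above describes a three-step flow (catch the redirect, run a second LDAP query for name and mail, then log in or auto-register) but leaves open two details that decide whether the login is safe: the userID has to be validated and escaped before it is placed into an LDAP search filter, and a userID that the authentication server returns but the directory does not know must be rejected rather than auto-registered. The script below is an added model of that callback logic, not the portal's Drupal/PHP module. It assumes the userID arrives as a userID query parameter on the configured callback URL and that the directory keys students by uid, and it uses a constructed in-memory dict and member set in place of the TU LDAP server and the Drupal user table. How the callback proves that the redirect really came from the authentication server is not described on this page, so the model does not cover it.

```python
"""Model of the TechScreen login callback described in the post above.

Added example, not the portal's PHP code. Assumptions: the userID arrives as a
'userID' query parameter, the directory attribute is 'uid', and DIRECTORY and
MEMBERS are constructed stand-ins for the TU LDAP server and the Drupal users.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the TU LDAP server: uid -> attributes (fake data).
DIRECTORY = {
    "e0123456": {"cn": "Example Student", "mail": "e0123456@example.org"},
    "e0654321": {"cn": "Another Student", "mail": "e0654321@example.org"},
}

# Constructed TechScreen member table: uids that already have a portal account.
MEMBERS = {"e0123456"}

# Assumed userID syntax; tighten it to whatever the real ids look like.
USERID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# RFC 4515: characters that change the meaning of a search filter.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def user_filter(userid):
    """Filter for the second query; never interpolate the raw userID."""
    return f"(uid={escape_filter_value(userid)})"


def extract_userid(callback_url):
    """Pull the userID out of the redirect; None if absent, repeated or malformed."""
    values = parse_qs(urlparse(callback_url).query).get("userID", [])
    if len(values) != 1 or not USERID_RE.match(values[0]):
        return None
    return values[0]


def lookup(userid, directory=DIRECTORY):
    """Stand-in for the LDAP query that fetches cn and mail for a uid."""
    entry = directory.get(userid)
    return None if entry is None else dict(entry, uid=userid)


def handle_callback(callback_url, members=None):
    """Return ('reject' | 'login' | 'register', account) as the auth script would."""
    members = MEMBERS if members is None else members
    userid = extract_userid(callback_url)
    if userid is None:
        return ("reject", None)
    account = lookup(userid)
    if account is None:  # the directory does not know this id: never auto-register it
        return ("reject", None)
    if userid in members:
        return ("login", account)
    members.add(userid)  # auto-register, then log in
    return ("register", account)


if __name__ == "__main__":
    print(user_filter("*)(uid=*"))
    print(handle_callback("https://portal.example.org/tuauth?userID=e0654321", set(MEMBERS)))
```

user_filter() shows the escaping on its own: a userID of *)(uid=* becomes (uid=\2a\29\28uid=\2a) instead of widening the second query to every entry in the directory, and extract_userid() already refuses such a value before the query is built.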
Connecting an Authentication Server to a Drupal Content Management System

For my Ph.D. thesis I need a community portal which helps students share their experience about internet technologies. It turned out that the content management system Drupal is a perfect fit to fulfill the given requirements. As usual for a content management system, Drupal also has its own user management function. This means that students have to register before they may produce content on the portal. Although TechScreen is a software system at prototype level, it is already hosted on a server inside the TU computer network. Therefore it is expected to provide a login procedure which makes use of the students' TU credentials. So the big question is how to connect the TechScreen system to the TU authentication server.