Pages

Saturday, December 10, 2011

PPPD with PAM/LDAP

This article is an update to the prior released article Setting up a pppd server. In this article I want you to show how to setup PPPD with authentication against LDAP using PAM in Slackware. How to setup LDAP and PAM in Slackware is described here: LDAP for Slackware Linux
Normally pppd looks for users and their passwords that may login via PPP in /etc/ppp/pap-secrets, /etc/passwd and /etc/shadow. But when you are using LDAP for your users then you need to use PPP with PAM and LDAP.

PPP is already shipped with Slackware but has to be recompiled for PAM support. For the beginning grab the source shipped within the CD/DVD:

# mkdir -p /mnt/loop
# mount -o loop,ro slackware-13.37-install-dvd.iso /mnt/loop/
# cp -r /mnt/loop/source/n/ppp/ /usr/src

Next go into the source directory and modify the ppp.SlackBuild script. Add the parameter USE_PAM=y at the first make command that it looks like this:

# cd /usr/src/ppp
# vi ppp.SlackBuild
...
#make $NUMJOBS || make || exit 1
make USE_PAM=y
...

Then run the script to create a new PPP package. When the compile finished, you should have a new PPP package under /tmp. Then remove the old package and replace it with the new one:

# removepkg ppp
...
# installpkg /tmp/ppp-2.4.5-i486-1.txz
...

Check that /usr/sbin/pppd is available and that the setuid bit is set:

# ls -lah /usr/sbin/pppd
-rwsr-xr-x 1 root root 267K Dec  8 20:04 /usr/sbin/pppd*

When the setuid bit is not set, set it:

# chmod 4755 /usr/sbin/pppd

Then check that pppd is linked to libpam:

# ldd /usr/sbin/pppd
        ...
        libpam.so.0 => /lib/libpam.so.0 (0xb76a0000)
        ...

Now copy the pam ruleset from login to ppp:

# cd /etc/pam.d
# copy login ppp

Next make sure that the user who might use your PPP connection appears in your LDAP and in the file /etc/ppp/pap-secrets. First take a look at your LDAP:

# ldapsearch -x -b "ou=users,dc=example,dc=com" -LLL "(&(objectClass=shadowAccount)(uid=sneill))"
dn: uid=sneill,ou=users,dc=example,dc=com
cn: Sam Neill
sn: Neill
givenName: Sam
uid: sneill
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/sneill
loginShell: /bin/bash
gecos: Normal User
shadowMax: 45
mail: sam.neill@example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 15299

The user is sneill. Make sure that he appears with his LDAP password in /etc/ppp/pap-secrets:

# vi /etc/ppp/pap-secrets
# Secrets for authentication using PAP
# client        server  secret                  IP addresses
...
"sneill"        ppp01   "It'satrap!"      *
...

With this configuration you should be able use PPP with PAM/LDAP authentication. If you don't want to add each user seperated into pap-secrets then use the following syntax inside pap-secrets: 

# vi /etc/ppp/pap-secrets
# Secrets for authentication using PAP
# client        server  secret                  IP addresses
*        ppp01   *      *

With this configuration every user may connect to the server ppp01 with any password (checked by PAM) from any IP address.

Updated 12/13/2011: added pap-secrets configuration for any user