Linux PAM Authentication & LDAP Integration Tutorial

Introduction

User and group management is fundamental to Linux security and multi-user environments. This comprehensive guide covers user account creation, group management, permission configuration, sudo access, and authentication systems including PAM, LDAP, and Kerberos.

We'll explore the user authentication architecture, file permissions for collaboration, resource limits, and enterprise authentication solutions. Each section includes practical commands, configuration examples, and production best practices.

Linux Administration Series

📚 View Complete Linux Administration Guide - Master all 7 parts with our comprehensive learning path.

This is Part II of our comprehensive 7-part Linux administration guide:

Part I: File System & Process Management
Part II: User Authentication & LDAP (Current Article)
Part III: UFW Firewall & Networking
Part IV: systemd & SSH Hardening
Part V: Postfix Email Server
Part VI: QEMU KVM Virtualization
Part VII: LVM & RAID Storage

← Part I | Part III →

Linux User System Architecture

User Authentication Flow

Key Files:

/etc/passwd - User account information (public) - man page
/etc/shadow - Encrypted passwords (root only) - man page
/etc/group - Group information - man page
/etc/gshadow - Encrypted group passwords (rarely used)

Understanding /etc/passwd

Password File Structure

Each line in /etc/passwd contains 7 colon-separated fields:

username:x:UID:GID:comment:home_directory:shell

Example:

john:x:1000:1000:John Doe,Room 123,555-1234:/home/john:/bin/bash

Field breakdown:

Field	Example	Description
Username	`john`	Login name (1-32 chars, lowercase recommended)
Password	`x`	`x` = password in /etc/shadow, `*` = disabled
UID	`1000`	User ID (0 = root, 1-999 = system, 1000+ = users)
GID	`1000`	Primary group ID
Comment (GECOS)	`John Doe,Room 123,555-1234`	Full name, office, phone, etc.
Home Directory	`/home/john`	User's home directory
Shell	`/bin/bash`	Login shell (`/sbin/nologin` = no login)

View passwd file:

# Show all users
cat /etc/passwd

# Show specific user
grep john /etc/passwd

# Show only usernames
cut -d: -f1 /etc/passwd

# Show users with UID >= 1000 (regular users)
awk -F: '$3 >= 1000' /etc/passwd

Understanding /etc/shadow

Shadow File Structure

The /etc/shadow file stores encrypted passwords with enhanced security:

username:$6$salt$hash:lastchange:min:max:warn:inactive:expire:

Example:

john:$6$rounds=5000$xyz$abc123...:19000:0:99999:7:14::

Field breakdown:

Field	Description
Username	Login name
Password	Encrypted ($6$ = SHA-512, $5$ = SHA-256, $1$ = MD5)
Last Change	Days since 1970-01-01 when password was last changed
Min Days	Minimum days before password can be changed
Max Days	Maximum days before password must be changed
Warn Days	Days before expiry to warn user
Inactive	Days after expiry before account is disabled
Expire	Date when account expires (days since 1970-01-01)

Password aging commands:

# View password aging info
chage -l john

# Set password expiry (90 days)
chage -M 90 john

# Force password change on next login
chage -d 0 john

# Set account expiration date
chage -E 2025-12-31 john

# Disable password expiration
chage -M 99999 john

Creating User Accounts

User Creation Process

Creating users:

# Interactive user creation (Debian/Ubuntu)
sudo adduser john

# Low-level user creation (all distros) - see useradd man page: https://man7.org/linux/man-pages/man8/useradd.8.html
sudo useradd -m -s /bin/bash -c "John Doe" john

# useradd options:
# -m: create home directory
# -s: set shell
# -c: comment/full name
# -d: specify home directory
# -g: primary group
# -G: supplementary groups
# -u: specify UID
# -e: expiration date

# Create system user (no home, no login)
sudo useradd -r -s /sbin/nologin nginx

# Create user with specific UID and groups
sudo useradd -u 2000 -g developers -G docker,sudo -m alice

Default settings:

# View default settings
cat /etc/default/useradd

# Modify defaults
sudo useradd -D -s /bin/zsh  # change default shell
sudo useradd -D -e 2025-12-31  # set default expiration

Modifying User Accounts

User Modification Commands

# Change username
sudo usermod -l newname oldname

# Change home directory (and move files)
sudo usermod -d /home/newhome -m john

# Change default shell
sudo usermod -s /bin/zsh john
# OR
sudo chsh -s /bin/zsh john

# Lock account (disable login)
sudo usermod -L john
sudo passwd -l john

# Unlock account
sudo usermod -U john
sudo passwd -u john

# Change user comment/GECOS info
sudo usermod -c "John Doe, DevOps Engineer" john
# OR
sudo chfn john

# Add user to supplementary groups
sudo usermod -aG docker,sudo john

# Remove user from group
sudo gpasswd -d john docker

# Set account expiration
sudo usermod -e 2025-12-31 john

# Disable account expiration
sudo usermod -e "" john

Deleting User Accounts

# Delete user (keep home directory)
sudo deluser john

# Delete user and home directory
sudo deluser --remove-home john

# Delete user, home, and all files owned by user
sudo deluser --remove-all-files john

# Low-level deletion
sudo userdel john          # keep home
sudo userdel -r john       # remove home
sudo userdel -rf john      # force remove

# Find and remove orphaned files
sudo find / -user 1000 -exec rm -rf {} \;  # if UID was 1000

Group Management

Group Architecture

Managing groups:

# Create group
sudo addgroup developers
sudo groupadd developers

# Create group with specific GID
sudo groupadd -g 3000 developers

# Add user to group
sudo adduser john developers  # Debian/Ubuntu
sudo usermod -aG developers john  # All distros

# Remove user from group
sudo gpasswd -d john developers

# Change group name
sudo groupmod -n newname oldname

# Change group GID
sudo groupmod -g 3500 developers

# Delete group
sudo delgroup developers
sudo groupdel developers

# View user's groups
groups john
id john

# View group members
getent group developers
grep developers /etc/group

Configuring Group Collaboration

Shared Directory Permissions

Setting up shared directories:

# Create shared directory
sudo mkdir /shared/project

# Set group ownership
sudo chgrp developers /shared/project

# Set permissions: owner rwx, group rwx, others none
sudo chmod 770 /shared/project

# Set SGID bit (new files inherit group)
sudo chmod g+s /shared/project
# Final permissions: drwxrws---

# Verify SGID is set (s in group execute position)
ls -ld /shared/project

# Alternative: use ACLs for more granular control
sudo setfacl -m g:developers:rwx /shared/project
sudo setfacl -d -m g:developers:rwx /shared/project  # default for new files

SGID (Set Group ID) explained:

When set on directory: new files/dirs inherit the directory's group
Represented by s in group execute position: drwxrws---
Numeric value: 2000 (e.g., chmod 2770)

Sudo Access Configuration

Sudo Architecture

Granting sudo access:

# Method 1: Add user to sudo group (Debian/Ubuntu)
sudo usermod -aG sudo alice

# Method 2: Add user to wheel group (RHEL/CentOS)
sudo usermod -aG wheel alice

# Method 3: Edit sudoers file (use visudo!) - sudo documentation: https://www.sudo.ws/
sudo visudo

# Grant full sudo access to user
alice ALL=(ALL:ALL) ALL

# Grant sudo without password
alice ALL=(ALL:ALL) NOPASSWD:ALL

# Grant specific commands only
alice ALL=(ALL) /usr/bin/systemctl, /usr/bin/apt

# Grant to group
%developers ALL=(ALL:ALL) ALL

# Allow user to run commands as specific user
alice ALL=(www-data) /usr/bin/php

# Set sudo timeout (default 15 min)
Defaults timestamp_timeout=30

# Require password for every sudo command
Defaults timestamp_timeout=0

Sudo configuration files:

# Main sudo config
/etc/sudoers

# Drop-in configs (recommended)
/etc/sudoers.d/

# Create custom sudoers file
sudo visudo -f /etc/sudoers.d/developers

# Example /etc/sudoers.d/developers:
%developers ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%developers ALL=(ALL) /usr/bin/docker

Resource Limits

User Resource Configuration

# View current limits
ulimit -a

# View limits for specific user
sudo -u john bash -c 'ulimit -a'

# Set limits in /etc/security/limits.conf
sudo vim /etc/security/limits.conf

# Examples:
alice soft nofile 4096      # soft limit: max open files
alice hard nofile 8192      # hard limit: max open files
@developers soft nproc 100  # max processes for developers group
@developers hard nproc 200
* soft core 0               # disable core dumps for all users
* hard memlock unlimited    # unlimited locked memory

# Limit types:
# core - core file size
# data - max data size
# fsize - max file size
# memlock - max locked memory
# nofile - max open files
# nproc - max processes
# cpu - max CPU time (minutes)
# as - address space (virtual memory)

Monitoring user resources:

# Show processes for user
ps -u alice

# Show resource usage
top -u alice

# Show open files
lsof -u alice

# Count open files
lsof -u alice | wc -l

PAM (Pluggable Authentication Modules)

PAM Architecture

PAM configuration:

# PAM config directory - Linux-PAM documentation: https://www.kernel.org/pub/linux/libs/pam/
ls /etc/pam.d/

# Common PAM configs
/etc/pam.d/common-auth       # authentication
/etc/pam.d/common-account    # account restrictions
/etc/pam.d/common-password   # password policies
/etc/pam.d/common-session    # session setup

# Service-specific configs
/etc/pam.d/login
/etc/pam.d/sshd
/etc/pam.d/sudo

# Example /etc/pam.d/sshd:
auth       required   pam_unix.so
auth       required   pam_env.so
account    required   pam_unix.so
password   required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_motd.so

LDAP Authentication

LDAP Integration Architecture

Installing and configuring LDAP:

# Install LDAP client packages
sudo apt install ldap-utils libpam-ldap libnss-ldap nscd

# Configure LDAP authentication
sudo dpkg-reconfigure ldap-auth-config

# Configuration prompts:
# - LDAP server URI: ldap://ldap.example.com
# - Distinguished name: dc=example,dc=com
# - LDAP version: 3
# - Admin account: cn=admin,dc=example,dc=com

# Edit NSS configuration
sudo vim /etc/nsswitch.conf

# Add ldap to these lines:
passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files ldap

# Test LDAP connection
ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com

# View LDAP users
getent passwd
getent group

# Clear NSCD cache after changes
sudo nscd -i passwd
sudo nscd -i group

LDAP client configuration:

# /etc/ldap/ldap.conf
BASE    dc=example,dc=com
URI     ldap://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Kerberos Authentication

Kerberos Architecture

Installing Kerberos:

# Install Kerberos client
sudo apt install krb5-user libpam-krb5

# Install Kerberos server (KDC)
sudo apt install krb5-kdc krb5-admin-server

# Configure realm
sudo vim /etc/krb5.conf

# Example krb5.conf:
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Using Kerberos:

# Obtain ticket-granting ticket (TGT)
kinit alice@EXAMPLE.COM

# List current tickets
klist

# Renew ticket
kinit -R

# Destroy tickets (logout)
kdestroy

# SSH with Kerberos
ssh -K alice@server.example.com

Production Best Practices

Account Management:
- Use strong password policies (PAM pwquality)
- Implement password expiration (90 days recommended)
- Disable unused accounts promptly
- Use service accounts with /sbin/nologin for daemons
Permission Management:
- Follow principle of least privilege
- Use groups for team permissions, not individual users
- Set SGID on shared directories
- Audit permissions regularly
Sudo Access:
- Grant minimal sudo rights needed
- Use /etc/sudoers.d/ for organized configs
- Log sudo commands (Defaults log_output)
- Require passwords for sensitive operations
Authentication:
- Use centralized authentication (LDAP/AD) for multiple servers
- Implement MFA for privileged accounts
- Use SSH keys instead of passwords
- Enable SELinux or AppArmor
Monitoring:
- Track login attempts (/var/log/auth.log)
- Monitor sudo usage
- Alert on failed authentication
- Audit user activity regularly

Troubleshooting Common Issues

User cannot login:

# Check account status
sudo passwd -S alice
sudo chage -l alice

# Check shell exists
grep alice /etc/passwd
ls -l /bin/bash

# Check home directory
ls -ld /home/alice

# Unlock if locked
sudo passwd -u alice
sudo usermod -U alice

Permission denied on shared directory:

# Check user groups
groups alice

# Check directory permissions
ls -ld /shared/project

# Check if SGID is set
stat /shared/project | grep Access

# Add user to group
sudo usermod -aG developers alice
# User must logout/login for group change

Sudo not working:

# Check sudo group membership
groups alice

# Verify sudoers syntax
sudo visudo -c

# Check sudo logs
sudo cat /var/log/auth.log | grep sudo

Frequently Asked Questions

Q: How do I create a user in Linux?

Use the "useradd" command to create users: "useradd -m -s /bin/bash username" creates a user with home directory and bash shell. Then set password with "passwd username". Alternatively, use "adduser" on Debian/Ubuntu for interactive creation. Always specify shell and create home directory for interactive users.

Q: What is the difference between /etc/passwd and /etc/shadow?

/etc/passwd stores basic user information like username, UID, GID, home directory, and shell. It's world-readable for system compatibility. /etc/shadow stores encrypted passwords and password policies, readable only by root for security. This separation protects password hashes from unauthorized access while maintaining system functionality.

Q: How does sudo work in Linux?

Sudo allows users to execute commands as root or other users based on /etc/sudoers configuration. It logs all commands for auditing, requires password authentication, and supports fine-grained permissions. Use "visudo" to edit configuration safely. Add users to sudo group or create custom rules in /etc/sudoers.d/.

Q: What are SUID, SGID, and sticky bits?

SUID (Set User ID) on executables runs programs with owner's privileges (like passwd command). SGID (Set Group ID) on directories makes new files inherit directory's group. Sticky bit on directories allows only file owners to delete their files (like /tmp). Set with chmod: SUID=4000, SGID=2000, sticky=1000.

Q: How do I manage groups in Linux?

Create groups with "groupadd groupname", add users with "usermod -aG groupname username". View user groups with "groups username" or "id username". Groups enable permission sharing without individual grants. Use "gpasswd -a" to add users or "deluser username groupname" to remove. Changes require logout/login.

Q: What is LDAP authentication in Linux?

LDAP (Lightweight Directory Access Protocol) provides centralized user authentication across multiple Linux servers. Configure with sssd or nslcd to query LDAP directory for user credentials. Benefits include single sign-on, centralized password management, and consistent user/group information. Essential for enterprise environments with many servers.

Q: How do I set password policies in Linux?

Configure password policies in /etc/login.defs for minimum/maximum age and warning days. Use "chage" command to set per-user policies: "chage -M 90 -m 7 -W 14 username" sets 90-day maximum, 7-day minimum, 14-day warning. Install libpam-pwquality to enforce complexity requirements like minimum length and character types.

Conclusion

Linux user and group management encompasses account creation, permission configuration, sudo access, and enterprise authentication systems. Understanding passwd/shadow files, group permissions, SGID bits, and centralized authentication with LDAP and Kerberos is essential for secure multi-user environments.

Choose appropriate authentication methods: local accounts for small systems, LDAP for centralized management, and Kerberos for enterprise SSO. Implement least privilege, monitor access, and maintain security through regular audits and password policies.