Diff: LDAPAuthentication

Differences between current version and revision by previous author of LDAPAuthentication.


Newer page: version 19 Last edited on Friday, April 8, 2005 2:32:17 pm by JohnMcPherson
Older page: version 17 Last edited on Saturday, June 19, 2004 3:18:24 pm by GreigMcGill
@@ -1,5 +1,5 @@
-This is intended to be a brief guide to setting up LDAP authentication under Linux, mainly focusing on the bits that might trip you up. It isn't intended to be perfect -- a lot of the stuff is just the way I've done things and it works for me. Although I've noticed several of the guides around the internet give you a few different ways to do things anyway. 
+This is intended to be a brief guide to setting up [ LDAP] authentication under Linux, mainly focusing on the bits that might trip you up. It isn't intended to be perfect -- a lot of the stuff is just the way I've done things and it works for me. Although I've noticed several of the guides around the internet give you a few different ways to do things anyway. 
  
 __Installing the LDAP Server__ 
  
 Firstly, you'll want to install the LDAP server and get it running. Under Debian, you can simply apt-get install slapd. You may have to compile it or build it from source or whatever. If you want TLS (probably a good idea) under Debian, you'll have to build from source using a source deb or whatever. See LDAPNotes for details on how to do this. 
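Review bot: the new link markup `[ LDAP]` on the `+` line has no target before the space, so it will either render as a bracketed bare word or as a link to nothing; give it the page or URL it should point at (e.g. `[LDAP]` for the wiki page of that name) or keep the plain word the `-` line had. While this paragraph is open, "If you want TLS (probably a good idea)" in the unchanged context undersells it: the PAM and NSS clients configured later in this guide bind to the server with a DN and password, and without TLS a simple bind carries that password in clear text, so TLS should be recommended rather than merely suggested.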
@@ -55,9 +55,9 @@
 After you've configured this, run the script migrate_all_online.sh and let the tools do all the work. I had a few hiccups here, but that was mainly due to slapd being horribly misconfigured. If you have any problems you can't find solutions to, it's probably a good idea to restart slapd several times, or simply stop it for a while, and try again. I don't really know why, but this seemed to fix some of my problems magically. 
  
 __Setting up PAM__ 
  
-Next, you want to get PAM and NSS working. First, make sure you're on an OS that uses PAM. If you're not, complicated things happen. Fortunately, if you're using Linux, that shouldn't be a problem. You now want to install libpam-ldap and libnss-ldap. Under Debian, apt-get the packages. ('When Debconf asks you for Root login account, its your rootdn.' --TomHibbert) Under anything else, either RPMs or source as usual. Now that you've done that, you get to configure a few files. 
+Next, you want to get [ PAM] and [ NSS] working. First, make sure you're on an OS that uses PAM. If you're not, complicated things happen. Fortunately, if you're using Linux, that shouldn't be a problem. You now want to install libpam-ldap and libnss-ldap. Under Debian, apt-get the packages. ('When Debconf asks you for Root login account, its your rootdn.' --TomHibbert) Under anything else, either RPMs or source as usual. Now that you've done that, you get to configure a few files. 
  
 /etc/ldap/ldap.conf tells LDAP clients where to access the LDAP server. Your slapd configuration may have already set this up for you. You probably want something like this: 
  
  BASE dc=wlug,dc=org,dc=nz 
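Review bot: same empty-target problem as in the first hunk: `[ PAM]` and `[ NSS]` have nothing before the space, so confirm they actually resolve to the PAM and NSS wiki pages rather than rendering as literal brackets. Two small fixes in the same sentence while it is being edited: "its your rootdn" in the quoted Debconf tip should read "it's your rootdn", and "Under anything else, either RPMs or source as usual." is a fragment that would read better as "Under anything else, install from RPMs or source as usual."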
@@ -72,9 +72,9 @@
  scope sub 
  
 ...and that should be all. Note, you need rootbinddn to get set, and a valid password for it in /etc/ldap.secret (at least, that's where it is under Debian...). This is because you can't see the crypted passwords on the LDAP server as anything other than admin. Also, scobe sub is not included as part of the Debian default config, but I think it's a good idea to have it there. It sets the search scope to all subdirectories. It may be a terrible idea to have it there. 
  
-/etc/libnss-ldap.conf is the configuration file for the LDAP NSS library. You probably want it to contain something like this: 
+/etc/libnss-ldap.conf (see libnss-ldap.conf(5)) is the configuration file for the LDAP [ NSS] library. You probably want it to contain something like this: 
  
  host 127.0.0.1 
  base dc=wlug,dc=org,dc=nz 
  ldap_version 3 
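Review bot: the libnss-ldap.conf(5) reference is a good addition, but the unchanged context around it needs a caveat it currently lacks: setting `rootbinddn` with the password in /etc/ldap.secret puts the directory administrator's credentials on every client machine, so compromising any one client compromises the whole directory. Suggest recommending a dedicated read-only bind DN whose slapd ACL grants it read access to userPassword (which is all the "can't see the crypted passwords as anything other than admin" problem actually requires), or at minimum stating that /etc/ldap.secret must be root-owned and mode 0600. Also in the context: "scobe sub" is a typo for "scope sub", and "sets the search scope to all subdirectories" would be clearer as "searches the whole subtree below the base DN".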
@@ -106,8 +106,11 @@
  
 A good idea is to do a service you can easily test first (say, pop3) and make sure everything's working. You could also temporarily delete your user or a user you care little about from /etc/passwd, /etc/shadow and /etc/group, to ensure that it really is getting things from LDAP. I'm not sure how much of a brilliant idea this is, but if you're careful it should be okay. DON'T REMOVE ROOT FROM /etc/passwd. root isn't in the ldap server. 
  
 So once you can telnet to the pop3 port and log on with pop3 against LDAP, start shifting some other services over, and test them as you go. Note that ssh likes to be restarted after you change it's pam.d file, this caught me out. Be careful shifting things like 'login' over. :) 
+  
+Have a look at http://www.nerdcircus.org/wiki/LDAPClientPam for a few tips and tricks.  
+  
  
 __The End__ 
  
 And that's it! After the services you want to use are shifted over, you're now running a system authenticating off LDAP. Delete your local users and leave the LDAP ones there. Don't delete user root, and don't put root on the LDAP server. It's probably not a good idea. Things may be going a little slowly, so you might want to install nscd(8) to speed things up, as it caches all ldap requests. To set up other machines to authenticate off this server, just perform the steps from "Setting up PAM" and onwards on the other machine, but using the IP of your real LDAP server instead of 127.0.0.1 (obviously).
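Review bot: the two added lines before __The End__ are whitespace-only (each carries a trailing space) and, together with the blank line already there, leave three empty lines in a row; keep one and strip the trailing spaces. The nerdcircus.org link would also read better with a word on what that page covers instead of "a few tips and tricks". In the unchanged context, "after you change it's pam.d file" should be "its", and the "Be careful shifting things like 'login' over" warning is worth making concrete: keep a root shell open in a second terminal while testing each service, because a broken pam.d entry for login or ssh locks you out of the box. The closing paragraph's advice to keep root out of LDAP also depends on /etc/nsswitch.conf listing `files` before `ldap` so root keeps resolving locally even when the server is unreachable; stating that here would close the loop.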