Hi Friends,
I am new to this LDAP community. I am haivng redhat evironment on my servers and my clients are also linux based thin clients or redhat linux based clients. I am trying to configure LDAP to authenticate my user to login to the machine and then automatically mount a partition to the user's machine. I have searched through the net and unable to find an appropriate doccumentation on the same. Can you please guide and provide some appropriate doccumentation or method as how I hv to go about with the installation of OpenLDAP and autofs such that it will authenticate my users and automatically mounts the users partition.
Thanks and Regards Santosh Balan +91-9819419509
=
Santosh Balan wrote:
Can you please guide and provide some appropriate doccumentation or method as how I hv to go about with the installation of OpenLDAP and autofs such that it will authenticate my users and automatically mounts the users partition.
To use ldap for login, you need to get nsswitch and pam to talk ldap. It is easily done by installing libnss-ldapd (or libnss-ldap -- they are functionally equivalent) and libpam-ldap. Package names are likely to be different on your platform -- these are from Debian.
First change /etc/nsswitch.conf so that it reads something like this:
passwd: compat ldap group: compat ldap shadow: compat ldap hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis automount: ldap
Then set up /etc/pam.d/common-{account,auth,password,session} with the following *additions*:
common-account: account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so
common-auth: auth requisite pam_succeed_if.so uid >= 1000 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so
common-password: password sufficient pam_ldap.so use_authtok password required pam_deny.so
common-session session optional pam_ldap.so
(There is probably some silly configuration in the above, but it works. I haven't looked into the details of PAM yet.)
Next, install autofs5-ldap (or v4 if you want). It is important that you understand the structure of autofs entries in ldap. You can get an overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap
Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf), /etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point to your ldap directory server.
When things don't work, try running each daemon in debug mode. This is particularly true for slapd and the nslcd (that comes in libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to see if logins are accepted.
sven
On Tuesday 29 July 2008 20:19:33 Sven Ulland wrote:
Santosh Balan wrote:
Can you please guide and provide some appropriate doccumentation or method as how I hv to go about with the installation of OpenLDAP and autofs such that it will authenticate my users and automatically mounts the users partition.
Depending on how your infrastructure is set up, you could get home directories automounted for every user with a single automount (wildcard) rule. Unless you give more details, it is difficult to know how you are associating the need for home directories and automount rules.
To use ldap for login, you need to get nsswitch and pam to talk ldap. It is easily done by installing libnss-ldapd (or libnss-ldap -- they are functionally equivalent) and libpam-ldap. Package names are likely to be different on your platform -- these are from Debian.
First change /etc/nsswitch.conf so that it reads something like this:
passwd: compat ldap group: compat ldap shadow: compat ldap
I would avoid compat unless you actually require the features. See the discussion of compat in nsswitch.conf(5). Additionally, I would avoid adding ldap to shadow unless you have applications that require access to the password hash or are intending to use nss_ldap->pam_unix for authentication (and forego any ldap authorization features).
hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis automount: ldap
Then set up /etc/pam.d/common-{account,auth,password,session} with the following *additions*:
common-account: account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so
I would rather suggest adding:
account sufficient pam_localuser.so account sufficient pam_ldap.so account required pam_deny.so
otherwise password expiry, host attribute use etc. will most likely not work.
common-auth: auth requisite pam_succeed_if.so uid >= 1000 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so
common-password: password sufficient pam_ldap.so use_authtok password required pam_deny.so
common-session session optional pam_ldap.so
pam_ldap doesn't implement session as far as I know, pam_mkhomedir would be a better candidate for the line above.
(There is probably some silly configuration in the above, but it works. I haven't looked into the details of PAM yet.)
Have you tested every aspect with the configuration above?
Next, install autofs5-ldap (or v4 if you want). It is important that you understand the structure of autofs entries in ldap. You can get an overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap
Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf), /etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point to your ldap directory server.
When things don't work, try running each daemon in debug mode. This is particularly true for slapd and the nslcd (that comes in libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to see if logins are accepted.
And disable nscd while troubleshooting.
Regards, Buchan
openldap-technical@openldap.org
-
Buchan Milne -
Santosh Balan -
Sven Ulland