----- Original Message ----- From: "Buchan Milne" <bgmilne(a)staff.telkomsa.net To: openldap-technical(a)openldap.org Subject: Re: Autofs-OpenLDAP Assistance Date: Wed, 30 Jul 2008 11:54:25 +0200 On Tuesday 29 July 2008 20:19:33 Sven Ulland wrote: > Santosh Balan wrote: > > Can you please guide and provide some appropriate doccumentation or > > method as how I hv to go about with the installation of OpenLDAP and > > autofs such that it will authenticate my users and automatically > > mounts the users partition. Depending on how your infrastructure is set up, you could get home directories automounted for every user with a single automount (wildcard) rule. Unless you give more details, it is difficult to know how you are associating the need for home directories and automount rules. > To use ldap for login, you need to get nsswitch and pam to talk ldap. > It is easily done by installing libnss-ldapd (or libnss-ldap -- they > are functionally equivalent) and libpam-ldap. Package names are likely > to be different on your platform -- these are from Debian. > First change /etc/nsswitch.conf so that it reads something like this: > passwd: compat ldap > group: compat ldap > shadow: compat ldap I would avoid compat unless you actually require the features. See the discussion of compat in nsswitch.conf(5). Additionally, I would avoid adding ldap to shadow unless you have applications that require access to the password hash or are intending to use nss_ldap->pam_unix for authentication (and forego any ldap authorization features). > hosts: files dns > networks: files > protocols: db files > services: db files > ethers: db files > rpc: db files > netgroup: nis > automount: ldap > Then set up /etc/pam.d/common-{account,auth,password,session} with the > following *additions*: > common-account: > account sufficient pam_succeed_if.so uid < 1000 quiet > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > account required pam_permit.so I would rather suggest adding: account sufficient pam_localuser.so account sufficient pam_ldap.so account required pam_deny.so otherwise password expiry, host attribute use etc. will most likely not work. > common-auth: > auth requisite pam_succeed_if.so uid >= 1000 quiet > auth sufficient pam_ldap.so use_first_pass > auth required pam_deny.so > common-password: > password sufficient pam_ldap.so use_authtok > password required pam_deny.so > common-session > session optional pam_ldap.so pam_ldap doesn't implement session as far as I know, pam_mkhomedir would be a better candidate for the line above. > (There is probably some silly configuration in the above, but it > works. I haven't looked into the details of PAM yet.) Have you tested every aspect with the configuration above? > Next, install autofs5-ldap (or v4 if you want). It is important that > you understand the structure of autofs entries in ldap. You can get an > overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap > Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf), > /etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point > to your ldap directory server. > When things don't work, try running each daemon in debug mode. This > is particularly true for slapd and the nslcd (that comes in > libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to > see if logins are accepted. And disable nscd while troubleshooting. Regards, Buchan