LDAP/Authentication on Linux
Warning
The instructions below are not complete. The instructions as they are are just a skeleton for completing the integration. --Gregory.Szorc 19:51, August 30, 2005 (EDT)
There are complete instructions based on Ubuntu 6.06.1 at the Filer Wiki which should benefit users of other Linux distributions as well. --Simon.Kuhn 20:32, September 21, 2006 (EDT)
What It Is
This article explains how to configure a Linux installation to use the Case LDAP servers for authentication. By following this guide, a person (if permitted) can log into a Linux machine using his or her Case network username and password. The user's Linux UID will also be the same across all computers, which means permissions and ACLs can remain intact. This is especially beneficial for NFS mounts.
Requirements
The following software and libraries are required to use this guide.
Procedure
Edit /etc/nsswitch.conf
The nsswitch.conf file tells Linux where to find information about such things as users, passwords, hostnames, group membership, etc. For this guide, we are just concerned with usernames and passwords.
We can tell Linux to first look at local files and then LDAP for user authentication. Find the lines beginning with passwd and shadow and append ldap to the list.
For example:
    passwd: files ldap
    shadow: files ldap
Edit ldap.conf
When nss_ldap was installed, it most likely placed an ldap.conf file somewhere, probably in /etc/. On some installations, the file could be named libnss-ldap.conf or similar. This file holds the connection settings for NSS.
An example ldap.conf:
    uri ldaps://ldap-replica1.cwru.edu ldaps://ldap-replica2.cwru.edu ldaps://ldap-replica3.cwru.edu
    base o=cwru.edu,o=isp
    TLS_REQCERT never
Edit PAM Configs
/etc/pam.d/login needs to have pam_ldap.so inserted into the stack for auth, password, and account. It is recommended to put it near the top.
    auth sufficient pam_ldap.so
    password sufficient pam_ldap.so
    account sufficient pam_ldap.so
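The script below is an added example, not part of the original wiki page: a small POSIX shell audit of the three files edited in the Procedure, run here against constructed copies of the guide's snippets in a temporary directory. It also reports TLS_REQCERT never (or allow), because in OpenLDAP's ldap.conf those levels let the client proceed without verifying the server certificate. The function names and the directory layout passed to audit are assumptions of the example.

```sh
#!/bin/sh
# Added example: sanity-check the three files this guide edits.

# nss_has_ldap FILE DB: succeeds if the DB line (passwd, shadow) lists "ldap".
nss_has_ldap() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                     END { exit !ok }' "$1"
}

# pam_has_ldap FILE TYPE: succeeds if a TYPE line (auth, password, ...) loads pam_ldap.so.
pam_has_ldap() {
    awk -v t="$2" '$1 == t && /pam_ldap\.so/ { ok = 1 } END { exit !ok }' "$1"
}

# ldap_tls_reqcert FILE: prints the last TLS_REQCERT level found, or "unset".
ldap_tls_reqcert() {
    awk 'tolower($1) == "tls_reqcert" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# audit DIR: prints one line per finding; exit status is the number of findings.
audit() {
    n=0
    for db in passwd shadow; do
        nss_has_ldap "$1/nsswitch.conf" "$db" ||
            { echo "nsswitch.conf: $db does not list ldap"; n=$((n + 1)); }
    done
    for t in auth password account; do
        pam_has_ldap "$1/login" "$t" ||
            { echo "pam.d/login: no pam_ldap.so line for $t"; n=$((n + 1)); }
    done
    case $(ldap_tls_reqcert "$1/ldap.conf") in
        never|allow)  # these levels accept any server certificate
            echo "ldap.conf: TLS_REQCERT does not verify the LDAP server"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample files mirroring the snippets in this guide.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf 'passwd: files ldap\nshadow: files ldap\n' > "$demo/nsswitch.conf"
printf 'uri ldaps://ldap-replica1.cwru.edu\nbase o=cwru.edu,o=isp\nTLS_REQCERT never\n' \
    > "$demo/ldap.conf"
printf '%s sufficient pam_ldap.so\n' auth password account > "$demo/login"
audit "$demo" || echo "findings: $?"
```

To check a real machine, place copies of /etc/nsswitch.conf, your ldap.conf and /etc/pam.d/login (named nsswitch.conf, ldap.conf and login) in one directory and pass that directory to audit.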
