Differences between revisions 20 and 21
Revision 20 as of 2007-05-17 03:58:04
Size: 4701
Editor: ?qqqqqqqq
Comment:
Revision 21 as of 2009-03-16 03:33:12
Size: 4709
Editor: anonymous
Comment: converted to 1.6 markup


This page describes the steps for connecting a Linux client to an LDAP domain.

For a Debian- or Fedora-based system

This is a client install for a Debian-based system, so that it can authenticate against an LDAP server.

Let's start off by addressing a bug that affects installs (bug #51315).

There is a current bug in the LDAP client configuration: it looks for the group nvram. To correct this problem, create the group nvram on the client machine:

addgroup --system nvram (Kubuntu) or addgroup --system kvm (Debian)

Next install the required packages

aptitude install libnss-ldap libpam-ldap nscd
  • ldap-utils is an optional package (it can be used to query the LDAP database remotely)
  • libnss-ldap allows LDAP to be used as a naming service
  • libpam-ldap is used to authenticate users against LDAP
  • nscd is used to cache lookups so the LDAP server won't be queried every time an authentication is made

Once the packages start being unpacked you will see these questions:

  • LDAP server uniform resource identifier: the IP address / hostname of the LDAP server
  • Distinguished name of the search base of your LDAP domain, i.e. dc=my,dc=domain
  • LDAP version to use: "Version 3" is best in most cases
  • LDAP account for root: enter your root account for the LDAP server, with the dc=my,dc=domain suffix
  • Enter the root password
  • Configure LIBNSS-LDAP: OK
  • On the next screen you'll be asked if you want to make root the DB admin: "yes"
  • Does the DB require logging in? Say "No"
  • Next, the root login account for LDAP. Typically: cn=manager,dc=my,dc=domain
  • Then you'll need to enter the LDAP password for that LDAP account

Next we need to check a couple of different files:

/etc/libnss-ldap.conf, /etc/libnss-ldap.secret, /etc/pam_ldap.conf and /etc/pam_ldap.secret

== These files should already have been configured during the default installation of the packages; if an error occurs, double-check these files ==

vi /etc/libnss-ldap.conf (double-check these entries)
  • host ldap (ensure the LDAP server name or IP address is correct)
  • base dc=debuntu,dc=local (again, ensure this matches the LDAP base and host name from above)
  • rootbinddn cn=admin,dc=debuntu,dc=local

vi /etc/libnss-ldap.secret (ensure the password is correct; this file holds the rootbinddn password in clear text)
  • XXXXX

vi /etc/pam_ldap.conf (double-check these entries)
  • host ldap
  • base dc=debuntu,dc=local
  • rootbinddn cn=admin,dc=debuntu,dc=local

vi /etc/pam_ldap.secret (ensure the password is correct)
  • XXXXX

The PAM configuration files need to be modified so that LDAP is a sufficient source for password authentication, with the local Unix files still required as the fallback.

The PAM configuration files need to be modified a bit, like this:

vi /etc/pam.d/common-account
  • account sufficient pam_ldap.so
  • account required pam_unix.so

vi /etc/pam.d/common-auth
  • auth sufficient pam_ldap.so
  • auth required pam_unix.so nullok_secure

vi /etc/pam.d/common-password
  • password sufficient pam_ldap.so
  • password required pam_unix.so nullok obscure min=4 max=8 md5

vi /etc/pam.d/common-session
  • session sufficient pam_ldap.so
  • session required pam_unix.so

Finally, let's edit the nsswitch configuration file so that the system is able to fall through from local (files) lookups to LDAP lookups.

vim /etc/nsswitch.conf
  • passwd: files ldap
  • group: files ldap
  • shadow: files ldap
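Because /etc/libnss-ldap.secret and /etc/pam_ldap.secret hold the rootbinddn password in clear text, and because host, base and rootbinddn must agree between libnss-ldap.conf and pam_ldap.conf, it is worth checking the result before relying on it. The following POSIX sh script is an added example, not part of the original page: it checks the secret files are mode 0600 and non-empty, that the two config files agree, and that nsswitch.conf consults ldap for passwd, group and shadow; the optional first argument is an alternate root directory (an assumption of this example) so it can be run against test copies of the files.

```shell
#!/bin/sh
# Added example (not from the original wiki page). Sanity-checks the
# client-side LDAP files edited above. $1 = optional alternate root
# directory (assumed for testing); default is the real filesystem.

# Print the value of a "key value" line from a config file, ignoring
# comments and blank lines. $1 = file, $2 = key.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# A secret file must exist, be non-empty and be readable only by its
# owner (mode 600); it should also be owned by root. Returns 1 on failure.
check_secret() {
    f="$1"
    [ -s "$f" ] || { echo "MISSING/EMPTY: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "BAD MODE $mode (want 600): $f"; return 1; }
    return 0
}

# Check that libnss-ldap.conf and pam_ldap.conf point at the same server,
# base and rootbinddn, that nsswitch.conf consults ldap for the three
# user databases, and that both secret files are protected. Returns 0 if
# everything is consistent, 1 otherwise (each problem is printed).
check_ldap_client() {
    root="${1:-}"
    rc=0
    nss="$root/etc/libnss-ldap.conf"
    pam="$root/etc/pam_ldap.conf"
    for key in host base rootbinddn; do
        a=$(conf_value "$nss" "$key")
        b=$(conf_value "$pam" "$key")
        if [ -z "$a" ] || [ "$a" != "$b" ]; then
            echo "MISMATCH $key: libnss-ldap.conf='$a' pam_ldap.conf='$b'"
            rc=1
        fi
    done
    for db in passwd group shadow; do
        grep -Eq "^$db:([[:space:]].*)?[[:space:]]ldap([[:space:]]|$)" \
            "$root/etc/nsswitch.conf" \
            || { echo "nsswitch.conf: $db does not consult ldap"; rc=1; }
    done
    check_secret "$root/etc/libnss-ldap.secret" || rc=1
    check_secret "$root/etc/pam_ldap.secret" || rc=1
    return $rc
}
```

Run it as root on the client (`check_ldap_client`) after the edits above; a non-zero exit with a printed MISMATCH or BAD MODE line points at the file to fix.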

With everything entered correctly you should have a working LDAP Client :)

Fedora Client

The Fedora or Red Hat client is slightly easier. Run:

/usr/bin/authconfig-tui

http://img175.imageshack.us/img175/8835/authap0.jpg

Check the boxes, then click next

http://img501.imageshack.us/img501/7460/auth2va1.jpg

Enter your server's DNS name or IP address and your domain name. Click OK and you're done.