Re: central authentication with LDAP
On Mon, 28 Jan 2002 21:31, Florian Bantner wrote:
> On Mon, 28 Jan 2002, Patrick Hsieh wrote:
> 2b. Create group-entries according to posixGroup
> Perhaps it is possible to combine them in one entry since debian
> uses the same number for uid, gid of one person. I'm currently
> trying this and it seems to work.
NB, it is not required to store any group data in LDAP. For most
installations the group data does not change often at all, and it can be more
easily stored in /etc/group. Using /etc/group for the data instead of LDAP
reduces the number of queries (keep in mind that queries have to be done for
supplemental groups too).
> 3. Install libpamldap & libnssldap
> nss is a complete replacement for all programs' access to the
> user-database. It should be possible to run a system with users in
> ldap without the pam_ldap module. when nsswitch is configured all
> requests to pam_unix go to ldap anyway.
> QUESTION: For what exactly do I need the pam_ldap module?
nss allows you to replace /etc/passwd and /etc/shadow with LDAP.
The PAM LDAP allows you to use non-SUID programs to change user-modifyable
data (password, finger name, and shell) based on password authentication. It
allows you to use different crypt methods, different LDAP settings for
different services (only in woody), and UID/GID limits to what the LDAP can
specify, such as UID > 100 (not sure if potato has it).
> auth sufficient pam_rootok.so
> auth sufficient pam_ldap.so
> auth required pam_unix.so use_first_pass
> account sufficient pam_ldap.so
> account required pam_unix.so
> session required pam_unix.so
I suggest putting pam_unix first and pam_ldap later in the list. If you do
otherwise then an LDAP problem can make it impossible to login which is a
real bitch. I once had that happen to servers at a secure hosting facility,
that was a real PITA.
> 6. setup libnss-ldap.conf to access your ldap-server
You could probably run without it, but "ls -l" won't show the user-names, and
many programs won't like it. libnss-ldap is only used after you've logged in.
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page