Re: central authentication with LDAP

To: debian-isp@lists.debian.org
Subject: Re: central authentication with LDAP
From: Florian Bantner <f.bantner@axon-e.de>
Date: Mon, 28 Jan 2002 11:31:00 +0100
Message-id: <[🔎] 20020128113100.A10169@axon-e.de>
Reply-to: f.bantner@axon-e.de
In-reply-to: <[🔎] 20020128155132.094D.PAHUD@pahud.net>; from pahud@pahud.net on Mon, Jan 28, 2002 at 03:55:08PM +0800
References: <[🔎] 20020128155132.094D.PAHUD@pahud.net>

On Mon, 28 Jan 2002, Patrick Hsieh wrote:

> Hello list,
> 
> I just installed openldap and make my own address book on it.
> Now I'd like to make my Debian GNU/Linux login and authenticate from the
> LDAP server, where should I begin?
> 
> I installed libpam-ldap, is it all I have to install?
> Is there any toturial or howto talking about this deployment?
> 
> Any ideas highly appreciated.

Depends. I did so recently with potatoe. What I had to do:

1. Create your directory-structure in a way which best fits your needs.

2a. Create the user-entries according to posixAccount- and shadowAccount-scheme

I wasn't able to find the schema definition for openldap1.2 so I had
to create it manual from the schema which comes with openldap2.

2b. Create group-entries according to posixGroup

Perhaps it is possible to combine them in one entry since debian
uses the same number for uid, gid of one person. I'm currently
trying this and it seems to work.

3. Install libpamldap & libnssldap

nss is a complete replacement for all programs' access to the
user-database. It should be possible to run a system with users in
ldap without the pam_ldap module. when nsswitch is configured all
requests to pam_unix go to ldap anyway.

QUESTION: For what exactly do I need the pam_ldap module?

4. setup libpam (pam_ldap.conf) to access your ldap-server

5. setup the programs' confs in /etc/pam.d/ e.g. for su (which I used for testing)

auth       sufficient pam_rootok.so
auth       sufficient   pam_ldap.so
auth       required   pam_unix.so use_first_pass
account    sufficient   pam_ldap.so
account    required   pam_unix.so
session    required   pam_unix.so

6. setup libnss-ldap.conf to access your ldap-server

7. setup nsswitch.conf to use the libnss-ldap module e.g.

passwd:	compat	ldap
group:	compat	ldap
shadow:	compat	ldap

8. Cross fingers. Push the button.

Hope that helps,

Florian

-- 
--------------------------------------------------
Florian Bantner          AXON-E Interaktive Medien
Tel. +49-941-599 854 4      Fax. +49-941-599 854 1
Mail f.bantner@axon-e.de
Key  http://www.axon-e.de/gpg/f.bantner.key
1191 0C87 D9DB 3217 ABBA  5223 6D74 AB19 5C9D FC49
--------------------------------------------------

Reply to:

Follow-Ups:
- Re: central authentication with LDAP
  - From: Russell Coker <russell@coker.com.au>

References:
- central authentication with LDAP
  - From: Patrick Hsieh <pahud@pahud.net>

Prev by Date: Re: Multiple dhcp servers.
Next by Date: Re: central authentication with LDAP
Previous by thread: central authentication with LDAP
Next by thread: Re: central authentication with LDAP
Index(es):
- Date
- Thread