ldap_openldap

ldap_openldap [2014/11/24 02:19]
ben
ldap_openldap [2014/11/24 02:20] (current)
ben
Line 4: Line 4:
 OpenLDAP provides a place to store central user accounts and other configuration information which multiple machines can read. The advantages are that all machines on the network have a consistent view of user accounts, UIDs, passwords etc, and they are very easy to maintain. OpenLDAP provides a place to store central user accounts and other configuration information which multiple machines can read. The advantages are that all machines on the network have a consistent view of user accounts, UIDs, passwords etc, and they are very easy to maintain.
  
-LDAP can also store configuration for <tt>sudo</tt>, as well as Samba configuration and postfix mail routing.+LDAP can also store configuration for ''​sudo''​, as well as Samba configuration and postfix mail routing.
  
 This guide walks through setting up the LDAP services used at sihnon.net, which includes one master LDAP server (ldap.sihnon.net) and one slave (ldap-slave.sihnon.net). This guide walks through setting up the LDAP services used at sihnon.net, which includes one master LDAP server (ldap.sihnon.net) and one slave (ldap-slave.sihnon.net).
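Review bot: the line noting that LDAP can also hold the sudo configuration should say who is allowed to write those entries; since every machine that reads the directory will trust them, write access to the sudo entries is equivalent to granting root on all of those machines, so it is worth documenting that only the directory admin account (the rootdn mentioned later on the page) may modify them. The markup change itself, replacing <tt>sudo</tt> with ''sudo'', matches the DokuWiki monospace syntax used in the rest of this revision.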
Line 54: Line 54:
 {{File|/​etc/​ldap.conf|<​code>​6@@</​code>​}} {{File|/​etc/​ldap.conf|<​code>​6@@</​code>​}}
  
-Put the password for the account specified by rootdn in <tt>/​etc/​ldap.secret</tt>+Put the password for the account specified by rootdn in ''​/​etc/​ldap.secret''​
  
 {{File|/​etc/​ldap.conf.sudo|<​code>​7@@</​code>​}} {{File|/​etc/​ldap.conf.sudo|<​code>​7@@</​code>​}}
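Review bot: the step "Put the password for the account specified by rootdn in /etc/ldap.secret" does not state the file's ownership or mode. The troubleshooting section further down ("I have no name!") relies on the file being mode 0600, so say "root-owned, mode 0600" here where the file is created rather than only in the troubleshooting list; otherwise the directory admin password is readable by every local user on the client. The <tt> to '' change is fine.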
Line 77: Line 77:
  
 ===== Cached Credentials ===== ===== Cached Credentials =====
-The setup described above requires a permanent connection to an LDAP server, else noone will be able to log in. On a local network, you can get around this with redundant LDAP servers, but for a laptop which leaves the network the problem is critical. Fortunately, ​<tt>pam_ccreds</​tt> ​is designed to solve the problem. The required packages are only available in the [[http://​gentoo-overlays.zugaina.org/​swegener/​portage/​|Swegener]] overlay at the moment, so add it with:+The setup described above requires a permanent connection to an LDAP server, else noone will be able to log in. On a local network, you can get around this with redundant LDAP servers, but for a laptop which leaves the network the problem is critical. Fortunately, ​''​pam_ccreds'' ​is designed to solve the problem. The required packages are only available in the [[http://​gentoo-overlays.zugaina.org/​swegener/​portage/​|Swegener]] overlay at the moment, so add it with:
  
 {{Root|<​source lang="​bash">​ {{Root|<​source lang="​bash">​
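Review bot: spelling, "noone" should be "no one"; the edit changed only the markup around pam_ccreds and left the typo on both sides. Also "only available in the Swegener overlay at the moment" will go stale; consider naming the packages so a reader can check whether they have since moved to the main tree.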
Line 130: Line 130:
 ==== I have no name! ==== ==== I have no name! ====
 Check the following Check the following
-  * Make sure that <tt>/​etc/​ldap.secret</​tt> ​exists with suitable permissions (0600), and contains the correct password for the the LDAP root account (<tt>cn=root,​dc=sihnon,​dc=net</tt>). +  * Make sure that ''​/​etc/​ldap.secret'' ​exists with suitable permissions (0600), and contains the correct password for the the LDAP root account (''​cn=root,​dc=sihnon,​dc=net''​). 
-  * Make sure that <tt>/​etc/​ldap.conf</​tt> ​is world readable.+  * Make sure that ''​/​etc/​ldap.conf'' ​is world readable.
   * Make sure that the CA certificate file is world readable.   * Make sure that the CA certificate file is world readable.
  
 ==== Getent passwd returns no LDAP accounts ==== ==== Getent passwd returns no LDAP accounts ====
-If root can run <tt>getent passwd</​tt> ​ok, but a mortal user cannot, check the following:+If root can run ''​getent passwd'' ​ok, but a mortal user cannot, check the following:
  
   * Check that the SSL CA certificates are world-readable   * Check that the SSL CA certificates are world-readable
-  * Try raising the debug level for <tt>slapd</​tt> ​on <tt>ldap.sihnon.net</​tt> ​with <tt>loglevel stats</tt>+  * Try raising the debug level for ''​slapd'' ​on ''​ldap.sihnon.net'' ​with ''​loglevel stats''​
  
 ==== Sudo refuses to search LDAP ==== ==== Sudo refuses to search LDAP ====
-Sudo 1.7.0 now uses <tt>nsswitch.conf</​tt> ​to tell it where to look for configuration,​ which is a change over 1.6.9 and earlier. Be sure to configure nsswitch as documented above to tell sudo to read the LDAP configuration+Sudo 1.7.0 now uses ''​nsswitch.conf'' ​to tell it where to look for configuration,​ which is a change over 1.6.9 and earlier. Be sure to configure nsswitch as documented above to tell sudo to read the LDAP configuration
  
 ===== See also ===== ===== See also =====
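Review bot: "the the LDAP root account" is doubled in the first item of "I have no name!", and "world readable" in that list versus "world-readable" in the "Getent passwd" list should be made consistent. On the "Getent passwd" item, the suggestion to set ''loglevel stats'' on slapd should add that the setting be reverted after debugging, since it logs every connection and operation. The "Sudo refuses to search LDAP" item refers to nsswitch "as documented above"; a link to the section would help since this troubleshooting list is far from that step.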
ldap_openldap.txt · Last modified: 2014/11/24 02:20 by ben