ldap_openldap

ldap_openldap [2014/11/24 01:14]
0.0.0.0 created
ldap_openldap [2014/11/24 02:20] (current)
ben
Line 4: Line 4:
 OpenLDAP provides a place to store central user accounts and other configuration information which multiple machines can read. The advantages are that all machines on the network have a consistent view of user accounts, UIDs, passwords etc, and they are very easy to maintain. OpenLDAP provides a place to store central user accounts and other configuration information which multiple machines can read. The advantages are that all machines on the network have a consistent view of user accounts, UIDs, passwords etc, and they are very easy to maintain.
  
-LDAP can also store configuration for <tt>sudo</tt>, as well as Samba configuration and postfix mail routing.+LDAP can also store configuration for ''sudo'', as well as Samba configuration and postfix mail routing.
  
 This guide walks through setting up the LDAP services used at sihnon.net, which includes one master LDAP server (ldap.sihnon.net) and one slave (ldap-slave.sihnon.net). This guide walks through setting up the LDAP services used at sihnon.net, which includes one master LDAP server (ldap.sihnon.net) and one slave (ldap-slave.sihnon.net).
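Review bot: style only in this hunk; the context line "UIDs, passwords etc, and they are very easy to maintain" reads as a run-on and wants "UIDs, passwords, etc., and". The change from `<tt>sudo</tt>` to `''sudo''` is consistent with the rest of this revision.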
Line 54: Line 54:
 {{File|/etc/ldap.conf|<code>6@@</code>}} {{File|/etc/ldap.conf|<code>6@@</code>}}
  
-Put the password for the account specified by rootdn in <tt>/etc/ldap.secret</tt>+Put the password for the account specified by rootdn in ''/etc/ldap.secret''
  
 {{File|/etc/ldap.conf.sudo|<code>7@@</code>}} {{File|/etc/ldap.conf.sudo|<code>7@@</code>}}
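Review bot: the line "Put the password for the account specified by rootdn in `/etc/ldap.secret`" should state the permission requirement right here rather than leaving it to the troubleshooting section further down (which says 0600): this file holds the directory root password, and a readable copy gives any local user full write access to the directory. Also note the file contents for `/etc/ldap.conf` and `/etc/ldap.conf.sudo` appear only as the placeholders `6@@` and `7@@` in this view, so the `rootdn` line the sentence refers to cannot be checked from the diff.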
Line 77: Line 77:
  
 ===== Cached Credentials ===== ===== Cached Credentials =====
-The setup described above requires a permanent connection to an LDAP server, else noone will be able to log in. On a local network, you can get around this with redundant LDAP servers, but for a laptop which leaves the network the problem is critical. Fortunately, <tt>pam_ccreds</tt> is designed to solve the problem. The required packages are only available in the [[http://gentoo-overlays.zugaina.org/swegener/portage/|Swegener]] overlay at the moment, so add it with:+The setup described above requires a permanent connection to an LDAP server, else noone will be able to log in. On a local network, you can get around this with redundant LDAP servers, but for a laptop which leaves the network the problem is critical. Fortunately, ''pam_ccreds'' is designed to solve the problem. The required packages are only available in the [[http://gentoo-overlays.zugaina.org/swegener/portage/|Swegener]] overlay at the moment, so add it with:
  
 {{Root|<source lang="bash"> {{Root|<source lang="bash">
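Review bot: "else noone will be able to log in" should read "no one". The phrase "only available in the Swegener overlay at the moment" is the kind of claim that goes stale; a markup-only revision is a good moment to either date it or drop "at the moment".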
Line 89: Line 89:
  
 Add the following to configuration to make nss revert to the cached credentials if there's no connection to the directory service. Add the following to configuration to make nss revert to the cached credentials if there's no connection to the directory service.
-{{File|/etc/nsswitch.conf|<syntax lang="conf">+{{File|/etc/nsswitch.conf|<code conf>
 passwd:      compat ldap [[NOTFOUND=return]] db passwd:      compat ldap [[NOTFOUND=return]] db
 shadow:      compat ldap [[NOTFOUND=return]] db shadow:      compat ldap [[NOTFOUND=return]] db
-</syntax>}}+</code>}}
  
 Configure pam to update the cache on successful logins, and accept cached credentials when no server is available. Configure pam to update the cache on successful logins, and accept cached credentials when no server is available.
-{{File|/etc/pam.d/system-auth|<syntax lang="pamconf">+{{File|/etc/pam.d/system-auth|<code pamconf>
 auth        required    pam_env.so auth        required    pam_env.so
 auth        [[success=ignore|default=1]] pam_localuser.so auth        [[success=ignore|default=1]] pam_localuser.so
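Review bot: the bracket expressions in both snippets look wrong as they will render: nsswitch.conf takes single brackets (`passwd: compat ldap [NOTFOUND=return] db`), and a PAM control field is a single-bracketed, space-separated list of value=action pairs (`auth [success=ignore default=1] pam_localuser.so`). The doubled `[[...]]` and the `|` separator look like DokuWiki link markup leaking into the source; inside `<code conf>` and `<code pamconf>` they are shown literally, so a reader who copies these lines gets a file that nss and PAM will not parse. Worth fixing in the same pass as the `<syntax>` to `<code>` change.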
Line 112: Line 112:
 account     [[authinfo_unavail=ignore|default=done]] pam_ldap.so account     [[authinfo_unavail=ignore|default=done]] pam_ldap.so
 account     sufficient  pam_permit.so account     sufficient  pam_permit.so
-</syntax>}}+</code>}}
  
 Log in once, and your credentials should be cached. You can check with the following command Log in once, and your credentials should be cached. You can check with the following command
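Review bot: `account sufficient pam_permit.so` immediately after `account [authinfo_unavail=ignore default=done] pam_ldap.so` means that whenever the directory is unreachable the account stage passes for anyone whose cached password matched, so LDAP-side account expiry or disabling is not enforced while the laptop is offline. That is the intended trade-off for cached credentials, but it should be stated next to the snippet. The same `[[...|...]]` bracket problem as in the previous hunk applies to the `pam_ldap.so` line here.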
Line 130: Line 130:
 ==== I have no name! ==== ==== I have no name! ====
 Check the following Check the following
-  * Make sure that <tt>/etc/ldap.secret</tt> exists with suitable permissions (0600), and contains the correct password for the the LDAP root account (<tt>cn=root,dc=sihnon,dc=net</tt>). +  * Make sure that ''/etc/ldap.secret'' exists with suitable permissions (0600), and contains the correct password for the the LDAP root account (''cn=root,dc=sihnon,dc=net''). 
-  * Make sure that <tt>/etc/ldap.conf</tt> is world readable.+  * Make sure that ''/etc/ldap.conf'' is world readable.
   * Make sure that the CA certificate file is world readable.   * Make sure that the CA certificate file is world readable.
  
 ==== Getent passwd returns no LDAP accounts ==== ==== Getent passwd returns no LDAP accounts ====
-If root can run <tt>getent passwd</tt> ok, but a mortal user cannot, check the following:+If root can run ''getent passwd'' ok, but a mortal user cannot, check the following:
  
   * Check that the SSL CA certificates are world-readable   * Check that the SSL CA certificates are world-readable
-  * Try raising the debug level for <tt>slapd</tt> on <tt>ldap.sihnon.net</tt> with <tt>loglevel stats</tt>+  * Try raising the debug level for ''slapd'' on ''ldap.sihnon.net'' with ''loglevel stats''
  
 ==== Sudo refuses to search LDAP ==== ==== Sudo refuses to search LDAP ====
-Sudo 1.7.0 now uses <tt>nsswitch.conf</tt> to tell it where to look for configuration, which is a change over 1.6.9 and earlier. Be sure to configure nsswitch as documented above to tell sudo to read the LDAP configuration+Sudo 1.7.0 now uses ''nsswitch.conf'' to tell it where to look for configuration, which is a change over 1.6.9 and earlier. Be sure to configure nsswitch as documented above to tell sudo to read the LDAP configuration
  
 ===== See also ===== ===== See also =====
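Review bot: "the correct password for the the LDAP root account" duplicates "the". In the same bullet, 0600 on `/etc/ldap.secret` is right but only if the file is also owned by root, since that is the account `nss_ldap` reads it as; say so. Under "Sudo refuses to search LDAP", the sentence is missing its full stop, and "configure nsswitch as documented above" points at a snippet that, at least in this diff, only shows `passwd` and `shadow`; the `sudoers` entry it refers to should be visible in the nsswitch block.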
ldap_openldap.1416791659.txt.gz · Last modified: 2014/11/24 01:14 by 0.0.0.0