Re: [opensuse] LDAP served network



On Thursday 01 March 2007 09:33, Gaël Lams wrote:
Hi,

I am trying to get my network up on LDAP user authentication.
I have several machines (Three servers and 10 workstations), and a
handful of roaming users that uses several boxes at different times.
I wanted a central user administration instead of having to walk around
and locally add all the new users i get.
.....
Can anyone either point me to a step by step setup, or tell me how to set
the simplest network up: One LDAP server and one LDAP client. That way i
might be able to set the rest up myself...
Server_1 is file a group file server with several shares with common
files for all the systems.
....
Is this doable with LDAP?

I think so, I have all my servers performing an ssh ldap authentication,
my external ftp users are also in the ldap directory and I have a few
web based applications using the same ldap back-end for the
authentication.

I don't have so much time, I will give you some background (if you
already know it, delete my email :-) that should help you in doing
what you want, and, in case of problems, help you in solving them.

In my set-up, I use pam to configure the various services to perform
an ldap authentication. In case you didn't know, Pluggable
Authentication Module (PAM) is the UNIX interface that enables
applications to use an independent mechanism for authentication (it
also provides functionality such as accounts management, session
management, and password management).
It's important to understand that PAM only handles that one issue –
authentication: if you use pam_ldap then your authentication
procedures can talk to a remote LDAP server to authenticate users -
but nothing else about your system changes (i.e., you still need to
have user accounts in /etc/* files).

Here comes the Name Service Switch (NSS). NSS is similar to PAM in
terms of allowing applications to use different sources for
authentication, but its primary purpose is simple lookups to get
user-attribute related information from the LDAP server (for instance:
the shell, the home directory). It's really just an admin-controlled
backend for the existing UNIX naming functions (gethostbyname,
getpwent, etc.), so that you can configure alternate naming sources.
If you use nss_ldap then you can remove user entries from /etc/* files
and have them live entirely in a remote LDAP server, but this is only
handling naming/lookup functions. Authentication will try and use
whatever the PAM module has been configured to use (it may call NSS
functions and thus "appear" to work sometimes, or it may try and
access /etc/* files directly in which case it will fail as the users
don't exist there anymore).

Software to be installed
pam_ldap, nss_ldap (optional: pam_ssh, if you want to use ssh_agent
with private key)

I will give you an example for the FTP setup:
I have defined in my ldap directory an organization called "EXTERNAL"
(lack of imagination :-) to contain the external users

I've then created /etc/pam.d/vsftpd with the following lines
auth required pam_ldap.so config=/etc/pam_ldap_ftp.conf
account required pam_ldap.so config=/etc/pam_ldap_ftp.conf

pam_ldap_ftp.conf is a copy of /etc/ldap.conf. ldap.conf is used to
define the login/ssh authentication configuration. I based all my
set-up on groups and, because it makes sense for me, I created an
organizational unit per type of service I want to provide ldap
authentication to (ou=FTP, ou=HTTP, ou=SSH, ....)

For example:
# Group to enforce membership of for the ftp server, defined in pam_ldap_ftp.conf
pam_groupdn cn=GP-PLECO,ou=FTP,ou=GROUPS,o=MY_ORG

# Group to enforce membership of for ssh access, defined in pam_ldap_conf
pam_groupdn cn=GP-SYSADMIN,ou=SSH,ou=GROUPS,o=MY_ORG

Hope it will help you,

Regards,

Gaël

It's a good start! Thank you very much!


--
         /Rikard

-----------------------------------------------------------------------------
email   : rikard.j@xxxxxxxxxx
web     : http://www.rikjoh.com
mob     : +46 (0)763 19 76 25
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78  46 1C EE 56 >
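A small consistency check for the PAM/NSS split and the pam_groupdn gating that Gaël describes, added here as an example and not code from the original thread. It runs on constructed copies of nsswitch.conf, /etc/pam.d/<service> and the pam_ldap config files (the names GP-PLECO, GP-SYSADMIN and MY_ORG are taken from the mail, the sshd stack is an assumed misconfiguration) and flags a service whose PAM stack lacks pam_ldap while NSS already resolves LDAP users, the "appears to work" trap from the mail.

```python
# Constructed sample files, modelled on the set-up described in the mail (not real hosts).
NSSWITCH = "passwd: files ldap\ngroup:  files ldap\nshadow: files\n"
PAM_D = {  # /etc/pam.d/<service>; sshd left on pam_unix only: the failure mode the mail warns about
    "vsftpd": "auth    required pam_ldap.so config=/etc/pam_ldap_ftp.conf\n"
              "account required pam_ldap.so config=/etc/pam_ldap_ftp.conf\n",
    "sshd":   "auth    required pam_unix.so\naccount required pam_unix.so\n",
}
LDAP_CONFS = {
    "/etc/ldap.conf":         "base o=MY_ORG\npam_groupdn cn=GP-SYSADMIN,ou=SSH,ou=GROUPS,o=MY_ORG\n",
    "/etc/pam_ldap_ftp.conf": "base o=MY_ORG\npam_groupdn cn=GP-PLECO,ou=FTP,ou=GROUPS,o=MY_ORG\n",
}

def nss_sources(nsswitch_text, db="passwd"):
    """Lookup sources for one NSS database, e.g. ['files', 'ldap']: the nss_ldap half of the split."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(db + ":"):
            return line.split(":", 1)[1].split()
    return []

def pam_ldap_config(pam_text, mtype):
    """Config file pam_ldap reads for a management type (auth/account), or None if pam_ldap is not stacked.
    Handles plain 'type control module args' lines only; bracketed [..] control values are not parsed."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype and fields[2] == "pam_ldap.so":
            # pam_ldap falls back to /etc/ldap.conf when no config= argument is given
            return next((f[len("config="):] for f in fields if f.startswith("config=")), "/etc/ldap.conf")
    return None

def groupdn(conf_text):
    """pam_groupdn value in a pam_ldap config, or None when no group membership is enforced."""
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "pam_groupdn":
            return fields[1]
    return None

def check_service(name, nsswitch=NSSWITCH, pam_d=PAM_D, ldap_confs=LDAP_CONFS):
    """Cross-check NSS and PAM for one service and report which LDAP group gates it."""
    findings, nss_ldap = [], "ldap" in nss_sources(nsswitch)
    for mtype in ("auth", "account"):
        conf = pam_ldap_config(pam_d[name], mtype)
        if conf is None:
            if nss_ldap:  # users resolve through NSS but can never pass PAM: the "appears to work" trap
                findings.append(f"{name}/{mtype}: NSS resolves LDAP users but PAM never consults pam_ldap")
            continue
        gdn = groupdn(ldap_confs.get(conf, ""))
        findings.append(f"{name}/{mtype}: pam_ldap via {conf}, required group {gdn or 'NONE (any LDAP user)'}")
    return findings
```

Running check_service("sshd") against these samples reports the trap for both the auth and account types, while check_service("vsftpd") shows the FTP group membership that pam_ldap enforces.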
