[BBLISA] openldap recipe(s)

Edward Ned Harvey bblisa3 at nedharvey.com
Thu Nov 6 20:33:33 EST 2008


I don't have any recipes for LDAP, as the original post quoted below requested.  I do however have a few comments based on recent months of work in this field...

Depending on the goal you want to accomplish...

I do have a recipe (literally three commands) to join Linux machines onto Active Dir for authentication.  It only provides authentication though, and POSIX must come from somewhere else.  In my present setup, we're using NIS for POSIX stuff (relatively easy to set up, very reliable).  I really like how ridiculously easily clients fail over to the NIS slave, if something goes wrong with the master.  Or whatever.

In a recent-ish conversation, somebody actually suggested scripting roll-out for passwd/group/shadow files.  Each machine has a "passwd-base" file which contains the unique things (if any) on that machine.

    cat passwd-base /some/server/passwd-domain > passwd

After considering Kerberos, LDAP, and NIS, this sounds surprisingly attractive.  You'll never have any problem caused by dependency on some central server having a problem.   ;-)   I don't think I'll actually do it, but it does lower my blood pressure to think about it.

> -----Original Message-----
> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> Behalf Of Doug Mildram
> Sent: Thursday, November 06, 2008 5:37 PM
> To: bblisa at bblisa.org
> Subject: [BBLISA] openldap recipe(s)
> 
> LDAP last discussed here @bblisa, not re: installation, initial config;
>  http://www.bblisa.org/pipermail/bblisa/2007-December/001556.html
> Pardon all the food motifs here.  Hungry? Sick? both :)
> 
> MAIN QUESTION: I hope to find a clear complete recipe for
> (openldap install + ) config of linux (redhat based preferred)
> using LDAP authentication.   (UNIX passwd,shadow,group).
> I've read too many, brain going in circles now.
> 
> Stop reading here or risk entering the swamp.
> 
> ====gory detail of the goal, observations, embedded Q's, etc:
> 
> I've currently been trying cookbooks incl. one at www.openldap.org
>    (homepage docs go to version 2.4, but 2.3 is more prevalent,
>       e.g. RH5/centOS5 has 2.3.  This Quickstart is worth something:
> http://www.openldap.org/doc/admin23/quickstart.html
>      which chooses BDB database, if that matters.
> Quickstart ends near my Step3 below.
>  After that, many things/choices remain on the road to enable auth.
> 
> From scratch, general steps:
> 
> STEP1:  openldap installed w/server (slapd).
>  On RH5/centOS5,  needed rpm's are:
> $ rpm -aq | grep ldap
> openldap-2.3.27-8.el5_1.3
> openldap-servers-2.3.27-8.el5_1.3
> nss_ldap-253-12.el5
> openldap-clients-2.3.27-8.el5_1.3
> 
> STEP2: slapd configured a bit, and running.  Also DNS in the mix.
>  Choose "domain style" Base DN, e.g. dc=myhouse,dc=local,
> it's unclear why LDAP docs say the final component (mine = "local")
> should be an approved top-level domain (is "local" approved?). Anyways,
> trying to make typical choices, w/o an actual registered domain,
> my poor-man DNS server works on local LAN
>       and /etc/resolv.conf has "domain myhouse.local" to be safe.
>  I'll even add a CNAME "auth" for server URL ldap://auth.myhouse.local
> Much detail omitted here in slapd.conf editing.
>  ==end step2; likely to revisit slapd configuration as we go along.
> 
> STEP3: edit /etc/openldap/ldap.conf (the short ldap.conf) so "clients"
> (also on server) like ldapsearch, ldapadd, etc     should work;
> 
> Some initial ldapsearch tests should be here, +more after step4.
> 
> STEP4: create by hand or import user accounts
>               trivial or not, I'm not focused on this yet;
> 
> STEP 5:  In the LONG /etc/ldap.conf, edit "host" and "base"
> and perhaps just add/enable 5 lines for
> pam_filter objectclass=(posixAccount or account? depends on recipe)
> pam_password crypt
> nss_base_passwd ou=People,dc=(mybaseDN)
> nss_base_shadow ou=People,dc=(mybaseDN)
> nss_base_group ou=Group,dc=(mybaseDN)
> 
> 
> STEP 6: mess w/PAM manually (edit /etc/pam.d/system-auth)
>     and/or (GUI,wimp?) run RH command "system-config-authentication"
>    which has LDAP checkboxes in BOTH tabs, confusing?
> 
>      tab "User information" has "Enable LDAP Support"
>                            and "Configure LDAP" lets you
>                  choose TLS or not;
>                  enter LDAP Search Base DN
>                  enter LDAP Server   ldap://auth.myhouse.local
> 
>       the OTHER tab "Authentication" has the SAME thing as above.
> the GUI doesn't help keep "authentication" and "authorization" straight.
>   (authentication = identify/become myself,root,etc; passwd+shadow)
>   (authorization = what am I allowed to do? group,..)
> 
> STEP ? : dump the contents and do the dishes.
> 
> It kills me how many places you hardcode "suffix" (BaseDN) and
> other redundancies in LDIF entries. Elegance != the beauty of x.500
> gumbo.
> 
> Don't forget /etc/nsswitch.conf (passwd,group  "files ldap")
>     if system-config-authentication hasn't done it.
> 
> Makes NIS look like a hot date. Sorry so long.
> Any pointers/advice? -doug
> 
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
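The passwd-base roll-out that Ned mentions above, written out as a POSIX shell script; this is an added example, not code from either poster. It adds the check a bare "cat a b > passwd" lacks, refusing to ship a file in which a login name or UID appears in both the per-host and the domain part, and it renames the result into place so lookups never see a half-written passwd. The file names and sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example: merge a per-host passwd-base with a shared passwd-domain.
# File names and sample accounts below are constructed, not from the thread.

# Refuse the merge on any duplicate login name (field 1) or UID (field 3):
# a collision here would otherwise be pushed silently to every host.
merge_passwd() {
    base="$1"; domain="$2"; out="$3"
    dup_names=$(cut -d: -f1 "$base" "$domain" | sort | uniq -d | tr '\n' ' ')
    dup_uids=$(cut -d: -f3 "$base" "$domain" | sort | uniq -d | tr '\n' ' ')
    if [ -n "$dup_names" ] || [ -n "$dup_uids" ]; then
        echo "refusing merge: duplicate names [$dup_names] uids [$dup_uids]" >&2
        return 1
    fi
    # Build the file aside, then rename: the rename is atomic, so NSS lookups
    # see either the old passwd or the complete new one, never a partial file.
    tmp="$out.tmp.$$"
    cat "$base" "$domain" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$out"
}

# Constructed sample data standing in for the per-host and per-domain files.
write_samples() {
    dir="$1"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'backup:x:34:34:backup:/var/backups:/sbin/nologin' > "$dir/passwd-base"
    printf '%s\n' 'doug:x:1001:100:Doug:/home/doug:/bin/bash' \
                  'ned:x:1002:100:Ned:/home/ned:/bin/bash' > "$dir/passwd-domain"
    # A bad domain file: "root" is redefined and "svc" reuses UID 34.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'svc:x:34:100:Service:/home/svc:/bin/bash' > "$dir/passwd-domain.bad"
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    merge_passwd "$dir/passwd-base" "$dir/passwd-domain" "$dir/passwd" || return 1
    wc -l < "$dir/passwd"                                 # 4 entries
    if merge_passwd "$dir/passwd-base" "$dir/passwd-domain.bad" "$dir/passwd"; then
        return 1                                          # must have been refused
    fi
    rm -rf "$dir"
}
```

Run with `. ./merge.sh; demo` on a scratch directory; the same duplicate check applies unchanged to the group file if you roll that out the same way.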