[BBLISA] openldap recipe(s)

Daniel Hagerty hag at linnaean.org
Fri Nov 7 08:39:23 EST 2008


"Doug Mildram" <dmildram at gmail.com> writes:

> MAIN QUESTION: I hope to find a clear complete recipe for
> (openldap install + ) config of linux (redhat based preferred)
> using LDAP authentication (UNIX passwd, shadow, group).
> I've read too many, brain going in circles now.

    The problem with "recipe" here is that there are a lot of
variables, and many of these variables are your call to make constant.

> should be an approved toplevel domains (is "local" approved?) Anyways,

    I forget where, but local is in fact approved for exactly your use
case.

> pam_filter objectclass=(posixAccount or account? depends on recipe)

    This one's up to you.  objectClass is how you specify which
attributes the LDAP server will insist upon having to create a given
object.  The setup on one random domain I work with has it so that
posixAccounts are what nss/pam filter for, and there are some other
account-like things that aren't posixAccounts.  As a result, these
other things don't exist on unix machines, don't get unix user ids,
home directories, etc.

>    which has LDAP checkboxes in BOTH tabs, confusing?

    One of these is for configuring nss, the other is for
authentication.  As a counterexample, if you were configuring against
Active Directory or another ldap + kerberos system, you'd configure
ldap for the nss portion, but kerberos for the auth.

> Makes NIS look like a hot date. Sorry so long.

    It's not exactly a fair comparison.  NIS is very fixed in its
overall function, as is the OS interface to it.  LDAP ends up being a
lot more things to a lot more customers, and as usual, you pay for it.
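An added example, not code from the post above: it makes the objectClass / pam_filter point concrete by doing on a few LDIF entries what nss_ldap does on a client with `pam_filter objectclass=posixAccount`, and it adds the check a practitioner wants before loading such entries, because every entry that passes the filter becomes a uid on every client. It assumes RFC 2307's posixAccount definition (MUST cn, uid, uidNumber, gidNumber, homeDirectory) and a hypothetical directory under dc=example,dc=local; the LDIF is constructed for the example.

```python
# Added example (not from the original post). Emulates the client-side
# objectClass filter nss_ldap/pam_ldap apply, and audits the entries that
# would become Unix accounts. Directory names below are hypothetical.
import base64
from collections import defaultdict

# MUST attributes of posixAccount as defined in RFC 2307.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample LDIF (not from any real directory): a proper
# posixAccount, a service object that is deliberately NOT a posixAccount,
# an entry missing a MUST attribute, a uidNumber 0 entry, and a uid clash.
SAMPLE_LDIF = """\
# constructed sample
version: 1

dn: uid=alice,ou=People,dc=example,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/alice
description: folded across
  two LDIF lines

dn: uid=svc-backup,ou=People,dc=example,dc=local
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: svc-backup
userPassword: {SSHA}placeholder

dn: uid=bob,ou=People,dc=example,dc=local
objectClass: top
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 10002
gidNumber: 100

dn: uid=mallory,ou=People,dc=example,dc=local
objectClass: top
objectClass: posixAccount
uid: mallory
cn: Mallory
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=carol,ou=People,dc=example,dc=local
objectClass: top
objectClass: posixAccount
uid: carol
cn: Carol Example
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/carol
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries: {attr_lowercase: [values]}."""
    entries = []
    for block in text.split("\n\n"):
        lines = []
        for raw in block.splitlines():
            # A leading space continues the previous line (LDIF folding).
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        entry = defaultdict(list)
        for line in lines:
            if not line or line.startswith("#") or line.lower().startswith("version:"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # "attr:: base64" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry[name.strip().lower()].append(value)
        if "dn" in entry:  # blocks without a dn (comments, version) are not entries
            entries.append(dict(entry))
    return entries


def has_objectclass(entry, objectclass):
    """Case-insensitive test equivalent to the filter (objectClass=<objectclass>)."""
    return objectclass.lower() in (v.lower() for v in entry.get("objectclass", []))


def missing_must(entry, must=POSIX_ACCOUNT_MUST):
    """MUST attributes the server would insist on before creating the object."""
    return [a for a in must if a.lower() not in entry]


def unix_accounts(entries, filter_oc="posixAccount"):
    """DNs a client with pam_filter objectclass=<filter_oc> would see as users."""
    return [e["dn"][0] for e in entries if has_objectclass(e, filter_oc)]


def audit(entries):
    """Findings per DN for entries that pass the posixAccount filter."""
    findings = defaultdict(list)
    owners = defaultdict(list)  # uidNumber -> DNs claiming it
    for e in entries:
        if not has_objectclass(e, "posixAccount"):
            continue  # invisible to nss/pam, so not a Unix account at all
        dn = e["dn"][0]
        for attr in missing_must(e):
            findings[dn].append(f"missing MUST attribute {attr}")
        for raw in e.get("uidnumber", []):
            if not raw.isdigit():
                findings[dn].append(f"non-numeric uidNumber {raw!r}")
                continue
            uid = int(raw)
            owners[uid].append(dn)
            if uid == 0:
                findings[dn].append("uidNumber 0 would map to root on every client")
    for uid, dns in owners.items():
        if len(dns) > 1:
            for dn in dns:
                findings[dn].append(f"uidNumber {uid} shared with {len(dns) - 1} other entry(s)")
    return dict(findings)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("Unix accounts:", unix_accounts(parsed))
    for dn, issues in audit(parsed).items():
        print(dn)
        for issue in issues:
            print("  -", issue)
```

The service object passes through untouched: it has no posixAccount objectClass, so it never becomes a uid, which is the behaviour described above. The uidNumber checks are the part worth keeping: the schema will stop the incomplete entry, but nothing in the schema stops a second entry with uidNumber 0 or a duplicate uid, and on the client those are indistinguishable from root or from the other user.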
