Revision [3784]
Last edited on 2010-08-04 08:58:37 by KenFong
Additions:
Different distro has the same util. On Redhat, it's **authconfig**. On Ubuntu, it's **ldap-auth-config**. Once it is installed, run it once and it will configure your server to use LDAP for authentication. Now the config it generates does not work well for me - it's most likely due to some misconfigurations on my LDAP server. But that can be worked around by editing /etc/ldap.conf. Here is mine:
Notice I did not configure LDAPS so passwords are most likely transmitted in plaintext. You wouldn't want to do that in a production environment. Once that config is updated, it's committed to the system. No restart of anything is required.
====Testing LDAP connection and authentication====
To test that my Linux is now able to retrieve the uid / homedir / shell from LDAP server:
Next thing is of course to try to login with the credentials on LDAP server. Now for some reason, authconfig did not take care of pam for me. So I had to add the followings to
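Review bot: the "authconfig did not take care of pam for me" remark points at a missing switch rather than a bug: on CentOS, authconfig only rewrites /etc/pam.d/system-auth with pam_ldap.so when it is given `--enableldapauth` (`--enableldap` alone sets up the nss_ldap lookups), so `authconfig --enableldap --enableldapauth --ldapserver=192.168.13.10 --ldapbasedn=dc=webservers,dc=comme,dc=ca --update` produces both the /etc/ldap.conf values and the PAM entries that revision 3778 adds by hand. One caveat to "No restart of anything is required": if nscd is running it caches passwd lookups, and `nscd -i passwd` is needed before `getent` reflects the LDAP entries.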
Deletions:
Once that config is updated, it's committed to the system. No restart of anything is required. To test that my Linux is now able to retrieve the uid / homedir / shell from LDAP server:
Next thing is of course to try to login with the credentials on LDAP server. Now for some reason, authconfig did not take care of pam configuration for me. So I had to add the followings to
Revision [3783]
Edited on 2010-08-04 08:55:37 by KenFong
Additions:
====ObjectClass and attributes====
One must add the **posixAccount** objectClass to each user as it is required for the later parts. The posixAccount objectClass does not require the attribute **loginShell** be filled in. Make sure that is entered as well.
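Review bot: the sentence would be clearer with the reason: RFC 2307 defines posixAccount with cn, uid, uidNumber, gidNumber and homeDirectory as mandatory and loginShell only as optional, and when the attribute is absent nss_ldap emits an empty shell field (the `admin:*:10001:20001:admin:/home/admin:` line that revision 3776 deletes), which login then treats as /bin/sh.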
Deletions:
Revision [3782]
Edited on 2010-08-04 08:53:39 by KenFong
Additions:
That works out for me on CentOS, but not on Ubuntu. The latter keeps saying my password is incorrect. I'll try to iron that out later on.
Deletions:
Revision [3781]
Edited on 2010-08-04 08:51:34 by KenFong
Additions:
It's not easy for me but I've made some progress. I use OpenDS as LDAP server, and tested authentication with CentOS 5.5 and Ubuntu 10.04.
Deletions:
Revision [3780]
Edited on 2010-08-04 08:50:17 by KenFong
Additions:
That works out for me on CentOS, but not on Ubuntu. The latter keeps saying my password is incorrect.
Revision [3779]
Edited on 2010-08-04 08:49:36 by KenFong
Additions:
Next thing is of course to try to login with the credentials on LDAP server. Now for some reason, authconfig did not take care of pam configuration for me. So I had to add the followings to
On CentOS: /etc/pam.d/system-auth
On Ubuntu: /etc/pam.d/common-auth|account|password
%%(text;respective file)
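Review bot: on Ubuntu 10.04 the common-auth, common-account and common-password files are generated by pam-auth-update, and installing libpam-ldap registers an "LDAP Authentication" profile with it, so the supported step is running `pam-auth-update` rather than editing those three files by hand. Appending `auth sufficient pam_ldap.so` after the generated `auth [success=1 default=ignore] pam_unix.so nullok_secure` / `auth requisite pam_deny.so` pair never reaches pam_ldap, because pam_deny fails the stack as soon as pam_unix rejects the password; that matches the "password is incorrect" symptom reported for Ubuntu in revisions 3780 and 3782.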
Deletions:
Revision [3778]
Edited on 2010-08-04 08:44:30 by KenFong
Additions:
Next thing is of course to try to login with the credentials on LDAP server. Now for some reason, authconfig did not take care of pam configuration for me. So I had to add the followings to /etc/pam.d/system-auth (on CentOS)
%%(text;system-auth)
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
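Review bot: placement of these three lines relative to the existing pam_unix.so entries is not shown and it decides whether they work: a `required` module that has already failed makes the stack return failure no matter what a later `sufficient` module does, so `auth sufficient pam_ldap.so` has to precede a `required` pam_unix.so (or follow a pam_unix.so that is itself `sufficient`, which is how authconfig writes system-auth). Whichever of pam_ldap.so and pam_unix.so runs second also needs `use_first_pass` or `try_first_pass`, otherwise the user is prompted for the password twice. No `session` line is added, which is fine for login itself but means `session required pam_mkhomedir.so` is still needed if /home/<uid> is to be created for LDAP users on first login.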
Deletions:
Revision [3777]
Edited on 2010-08-04 08:39:11 by KenFong
Additions:
> id oper
uid=10002(oper) gid=20001 groups=20001
Revision [3776]
Edited on 2010-08-04 08:35:32 by KenFong
Additions:
One must add the posixAccount objectClass to each user as it is required for the later parts. The posixAccount objectClass does not require the attribute "loginShell" be filled in. Make sure that is entered as well.
admin:*:10001:20001:admin:/home/admin:/bin/bash
Deletions:
admin:*:10001:20001:admin:/home/admin:
Revision [3775]
Edited on 2010-08-04 08:27:48 by KenFong
Additions:
====LDAP server====
First I need a LDAP server. I used OpenDS because my company has some successful deployment with it. The installation is pretty straight forward and it comes with a GUI control panel (I think it's under $opends-home/bin/control-panel). Once the installation wizard finishes, it will ask you if you want to create an initial DN. I did it and I created a subdomain called "webservers". Under that domain, I created two users "admin" and "oper". I also created a couple of groups. The screenshot below illustrates the tree structure:
{{image url="images/opends.png"}}
Initially, these users I created can only be seen with shelldap, that's because by default, opends does not add the "posixAccount" objectClass to these users. But shelldap gives you a quick way to confirm ldap is up and running, and that it can be queried:
%%
shelldap --basedn dc=webservers,dc=comme,dc=ca --server 192.168.13.10
~ > list
cn=admin
cn=oper
cn=operators
cn=superusers
%%
One must add the posixAccount objectClass to each user as it is required for the later parts.
====Configuring Linux to use LDAP====
Different distro has the same util. On Redhat, it's authconfig. On Ubuntu, it's ldap-auth-config. Once it is installed, run it once and it will configure your server to use LDAP for authentication. Now the config it generates does not work well - it's most likely due to some misconfigurations on my LDAP server. But that can be worked around by editing /etc/ldap.conf. Here is mine:
%%
base dc=webservers,dc=comme,dc=ca
uri ldap://192.168.13.10/
ldap_version 2
pam_password md5
%%
Once that config is updated, it's committed to the system. No restart of anything is required. To test that my Linux is now able to retrieve the uid / homedir / shell from LDAP server:
%%
> getent passwd | grep admin
admin:*:10001:20001:admin:/home/admin:
%%
Next thing is of course to try to login with the credentials on LDAP server.
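Review bot: `ldap_version 2` in the /etc/ldap.conf block should be `ldap_version 3`: LDAPv2 was moved to Historic status by RFC 3494, and StartTLS exists only in v3, so this line also rules out the simplest fix for the cleartext binds over `uri ldap://192.168.13.10/` (either `uri ldaps://192.168.13.10/` or `ssl start_tls` together with a `tls_cacertfile` pointing at the OpenDS certificate). `pam_password md5` makes pam_ldap hash a changed password itself and write the unsalted {MD5} value straight into userPassword, so the server never applies its own storage scheme or password policy; `pam_password exop` uses the password-modify extended operation, which OpenDS supports, and lets the server do the hashing. The trailing empty field in `admin:*:10001:20001:admin:/home/admin:` is the missing loginShell, which revision 3776 addresses.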
Deletions:
First I need a LDAP server. I used OpenDS because my company has some successful deployment with it. The installation is pretty straight forward and it comes with a GUI control panel (I think it's under $opends-home/bin/control-panel). Once the installation wizard finishes, it will ask you if you want to create an initial DN. I did it and I created a subdomain called "webservers". Under that domain, I created two users "admin" and "oper". The screenshot below illustrates the tree structure: