Difference between revisions of "LDAP Ramblings"
Revision as of 01:15, 10 January 2008
Intro
On the IAC's user-accessible Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy.
Clients
Linux Clients
Administrative users will retain entries in the local /etc/passwd and /etc/shadow files for troubleshooting access. All other users will exist in LDAP and will have individual server permissions.
Email Clients
Ideally email users can be accommodated without having local accounts. If this is not possible, the local shell can be set to disallow logins for security purposes.
Windows Clients
Currently not planned, but possible once the setup has been proven. This would allow users to log into any machine using their username and login. Only a select few machines (data acquisition etc.) would retain generic iacuser access.
LDAP Settings
Debian LDAP VM
- Distinguished name of the search base:"dc=iac,dc=isu,dc=edu"
- LDAP version 3
- Privileged account for libpam/libnss ldap: "cn=admin,dc=iac,dc=isu,dc=edu"
- Need to modify /etc/nsswitch.conf to use the "ldap" datasource. Example file /usr/share/doc/libnss-ldap/examples/nsswitch.ldap
The following /etc/nsswitch lines:
passwd: compat
group: compat
shadow: compat
hosts: files dns
netgroup: nis
will be changed to:
passwd: files ldap
group: files ldap
#shadow line removed (only needed for pre-nsswitch compat programs?)
hosts: files dns ldap
netgroup: files ldap
SUSE Test
- Base DN: dc=iac, dc=isu, dc=edu
- Root DN: cn=Administrator, Append Base DN=true
- Default Policy Object DN: cn=Default Password Policy, Append Base DN=true
The rest of the schema was set up by the SUSE tools.
The SUSE /etc/nsswitch.conf file has the following relevant lines:
passwd: compat
group: files ldap
services: files ldap #probably not needed
netgroup: files ldap
aliases: files ldap
passwd_compat: ldap
The line "passwd: ldap" should be able to replace the two passwd lines as long as you're not using the "+" NIS notation in the /etc/passwd file?
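As an added illustration (not part of the original page, and not a tool from any of the projects mentioned), here is a small Python checker for the nsswitch.conf layouts listed above for both the Debian VM and the SUSE test. It parses the file, strips comments and glibc [action] clauses, and reports for passwd, group and shadow whether LDAP is actually consulted (either directly or through "compat" plus a "<db>_compat: ldap" line, which is the SUSE case), whether a database is missing entirely so glibc's built-in default applies (the removed shadow line), and whether local files are consulted before ldap so that the locally kept admin accounts still resolve when the directory is unreachable. The sample configurations are embedded as constructed strings copied from the lines above plus one extra constructed case with ldap ahead of files.

```python
"""Audit /etc/nsswitch.conf for an LDAP account migration (added example)."""
import re
from typing import Dict, List

# Account databases the migration touches; each is checked for an ldap source.
ACCOUNT_DBS = ("passwd", "group", "shadow")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} with comments and [action] clauses removed."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        if not line:
            continue
        name, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop e.g. [NOTFOUND=return]
        dbs[name.strip()] = rest.split()
    return dbs


def ldap_consulted(dbs: Dict[str, List[str]], db: str) -> bool:
    """True if lookups for db reach LDAP, directly or via compat + <db>_compat."""
    sources = dbs.get(db, [])
    if "ldap" in sources:
        return True
    return "compat" in sources and "ldap" in dbs.get(f"{db}_compat", [])


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no concerns."""
    dbs = parse_nsswitch(text)
    findings: List[str] = []
    for db in ACCOUNT_DBS:
        sources = dbs.get(db)
        if sources is None:
            findings.append(f"{db}: not listed, glibc built-in default applies")
            continue
        if not ldap_consulted(dbs, db):
            findings.append(f"{db}: LDAP not consulted (sources: {' '.join(sources)})")
            continue
        # Local admin entries in /etc/passwd and /etc/shadow must resolve even
        # when the directory is down, so files/compat should come before ldap.
        local = [i for i, s in enumerate(sources) if s in ("files", "compat")]
        if "ldap" in sources and (not local or local[0] > sources.index("ldap")):
            findings.append(
                f"{db}: local files not consulted before ldap; "
                "admin accounts depend on the directory being reachable"
            )
    return findings


# Constructed samples, taken from the nsswitch lines quoted on this page.
DEBIAN_BEFORE = """passwd: compat
group: compat
shadow: compat
hosts: files dns
netgroup: nis
"""

DEBIAN_AFTER = """passwd: files ldap
group: files ldap
#shadow line removed (only needed for pre-nsswitch compat programs?)
hosts: files dns ldap
netgroup: files ldap
"""

SUSE_TEST = """passwd: compat
group: files ldap
services: files ldap #probably not needed
netgroup: files ldap
aliases: files ldap
passwd_compat: ldap
"""

# Constructed counter-example (not from the page): ldap ordered ahead of files.
LDAP_FIRST = """passwd: ldap files
group: files ldap
shadow: files ldap
"""

if __name__ == "__main__":
    for label, cfg in (("Debian before", DEBIAN_BEFORE), ("Debian after", DEBIAN_AFTER),
                       ("SUSE test", SUSE_TEST), ("ldap-first", LDAP_FIRST)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against a real file with `audit(open("/etc/nsswitch.conf").read())`; after the change it pairs naturally with `getent passwd <user>` to confirm that an LDAP-only user now resolves while the local admin entries still do.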
Multimaster Replication
- Requires NTP time synchronization between replication servers.
- Only works with OpenLDAP 2.4 (not available in current Debian/Ubuntu/SUSE repositories)
- Probably not needed with our very infrequent writes