
Re: Autofs-OpenLDAP Assistance



Hi Buchan,

The settings below, as you say, are to be done on the client side. But how would you configure the settings in LDAP, i.e. on the server side? What would the LDIF files look like? Also, I need it to communicate and authenticate for my qmail users, and my qmail users' mails are stored in the /home partition of the mail server. Will that not conflict with my mail server's and login users' partition? How will I overcome this issue?

Can you please revert on the same. Anyway, thanks for your reply.

Thanks and Regards
Santosh Balan
+91-9819419509

> ----- Original Message -----
> From: "Buchan Milne" <bgmilne@staff.telkomsa.net>
> To: openldap-technical@openldap.org
> Subject: Re: Autofs-OpenLDAP Assistance
> Date: Wed, 30 Jul 2008 11:54:25 +0200
> 
> 
> On Tuesday 29 July 2008 20:19:33 Sven Ulland wrote:
> > Santosh Balan wrote:
> > > Can you please guide and provide some appropriate documentation or
> > > method as to how I have to go about the installation of OpenLDAP and
> > > autofs such that it will authenticate my users and automatically
> > > mount the users' partition.
> 
> Depending on how your infrastructure is set up, you could get home directories
> automounted for every user with a single automount (wildcard) rule. Unless you
> give more details, it is difficult to know how you are associating the need
> for home directories and automount rules.
> 
> > To use ldap for login, you need to get nsswitch and pam to talk ldap.
> > It is easily done by installing libnss-ldapd (or libnss-ldap -- they
> > are functionally equivalent) and libpam-ldap. Package names are likely
> > to be different on your platform -- these are from Debian.
> >
> > First change /etc/nsswitch.conf so that it reads something like this:
> >
> > passwd:         compat ldap
> > group:          compat ldap
> > shadow:         compat ldap
> 
> I would avoid compat unless you actually require the features. See the
> discussion of compat in nsswitch.conf(5). Additionally, I would avoid adding
> ldap to shadow unless you have applications that require access to the
> password hash or are intending to use nss_ldap->pam_unix for authentication
> (and forego any ldap authorization features).
> 
> > hosts:          files dns
> > networks:       files
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> > netgroup:       nis
> > automount:      ldap
> >
> > Then set up /etc/pam.d/common-{account,auth,password,session} with the
> > following *additions*:
> >
> > common-account:
> >  account     sufficient    pam_succeed_if.so uid < 1000 quiet
> >  account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> >  account     required      pam_permit.so
> 
> I would rather suggest adding:
> 
> account sufficient pam_localuser.so
> account sufficient pam_ldap.so
> account required pam_deny.so
> 
> otherwise password expiry, host attribute use etc. will most likely not work.
> 
> > common-auth:
> >  auth    requisite       pam_succeed_if.so uid >= 1000 quiet
> >  auth    sufficient      pam_ldap.so use_first_pass
> >  auth    required        pam_deny.so
> >
> > common-password:
> >  password    sufficient    pam_ldap.so use_authtok
> >  password    required      pam_deny.so
> >
> > common-session
> >  session     optional      pam_ldap.so
> 
> pam_ldap doesn't implement session as far as I know; pam_mkhomedir would be a
> better candidate for the line above.
> 
> >
> > (There is probably some silly configuration in the above, but it
> > works. I haven't looked into the details of PAM yet.)
> 
> Have you tested every aspect with the configuration above?
> 
> > Next, install autofs5-ldap (or v4 if you want). It is important that
> > you understand the structure of autofs entries in ldap. You can get an
> > overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap
> >
> > Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf),
> > /etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point
> > to your ldap directory server.
> >
> > When things don't work, try running each daemon in debug mode. This
> > is particularly true for slapd and the nslcd (that comes in
> > libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to
> > see if logins are accepted.
> 
> 
> And disable nscd while troubleshooting.
> 
> Regards,
> Buchan





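Added example (not part of the thread, and not the autofs project's own sample data): what the server-side LDIF for Buchan's "single wildcard rule" and one posixAccount user could look like, using the attribute names from the autofs LDAP schema (automountMap / automount object classes with automountMapName, automountKey and automountInformation). The base DN dc=example,dc=com, the ou=automount and ou=People containers, the NFS server name mailserver.example.com and the exported path /home are all assumptions; older deployments that use the rfc2307bis-style schema (ou/cn instead of automountMapName/automountKey) need the map_object_class, entry_object_class, map_attribute, entry_attribute and value_attribute settings in the autofs configuration changed to match.

```ldif
# Added example, not from the thread. Base DN, containers, server name
# and export path are assumptions; adjust them to your directory.

# Container for the automount maps
dn: ou=automount,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: automount

# auto.master: one mount point, /home, served from the map auto.home
dn: automountMapName=auto.master,ou=automount,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto.master

dn: automountKey=/home,automountMapName=auto.master,ou=automount,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: ldap:automountMapName=auto.home,ou=automount,dc=example,dc=com

# auto.home: the single wildcard rule. "*" matches any key looked up under
# /home and "&" is replaced by that key, so /home/jdoe maps to
# mailserver.example.com:/home/jdoe without a per-user entry.
dn: automountMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto.home

dn: automountKey=*,automountMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: *
automountInformation: -fstype=nfs,rw,hard,intr,nosuid mailserver.example.com:/home/&

# One user whose homeDirectory falls under the automounted /home.
# ou=People is assumed to exist already. userPassword is deliberately
# omitted here; set it with ldappasswd or in a separate LDIF.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
```

Two practitioner notes on this example. The nosuid option on the wildcard entry is there so that a setuid binary dropped into an NFS home directory cannot be used for privilege escalation on the client; keep it unless a specific application needs otherwise. And, in line with Buchan's remark about not adding ldap to the shadow line, the userPassword attribute of these entries should be readable only by the user themself and the directory administrators (an "access to attrs=userPassword by self write by anonymous auth by * none" rule in slapd.conf or cn=config), so that client hosts authenticate via an LDAP bind rather than by fetching the hash.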