
Re: Autofs-OpenLDAP Assistance

Santosh Balan wrote:
Can you please guide and provide some appropriate documentation or
method as to how I have to go about with the installation of OpenLDAP and
autofs such that it will authenticate my users and automatically
mount the users' partition.

To use ldap for login, you need to get nsswitch and pam to talk ldap. It is easily done by installing libnss-ldapd (or libnss-ldap -- they are functionally equivalent) and libpam-ldap. Package names are likely to be different on your platform -- these are from Debian.

First change /etc/nsswitch.conf so that it reads something like this:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
automount:      ldap

Then set up /etc/pam.d/common-{account,auth,password,session} with the
following *additions*:

# account: skip the directory for local system accounts (uid < 1000);
# everyone else is checked by pam_ldap, and a user the directory does
# not know is ignored here rather than rejected
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# auth: only uids >= 1000 are tried against LDAP; use_first_pass reuses
# the password an earlier module already asked for instead of prompting
# again, and anything that falls through is denied
auth    requisite       pam_succeed_if.so uid >= 1000 quiet
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so

# password: use_authtok means pam_ldap stores the new password that an
# earlier module in the stack already prompted for
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

# session: optional, so a pam_ldap failure here does not block login
session     optional      pam_ldap.so

(There is probably some silly configuration in the above, but it
works. I haven't looked into the details of PAM yet.)

Next, install autofs5-ldap (or v4 if you want). It is important that you understand the structure of autofs entries in ldap. You can get an overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap

Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf),
/etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point
to your ldap directory server.

When things don't work, try running each daemon in debug mode. This
is particularly true for slapd and the nslcd (that comes in
libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to
see if logins are accepted.
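The autofs entries the message says you need to understand, shown as an added example that is not part of the original post: a small Python script that builds an auto.master map and a wildcard auto.home map in the autofs LDAP schema (objectClasses automountMap and automount; attributes automountMapName, automountKey and automountInformation), prints them as LDIF you can feed to ldapadd, and flags home-directory mounts whose options lack nosuid,nodev. The suffix ou=automount,dc=example,dc=com, the server nfs.example.com, the export paths and the user name are assumptions made up for the example.

```python
"""Build and sanity-check autofs maps stored in LDAP (added example).

Assumes the autofs schema that ships with autofs-ldap: a map is an
automountMap object named by automountMapName, and each key in it is an
automount object holding automountKey and automountInformation, where
automountInformation is exactly what the corresponding line of an
auto.* file would contain after the key.
"""
import base64

BASE_DN = "ou=automount,dc=example,dc=com"   # assumption: hypothetical suffix
REQUIRED_OPTS = {"nosuid", "nodev"}          # every NFS home mount should carry these


def map_dn(map_name):
    return f"automountMapName={map_name},{BASE_DN}"


def automount_map(map_name):
    """Container object for one map (auto.master, auto.home, ...)."""
    return {"dn": map_dn(map_name),
            "objectClass": ["top", "automountMap"],
            "automountMapName": map_name}


def automount_entry(map_name, key, information):
    """One key in a map; 'information' is the rest of the auto.* file line."""
    return {"dn": f"automountKey={key},{map_dn(map_name)}",
            "objectClass": ["top", "automount"],
            "automountKey": key,
            "automountInformation": information}


def master_entry(mount_point, map_name):
    """auto.master key that points at another map kept in the directory."""
    return automount_entry("auto.master", mount_point, f"ldap:{map_dn(map_name)}")


def nfs_entry(map_name, key, server, export,
              opts=("rw", "nosuid", "nodev", "hard")):
    """Sun-format entry '-opts server:/export'; key '*' with '&' in the
    export path is the autofs wildcard (one entry serves every user)."""
    return automount_entry(map_name, key, "-" + ",".join(opts) + f" {server}:{export}")


def mount_options(information):
    """Option set from an automountInformation value (empty if it has none)."""
    words = information.split()
    head = words[0] if words else ""
    return set(head[1:].split(",")) if head.startswith("-") else set()


def check_entry(entry):
    """Problems with one entry.  Whoever can write automountInformation
    decides what the client mounts and with which options, so a map
    entry without nosuid/nodev lets an NFS server hand the client setuid
    binaries or device nodes."""
    info = entry["automountInformation"]
    if info.startswith("ldap:"):
        return []                      # reference to another map, no options
    opts = mount_options(info)
    problems = [f"{entry['dn']}: missing {o}" for o in sorted(REQUIRED_OPTS - opts)]
    problems += [f"{entry['dn']}: explicit {o}" for o in ("suid", "dev") if o in opts]
    return problems


def audit(entries):
    return [p for e in entries if "automountInformation" in e for p in check_entry(e)]


def ldif_line(attr, value):
    """RFC 2849: base64-encode values that would not survive as plain text."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and "\n" not in value and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def to_ldif(entries):
    out = []
    for e in entries:                  # 'dn' was inserted first, so it leads
        for attr, val in e.items():
            for v in (val if isinstance(val, list) else [val]):
                out.append(ldif_line(attr, v))
        out.append("")
    return "\n".join(out)


# Constructed sample: /home comes from auto.home, which mounts
# nfs.example.com:/export/home/<user> for any user, plus one hand-made
# entry that forgot the hardening options.
SAMPLE = [
    automount_map("auto.master"),
    master_entry("/home", "auto.home"),
    automount_map("auto.home"),
    nfs_entry("auto.home", "*", "nfs.example.com", "/export/home/&"),
    nfs_entry("auto.home", "santosh", "nfs.example.com", "/export/home/santosh",
              opts=("rw", "hard")),
]

if __name__ == "__main__":
    print(to_ldif(SAMPLE))
    for problem in audit(SAMPLE):
        print("WARN", problem)
```

Pipe the output into ldapadd against the suffix you actually use, and keep the write ACL on that subtree as tight as the one on the passwd-style entries: from the client's point of view the directory is a trusted source of mount commands.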