Using OpenLDAP for Linux Accounts Management
This document assumes you are using Unbuntu Server 6.06 (dapper) for both the server and client. It also assumes using Kerberos (Active Directory) for all authentication. If you want to use OpenLDAP for authentication, use the pam_ldap
module.
Configuring the server
We want to set-up a host named accounts.student.cs.uwaterloo.ca with the OpenLDAP server to house account information (home directory, login shell, etc...) for Unix computers in the undergraduate teaching environment run by CSCF. Since the students have Active Directory accounts already for the Mac Labs and Terminal server, we'll use the Active Directory for authentication.
- Follow the instructions of the prerequisite steps section of the this document.
- Create an account in AD representing the
ldapservice principal and generate a keytab file. - Install (or merge) the keytab file as
/etc/krb5.keytaband runchmod 600 /etc/krb5.keytab - Run
apt-get install slapd. It doesn't matter what answers you give to the Debian configuration program, since you are just going to blow away the database anyway. We'll assume you have OpenLDAP 2.2.x. - Stop the server by running
/etc/init.d/slapd stop. - Delete the entire contents of
/var/lib/ldap. - Edit
/etc/ldap/slapd.conf. - Initialize the database with some entries.
Configuring the client
We want to configure the host krbtux.student.cs.uwaterloo.ca to make use of accounts that exist in the directory on the OpenLDAP server accounts.student.cs.uwaterloo.ca. We'll use the STUDENT.CS.UWATERLOO.CA realm for authentication.
- Follow the instructions on configuring the host for Kerberos authentication against Active Directory.
- Install the nss-ldap library by running
apt-get install libnss-ldap. - Create a host entry for
krbtuxin the OpenLDAP directory. - Edit
/etc/nsswitch.conf - Edit
/etc/libnss-ldap.conf
The root account will need to run kinit -k host/krbtux.student.cs.uwaterloo.ca so that the host can get credentials to read the data in the directory.
Other things you'll need/want to do
- On the client, find a way for
rootto keep a valid credential cache for thehostservice principal all the time. For example, run/usr/bin/kdestroy;/usr/bin/kinit -k host/krbtux.student.cs.uwaterloo.caviacron. - Wrap the LDAP client-server communications with SSL
- Set-up an OpenLDAP replica server for redundancy.
-- JasonTestart - 22 Mar 2007
- CF Web
- CF Web Home
- Changes
- Index
- Search
- Administration
- Communication
- Hardware
- HelpDeskGuide
- Infrastructure
- InternalProjects
- Linux
- MachineNotes
- Macintosh
- Management
- Networking
- Printing
- Research
- Security
- Software
- Solaris
- StaffStuff
- TaskGroups
- TermGoals
- Teaching
- UserSupport
- Vendors
- Windows
- XHier
- Other Webs
- My links
 |
|
Copyright © 2008-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback