Configuring Your System to Authenticate Using OpenLDAP


This section provides a brief overview of how to configure a Red Hat Linux system to authenticate using OpenLDAP. Unless you are an OpenLDAP expert, you will probably need more documentation than is provided here. Please see the references provided in the “Additional Resources” section for more information.

Install the Necessary LDAP Packages

First, you should make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap-server package. The LDAP client machines need the following packages installed: openldap, openldap-clients, and nss_ldap.

Edit the Configuration Files

Use the directions in the following sections to edit each configuration file so that appropriate information is supplied to LDAP processes.

Edit slapd.conf

Edit the /etc/openldap/slapd.conf file to make sure it matches the specifics of your organization.

Edit /etc/ldap.conf and /etc/openldap/ldap.conf

On all client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for your organization. The simplest way to do this is to run the authconfig application and select Use LDAP on the User Information Configuration screen. You can also edit these files manually.

Edit /etc/nsswitch.conf

On all client machines, the /etc/nsswitch.conf file must be edited to use LDAP. The simplest way to do this is to run the authconfig application and select Use LDAP on the User Information Configuration screen. If editing /etc/nsswitch.conf manually, add ldap to the appropriate fields. For example:

passwd: files ldap
shadow: files ldap
group:  files ldap

PAM and LDAP

To have standard PAM-enabled applications use LDAP for authentication, run authconfig and select Use LDAP Authentication on the Authentication Configuration screen. For more on configuring PAM, consult Chapter 25 and the PAM man pages.
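As an added example (not from the guide), the following POSIX shell script checks the client-side settings described in the two preceding sections: that passwd, shadow and group in nsswitch.conf list ldap as a source, and that ldap.conf carries host and base entries. The sample files and the example.com values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: verify that an LDAP client's
# nsswitch.conf and ldap.conf carry the settings described above. The files
# are passed as arguments so the checks can run against constructed samples.

# nss_uses_ldap FILE DB -> exit 0 if the DB line in FILE lists ldap as a source
nss_uses_ldap() {
    # drop comments, split "db: src src" on colon/whitespace, look for ldap
    sed 's/#.*//' "$1" | awk -F'[[:space:]:]+' -v db="$2" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# ldap_conf_value FILE KEY -> print the value of KEY; keys are case-insensitive,
# so it works for both /etc/ldap.conf (host, base) and /etc/openldap/ldap.conf (HOST, BASE)
ldap_conf_value() {
    sed 's/#.*//' "$1" | awk -v key="$2" '
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# check_ldap_client NSSWITCH LDAPCONF -> exit 0 only if every setting is present
check_ldap_client() {
    ok=0
    for db in passwd shadow group; do
        if nss_uses_ldap "$1" "$db"; then
            echo "ok:   $db uses ldap"
        else
            echo "FAIL: $db does not list ldap in $1"; ok=1
        fi
    done
    for key in host base; do
        val=$(ldap_conf_value "$2" "$key")
        if [ -n "$val" ]; then
            echo "ok:   $key = $val"
        else
            echo "FAIL: no '$key' setting in $2"; ok=1
        fi
    done
    return $ok
}

# Constructed sample files (placeholder values, not a real site); the group
# line deliberately lacks ldap so the report shows a failing entry
tmp=$(mktemp -d)
printf 'passwd:  files ldap\nshadow:  files ldap\ngroup:   files\n' > "$tmp/nsswitch.conf"
printf '# client settings\nhost ldap.example.com\nBASE dc=example,dc=com\n' > "$tmp/ldap.conf"
check_ldap_client "$tmp/nsswitch.conf" "$tmp/ldap.conf" || echo "client not fully configured for LDAP"
```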

Migrating Old Authentication Information to LDAP Format

The /usr/share/openldap/migration/ directory contains a set of shell and Perl scripts for migrating authentication information into LDAP format.

Note

You must have Perl installed on your system to use these scripts.

First, modify the migrate_common.ph file so that it reflects your domain. The default DNS domain should be changed to something like:

$DEFAULT_MAIL_DOMAIN = "your_company";

The default base should also be changed, to something like:

$DEFAULT_BASE = "dc=your_company,dc=com";

The job of migrating a user database into a format LDAP can read falls to a group of migration scripts installed with the nss_ldap package. Using Table 17-1, decide which script to run in order to migrate your user database.

Table 17-1: LDAP migration scripts

Existing name service   Is LDAP running?   Script to Use
/etc flat files         Yes                migrate_all_online.sh
/etc flat files         No                 migrate_all_offline.sh
NetInfo                 Yes                migrate_all_netinfo_online.sh
NetInfo                 No                 migrate_all_netinfo_offline.sh
NIS (YP)                Yes                migrate_all_nis_online.sh
NIS (YP)                No                 migrate_all_nis_offline.sh

Run the appropriate script based on your existing name service. The README and the migration-tools.txt files in the /usr/share/openldap/migration directory provide more details on how to migrate the information.




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
