Tuesday, 7 April 2009

CentOS: Configuring a System to Authenticate Using OpenLDAP

Install the OpenLDAP client:

# yum install openldap-clients

Install the authconfig package if necessary:

# yum install authconfig

Start the text-mode utility. (I use it on servers that have no X Window System.)

# authconfig-tui

In the first window select User Information (Use LDAP) and Authentication (Use LDAP Authentication), then press Next.

In the second window fill in the following:

Server: ldap://ldap1.company.com,ldap://ldap2.company.com

Base DN: dc=example,dc=com

Now the system uses LDAP for user lookups and login authentication.

NOTE: Change example.com to your LDAP domain.

In the graphical version (authconfig-gtk) there is a third tab with a useful checkbox, "Create home directories on the first login". Alternatively, use the command:

authconfig --enablemkhomedir --updateall


NOTE: If you allow ONLY authenticated LDAP connections (or restrict anonymous access to some attributes, such as the password), you have to edit /etc/ldap.conf and add an LDAP bind account that has at least read access to all the LDAP information the client needs (for example, the password fields of all users).

# cat /etc/ldap.conf
#
base dc=example,dc=com
uri ldap://ldap1.example.com/ ldap://ldap2.example.com/
ldap_version 3
binddn cn=read-user,dc=example,dc=com
bindpw PASSWORD
rootbinddn cn=read-user,dc=example,dc=com
port 389
timelimit 30
bind_timelimit 5
bind_policy soft
idle_timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_min_uid 1000
pam_max_uid 100000
pam_crypt local
# In this case all accounts have to be stored in OU=systems !!!
nss_base_passwd ou=systems,dc=example,dc=com?one
nss_base_shadow ou=systems,dc=example,dc=com?one
# Groups stored in separate OU=Groups
nss_base_group ou=groups,dc=example,dc=com?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
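The bind account from the NOTE above puts a credential into /etc/ldap.conf, and the file as shown pairs it with "ssl no" and a plain ldap:// URI, so it is worth checking such a file before rolling it out. The script below is an added example (not part of the original post, and not a tool shipped with nss_ldap or authconfig): it parses the "key value" format of /etc/ldap.conf and reports settings that weaken security, using a sample built from the post's own values. The finding texts, the function names, and the thresholds (the 1000 suggested for pam_min_uid) are my assumptions.

```python
"""Audit an nss_ldap / pam_ldap style /etc/ldap.conf for weak settings.

Added example, not part of the original post. It understands the
"key value" line format shown in the post; lines starting with '#'
are comments and the first occurrence of a key wins.
"""
import os
import stat
import sys

# Sample configuration, constructed from the settings shown in the post
# (not a real site's file). "PASSWORD" is the post's own placeholder.
SAMPLE_CONF = """\
base dc=example,dc=com
uri ldap://ldap1.example.com/ ldap://ldap2.example.com/
ldap_version 3
binddn cn=read-user,dc=example,dc=com
bindpw PASSWORD
rootbinddn cn=read-user,dc=example,dc=com
port 389
pam_min_uid 1000
pam_max_uid 100000
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""


def parse_ldap_conf(text):
    """Return {key_lowercase: value}; '#' lines are ignored, first key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, value)
    return conf


def audit_ldap_conf(text, mode=None):
    """Return a list of findings (strings) for the configuration text.

    mode: the file's permission bits (e.g. 0o644) when known, else None.
    """
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("uri", "").split()
    has_bindpw = "bindpw" in conf
    # nss_ldap accepts "ssl yes"/"ssl on" (LDAPS) and "ssl start_tls".
    encrypted = conf.get("ssl", "no").lower() in ("yes", "on", "start_tls")
    plain_uri = any(u.lower().startswith("ldap://") for u in uris)

    if has_bindpw and not encrypted and plain_uri:
        findings.append(
            "bindpw is set but 'ssl' is not yes/start_tls and the URI is plain "
            "ldap://: the bind credentials cross the network in clear text")
    if has_bindpw and mode is not None and mode & stat.S_IROTH:
        findings.append(
            "file is world-readable and contains bindpw: any local user can read "
            "the bind credential; keep that account read-only and minimal, and use "
            "rootbinddn with /etc/ldap.secret (mode 0600) for privileged lookups")
    if conf.get("pam_password", "").lower() == "md5":
        findings.append(
            "pam_password md5: password changes are hashed client-side with MD5; "
            "prefer 'pam_password exop' so the server applies its own scheme")
    try:
        min_uid = int(conf.get("pam_min_uid", "0"))
    except ValueError:
        min_uid = 0
    if min_uid < 1:
        findings.append(
            "pam_min_uid is unset or 0: an LDAP entry with a low uidNumber could "
            "authenticate as a local system account; set a floor such as 1000")
    return findings


def audit_file(path):
    """Read and audit a real file, using its actual permission bits."""
    with open(path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_ldap_conf(text, mode)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        # /etc/ldap.conf is normally installed mode 0644, so audit the
        # constructed sample as if it had those permissions.
        results = audit_ldap_conf(SAMPLE_CONF, 0o644)
    for finding in results:
        print("WARNING:", finding)
    sys.exit(1 if results else 0)
```

Run it as `python audit_ldap_conf.py /etc/ldap.conf` on a client; with no argument it audits the embedded sample and reports three findings (clear-text bind, world-readable bindpw, pam_password md5). Switching the sample to "ssl start_tls" and "pam_password exop" and tightening the mode to 0600 clears them all, which is the configuration shape to aim for when the bind account can read password attributes.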

