Quick-Start Guide to LDAP (Lightweight Directory Access Protocol)
You know, Unix traditionally uses /etc/passwd and /etc/group to store user account information. But because keeping these files in sync in large networks is nearly impossible, YP/NIS soon became the de-facto standard for keeping Unix user account information on a central server (and it is still widely used in Unix networks). But it never made it out of the Unix world and Microsoft invented its own Windows Domain concept when it made its first steps into the network world. Although samba now also offers some Windows Domains client support for Unix workstations, the two worlds still can't really talk to each other. One way out of the desaster seems to be LDAP the Lightweight Directory Access Protocol which now Microsoft has embraced and extended with its Active Directory.
Obviously, the first step to do for your move to LDAP is to set up an LDAP server. And Directory Administrator is a good choice for helping you with creating users and groups in your new database (unless of course you want to convert your existing account information with some hand-written scripts).
Having set-up your server, installing client support is the next step. You will need LDAP support for PAM and NSS (Name Service Switch). On Debian GNU/Linux the relevant packages are called libnss-ldap and libpam-ldap (type apt-get install libnss-ldap libpam-ldap to install them).
Edit /etc/pam_ldap.conf, e.g.
host 127.0.0.1 base dc=cmeerw,dc=net ldap_version 3 rootbinddn cn=admin,dc=cmeerw,dc=net pam_filter objectclass=posixAccount pam_min_uid 1000 pam_password exop
Having "rootbinddn" set (and having the corresponding password stored in /etc/ldap.secret) enables you to change users' passwords as root without having to know the LDAP password (and is necessary to have Samba sync your Unix passwords when users change their Windows password).
Edit your PAM configuration files in /etc/pam.d. As a rule of thumb, add pam_ldap.so (with "sufficient") before pam_unix.so and add "use_first_pass" to the pam_unix.so entry for "auth". For example, here is my /etc/pam.d/other:
auth sufficient pam_ldap.so \ filter=|(host=edge.cmeerw.net)(host=\*) auth required pam_unix.so nullok use_first_pass account sufficient pam_ldap.so \ filter=|(host=edge.cmeerw.net)(host=\*) account required pam_unix.so session required pam_unix.so session required pam_limits.so password required pam_ldap.so ignore_unknown_user password optional pam_unix.so min=4 max=16 md5 try_first_pass
BTW, the filter argument is a non-standard extension of the Debian package (but unfortunately, it's broken so you might have to use my unofficial libpam-ldap package for Debian woody.
Edit /etc/libnss-ldap.conf, e.g.
host 127.0.0.1 base dc=cmeerw,dc=net ldap_version 3 nss_base_passwd ou=People,dc=cmeerw,dc=net?one nss_base_shadow ou=Unavailable,dc=cmeerw,dc=net?one nss_base_group ou=Groups,dc=cmeerw,dc=net?one nss_base_hosts ou=Hosts,dc=cmeerw,dc=net?one nss_base_services ou=Services,dc=cmeerw,dc=net?one nss_base_networks ou=Networks,dc=cmeerw,dc=net?one nss_base_protocols ou=Protocols,dc=cmeerw,dc=net?one nss_base_rpc ou=Rpc,dc=cmeerw,dc=net?one nss_base_ethers ou=Ethers,dc=cmeerw,dc=net?one nss_base_netmasks ou=Networks,dc=cmeerw,dc=net?one nss_base_bootparams ou=Ethers,dc=cmeerw,dc=net?one nss_base_aliases ou=Aliases,dc=cmeerw,dc=net?one nss_base_netgroup ou=Netgroup,dc=cmeerw,dc=net?one
One thing to note here is that nss_base_shadow points to ou=Unavailable,dc=cmeerw,dc=net which is -- as the name suggests -- unavailable. This kludge is necessary to ensure that the PAM Unix Account module will fail for LDAP users and thus the use of the PAM LDAP Account module will be enforced for LDAP users (because the PAM LDAP module will also check the host attribute through the filter argument).
Edit /etc/nsswitch.conf, e.g.
passwd: files ldap group: files ldap shadow: files ldap
Finally, you can delete users and groups from /etc/passwd, /etc/shadow and /etc/group (but keep at least one user account so you can still login even when the LDAP server is not available for some reason).
One more thing to note. Current versions of umount seem to have a small bug when using both the "force" and the "remount" (read-only) options. Unfortunately, this is exactly what the Debian shutdown scripts (particularly /etc/rc0.d/S40umountfs) try to do, so your /usr filesystem might not be unmounted/remounted correctly when using libnss-ldap. I have just filed a bug report for Debian's mount/util-linux package and have put up a fixed package on my Debian page.
Revision: 1.8, cmeerw.org/notes/ldap.html|
Last modified: Sat Jan 25 21:05:29 2003
Christof Meerwald <firstname.lastname@example.org>