Christof.Meerwald@ ldap.notes


Quick-Start Guide to LDAP (Lightweight Directory Access Protocol)

Unix traditionally uses /etc/passwd and /etc/group to store user account information. But because keeping these files in sync across a large network is nearly impossible, YP/NIS soon became the de-facto standard for keeping Unix user account information on a central server (and it is still widely used in Unix networks). It never made it out of the Unix world, though, and Microsoft invented its own Windows Domain concept when it took its first steps into networking. Although Samba now also offers some Windows Domain client support for Unix workstations, the two worlds still can't really talk to each other. One way out of this disaster seems to be LDAP, the Lightweight Directory Access Protocol, which Microsoft has now embraced and extended in its Active Directory.

Obviously, the first step in your move to LDAP is to set up an LDAP server. Directory Administrator is a good choice for helping you create users and groups in your new database (unless of course you want to convert your existing account information with some hand-written scripts).

Having set up your server, installing client support is the next step. You will need LDAP support for PAM and NSS (Name Service Switch). On Debian GNU/Linux the relevant packages are called libnss-ldap and libpam-ldap (type apt-get install libnss-ldap libpam-ldap to install them).

Edit /etc/pam_ldap.conf, e.g.

base dc=cmeerw,dc=net
ldap_version 3
rootbinddn cn=admin,dc=cmeerw,dc=net
pam_filter objectclass=posixAccount
pam_min_uid 1000
pam_password exop

Having "rootbinddn" set (and the corresponding password stored in /etc/ldap.secret) enables you to change users' passwords as root without having to know their LDAP password (and is necessary for Samba to sync Unix passwords when users change their Windows password). Since /etc/ldap.secret holds a password that can modify any entry in the directory, make sure the file is owned by root and has mode 0600, i.e. is readable by root only.

Edit your PAM configuration files in /etc/pam.d. As a rule of thumb, add pam_ldap.so (with "sufficient") before pam_unix.so, and add "use_first_pass" to the pam_unix.so entry for "auth" so that a user who is not in LDAP is not prompted for the password a second time. For example, here is my /etc/pam.d/other:

auth       sufficient pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass

account    sufficient pam_ldap.so
account    required   pam_unix.so

session    required   pam_unix.so
session    required   pam_limits.so

password   required   pam_ldap.so ignore_unknown_user
password   optional   pam_unix.so min=4 max=16 md5 try_first_pass

BTW, the filter argument is a non-standard extension of the Debian package (but unfortunately, it's broken, so you might have to use my unofficial libpam-ldap package for Debian woody).

Edit /etc/libnss-ldap.conf, e.g.

base dc=cmeerw,dc=net
ldap_version 3
nss_base_passwd         ou=People,dc=cmeerw,dc=net?one
nss_base_shadow         ou=Unavailable,dc=cmeerw,dc=net?one
nss_base_group          ou=Groups,dc=cmeerw,dc=net?one
nss_base_hosts          ou=Hosts,dc=cmeerw,dc=net?one
nss_base_services       ou=Services,dc=cmeerw,dc=net?one
nss_base_networks       ou=Networks,dc=cmeerw,dc=net?one
nss_base_protocols      ou=Protocols,dc=cmeerw,dc=net?one
nss_base_rpc            ou=Rpc,dc=cmeerw,dc=net?one
nss_base_ethers         ou=Ethers,dc=cmeerw,dc=net?one
nss_base_netmasks       ou=Networks,dc=cmeerw,dc=net?one
nss_base_bootparams     ou=Ethers,dc=cmeerw,dc=net?one
nss_base_aliases        ou=Aliases,dc=cmeerw,dc=net?one
nss_base_netgroup       ou=Netgroup,dc=cmeerw,dc=net?one

One thing to note here is that nss_base_shadow points to ou=Unavailable,dc=cmeerw,dc=net, which is, as the name suggests, unavailable. This kludge is necessary to make the PAM Unix account module fail for LDAP users (it cannot find any shadow data for them), so that the PAM LDAP account module is effectively enforced for them. The reason is the control flags in the account stack above: pam_ldap.so is only "sufficient", so when it rejects a user (it also checks the host attribute through the filter argument), the "required" pam_unix.so gets the final say, and without the kludge pam_unix.so would happily let that user in.

Edit /etc/nsswitch.conf, e.g.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

Finally, you can delete users and groups from /etc/passwd, /etc/shadow and /etc/group (but keep at least one local user account with a usable password in /etc/shadow, and leave root local, so you can still log in even when the LDAP server is not available for some reason; this is also why nsswitch.conf above lists "files" before "ldap").
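The client-side setup above consists of several rules that are easy to get subtly wrong, so here is an added example (an editor's sanity-check script, not part of the original page) that audits a configuration tree against them: pam_ldap.so listed as "sufficient" before a pam_unix.so that carries use_first_pass, "files" before "ldap" for passwd/group/shadow in nsswitch.conf, nss_base_shadow pointing away from the passwd subtree, /etc/ldap.secret readable by its owner only, and at least one local account with a usable password hash. Every check takes a file name, so the script runs offline against the constructed sample files that write_samples produces (the directory layout, the file names and the sample hash are assumptions for the demo, not real accounts); point the same functions at the real files under /etc and /etc/pam.d to check a live system.

```shell
#!/bin/sh
# Added example, not from the original page: offline sanity checks for the
# PAM/NSS LDAP client setup described above. Every check takes a file name,
# so it runs against constructed sample files (write_samples) as well as /etc.

# pam_auth_ok PAMFILE: in the "auth" stack pam_ldap.so must be "sufficient"
# and precede pam_unix.so, which must carry use_first_pass so the user is not
# asked for the password a second time when LDAP authentication fails.
pam_auth_ok() {
    awk '
        $1 == "auth" && $3 ~ /pam_ldap\.so$/ && $2 == "sufficient" { ldap = NR }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ { unix = NR; if ($0 ~ /use_first_pass/) ufp = 1 }
        END { exit !(ldap && unix && ldap < unix && ufp) }' "$1"
}

# nss_order_ok NSSWITCH: passwd, group and shadow must list "files" before
# "ldap", so the local fallback account still resolves when the server is down.
nss_order_ok() {
    awk '
        /^(passwd|group|shadow):/ {
            seen++; f = 0; l = 0
            for (i = 2; i <= NF; i++) { if ($i == "files") f = i; if ($i == "ldap") l = i }
            if (!(f && l && f < l)) bad = 1
        }
        END { exit (bad || seen != 3) }' "$1"
}

# shadow_kludge_ok NSSLDAPCONF: nss_base_shadow must not share the search base
# of nss_base_passwd (the ou=Unavailable trick), so pam_unix cannot find shadow
# data for an LDAP user and wave through someone pam_ldap has rejected.
shadow_kludge_ok() {
    awk '$1 == "nss_base_passwd" { p = $2 }
         $1 == "nss_base_shadow" { s = $2 }
         END { exit !(p != "" && s != "" && p != s) }' "$1"
}

# secret_ok SECRETFILE: /etc/ldap.secret holds the rootbinddn password, i.e.
# directory-admin rights; no group or world permission bits may be set (0600).
secret_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# local_login_ok SHADOWFILE: at least one local account needs a usable hash
# (not empty, "*" or "!"), otherwise nobody can log in while LDAP is unreachable.
local_login_ok() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { n++ } END { exit !n }' "$1"
}

# audit DIR: run every check against DIR/<file>, print one PASS/FAIL line per
# check and return the number of failed checks.
audit() {
    fails=0
    for check in "pam_auth_ok $1/other" "nss_order_ok $1/nsswitch.conf" \
                 "shadow_kludge_ok $1/libnss-ldap.conf" "secret_ok $1/ldap.secret" \
                 "local_login_ok $1/shadow"; do
        if $check; then echo "PASS $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
    done
    return $fails
}

# write_samples DIR: constructed sample files (assumed layout, fake hash); the
# PAM file mirrors the page's /etc/pam.d/other, two other files are deliberately wrong.
write_samples() {
    mkdir -p "$1"
    printf '%s\n' 'auth       sufficient pam_ldap.so' \
                  'auth       required   pam_unix.so nullok use_first_pass' \
                  'account    sufficient pam_ldap.so' \
                  'account    required   pam_unix.so' > "$1/other"
    printf '%s\n' 'passwd:         files ldap' 'group:          files ldap' \
                  'shadow:         ldap files' > "$1/nsswitch.conf"   # shadow order wrong
    printf '%s\n' 'base dc=cmeerw,dc=net' \
                  'nss_base_passwd ou=People,dc=cmeerw,dc=net?one' \
                  'nss_base_shadow ou=Unavailable,dc=cmeerw,dc=net?one' > "$1/libnss-ldap.conf"
    printf '%s\n' 'not-a-real-password' > "$1/ldap.secret"; chmod 644 "$1/ldap.secret"  # too open
    printf '%s\n' 'root:$1$constructed$fakehash:12000:0:99999:7:::' \
                  'cmeerw:*:12000:0:99999:7:::' > "$1/shadow"
}

# Stand-alone usage: "sh audit.sh --demo" audits a fresh sample tree (2 failures).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d" && audit "$d"; echo "failures: $?"; rm -rf "$d"
fi
```

The shadow-base check is deliberately modest: it only verifies that shadow data is not searched in the same subtree as passwd data, because whether ou=Unavailable really is absent can only be confirmed against the live server. Likewise secret_ok looks at permission bits only; that the file is owned by root is something to verify by eye when auditing the real /etc/ldap.secret.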

One more thing to note. Current versions of umount seem to have a small bug when using both the "force" and the "remount" (read-only) options. Unfortunately, this is exactly what the Debian shutdown scripts (particularly /etc/rc0.d/S40umountfs) try to do, so your /usr filesystem might not be unmounted/remounted correctly when using libnss-ldap. I have just filed a bug report for Debian's mount/util-linux package and have put up a fixed package on my Debian page.



This Web page is licensed under the Creative Commons Attribution - NonCommercial - Share Alike License. Any use is subject to the Privacy Policy.

Revision: 1.8, http://cmeerw.org/notes/ldap.html
Last modified: Sat Jan 25 21:05:29 2003
Christof Meerwald <cmeerw@cmeerw.org>
XMPP: cmeerw@cmeerw.org