Hi,
I am trying to get my network up on LDAP user authentication. I have several machines (three servers and 10 workstations) and a handful of roaming users that use several boxes at different times. I wanted a central user administration instead of having to walk around and locally add all the new users I get... Can anyone either point me to a step by step setup, or tell me how to set the simplest network up: one LDAP server and one LDAP client. That way I might be able to set the rest up myself... Server_1 is a group file server with several shares with common files for all the systems... Is this doable with LDAP?
I think so. I've all my servers performing an ssh LDAP authentication, my external ftp users are also in the LDAP directory, and I've a few web based applications using the same LDAP back-end for the authentication. I don't have so much time, so I will give you some background (if you already know it, delete my email :-) that should help you in doing what you want and, in case of problems, help you in solving them.

In my set-up, I use PAM to configure the various services to perform an LDAP authentication. In case you didn't know, Pluggable Authentication Module (PAM) is the UNIX interface that enables applications to use an independent mechanism for authentication (it also provides functionality such as account management, session management, and password management). It's important to understand that PAM only handles that one issue – authentication: if you use pam_ldap then your authentication procedures can talk to a remote LDAP server to authenticate users - but nothing else about your system changes (i.e., you still need to have user accounts in /etc/* files).

Here comes the Name Service Switch (NSS). NSS is similar to PAM in terms of allowing applications to use different sources for authentication, but its primary purpose is simple lookups to get user-attribute related information from the LDAP server (for instance: the shell, the home directory). It's really just an admin-controlled backend for the existing UNIX naming functions (gethostbyname, getpwent, etc.), so that you can configure alternate naming sources. If you use nss_ldap then you can remove user entries from /etc/* files and have them live entirely in a remote LDAP server, but this is only handling naming/lookup functions. Authentication will try and use whatever the PAM module has been configured to use (it may call NSS functions and thus "appear" to work sometimes, or it may try and access /etc/* files directly, in which case it will fail as the users don't exist there anymore).
Software to be installed: pam_ldap, nss_ldap (optional: pam_ssh, if you want to use ssh-agent with a private key).

I will give you an example for the FTP setup: I have defined in my LDAP directory an organization called "EXTERNAL" (lack of imagination :-) to contain the external users. I've then created /etc/pam.d/vsftpd with the following lines:

auth required pam_ldap.so config=/etc/pam_ldap_ftp.conf
account required pam_ldap.so config=/etc/pam_ldap_ftp.conf

pam_ldap_ftp.conf is a copy of /etc/ldap.conf. ldap.conf is used to define the login/ssh authentication configuration. I based all my set-up on groups and, because it makes sense for me, I created an organizational unit per type of service I want to provide LDAP authentication to (ou=FTP, ou=HTTP, ou=SSH, ...). For example:

# Group to enforce membership of for the ftp server, defined in pam_ldap_ftp.conf
pam_groupdn cn=GP-PLECO,ou=FTP,ou=GROUPS,o=MY_ORG

# Group to enforce membership of for ssh access, defined in pam_ldap.conf
pam_groupdn cn=GP-SYSADMIN,ou=SSH,ou=GROUPS,o=MY_ORG

Hope it will help you,
Regards,
Gaël
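As an added example (not part of Gaël's reply or the original thread), here is a shell script that stages the client-side files the reply describes (a shared ldap.conf for nss_ldap and pam_ldap, a per-service copy for FTP that only differs in its pam_groupdn, an nsswitch.conf, and the pam.d/vsftpd stack) into a scratch directory, then sanity-checks them before anything is copied into /etc. The directive names are those of the PADL nss_ldap/pam_ldap ldap.conf. The server name ldap.example.internal, the ou=PEOPLE container, and the CA certificate path are assumptions; o=MY_ORG, ou=GROUPS and the two group DNs are taken from the reply.

```shell
#!/bin/sh
# Added example, not from the original thread: stage a minimal nss_ldap /
# pam_ldap client configuration for review before copying it to /etc.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.internal}"   # assumption: directory server
BASE_DN="${BASE_DN:-o=MY_ORG}"                    # base DN from the reply
SSH_GROUP_DN="cn=GP-SYSADMIN,ou=SSH,ou=GROUPS,$BASE_DN"
FTP_GROUP_DN="cn=GP-PLECO,ou=FTP,ou=GROUPS,$BASE_DN"

# Write an ldap.conf; $1 = output file, $2 = group whose membership is enforced.
write_ldap_conf() {
    cat > "$1" <<EOF
host $LDAP_HOST
base $BASE_DN
ldap_version 3
# A simple bind sends the user's password to the server: require TLS and
# verify the server certificate (CA file path is an assumption).
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
# Where nss_ldap looks up accounts and groups (ou=PEOPLE is an assumption).
nss_base_passwd ou=PEOPLE,$BASE_DN?one
nss_base_group ou=GROUPS,$BASE_DN?sub
pam_login_attribute uid
pam_member_attribute uniqueMember
# Only members of this group may authenticate through this config file.
pam_groupdn $2
EOF
}

# Stage all client files under $1.
stage_client_config() {
    dir="$1"
    mkdir -p "$dir/pam.d"
    write_ldap_conf "$dir/ldap.conf" "$SSH_GROUP_DN"
    write_ldap_conf "$dir/pam_ldap_ftp.conf" "$FTP_GROUP_DN"

    # nsswitch.conf: 'files' first so root and local service accounts still
    # resolve when the directory server is unreachable.
    cat > "$dir/nsswitch.conf" <<EOF
passwd: files ldap
group:  files ldap
shadow: files ldap
EOF

    # pam.d/vsftpd exactly as in the reply: auth and account both point at the
    # per-service config, so the FTP group restriction applies to FTP logins.
    cat > "$dir/pam.d/vsftpd" <<EOF
auth    required pam_ldap.so config=/etc/pam_ldap_ftp.conf
account required pam_ldap.so config=/etc/pam_ldap_ftp.conf
EOF
}

# Checks to run before installing: all pam_ldap lines in the vsftpd stack
# must name one and the same config file, the account stack must be present,
# and every ldap.conf must enforce a group and use TLS.  Returns 0 on success.
verify_client_config() {
    dir="$1"
    confs=$(sed -n 's/.*pam_ldap\.so.*config=\([^ ]*\).*/\1/p' "$dir/pam.d/vsftpd" | sort -u)
    [ -n "$confs" ] || { echo "no pam_ldap config= lines"; return 1; }
    [ "$(printf '%s\n' "$confs" | wc -l)" -eq 1 ] || { echo "mixed config= values"; return 1; }
    grep -q '^account .*pam_ldap\.so' "$dir/pam.d/vsftpd" || { echo "no account line"; return 1; }
    for f in "$dir/ldap.conf" "$dir/pam_ldap_ftp.conf"; do
        grep -q '^pam_groupdn cn=' "$f" || { echo "$f: no pam_groupdn"; return 1; }
        grep -q '^ssl start_tls' "$f"   || { echo "$f: TLS not enabled"; return 1; }
    done
    return 0
}

# Usage: sh stage-ldap-client.sh stage ./ldap-client-staging
if [ "${1:-}" = "stage" ]; then
    stage_client_config "${2:-./ldap-client-staging}"
    verify_client_config "${2:-./ldap-client-staging}" && echo "staged OK"
fi
```

The per-service config file is the reply's own trick: because pam_ldap accepts config= on the module line, each service can point at a copy of ldap.conf that differs only in the group it enforces, so FTP users and ssh administrators never share a group. The verify step exists because a stack whose auth line and account line name different config files, or that lacks the account line altogether, will silently enforce something other than what the operator believes.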