Mailinglist Archive: opensuse (1480 mails)

Re: [opensuse] NFS security [Was: SAMBA.]
On 17/03/12 22:43, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2012-03-17 16:31, lynn wrote:
On 17/03/12 15:12, Carlos E. R. wrote:
You may want the certificate for something else other than LDAP server
verification. Anyway, you don't need to have a server certificate if this
is just a test lan. Get it working without security first. In Yast LDAP
Client, don't check the sssd or tls options.
Noted.

I think that the certificate I had created previously (years ago) I did
because dovecot required it. I think it was dovecot, not sure now. So I'll
try again to create it correctly (Thunderbird did complain once about
incorrect certificate or something).

As I said, not that easy.

To be able to start again, you need to get rid of the root-ca. It's in
either /var/lib/ca-certificates or /var/lib/CAM. Depending on how far you
got, there may also be a server certificate under /etc/openldap. Lose that
too.
I was thinking on those lines.

/var/lib/ca-certificates: ca-bundle.pem, gcj-cacerts, java-cacerts, dated
sep 15 2011, so they are not the files.

/var/lib/CAM:

Two directories named as my phony business name, so this is the place.

Ok, deleted all that, created new certificate, but ldap module still
refused to continue.


The files in /etc/ldap are some dated 2005, some 2011, so they are not of
interest.


One thing which really helped us was to draw out the tree of what you are
trying to put into the database. Make sure that _every_ node is unique. I
mean draw it with pen and paper and blu-tak it to your screen. With LDAP,
having an aim is essential, otherwise the learning curve is just too steep.
e.g. start with just cn, uid, gid and 'phone number. Armed with that you
should be able to pinpoint everyone both personally and over NFS.

Understandable... but I have absolutely no idea of what to put on all those
fields. I have been trying since 1998 when I started with Linux to put up
an Ldap server. My initial intention was simply to store mail addresses of
my friends, to be able to import them in any mail browser, because it is
the only standard all mail clients understand.

This time, for NFS usage, I have absolutely no idea what to put. If Yast
does it with me clicking "next", fine, otherwise I quit.

I have always abandoned.

In all these years I have never put up an LDAP server.

Compared with Microsoft Windows Active Directory, which is put up in under
an hour (mostly waiting for it to finish with me doing nothing), ldap is
terribly difficult.

I quit again.

This is absurdly difficult.

Don't quit. You're nearly there! Just take my advice. For now, _forget about the certificate_. That's the only reason you have not got a database yet. You can always add the security layer just before you go live.

The only two objectClasses you need for NFS are posixAccount and posixGroup. These are defined in the rfc2307 schema that you already have if you have installed openldap. I think it's selected as default. If not, you can choose it in the Yast LDAP Server dialogue. You put into it exactly what you have under /etc/passwd, /etc/group and /etc/shadow. Yast User Management will create the users and groups for you. You can choose there if you want them written to /etc or to LDAP. You can then add 'phone numbers, e-mail addresses etc. Once you have LDAP, you wonder how you managed so long without it.

It's interesting that you mention AD since we use a script to add Linux users to it. Interesting too that m$ lost the European court case which made them divulge their LDAP AD schema. We have the Samba guys to thank for that. If you want AD under Linux then you have Samba4 but it's a bit over the top for just nfs and 'phone numbers;-)

Salu2,
L x
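To make the two pieces of advice in this message concrete (draw the tree and make every node unique; put exactly what is in /etc/passwd and /etc/group into posixAccount and posixGroup entries), here is an added example that is not from the thread and not YaST's or openSUSE's own code. It parses passwd- and group-style lines, refuses to emit anything if a uid, uidNumber, group cn or gidNumber is duplicated (on NFS the server only ever sees the numeric ids, so two accounts sharing a uidNumber are the same principal to it), and writes RFC 2307 LDIF. The base DN dc=example,dc=com, the ou=People / ou=Group layout, the use of the cosine `account` class as the structural class for users, and the sample lines are all assumptions constructed for the example.

```python
"""Turn passwd/group style lines into RFC 2307 LDIF (posixAccount / posixGroup).

Added example, not from the thread. Assumptions: base DN dc=example,dc=com,
users under ou=People, groups under ou=Group, and the cosine schema loaded so
that `account` can serve as the structural class next to the auxiliary
posixAccount. The sample input below is constructed, not a real system.
"""
from dataclasses import dataclass

BASE_DN = "dc=example,dc=com"  # assumption


@dataclass
class PosixUser:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class PosixGroup:
    name: str
    gid: int
    members: list


def parse_passwd(text):
    """Parse 7-field passwd lines; the password field is ignored (it lives in shadow)."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append(PosixUser(name, int(uid), int(gid), gecos, home, shell))
    return users


def parse_group(text):
    """Parse 4-field group lines; the member list becomes memberUid values."""
    groups = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _pw, gid, members = fields
        groups.append(PosixGroup(name, int(gid), [m for m in members.split(",") if m]))
    return groups


def check_unique(users, groups):
    """Return a list of duplicate-node problems; empty means the tree is clean."""
    problems = []
    for label, values in (
        ("uid", [u.name for u in users]),
        ("uidNumber", [u.uid for u in users]),
        ("cn (group)", [g.name for g in groups]),
        ("gidNumber", [g.gid for g in groups]),
    ):
        seen = set()
        for v in values:
            if v in seen:
                problems.append(f"duplicate {label}: {v}")
            seen.add(v)
    return problems


def user_to_ldif(u):
    lines = [
        f"dn: uid={u.name},ou=People,{BASE_DN}",
        "objectClass: account",       # structural (cosine schema, assumption)
        "objectClass: posixAccount",   # auxiliary, from rfc2307
        f"uid: {u.name}",
        f"cn: {u.gecos or u.name}",
        f"uidNumber: {u.uid}",
        f"gidNumber: {u.gid}",
        f"homeDirectory: {u.home}",
        f"loginShell: {u.shell}",
    ]
    if u.gecos:
        lines.append(f"gecos: {u.gecos}")
    return "\n".join(lines)


def group_to_ldif(g):
    lines = [
        f"dn: cn={g.name},ou=Group,{BASE_DN}",
        "objectClass: posixGroup",     # structural in rfc2307
        f"cn: {g.name}",
        f"gidNumber: {g.gid}",
    ]
    lines += [f"memberUid: {m}" for m in g.members]
    return "\n".join(lines)


def to_ldif(passwd_text, group_text):
    """Parse both files, refuse on duplicate nodes, otherwise return LDIF text."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    problems = check_unique(users, groups)
    if problems:
        raise ValueError("; ".join(problems))
    entries = [user_to_ldif(u) for u in users] + [group_to_ldif(g) for g in groups]
    return "\n\n".join(entries) + "\n"


# Constructed sample input (not a real system).
SAMPLE_PASSWD = """\
# constructed sample
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:x:1002:100:Bob Example:/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
users:x:100:alice,bob
staff:x:1001:alice
"""

if __name__ == "__main__":
    print(to_ldif(SAMPLE_PASSWD, SAMPLE_GROUP))
```

The output can be fed to `ldapadd` once the ou=People and ou=Group containers exist. Password hashes from /etc/shadow are deliberately left out here; in an rfc2307 directory they go into `userPassword` (with OpenLDAP's `{CRYPT}` prefix) on an entry that also carries the auxiliary `shadowAccount` class, and that is the point at which the TLS layer the message says to postpone becomes necessary, since clients would otherwise read those hashes over a plain connection.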


--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
