Mailinglist Archive: opensuse (3337 mails)

< Previous Next >
RE: [SLE] LDAP How to
  • From: "Drew Burchett" <DrewB@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 24 Apr 2006 06:57:03 -0500
  • Message-id: <1E75E79B854C814784D0E8C5BA55AF76C02AE0@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> >> Is there any good suse 10 and ldap how to's available? I have
> >> my little ldap experience in trying to help get my friend going but
> >> luck.

I don't know that all these steps are strictly necessary because I
cobbled this together from a number of different howtos, but here's how
I set my box up to authenticate against AD using LDAP.

Edit /etc/ldap.conf as below:

base DC=domain,DC=local
ldap_version 3
binddn cn=aduser,dc=domain,dc=local
bindpw aduserpass
scope sub
nss_base_passwd ou=Users,dc=domain,dc=local?sub
nss_base_shadow ou=Users,dc=domain,dc=local?sub
nss_base_group ou=Users,dc=domain,dc=local?sub
pam_password ad
pam_login_attribute sAMAccountName
pam_member_attribute msSFU30PosixMember
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos msSFU30Gecos
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
ssl no

Edit /etc/samba/smb.conf

unix charset = LOCALE
workgroup = OLK_LOCAL
server string = Monitor Server
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
ldap ssl = no
template shell = /bin/bash
printing = cups
winbind use default domain = yes
comment = Home Directories
valid users = %S
browseable = No
read only = No

Edit /etc/nsswitch.conf

passwd: compat ldap
shadow: files ldap
group: compat ldap

hosts: files dns wins
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
publickey: files
bootparams: files
automount: files
aliases: files ldap
passwd_compat: ldap
group_compat: ldap
netgroup: files ldap

Edit /etc/pam.d/common-auth

auth sufficient
auth required
auth required use_first_pass

Edit /etc/pam.d/common-account

account sufficient
account required

Edit /etc/krb5.conf

default_realm = DOMAIN.LOCAL
clockskew = 300

kdc = mydomainserver.domain.local
default_domain = DOMAIN.LOCAL
admin_server = mydomainserver.domain.local

kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true

Restart your machine and make sure smbd, nmbd and winbindd are running.
Wbinfo -u should give you a list of ldap users. Getent passwd should
show ALL users, ldap and local, and getent group should show all groups,
ldap and local. If you aren't using AD, you probably don't need the
Kerberos setup.

Drew Burchett
United Systems & Software
Phone: (270)527-3293
Fax: (270)527-3132

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.

< Previous Next >