Mailinglist Archive: opensuse (3337 mails)

RE: [SLE] LDAP How to
  • From: "Drew Burchett" <DrewB@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 24 Apr 2006 06:57:03 -0500
  • Message-id: <1E75E79B854C814784D0E8C5BA55AF76C02AE0@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> >> Is there any good suse 10 and ldap how to's available? I have
> >> exhausted my little ldap experience in trying to help get my friend
> >> going but no luck.

I don't know that all these steps are strictly necessary because I
cobbled this together from a number of different howtos, but here's how
I set my box up to authenticate against AD using LDAP.

Edit /etc/ldap.conf as below:

host my.ldap.host
base DC=domain,DC=local
ldap_version 3
binddn cn=aduser,dc=domain,dc=local
# nss_ldap needs this file readable by every local user, so this password
# is visible to all of them: give the bind account read-only rights only
bindpw aduserpass
scope sub
nss_base_passwd ou=Users,dc=domain,dc=local?sub
nss_base_shadow ou=Users,dc=domain,dc=local?sub
nss_base_group ou=Users,dc=domain,dc=local?sub
pam_password ad
pam_login_attribute sAMAccountName
pam_member_attribute msSFU30PosixMember
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos msSFU30Gecos
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
# with ssl no the bind password and users' login passwords cross the network
# in clear text; ssl start_tls is the safer setting once the AD CA is trusted
ssl no

Edit /etc/samba/smb.conf

[global]
unix charset = LOCALE
workgroup = OLK_LOCAL
realm = DOMAIN.LOCAL
server string = Monitor Server
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
ldap ssl = no
template shell = /bin/bash
printing = cups
winbind use default domain = yes
[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No

Edit /etc/nsswitch.conf

passwd: compat ldap
shadow: files ldap
group: compat ldap

hosts: files dns wins
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
publickey: files
bootparams: files
automount: files
aliases: files ldap
passwd_compat: ldap
group_compat: ldap
netgroup: files ldap

Edit /etc/pam.d/common-auth

auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix2.so use_first_pass

Edit /etc/pam.d/common-account

account sufficient pam_ldap.so
account required pam_unix2.so

Edit /etc/krb5.conf

[libdefaults]
default_realm = DOMAIN.LOCAL
clockskew = 300

[realms]
# this block must carry the same name as default_realm above, otherwise
# Kerberos has no KDC entry for the default realm
DOMAIN.LOCAL = {
kdc = mydomainserver.domain.local
default_domain = DOMAIN.LOCAL
admin_server = mydomainserver.domain.local
}

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}


Restart your machine and make sure smbd, nmbd and winbindd are running.
wbinfo -u should give you a list of ldap users. getent passwd should
show ALL users, ldap and local, and getent group should show all groups,
ldap and local. If you aren't using AD, you probably don't need the
Kerberos setup.

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132
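
What follows is an added example, not part of Drew's post: a small Python lint that parses a pam_ldap/nss_ldap-style ldap.conf and a krb5.conf and flags the settings in a setup like the one above that weaken or break it: `ssl no` (clear-text binds and password checks), a `bindpw` sitting in a file every local user can read, posixAccount attributes that AD cannot supply unless they are mapped with `nss_map_attribute`, and a `[realms]` block whose name does not match `default_realm`. The two sample config strings are constructed, condensed copies of the post's files (the krb5 sample has the realm mismatch built in on purpose, and the ldap sample leaves out the loginShell mapping to exercise that check); the function names and severity labels are this example's own.

```python
# Added example (not from the post): lint an ldap.conf and a krb5.conf for
# settings that weaken or break an AD-backed login setup.
# Constructed sample: condensed copy of the post's /etc/ldap.conf, with the
# loginShell mapping deliberately left out to exercise the attribute check.
SAMPLE_LDAP_CONF = """\
host my.ldap.host
base DC=domain,DC=local
binddn cn=aduser,dc=domain,dc=local
bindpw aduserpass
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
ssl no
"""

# Constructed sample krb5.conf whose [realms] block is named differently from
# default_realm, a mismatch this lint is meant to catch.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
ONLINEKY.LOCAL = {
kdc = mydomainserver.domain.local
admin_server = mydomainserver.domain.local
}
[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL
"""

# Attributes nss_ldap needs for a passwd entry; each must be stored natively
# in the directory or mapped with nss_map_attribute.
REQUIRED_POSIX_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

def parse_ldap_conf(text):
    """ldap.conf is 'key value' per line; repeated keys are kept as lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def parse_krb5_conf(text):
    """Return ({section: {key: value}} for flat keys, set of realm names under
    [realms]); nested '{ }' blocks are only tracked by name, not parsed."""
    sections, realms, current, depth = {}, set(), None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.endswith("{"):
            if current == "realms" and depth == 0:
                realms.add(line[:-1].strip().rstrip("=").strip())
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections, realms

def lint_ldap_conf(conf):
    """Return (severity, message) findings for a parsed ldap.conf."""
    findings = []
    if conf.get("ssl", ["no"])[-1].lower() == "no":
        findings.append(("HIGH", "ssl no: binds and password checks cross the "
                         "network in clear text; use 'ssl start_tls'"))
    if "bindpw" in conf:
        findings.append(("MEDIUM", "bindpw in ldap.conf: nss_ldap needs this file "
                         "world-readable, so every local user can read the AD "
                         "account password; keep that account read-only"))
    mapped = {v.split()[0] for v in conf.get("nss_map_attribute", []) if v.split()}
    missing = [a for a in REQUIRED_POSIX_ATTRS if a not in mapped]
    if missing:
        findings.append(("LOW", "posixAccount attributes with no nss_map_attribute "
                         "entry: " + ", ".join(missing)))
    return findings

def lint_krb5_conf(sections, realms):
    """Return (severity, message) findings for a parsed krb5.conf."""
    default = sections.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        return [("HIGH", f"default_realm {default} has no matching [realms] block "
                 f"(defined: {sorted(realms) or 'none'}); without DNS SRV records "
                 "the KDC for it cannot be located")]
    return []

def lint_all(ldap_text, krb5_text):
    sections, realms = parse_krb5_conf(krb5_text)
    return lint_ldap_conf(parse_ldap_conf(ldap_text)) + lint_krb5_conf(sections, realms)

if __name__ == "__main__":
    for severity, message in lint_all(SAMPLE_LDAP_CONF, SAMPLE_KRB5_CONF):
        print(f"[{severity}] {message}")
```

Run against the real files with `lint_all(open("/etc/ldap.conf").read(), open("/etc/krb5.conf").read())`; the realm check is the one that catches a copy-and-paste krb5.conf in which the `[realms]` block still carries a name from another site, a mistake that otherwise only shows up as an opaque "cannot find KDC" error at login.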
