[opensuse] LDAP and PAM-LDAP modules
Hi,

I'm an LDAP newbie, finding my way with the configuration of my first LDAP server on SLES10 SP1. The requirement is that users that access the server via ssh should be authenticated against a locally running (i.e. on the same server) LDAP server.

1. Should I install the PAM-LDAP rpm package to make such a setup work?
2. What is the role of the NSS_LDAP package? My understanding is that it has something to do with nsswitch.conf? Must it be installed as well?

-- Warm regards, Michael Green
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Hi

On Thursday, 10 April 2008, Michael Green wrote:
[..]

This is a very basic SLES setup, you only have to go to YaST and select the LDAP client and tell it you want users authenticated against LDAP, then YaST will install the required packages.
Also, if you haven't done it, you should add the default LDAP configuration for storing user accounts and groups (in the same LDAP client module).
The steps from the base installation should be as follows:
1. enter YaST
2. go to network services
3. go to LDAP server
4. add your LDAP domain
5. go to LDAP client
6. select authenticate users against the LDAP server
7. select the options to install the default configuration for authentication of users and groups
Now you will be able to add users to your LDAP installation with manage users and groups in YaST and login via ssh in your SLES box.
HTH
-- Regards. Carlos Lorenzo Matés. clmates AT mundo-r.com
Thanks Carlos!

I've followed through and it worked.

Now I've tried to add a couple of groups using both YaST and groupadd and noticed that the groups after being added appear differently in the tree:

# ldapsearch -x -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" 'objectclass=*' -W

Added with YaST2:
# pietro_blocks, bioinfo, biocl.weizmann.ac.il
dn: cn=pietro_blocks,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il
cn: pietro_blocks
gidNumber: 6972
objectClass: top
objectClass: namedObject
objectClass: posixGroup
Added with groupadd:
# pietro_lab, bioinfo, biocl.weizmann.ac.il
dn: cn=pietro_lab,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il
objectClass: posixGroup
objectClass: groupOfNames
cn: pietro_lab
gidNumber: 6973
member:
Do you know why the difference and how should I proceed about this? I need to do a bulk add of both groups and users. Also I need to delegate the user management to someone who probably won't run YaST2.
-- Warm regards, Michael Green
On Sunday, 13 April 2008, Michael Green wrote:
[..]
Do you know why the difference and how should I proceed about this?

There is just a small difference in the way that YaST and "groupadd" handle posixGroups without any member. Normally you can't create any LDAP group without members, the objectclass "groupOfNames" doesn't allow that. For that reason "groupadd" is by default adding an empty "member" attribute to the object, while YaST creates an object of the namedObject objectclass and recreates that object as "groupOfNames" once the first member is added. That behavior should probably be unified in the future, though. Care to submit an enhancement request for that?

I need to do a bulk add of both groups and users. Also I need to delegate the user management to someone who probably won't run YaST2.

For bulkloading "groupadd" seems to be the appropriate tool. Or create an LDIF file and use ldapadd to populate the database.
-- Ralf Haferkamp
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Ralf,

Thank you for your clear and detailed explanation!

I don't mind at all sending the enhancement request. Which type of ER is most appropriate for that: "Feature Enhancement" or "Problem with Existing Problem", or doesn't it matter?

Another q: While trying to add my _first_ user via useradd I stumbled upon the following error:

gene2:~ # useradd -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" --service ldap lssafran
Enter LDAP Password:
Cannot find base ou for new users.
LDAP information update failed: Operations error

I've also noticed that after having added at _least_ one user via YaST, I can then add any number of users via useradd without problem. Can this error be avoided without using YaST, i.e. by adding the first and all subsequent users via useradd only?

And by the way, as in the case of groups, users added via YaST and via useradd appear differently in ldapsearch:
# User lssafran was added via YaST
dn: uid=lssafran,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il
cn: Marilyn Safran
gidNumber: 6971
givenName: Marilyn
homeDirectory: /home/lssafran
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: Safran
uid: lssafran
uidNumber: 3208
userPassword:: e2NyeXB0fVpOLm9pcW5ZSEtUbm8=
# User michaelg was added via useradd
dn: uid=michaelg,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: michaelg
cn: michaelg
uidNumber: 2406477
gidNumber: 6971
homeDirectory: /home/michaelg
loginShell: /bin/bash
gecos: Michael Green
shadowMin: 0
shadowMax: 99999
shadowLastChange: 13983
userPassword:: e1NTSEF9ajczU0RLVGdRWFF1NGVUVHExZ3JhWEo3Q2IvaFR2dE8=
I guess it can be at least partly attributed to the fact that useradd is not exactly LDAP-savvy. For example, it gives no way to provide attribute=value pairs (required by LDAP) which are not part of the /etc/passwd line, such as givenName and surname (sn). These attributes usually get there as a simple text string under the "comment" umbrella of the -c flag, along with telephone number and God knows what else. Is my guess right and/or am I missing something?
-- Warm regards, Michael Green
On Monday, 14 April 2008, Michael Green wrote:
Ralf,
Thank you for your clear and detailed explanation! I don't mind at all sending the enhancement request. Which type of ER is most appropriate for that: "Feature Enhancement" or "Problem with Existing Problem", or doesn't it matter?

I am not exactly sure what you are referring to, here. Especially what "Problem with Existing Problem" is. :)

Another q: While trying to add my _first_ user via useradd I stumbled upon the following error:
gene2:~ # useradd -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" --service ldap lssafran
Enter LDAP Password:
Cannot find base ou for new users.
LDAP information update failed: Operations error
I've also noticed that after having added at _least_ one user via YaST, I can then add any number of users via useradd without problem.

Hm, it seems that useradd is unable to find a suitable parent object for the new user. I don't know exactly what useradd does here. Might be worth another feature request (allowing to specify the parent object for a new user).

Can this error be avoided without using YaST, i.e. by adding the first and all subsequent users via useradd only?
And by the way, as in the case of groups, users added via YaST and via useradd appear differently in ldapsearch:
# User lssafran was added via YaST [..]
# User michaelg was added via useradd [..]
I guess it can be at least partly attributed to the fact that useradd is not exactly LDAP-savvy. For example, it gives no way to provide attribute=value pairs (required by LDAP) which are not part of the /etc/passwd line, such as givenName and surname (sn). These attributes usually get there as a simple text string under the "comment" umbrella of the -c flag, along with telephone number and God knows what else. Is my guess right and/or am I missing something?

I think your guess is pretty accurate.

-- Ralf Haferkamp
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
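A bulk-load helper in the spirit of Ralf's "LDIF file plus ldapadd" suggestion earlier in the thread, and of Michael's point just above that useradd cannot set attributes such as givenName and sn. This is an added example, not code from the thread or from SUSE; it assumes the base DN shown in the thread's ldapsearch output and constructed sample accounts, and it mirrors the object-class combinations visible in that output (namedObject for an empty group, groupOfNames plus member once the group has members; the posixGroup/groupOfNames combination relies on the schema SLES ships, since stock rfc2307 nis.schema makes posixGroup structural).

```python
import base64
import hashlib
import os

# Assumed base DN: the ou the thread's entries live under (sample data below is constructed).
BASE_DN = "ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il"


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} userPassword value (SHA-1 over password+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, password):
    """Verify a password against a {SSHA} value; the salt is the tail of the blob."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def user_entry(uid, given, sn, uid_number, gid_number, password):
    """inetOrgPerson + posixAccount, so givenName and sn are proper attributes
    instead of free text crammed into gecos via useradd -c."""
    return [
        f"dn: uid={uid},{BASE_DN}",
        "objectClass: top", "objectClass: inetOrgPerson",
        "objectClass: posixAccount", "objectClass: shadowAccount",
        f"uid: {uid}", f"cn: {given} {sn}", f"givenName: {given}", f"sn: {sn}",
        f"uidNumber: {uid_number}", f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}", "loginShell: /bin/bash",
        f"userPassword: {ssha_hash(password)}",
    ]


def group_entry(cn, gid_number, members=()):
    """posixGroup; namedObject while empty (as YaST does), groupOfNames once it
    has members, because groupOfNames requires at least one member value."""
    lines = [f"dn: cn={cn},{BASE_DN}", "objectClass: top", "objectClass: posixGroup"]
    if members:
        lines.append("objectClass: groupOfNames")
        lines += [f"member: uid={m},{BASE_DN}" for m in members]
    else:
        lines.append("objectClass: namedObject")
    return lines + [f"cn: {cn}", f"gidNumber: {gid_number}"]


def build_ldif(users, groups):
    """One LDIF document: entries separated by a blank line, ready for ldapadd -f."""
    entries = [user_entry(*u) for u in users] + [group_entry(*g) for g in groups]
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


# Constructed sample data (names and numbers echo the thread's entries; the password is fake).
SAMPLE_USERS = [("lssafran", "Marilyn", "Safran", 3208, 6971, "example-only")]
SAMPLE_GROUPS = [("pietro_blocks", 6972), ("pietro_lab", 6973, ["lssafran"])]

if __name__ == "__main__":
    # Load with: ldapadd -x -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" -W -f bulk.ldif
    print(build_ldif(SAMPLE_USERS, SAMPLE_GROUPS), end="")
```

Because the DN is written explicitly, ldapadd never has to guess a parent ou the way useradd does, which also sidesteps the "Cannot find base ou for new users" error on an empty tree.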
On Tue, Apr 15, 2008 at 10:44 AM, Ralf Haferkamp wrote:
[..]
I am not exactly sure what you are referring to, here. Especially what "Problem with Existing Problem" is. :)

Sorry, I should have mentioned that I am referring to this page http://www.novell.com/enhancement_request/

[..]
Hm, it seems that useradd is unable to find a suitable parent object for the new user. I don't know exactly what useradd does here. Might be worth another feature request (allowing to specify the parent object for a new user).

If so, then it raises another question: how come useradd is able to figure out what parent ou to pick for the next user? Does useradd do it by taking the ou of the first user it stumbles upon in the DIT, or does it pick a random one? What if I have several groups of users under different ou's? I realize that these questions would be better handled by someone who is familiar with the source code of useradd.

-- Warm regards, Michael Green
On Tuesday, 15 April 2008, Michael Green wrote:
[..]
Sorry, I should have mentioned that I am referring to this page http://www.novell.com/enhancement_request/

Ah, ok. I guess "Feature Enhancement" would match here.

[..]
If so, then it raises another question: how come useradd is able to figure out what parent ou to pick for the next user? Does useradd do it by taking the ou of the first user it stumbles upon in the DIT, or does it pick a random one?

Yeah, it does something like this. AFAIK it first checks for existing users and takes the same parent that this user has. If there are no existing users, it checks for the availability of specific well-known ou's, like ou=people. An additional commandline option would really help to do less guess work here.

What if I have several groups of users under different ou's?

It takes the one of the first user returned by the server.

I realize that these questions would be better handled by someone who is familiar with the source code of useradd.

-- Ralf Haferkamp
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Participants (3): Carlos Lorenzo Matés, Michael Green, Ralf Haferkamp