-----Original Message-----
From: Drew Burchett
Sent: Monday, April 24, 2006 6:57 AM
To: Suse
Subject: RE: [SLE] LDAP How to
Are there any good SUSE 10 and LDAP howtos available? I have exhausted my little LDAP experience in trying to help get my friend going, but no luck.
I don't know that all these steps are strictly necessary because I cobbled this together from a number of different howtos, but here's how I set my box up to authenticate against AD using LDAP.
Edit /etc/ldap.conf as below:
host my.ldap.host
base DC=domain,DC=local
ldap_version 3
binddn cn=aduser,dc=domain,dc=local
bindpw aduserpass
scope sub
nss_base_passwd ou=Users,dc=domain,dc=local?sub
nss_base_shadow ou=Users,dc=domain,dc=local?sub
nss_base_group ou=Users,dc=domain,dc=local?sub
pam_password ad
pam_login_attribute sAMAccountName
pam_member_attribute msSFU30PosixMember
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos msSFU30Gecos
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
ssl no
Edit /etc/samba/smb.conf
[global]
unix charset = LOCALE
workgroup = OLK_LOCAL
realm = DOMAIN.LOCAL
server string = Monitor Server
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
ldap ssl = no
template shell = /bin/bash
printing = cups
winbind use default domain = yes

[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
Edit /etc/nsswitch.conf
passwd: compat ldap
shadow: files ldap
group: compat ldap
hosts: files dns wins
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
publickey: files
bootparams: files
automount: files
aliases: files ldap
passwd_compat: ldap
group_compat: ldap
netgroup: files ldap
Edit /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix2.so use_first_pass
Edit /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix2.so
Edit /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
clockskew = 300

[realms]
# The stanza name must match default_realm above, or the KDC is never found.
DOMAIN.LOCAL = {
kdc = mydomainserver.domain.local
default_domain = DOMAIN.LOCAL
admin_server = mydomainserver.domain.local
}

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}
Restart your machine and make sure smbd, nmbd and winbindd are running. "wbinfo -u" should give you a list of LDAP users. "getent passwd" should show ALL users, LDAP and local, and "getent group" should show all groups, LDAP and local. If you aren't using AD, you probably don't need the Kerberos setup.
Drew Burchett United Systems & Software http://www.united-systems.com Phone: (270)527-3293 Fax: (270)527-3132
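Added here as an example, not part of Drew's mail or of nss_ldap itself: a POSIX shell audit that flags the settings in an /etc/ldap.conf like the one above that expose the AD bind credential ("ssl no", a clear-text "bindpw", a file readable by every local user). It assumes the nss_ldap/pam_ldap keywords used in the mail and that rootbinddn with /etc/ldap.secret is available as the root-only alternative to bindpw; the sample file it writes is constructed from the mail's placeholder values.

```shell
# Added example (not from the original mail): audit a nss_ldap/pam_ldap style
# /etc/ldap.conf for settings that expose the AD bind credential.

# Value of the first non-comment occurrence of a keyword; empty if absent.
ldap_conf_get() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { print $2; exit }' "$1"
}

# Print one "WARN:" line per finding; exit status is always 0.
ldap_conf_findings() {
    f="$1"
    case "$(ldap_conf_get "$f" ssl)" in
        on|start_tls) ;;
        *)  echo "WARN: transport: ssl is not on/start_tls, so bind DN, password and lookups cross the network in clear text"
            # AD accepts unicodePwd changes only over an encrypted connection,
            # so "pam_password ad" without ssl means passwd(1) changes fail.
            [ "$(ldap_conf_get "$f" pam_password)" = "ad" ] &&
                echo "WARN: pam_password ad needs ssl on/start_tls; AD rejects clear-text password changes" ;;
    esac
    if [ -n "$(ldap_conf_get "$f" bindpw)" ]; then
        echo "WARN: credential: bindpw stored in $f; use rootbinddn with the password in root-only /etc/ldap.secret"
        # Group/other permission bits from ls -l (portable, unlike stat's flags).
        case "$(ls -l "$f" | cut -c5-10)" in
            *r*) echo "WARN: permission: $f is readable by group/other, exposing bindpw to every local user" ;;
        esac
    fi
}
# Number of findings; "|| :" keeps exit status 0 when grep counts zero matches.
ldap_conf_finding_count() {
    ldap_conf_findings "$1" | grep -c '^WARN:' || :
}

# Constructed sample with the security-relevant lines of the mail's ldap.conf
# (host, DN and password are the mail's own placeholder values).
write_sample_ldap_conf() {
    cat > "$1" <<'EOF'
host my.ldap.host
base DC=domain,DC=local
binddn cn=aduser,dc=domain,dc=local
bindpw aduserpass
pam_password ad
ssl no
EOF
    chmod 644 "$1"
}

# Audit the file named on the command line, or the sample when none is given.
if [ -n "$1" ]; then ldap_conf_findings "$1"; else
    t=$(mktemp) && write_sample_ldap_conf "$t" && ldap_conf_findings "$t"; rm -f "$t"; fi
```

Run against the mail's configuration as written it reports four findings; tightening the file to mode 600 removes only the permission one, and the other three need ssl turned on and the password moved out of the file.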
-- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Oh, and one other thing I forgot to mention. This may not pertain to your situation, but I could not get this to work at all until I uninstalled the openldap that came with SuSE and recompiled a downloaded version that excluded the cyrus sasl libraries.

Drew Burchett United Systems & Software http://www.united-systems.com Phone: (270)527-3293 Fax: (270)527-3132
-- This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com