RE: [SLE] LDAP How to

24 Apr 2006


      ...
-----Original Message-----
From: Drew Burchett
Sent: Monday, April 24, 2006 6:57 AM
To: Suse
Subject: RE: [SLE] LDAP How to
...
...
...
Is there any good suse 10 and ldap how to's available? I have
exhausted
my little ldap experience in trying to help get my friend going
but
now
luck.
I don't know that all these steps are strictly necessary because I
cobbled this together from a number of different howtos, but here's
how
I set my box up to authenticate against AD using LDAP.
Edit /etc/ldap.conf as below:
host    my.ldap.host
base    DC=domain,DC=local
ldap_version    3
binddn  cn=aduser,dc=domain,dc=local
bindpw  aduserpass
scope   sub
nss_base_passwd ou=Users,dc=domain,dc=local?sub
nss_base_shadow ou=Users,dc=domain,dc=local?sub
nss_base_group  ou=Users,dc=domain,dc=local?sub
pam_password    ad
pam_login_attribute     sAMAccountName
pam_member_attribute    msSFU30PosixMember
nss_map_objectclass     posixAccount    user
nss_map_objectclass     shadowAccount   user
nss_map_objectclass     posixGroup      Group
nss_map_attribute       uid     sAMAccountName
nss_map_attribute       uidNumber       msSFU30UidNumber
nss_map_attribute       gidNumber       msSFU30GidNumber
nss_map_attribute       loginShell      msSFU30LoginShell
nss_map_attribute       gecos           msSFU30Gecos
nss_map_attribute       userPassword    msSFU30Password
nss_map_attribute       homeDirectory   msSFU30HomeDirectory
nss_map_attribute       uniqueMember    msSFU30PosixMember
ssl     no
Edit /etc/samba/smb.conf
[global]
        unix charset = LOCALE
        workgroup = OLK_LOCAL
        realm = DOMAIN.LOCAL
        server string = Monitor Server
        security = ADS
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        printcap name = cups
        ldap ssl = no
        template shell = /bin/bash
        printing = cups
        winbind use default domain = yes
[homes]
        comment = Home Directories
        valid users = %S
        browseable = No
        read only = No
Edit /etc/nsswitch.conf
passwd: compat  ldap
shadow: files   ldap
group:  compat  ldap
hosts:  files   dns     wins
networks:       files   dns
services:       files ldap
protocols:      files
rpc:    files
ethers: files
netmasks:       files
publickey:      files
bootparams:     files
automount:      files
aliases:        files ldap
passwd_compat:  ldap
group_compat:   ldap
netgroup:       files ldap
Edit /etc/pam.d/common-auth
auth    sufficient      pam_ldap.so
auth    required        pam_env.so
auth    required        pam_unix2.so use_first_pass
Edit /etc/pam.d/common-account
account         sufficient      pam_ldap.so
account required        pam_unix2.so
Edit /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.LOCAL
        clockskew = 300
[realms]
ONLINEKY.LOCAL = {
        kdc = mydomainserver.domain.local
        default_domain = DOMAIN.LOCAL
        admin_server = mydomainserver.domain.local
}
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
[domain_realm]
        .DOMAIN.LOCAL = DOMAIN.LOCAL
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
}
Restart your machine and make sure smbd, nmbd and winbindd are
running.
Wbinfo -u should give you a list of ldap users.  Getent passwd should
show ALL users, ldap and local, and getent group should show all
groups,
ldap and local.  If you aren't using AD, you probably don't need the
Kerberos setup.
Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone:  (270)527-3293
Fax:     (270)527-3132
--
CONFIDENTIALITY NOTICE: This e-mail message, including any
attachments, is
for the sole use of the intended recipient(s) and may contain
confidential
and privileged information. Any unauthorized review, use, disclosure
or
distribution is prohibited. If you are not the intended recipient,
Oh, and one other thing I forgot to mention.  This may not pertain to
your situation, but I could not get this to work at all until I
uninstalled the openldap that came with SuSE and recompiled a downloaded
version that excluded the cyrus sasl libraries

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone:  (270)527-3293
Fax:     (270)527-3132


please
...
contact the sender by reply e-mail and destroy all copies of the
original
message.
--
This message has been scanned for viruses and dangerous content by
MailScanner and is believed to be clean.
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-- 
This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.