Re: Linux: OpenLdap, PAM in cluster environment

Quoting "Chris G. Sellers" <sellers@Oakland.edu>:

> Frank,
> 	You're looking to port your current
> /etc/passwd:/etc/shadow:/etc/group information into the LDAP
> database?   Am I correct?
> 
> This can be done.  You can use the LDAPADD and LDAPMOD tools that come
> with PADL or other LDAP areas.  You'll need to somehow stream the
> information from your current files to the LDAP database.  

Installing the following Debian GNU/Linux packages will prepare your systems
to use PAM_LDAP...

    Needed on all the nodes:
        libnss-ldap             NSS module for using LDAP as a naming service
        libpam-ldap             Pluggable Authentication Module allowing LDAP interfaces

    Needed on the server (obviously :)
        openldapd               OpenLDAP server (slapd).

    Good to have, at least while developing the database and testing it out, etc.
        openldap-utils          OpenLDAP utilities.
        openldap-guide          OpenLDAP Admin Guide

Then, to convert your existing user database (/etc/{passwd|shadow|group}), use the
LDAP MigrationTools from PADL (http://www.padl.com/tools.html).

Then, when the database is in order, and you have verified that it 'should' work,
change all the files in '/etc/pam.d/*' to use pam_ldap as the authenticator library...
This must naturally be done on ALL the nodes.

This is what my 'ssh' file looks like (just for reference, it took me quite some time
to get that part to fully work :)

There is no 'pam_ldap' for the session stuff yet, and I'm not sure why you would want
one, I forgot what it's for :)

----- s n i p -----
#%PAM-1.0
auth		required	pam_nologin.so
auth		sufficient	pam_ldap.so
auth		required	pam_unix.so try_first_pass shadow
auth		required	pam_env.so # [1]

account		sufficient	pam_ldap.so
account		required	pam_unix.so try_first_pass shadow

password	required	pam_ldap.so

session		required	pam_unix.so
session		optional	pam_lastlog.so # [1]
session		optional	pam_motd.so # [1]
session		optional	pam_mail.so standard noenv # [1]
session		required	pam_mkhomedir.so skel=/etc/skel/
----- s n i p -----

And if you want your mail system to use this too, I can recommend a patched QMail.
There's a patch that lets qmail use an LDAP database to look up users, AND also
(by yours truly :) have all the configuration files that qmail usually has in
/var/qmail/control in the same database, very convenient for large sites... One
place to do changes...

And since 'imap' and 'ipop3d' (from the Debian packages with the same names) can
use PAM, it's easy to have imap/pop look up users from that LDAP database.


This is how we have based our whole infrastructure at work, and also on my own
personal machines, very convenient, I must say... OpenLDAP has been a lifesaver
for me!
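As an added illustration (not part of this message, nor code from any of the packages named above), here is a small Python model of how Linux-PAM walks a stack like the 'ssh' file quoted above. It lets you confirm, before rolling a change out to all nodes, that the 'required' pam_nologin line still denies a login even when the 'sufficient' pam_ldap line after it succeeds, and that swapping those two lines would quietly lose that guarantee. The control-flag semantics are simplified and labelled as such in the code; the sample file text is a constructed copy of the stack from the message.

```python
# Constructed copy of the 'ssh' auth stack quoted in the message; the
# trailing "# [1]" markers stay to show that the parser strips them.
SSH_PAM_TEXT = """\
#%PAM-1.0
auth\t\trequired\tpam_nologin.so
auth\t\tsufficient\tpam_ldap.so
auth\t\trequired\tpam_unix.so try_first_pass shadow
auth\t\trequired\tpam_env.so # [1]
"""

def parse_pam(text):
    """Parse pam.d lines into {type: [(control, module, args), ...]}."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops comments and "#%PAM-1.0"
        if not line:
            continue
        typ, control, module, *args = line.split()
        stacks.setdefault(typ, []).append((control.lower(), module, args))
    return stacks

def evaluate(stack, results):
    """Simplified Linux-PAM verdict for one stack (True = access granted).
    results maps module -> True/False; unlisted modules succeed.
    required: failure is remembered but later modules still run;
    requisite: failure returns at once; sufficient: success ends the
    stack with PASS unless a required module already failed, its own
    failure is ignored; optional: never decides the outcome here."""
    failed_required = False
    any_success = False
    for control, module, _args in stack:
        ok = results.get(module, True)
        if control == "requisite" and not ok:
            return False
        if control == "required":
            if ok:
                any_success = True
            else:
                failed_required = True
        elif control == "sufficient" and ok:
            if not failed_required:
                return True
            any_success = True
    return any_success and not failed_required

def nologin_bypassable(stack):
    """True if a 'sufficient' success placed before the 'required'
    pam_nologin line lets a login through that nologin would deny."""
    return evaluate(stack, {"pam_nologin.so": False})
```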