Re: Linux: OpenLdap, PAM in cluster environment
Quoting "Chris G. Sellers" <sellers@Oakland.edu>:
> Frank,
> You're looking to port your current
> /etc/passwd:/etc/shadow:/etc/group information into the LDAP
> database? Am I correct?
>
> This can be done. You can use the LDAPADD and LDAPMOD tools that come
> with PADL or other LDAP areas. You'll need to somehow stream the
> information from your current files to the LDAP database.
Installing the following Debian GNU/Linux packages will prepare your systems
to use PAM_LDAP...
Needed on all the nodes:
libnss-ldap NSS module for using LDAP as a naming service
libpam-ldap Pluggable Authentication Module allowing LDAP interfaces
Needed on the server (obviously :)
openldapd OpenLDAP server (slapd).
Good to have, at least while developing the database and testing it out etc
openldap-utils OpenLDAP utilities.
openldap-guide OpenLDAP Admin Guide
Then, to convert your existing user database (/etc/{passwd|shadow|group}), use the
LDAP MigrationTools from padl (http://www.padl.com/tools.html).
Then, when the database is in order, and you have verified that it 'should' work,
change all the files in '/etc/pam.d/*' to use pam_ldap as authenticator library...
This must naturally be done on ALL the nodes.
This is what my 'ssh' file looks like (just for reference, it took me quite some time
to get that part to fully work :)
There is no 'pam_ldap' for the session stuff yet, and I'm not sure why you would want
one, I forgot what it's for :)
----- s n i p -----
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass shadow
auth required pam_env.so # [1]
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass shadow
password required pam_ldap.so
session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_mkhomedir.so skel=/etc/skel/
----- s n i p -----
And if you want your mail system to use this too, I can recommend a patched QMail.
There's a patch that lets qmail use an LDAP database to look up users, AND also
(by yours truly :) have all the configuration files that qmail usually has in
/var/qmail/control in the same database, very convenient for large sites... One
place to do changes...
And since 'imap' and 'ipop3d' (from the Debian package with the same name) can
use PAM, it's easy to have imap/pop look up users from that LDAP database.
This is how we have based our whole infrastructure at work, and also on my own
personal machines, very convenient, I must say... OpenLDAP has been a life saver
for me!
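As an added illustration of the conversion step discussed in this thread (turning /etc/passwd, /etc/shadow and /etc/group into something slapd can load), here is a small Python script written for this page; it is not part of the original message and is not the PADL MigrationTools. It emits LDIF with the posixAccount/shadowAccount and posixGroup object classes from nis.schema (plus the structural "account" class from cosine.schema), skips ids below 1000 as local system accounts, and deliberately leaves out userPassword for locked accounts ('!' or '*' in shadow) so they cannot bind against the directory. The base DNs, the id cut-off and all sample lines are assumptions made up for the example; the shadow hash shown is a dummy string.

```python
"""Convert passwd/shadow/group data into LDIF for OpenLDAP (nis + cosine
schemas). Example code written for this page, not the PADL MigrationTools;
the DIT layout, id cut-off and sample records below are assumptions."""
import base64

# Constructed sample input (not from the original post). The shadow
# hash is a dummy placeholder, not a real password hash.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
frank:x:1001:1001:Frank Example:/home/frank:/bin/bash
alice:x:1002:1001:Alice Example:/home/alice:/bin/sh
"""
SHADOW_SAMPLE = """\
root:!:11000:0:99999:7:::
frank:$1$dummysalt$dummyhashvalue000000:11500:0:99999:7:::
alice:*:11500:0:99999:7:::
"""
GROUP_SAMPLE = """\
root:x:0:
staff:x:1001:frank,alice
"""

PEOPLE_BASE = "ou=People,dc=example,dc=com"  # assumed DIT layout
GROUP_BASE = "ou=Group,dc=example,dc=com"    # assumed DIT layout
MIN_ID = 1000  # assumption: lower ids are local system users/groups


def parse_colon_file(text):
    """Split a passwd/shadow/group style file into field lists,
    skipping blank lines and comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode values LDIF cannot carry
    literally (non-ASCII, or a leading space, ':' or '<')."""
    plain = (value.isascii() and value.isprintable()
             and value[:1] not in (" ", ":", "<"))
    if plain:
        return f"{name}: {value}"
    enc = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {enc}"


def passwd_to_ldif(passwd_text, shadow_text,
                   people_base=PEOPLE_BASE, min_uid=MIN_ID):
    """posixAccount/shadowAccount entries for every passwd row with
    uid >= min_uid. Locked accounts get no userPassword attribute."""
    shadow = {row[0]: row for row in parse_colon_file(shadow_text)}
    entries = []
    for name, _pw, uid, gid, gecos, home, shell in parse_colon_file(passwd_text):
        if int(uid) < min_uid:
            continue
        lines = [
            f"dn: uid={name},{people_base}",
            ldif_attr("objectClass", "top"),
            ldif_attr("objectClass", "account"),
            ldif_attr("objectClass", "posixAccount"),
            ldif_attr("objectClass", "shadowAccount"),
            ldif_attr("uid", name),
            ldif_attr("cn", gecos.split(",")[0] or name),
            ldif_attr("uidNumber", uid),
            ldif_attr("gidNumber", gid),
            ldif_attr("homeDirectory", home),
            ldif_attr("loginShell", shell),
        ]
        if gecos:
            lines.append(ldif_attr("gecos", gecos))
        srow = shadow.get(name)
        if srow:
            crypt_hash = srow[1]
            # '!' or '*' means the account is locked locally; keep it
            # locked in LDAP by omitting userPassword entirely.
            if crypt_hash and not crypt_hash.startswith(("!", "*")):
                lines.append(ldif_attr("userPassword", "{CRYPT}" + crypt_hash))
            for attr, idx in (("shadowLastChange", 2), ("shadowMin", 3),
                              ("shadowMax", 4), ("shadowWarning", 5)):
                if len(srow) > idx and srow[idx]:
                    lines.append(ldif_attr(attr, srow[idx]))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def group_to_ldif(group_text, group_base=GROUP_BASE, min_gid=MIN_ID):
    """posixGroup entries with one memberUid per listed member."""
    entries = []
    for name, _pw, gid, members in parse_colon_file(group_text):
        if int(gid) < min_gid:
            continue
        lines = [
            f"dn: cn={name},{group_base}",
            ldif_attr("objectClass", "top"),
            ldif_attr("objectClass", "posixGroup"),
            ldif_attr("cn", name),
            ldif_attr("gidNumber", gid),
        ]
        lines += [ldif_attr("memberUid", m) for m in members.split(",") if m]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(PASSWD_SAMPLE, SHADOW_SAMPLE) + group_to_ldif(GROUP_SAMPLE))
```

The output contains password hashes, so redirect it into a file with a restrictive mode before loading it with ldapadd (for example `ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f users.ldif`, with the bind DN adjusted to your directory), and delete the file afterwards; slapd's own ACLs should likewise restrict who may read userPassword once the entries are in place.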