Re: Autofs-OpenLDAP Assistance
On Tuesday 29 July 2008 20:19:33 Sven Ulland wrote:
> Santosh Balan wrote:
> > Can you please guide and provide some appropriate documentation or
> > method as to how I have to go about the installation of OpenLDAP and
> > autofs such that it will authenticate my users and automatically
> > mount the users' partitions.
Depending on how your infrastructure is set up, you could get home directories
automounted for every user with a single automount (wildcard) rule. Unless you
give more details, it is difficult to know how you are associating the need
for home directories and automount rules.
> To use ldap for login, you need to get nsswitch and pam to talk ldap.
> It is easily done by installing libnss-ldapd (or libnss-ldap -- they
> are functionally equivalent) and libpam-ldap. Package names are likely
> to be different on your platform -- these are from Debian.
>
> First change /etc/nsswitch.conf so that it reads something like this:
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
I would avoid compat unless you actually require the features. See the
discussion of compat in nsswitch.conf(5). Additionally, I would avoid adding
ldap to shadow unless you have applications that require access to the
password hash or are intending to use nss_ldap->pam_unix for authentication
(and forego any ldap authorization features).
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
> automount: ldap
>
> Then set up /etc/pam.d/common-{account,auth,password,session} with the
> following *additions*:
>
> common-account:
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
I would rather suggest adding:
account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required pam_deny.so
otherwise password expiry, host attribute use etc. will most likely not work.
> common-auth:
> auth requisite pam_succeed_if.so uid >= 1000 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> common-password:
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> common-session:
> session optional pam_ldap.so
pam_ldap doesn't implement session as far as I know, pam_mkhomedir would be a
better candidate for the line above.
>
> (There is probably some silly configuration in the above, but it
> works. I haven't looked into the details of PAM yet.)
Have you tested every aspect with the configuration above?
> Next, install autofs5-ldap (or v4 if you want). It is important that
> you understand the structure of autofs entries in ldap. You can get an
> overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap
>
> Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf),
> /etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point
> to your ldap directory server.
>
> When things don't work, try running each daemon in debug mode. This
> is particularly true for slapd and the nslcd (that comes in
> libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to
> see if logins are accepted.
And disable nscd while troubleshooting.
Regards,
Buchan
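Added example, written for this archive page and not code from any of the thread's participants: a small Python linter that parses nsswitch.conf and PAM stack lines (including the bracketed control syntax quoted above) and reports the points raised in the reply: 'compat' and 'shadow: ldap' where they may not be needed, an account stack that does not end in pam_deny.so, pam_ldap.so with a non-'sufficient' control, and pam_ldap.so in the session stack. The configuration samples are constructed from the quoted mail and the suggested replacement; the wording of each finding is an assumption about how to phrase the advice.

```python
"""Lint nsswitch.conf and PAM stack lines for the points raised in the thread.

Added example; not code from the thread's authors. The samples below are
constructed from the quoted configuration and the reply's suggested stack.
"""

# Constructed sample: the nsswitch.conf lines from the quoted mail.
NSSWITCH_QUOTED = """\
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
netgroup: nis
automount: ldap
"""

# Constructed sample: the quoted common-account and common-session lines.
PAM_QUOTED = """\
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
session optional pam_ldap.so
"""

# Constructed sample: the stack the reply recommends instead.
PAM_SUGGESTED = """\
account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required pam_deny.so
session optional pam_mkhomedir.so
"""


def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_nsswitch(text):
    """Map each database (passwd, group, ...) to its ordered source tokens.
    Action specs such as [NOTFOUND=return] are kept as ordinary tokens."""
    dbs = {}
    for line in _lines(text):
        name, sep, sources = line.partition(":")
        if sep:
            dbs[name.strip()] = sources.split()
    return dbs


def parse_pam(text):
    """Parse PAM stack lines into (type, control, module, args) tuples.
    A bracketed control such as [default=bad success=ok] contains spaces,
    so its whitespace-split tokens are re-joined up to the closing ']'."""
    entries = []
    for line in _lines(text):
        tokens = line.split()
        if len(tokens) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        ptype = tokens[0]
        if tokens[1].startswith("["):
            end = next((i for i, tok in enumerate(tokens) if tok.endswith("]")), None)
            if end is None:
                raise ValueError(f"unterminated control field: {line!r}")
            control = " ".join(tokens[1:end + 1])
        else:
            end = 1
            control = tokens[1]
        module, args = tokens[end + 1], tokens[end + 2:]
        entries.append((ptype, control, module, args))
    return entries


def lint_nsswitch(dbs):
    """Findings for the two nsswitch points raised in the reply."""
    findings = []
    for db in ("passwd", "group", "shadow"):
        if "compat" in dbs.get(db, []):
            findings.append(f"{db}: 'compat' listed; use 'files' unless compat features are required")
    if "ldap" in dbs.get("shadow", []):
        findings.append("shadow: 'ldap' listed; only needed if applications read the hash "
                        "or pam_unix authenticates LDAP users")
    return findings


def lint_pam(entries):
    """Findings for the account and session points raised in the reply."""
    findings = []
    account = [e for e in entries if e[0] == "account"]
    if account and account[-1][2] != "pam_deny.so":
        findings.append(f"account: stack ends with {account[-1][2]}; "
                        "end with 'account required pam_deny.so'")
    for _, control, module, _ in account:
        if module == "pam_ldap.so" and control != "sufficient":
            findings.append(f"account: pam_ldap.so has control {control!r}; "
                            "the reply recommends 'sufficient'")
    for ptype, _, module, _ in entries:
        if ptype == "session" and module == "pam_ldap.so":
            findings.append("session: pam_ldap.so is used for session; "
                            "pam_mkhomedir.so is the better candidate")
    return findings


if __name__ == "__main__":
    for f in lint_nsswitch(parse_nsswitch(NSSWITCH_QUOTED)) + lint_pam(parse_pam(PAM_QUOTED)):
        print(f)
    print("suggested stack findings:", lint_pam(parse_pam(PAM_SUGGESTED)))
```

Running the module prints four nsswitch findings and three PAM findings for the quoted configuration, and none for the suggested stack; pointing `parse_nsswitch` and `parse_pam` at the real `/etc/nsswitch.conf` and `/etc/pam.d/common-*` files works the same way.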