[BBLISA] openldap recipe(s)
Doug Mildram
dmildram at gmail.com
Thu Nov 6 17:36:49 EST 2008
LDAP was last discussed here @bblisa, though not re: installation/initial config;
http://www.bblisa.org/pipermail/bblisa/2007-December/001556.html
Pardon all the food motifs here. Hungry? Sick? both :)
MAIN QUESTION: I hope to find a clear complete recipe for
(openldap install + ) config of linux (redhat based preferred)
using LDAP authentication. (UNIX passwd,shadow,group).
I've read too many, brain going in circles now.
Stop reading here or risk entering the swamp.
====gory detail of the goal, observations, embedded Q's, etc:
I've currently been trying cookbooks incl. one at www.openldap.org
(homepage docs go to version 2.4, but 2.3 is more prevalent,
e.g. RH5/centOS5 has 2.3). This Quickstart is worth something:
http://www.openldap.org/doc/admin23/quickstart.html
which chooses BDB database, if that matters.
Quickstart ends near my Step3 below.
After that, many things/choices remain on the road to enable auth.
From scratch, general steps:
STEP1: openldap installed w/server (slapd).
On RH5/centOS5, needed rpm's are:
$ rpm -aq | grep ldap
openldap-2.3.27-8.el5_1.3
openldap-servers-2.3.27-8.el5_1.3
nss_ldap-253-12.el5
openldap-clients-2.3.27-8.el5_1.3
STEP2: slapd configured a bit, and running. Also DNS in the mix.
Choose "domain style" Base DN, e.g. dc=myhouse,dc=local,
it's unclear why LDAP docs say the final component (mine = "local")
should be an approved top-level domain (is "local" approved?). Anyways,
trying to make typical choices, w/o an actual registered domain,
my poor-man DNS server works on local LAN
and /etc/resolv.conf has "domain myhouse.local" to be safe.
I'll even add a CNAME "auth" for server URL ldap://auth.myhouse.local
Much detail omitted here in slapd.conf editing.
==end step2; likely to revisit slapd configuration as we go along.
STEP3: edit /etc/openldap/ldap.conf (the short ldap.conf) so "clients"
(also on server) like ldapsearch, ldapadd, etc should work;
Some initial ldapsearch tests should be here, +more after step4.
STEP4: create by hand or import user accounts
trivial or not, I'm not focused on this yet;
STEP 5: In the LONG /etc/ldap.conf, edit "host" and "base"
and perhaps just add/enable 5 lines for
pam_filter objectclass=(posixAccount or account? depends on recipe)
pam_password crypt
nss_base_passwd ou=People,dc=(mybaseDN)
nss_base_shadow ou=People,dc=(mybaseDN)
nss_base_group ou=Group,dc=(mybaseDN)
STEP 6: mess w/PAM manually (edit /etc/pam.d/system-auth)
and/or (GUI,wimp?) run RH command "system-config-authentication"
which has LDAP checkboxes in BOTH tabs, confusing?
tab "User information" has "Enable LDAP Support"
and "Configure LDAP" lets you
choose TLS or not;
enter LDAP Search Base DN
enter LDAP Server ldap://auth.myhouse.local
the OTHER tab "Authentication" has the SAME thing as above.
the GUI doesn't help keep "authentication" and "authorization" straight.
(authentication = identify/become myself,root,etc; passwd+shadow)
(authorization = what am I allowed to do? group,..)
STEP ? : dump the contents and do the dishes.
It kills me how many places you hardcode "suffix" (BaseDN) and
other redundancies in LDIF entries. Elegance != the beauty of x.500 gumbo.
Don't forget /etc/nsswitch.conf (passwd,group "files ldap")
if system-config-authentication hasn't done it.
Makes NIS look like a hot date. Sorry so long.
Any pointers/advice? -doug
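Added example (not part of the original post, and not from the openldap project or its migrationtools): STEP4 above ("create by hand or import user accounts") is the one place the recipes tend to go vague, and it is also where the redundancy of the "suffix" complained about below shows up, since every DN must end in the same base DN that slapd.conf, the short ldap.conf and the long ldap.conf all repeat. The Python script below builds the LDIF for ou=People and ou=Group from passwd/shadow/group style lines, emitting posixAccount/shadowAccount entries (matching the "pam_filter objectclass=posixAccount" choice) and posixGroup entries. The sample passwd/shadow/group text, the crypt string, and the base DN dc=myhouse,dc=local are constructed; the min_uid/min_gid cutoff of 1000 for "real" accounts is an assumption. It deliberately refuses to copy a locked or disabled shadow hash ("!!", "*", or empty) into userPassword, because otherwise an account that cannot log in locally would become loggable through LDAP with whatever the placeholder happens to be. The output contains password hashes, so treat the file like /etc/shadow.

```python
"""Build LDIF for ou=People / ou=Group from passwd, shadow and group lines.

Added example; sample data below is constructed, not from a real host.
"""
import base64
from typing import Dict, List

# Constructed sample input (not a real system). The crypt string for alice is
# a made-up placeholder, not a real hash; bob is locked ("!!"), svc disabled ("*").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
svc:x:1003:1003:Service acct:/var/lib/svc:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:*:14189:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:14189:0:99999:7:::
bob:!!:14189:0:99999:7:::
svc:*:14189:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
alice:x:1001:
bob:x:1002:
staff:x:2000:alice,bob
"""

Entry = Dict[str, object]  # "dn" -> str, every other key -> List[str]


def parse_colon_file(text: str) -> List[List[str]]:
    """Split passwd/shadow/group style text into field lists, skipping blanks/comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def usable_hash(field: str) -> bool:
    """True only for a real crypt hash. Empty, '*' or a leading '!' mean
    'no password login' on the local box, so no userPassword is emitted."""
    return bool(field) and not field.startswith(("!", "*"))


def container_entries(base_dn: str) -> List[Entry]:
    """The two organizationalUnit containers that the nss_base_* lines point at."""
    return [
        {"dn": f"ou=People,{base_dn}", "objectClass": ["top", "organizationalUnit"], "ou": ["People"]},
        {"dn": f"ou=Group,{base_dn}", "objectClass": ["top", "organizationalUnit"], "ou": ["Group"]},
    ]


def user_entries(passwd_text: str, shadow_text: str, base_dn: str, min_uid: int = 1000) -> List[Entry]:
    """One posixAccount+shadowAccount entry per passwd line with uid >= min_uid (assumed cutoff)."""
    shadow = {row[0]: row for row in parse_colon_file(shadow_text) if len(row) >= 5}
    entries: List[Entry] = []
    for row in parse_colon_file(passwd_text):
        if len(row) != 7:
            continue  # malformed line: skip rather than guess
        name, _pw, uid, gid, gecos, home, shell = row
        if int(uid) < min_uid:
            continue  # system account: stays in local files only
        entry: Entry = {
            "dn": f"uid={name},ou=People,{base_dn}",
            "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
            "uid": [name], "cn": [gecos or name],
            "uidNumber": [uid], "gidNumber": [gid],
            "homeDirectory": [home], "loginShell": [shell],
        }
        srow = shadow.get(name)
        if srow:
            if usable_hash(srow[1]):
                entry["userPassword"] = ["{CRYPT}" + srow[1]]  # pam_password crypt expects this form
            if srow[2]:
                entry["shadowLastChange"] = [srow[2]]
            if srow[4]:
                entry["shadowMax"] = [srow[4]]
        entries.append(entry)
    return entries


def group_entries(group_text: str, base_dn: str, min_gid: int = 1000) -> List[Entry]:
    """One posixGroup entry per group line with gid >= min_gid; members become memberUid values."""
    entries: List[Entry] = []
    for row in parse_colon_file(group_text):
        if len(row) != 4 or int(row[2]) < min_gid:
            continue
        name, _pw, gid, members = row
        entry: Entry = {"dn": f"cn={name},ou=Group,{base_dn}",
                        "objectClass": ["top", "posixGroup"], "cn": [name], "gidNumber": [gid]}
        member_list = [m for m in members.split(",") if m]
        if member_list:
            entry["memberUid"] = member_list
        entries.append(entry)
    return entries


def ldif_value(attr: str, value: str) -> str:
    """RFC 2849 line: plain 'attr: value' if safe ASCII, otherwise base64 with 'attr:: '."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith(("<", ":")) and "\n" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries as blank-line separated LDIF records, dn first."""
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn']}"]
        for attr, values in e.items():
            if attr != "dn":
                lines.extend(ldif_value(attr, v) for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def build_ldif(passwd_text: str, shadow_text: str, group_text: str, base_dn: str) -> str:
    """Containers, then people, then groups, so ldapadd can load the file top to bottom."""
    entries = (container_entries(base_dn)
               + user_entries(passwd_text, shadow_text, base_dn)
               + group_entries(group_text, base_dn))
    return to_ldif(entries)


if __name__ == "__main__":
    print(build_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP, "dc=myhouse,dc=local"))
```

Pointed at real files, the output would be fed to ldapadd with the rootdn from slapd.conf; the ordering (containers before leaves) matters because ldapadd stops at the first entry whose parent does not exist. Keeping the uid/gid cutoff means root and the daemon accounts never leave /etc/passwd, which is also what keeps "files ldap" in nsswitch.conf workable when the LDAP server is down.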