[BBLISA] openldap recipe(s)
Daniel Hagerty
hag at linnaean.org
Fri Nov 7 08:39:23 EST 2008
"Doug Mildram" <dmildram at gmail.com> writes:
> MAIN QUESTION: I hope to find a clear complete recipe for
> (openldap install + ) config of linux (redhat based preferred)
> using LDAP authentication. (UNIX passwd,shadow,group).
> I've read too many, brain going in circles now.
The problem with "recipe" here is that there are a lot of
variables, and many of these variables are your call to make constant.
> should be an approved toplevel domains (is "local" approved?) Anyways,
I forget where, but local is in fact approved for exactly your use
case.
> pam_filter objectclass=(posixAccount or account? depends on recipe)
This one's up to you. objectClass is how you specify which
attributes the LDAP server will insist upon having to create a given
object. The setup on one random domain I work with has it so that
posixAccounts are what nss/pam filter for, and there are some other
account-like things that aren't posixAccounts. As a result, these
other things don't exist on unix machines, don't get unix user ids,
home directories, etc.
> which has LDAP checkboxes in BOTH tabs, confusing?
One of these is for configuring nss, the other is for
authentication. As a counterexample, if you were configuring against
activedirectory or another ldap + kerberos system, you'd configure
ldap for the nss portion, but kerberos for the auth.
> Makes NIS look like a hot date. Sorry so long.
It's not exactly a fair comparison. NIS is very fixed in its
overall function, as is the OS interface to it. LDAP ends up being a
lot more things to a lot more customers, and as usual, you pay for it.
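An added illustration of the objectClass/pam_filter point above (example code written for this page, not from the original post or from openldap): a constructed LDIF with one posixAccount and one plain account, and a small equality-filter evaluator showing which entries a `pam_filter objectclass=posixAccount` exposes as Unix users and which entries a looser `objectclass=account` filter would pull in without the attributes RFC 2307 requires. The LDIF parser, `matches` and `unix_users` are hypothetical helpers, not ldap.conf options.

```python
"""Which LDAP entries become Unix users under a given nss/pam filter."""
import re

# Attributes RFC 2307 marks MUST on posixAccount (names lowercased: LDAP
# attribute names are case-insensitive).
POSIX_MUST = {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}

# Constructed sample directory: one posixAccount, one plain account that
# should never get a uid, home directory, etc. on a Unix box.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=local
objectClass: account
objectClass: posixAccount
cn: Alice Example
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=svc-web,ou=People,dc=example,dc=local
objectClass: account
uid: svc-web
description: service identity, no shell login
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attr -> values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def matches(entry, flt):
    """Evaluate a single equality filter 'attr=value' (parentheses optional)."""
    attr, _, value = flt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def unix_users(ldif_text, flt="objectClass=posixAccount"):
    """Return (uids usable as Unix users, uids matched but missing MUST attrs)."""
    usable, incomplete = [], []
    for e in parse_ldif(ldif_text):
        if not matches(e, flt):
            continue
        missing = POSIX_MUST - set(e)
        (incomplete if missing else usable).append(e["uid"][0])
    return usable, incomplete
```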