Hi Nasir,

Here are my notes (in Trac wiki markup format no less) for manually setting
up Ubuntu clients to use our FreeIPA 1.2 server.  I haven't tested the 2.0
branch yet, but I suspect it's primarily the same.

HTH.

-ben

--
| Ben Eisenbraun
| SBGrid Consortium                          | http://sbgrid.org       |
| Harvard Medical School                     | http://hms.harvard.edu  |

== Accounts/Authentication ==
Install required packages:
{{{
apt-get install ldap-utils krb5-user libpam-ldap libnss-ldap nss-updatedb 
libnss-db autofs nfs-common autofs-ldap
}}}
This should spawn a dpkg-configure instance for Kerberos, give the proper 
information.

Edit /etc/nsswitch.conf to include:
{{{
passwd:    files ldap
group:     files ldap
automount: files ldap 
}}}

Edit /etc/ldap.conf to include:
{{{
uri                         ldap://your.server.name
base                        dc=EXAMPLE,dc=COM
bind_policy                 soft
pam_lookup_policy           yes
pam_password                md5
nss_initgroups_ignoreusers  root,ldap
nss_schema                  rfc2307bis
nss_map_attribute           uniqueMember member
ssl                         no
ldap_version                3
pam_filter                  objectClass=posixAccount
}}}

To enable pam-ldap, run:
{{{
pam-auth-update
}}}

To enable autofs-managed home directories, edit /etc/ldap/ldap.conf to read:
{{{
BASE  dc=EXAMPLE,dc=COM
URI   ldap://your.server.name
}}}

For kerberos config, edit /etc/krb5.conf to include 
{{{
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEV-NETWORK.IN.HWLAB
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DEV-NETWORK.IN.HWLAB = {
  kdc = your.server.name
  admin_server = your.server.name
 }

[domain_realm]
 dev-network.in.hwlab = EXAMPLE.COM
 .dev-network.in.hwlab = EXAMPLE.COM
}}}

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to