Marcelo Moulin wrote:
First of all, I would like to thank you, Chuck, for your important help!
Then, some other questions and comments... :)
My pleasure, I contribute when I can.
On 4/20/06, Chuck Theobald <[EMAIL PROTECTED]> wrote:
Marcelo Moulin wrote:
Hello all !!
I'm starting to implement an LDAP server in my university, but before that
I would like to have some advice from experts and work in the right
way.
So, let's go.
1) All of my clients should be authenticated and authorized by the
server. Therefore, should I install all components like OpenLDAP,
pam_ldap, nss_ldap as I read on the internet, or can I install just
some components? I'm talking about Linux systems.
To do authentication and authorization, you will need all three
components on your clients and at least openldap on your server. You
will need to touch four client configuration files:
/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
and install your cacert.pem file (assuming you are doing secure
connections, as you should). Note that both ldap.conf files point to
the cacert.pem file. These locations are on a Gentoo 2.6 installation;
the locations will be similar for other distros.
I'm not using any kind of CA right now because I am just trying to
get everything working.
I was really wondering why they use two ldap.conf files. What is the big
deal? It confuses me.
Not using secure communications to start is good, as it eliminates one
source of problems, but be sure to add it when everything else is working.
The dual ldap.conf files have confused many more than you. This is an
unfortunate circumstance, but the nss_ldap people chose ldap.conf for
their config file. This is /etc/ldap.conf. Openldap uses
/etc/openldap/ldap.conf.
Second, I use Gentoo too, but unfortunately I must use the Zenwalk
distro for the clients, and believe me, it is very awful (I am sorry if
someone here uses it). But my server is SUSE.
Note that, in my experience, the most finicky part of this is PAM. Each
distro and unix flavor seems to have its own ideas about how PAM is
configured. In my case, the system-auth file is a file used by a number
of services. Do not promise delivery until you have the configuration
for PAM down for all your distros.
PAM is really strange to install. I did everything right (I think), but
I could not find any pam.conf or, even worse, any pam.d/. Should I just
copy from source and place it in /etc/pam.d/?
PAM is odd, but the installation is straightforward. You should find
either /etc/pam.conf (old way) or /etc/pam.d/<whatever> (new way).
Further questions on PAM should be taken to a more appropriate list.
Regards,
Chuck
2) And what about Windows OS? Do I need to use Samba to do the same as I
mentioned above?
Is this the best way? Do I need to use NIS?
We have Samba set up as our domain controller with:
passdb backend = ldapsam:ldap://our-top-secret-machine.domain.not
in the smb.conf file with other ldap parameters set appropriately. We
create accounts using the smbldap tools, and use phpldapadmin as the
maintenance system.
Our system took months of tweaking off and on to get it all figured out.
I hope this helps to shorten your time-to-production.
It will help. Thank you very much.
Good luck,
hehehe. I will need that, for sure. Thanks... :)
Chuck
Regards,
Marcelo
--
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
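As an added example (not part of this thread, nor any project's code), here is a small shell checker for the client-side settings Chuck describes: the four files, both ldap.conf files pointing at a CA file, and TLS actually turned on. It assumes the Gentoo paths from the thread and the standard nss_ldap/pam_ldap directives (uri, ssl, tls_cacertfile, tls_checkpeer) and OpenLDAP directives (TLS_CACERT, TLS_REQCERT); the sample trees it builds are constructed for the demo, so it runs without a real server.

```shell
#!/bin/sh
# Hypothetical checker for the four client files named above, run against a constructed
# sample tree rather than a live system; ROOT is prefixed to every path it reads.
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }   # record one failure
# Return 0 when every security-relevant setting is present, else the number of failures.
check_ldap_client_config() {
  root=$1; fails=0
  nss="$root/etc/ldap.conf"             # nss_ldap / pam_ldap config
  lib="$root/etc/openldap/ldap.conf"    # OpenLDAP client library config
  nsw="$root/etc/nsswitch.conf"; pam="$root/etc/pam.d/system-auth"
  for f in "$nss" "$lib" "$nsw" "$pam"; do
    [ -f "$f" ] || fail "missing $f"
  done
  [ "$fails" -eq 0 ] || return "$fails"
  # 1. nss_ldap/pam_ldap must reach the server over TLS: ldaps:// URI or StartTLS.
  if ! grep -Eqi '^(uri[[:space:]]+ldaps://|ssl[[:space:]]+start_tls)' "$nss"; then
    fail "$nss: no ldaps:// uri and no 'ssl start_tls'"
  fi
  # 2. Both ldap.conf files must point at an existing CA file and verify the server cert.
  ca=$(awk 'tolower($1)=="tls_cacertfile"{print $2}' "$nss")
  [ -n "$ca" ] && [ -f "$root$ca" ] || fail "$nss: tls_cacertfile missing or file absent"
  grep -Eqi '^tls_checkpeer[[:space:]]+yes' "$nss" || fail "$nss: tls_checkpeer is not yes"
  ca2=$(awk '$1=="TLS_CACERT"{print $2}' "$lib")
  [ -n "$ca2" ] && [ -f "$root$ca2" ] || fail "$lib: TLS_CACERT missing or file absent"
  grep -Eq '^TLS_REQCERT[[:space:]]+(never|allow|try)' "$lib" && fail "$lib: TLS_REQCERT weaker than demand"
  # 3. NSS and PAM must actually consult LDAP.
  grep -Eq '^passwd:.*[[:space:]]ldap([[:space:]]|$)' "$nsw" || fail "$nsw: passwd does not use ldap"
  grep -q 'pam_ldap.so' "$pam" || fail "$pam: pam_ldap.so not referenced"
  return "$fails"
}
# Write a constructed sample tree under DIR; MODE "good" enables TLS, "bad" leaves it plain.
make_sample_tree() {
  dir=$1; mode=$2
  mkdir -p "$dir/etc/openldap" "$dir/etc/pam.d" "$dir/etc/ssl/certs"
  echo "CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE" > "$dir/etc/ssl/certs/cacert.pem"
  if [ "$mode" = good ]; then
    printf 'uri ldaps://ldap.example.org\nbase dc=example,dc=org\ntls_checkpeer yes\ntls_cacertfile /etc/ssl/certs/cacert.pem\n' > "$dir/etc/ldap.conf"
    printf 'BASE dc=example,dc=org\nURI ldaps://ldap.example.org\nTLS_CACERT /etc/ssl/certs/cacert.pem\nTLS_REQCERT demand\n' > "$dir/etc/openldap/ldap.conf"
  else
    printf 'uri ldap://ldap.example.org\nbase dc=example,dc=org\n' > "$dir/etc/ldap.conf"
    printf 'BASE dc=example,dc=org\nURI ldap://ldap.example.org\nTLS_REQCERT never\n' > "$dir/etc/openldap/ldap.conf"
  fi
  printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$dir/etc/nsswitch.conf"
  printf 'auth sufficient pam_unix.so\nauth sufficient pam_ldap.so use_first_pass\n' > "$dir/etc/pam.d/system-auth"
}
tmp=$(mktemp -d); make_sample_tree "$tmp/good" good; make_sample_tree "$tmp/bad" bad
check_ldap_client_config "$tmp/good" && echo "good tree: OK"
check_ldap_client_config "$tmp/bad" || echo "bad tree: $? problem(s) found"
rm -rf "$tmp"
```

To audit a real client, call check_ldap_client_config with an empty ROOT argument ("") so the paths resolve against the live /etc.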