On Thursday 01 March 2007 09:33, Gaël Lams wrote:
> Hi,
>
> > I am trying to get my network up on LDAP user authentication.
> > I have several machines (three servers and 10 workstations), and a
> > handful of roaming users that use several boxes at different times.
> > I wanted a central user administration instead of having to walk around
> > and locally add all the new users I get.
> > .....
> > Can anyone either point me to a step by step setup, or tell me how to set
> > the simplest network up: one LDAP server and one LDAP client. That way I
> > might be able to set the rest up myself...
> > Server_1 is a group file server with several shares with common
> > files for all the systems.
> > ....
> > Is this doable with LDAP?
>
> I think so. I've all my servers performing an ssh ldap authentication,
> my external ftp users are also in the ldap directory and I've a few
> web based applications using the same ldap back-end for the
> authentication.
>
> I don't have so much time, so I will give you some background (if you
> already know it, delete my email :-) that should help you in doing
> what you want and, in case of problems, help you in solving them.
>
> In my set-up, I use pam to configure the various services to perform
> an ldap authentication. In case you didn't know, Pluggable
> Authentication Modules (PAM) is the UNIX interface that enables
> applications to use an independent mechanism for authentication (it
> also provides functionality such as account management, session
> management, and password management).
> It's important to understand that PAM only handles that one issue,
> authentication: if you use pam_ldap then your authentication
> procedures can talk to a remote LDAP server to authenticate users,
> but nothing else about your system changes (i.e., you still need to
> have user accounts in /etc/* files).
>
> Here comes the Name Service Switch (NSS). NSS is similar to PAM in
> terms of allowing applications to use different sources for
> authentication, but its primary purpose is simple lookups to get
> user-attribute related information from the LDAP server (for instance:
> the shell, the home directory). It's really just an admin-controlled
> backend for the existing UNIX naming functions (gethostbyname,
> getpwent, etc.), so that you can configure alternate naming sources.
> If you use nss_ldap then you can remove user entries from /etc/* files
> and have them live entirely in a remote LDAP server, but this is only
> handling naming/lookup functions. Authentication will try and use
> whatever the PAM module has been configured to use (it may call NSS
> functions and thus "appear" to work sometimes, or it may try and
> access /etc/* files directly, in which case it will fail as the users
> don't exist there anymore).
>
> Software to be installed:
> pam_ldap, nss_ldap (optional: pam_ssh, if you want to use ssh-agent
> with a private key)
>
> I will give you an example for the FTP setup:
> I have defined in my ldap directory an organization called "EXTERNAL"
> (lack of imagination :-) to contain the external users.
>
> I've then created /etc/pam.d/vsftpd with the following lines:
>
>     auth    required pam_ldap.so config=/etc/pam_ldap_ftp.conf
>     account required pam_ldap.so config=/etc/pam_ldap_ftp.conf
>
> pam_ldap_ftp.conf is a copy of /etc/ldap.conf. ldap.conf is used to
> define the login/ssh authentication configuration. I based all my
> set-up on groups and, because it makes sense for me, I created an
> organizational unit per type of service I want to provide ldap
> authentication to (ou=FTP, ou=HTTP, ou=SSH, ....)
>
> For example:
>
>     # Group to enforce membership of for the ftp server, defined in pam_ldap_ftp.conf
>     pam_groupdn cn=GP-PLECO,ou=FTP,ou=GROUPS,o=MY_ORG
>
>     # Group to enforce membership of for ssh access, defined in ldap.conf
>     pam_groupdn cn=GP-SYSADMIN,ou=SSH,ou=GROUPS,o=MY_ORG
>
> Hope it will help you,
>
> Regards,
>
> Gaël
It's a good start! Thank you very much!

-- 
/Rikard
-----------------------------------------------------------------------------
email : [EMAIL PROTECTED]
web   : http://www.rikjoh.com
mob   : +46 (0)763 19 76 25
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
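The two layers Gaël describes (pam_ldap deciding whether a user may log in to a given service via `pam_groupdn`, and nss_ldap answering `getpwnam()` from the directory) fail independently, which is why a login can "appear" to work at one layer and still fail. The dry-run below is an added example, not code from the thread or from pam_ldap/nss_ldap: it reads a constructed LDIF export that reuses the thread's group DNs, and for hypothetical users `alice` and `bob` reports what each layer would decide. It assumes pam_ldap's default member attribute `uniquemember` for `pam_groupdn` checks (override with `pam_member_attribute` in ldap.conf) and that the service needs a `posixAccount` for NSS to resolve the user.

```python
"""Dry-run of pam_ldap (pam_groupdn) and nss_ldap decisions from an LDIF export."""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory. Group DNs are the ones from the thread; the two
# users are hypothetical. bob is an FTP group member but has no posixAccount data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=EXTERNAL,o=MY_ORG
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=EXTERNAL,o=MY_ORG
objectClass: inetOrgPerson
uid: bob

dn: cn=GP-PLECO,ou=FTP,ou=GROUPS,o=MY_ORG
objectClass: groupOfUniqueNames
cn: GP-PLECO
uniqueMember: uid=alice,ou=EXTERNAL,o=MY_ORG
uniqueMember: uid=bob,ou=EXTERNAL,o=MY_ORG

dn: cn=GP-SYSADMIN,ou=SSH,ou=GROUPS,o=MY_ORG
objectClass: groupOfUniqueNames
cn: GP-SYSADMIN
uniqueMember: uid=alice,ou=EXTERNAL,o=MY_ORG
"""

# pam_groupdn per PAM service, mirroring pam_ldap_ftp.conf and ldap.conf in the thread.
PAM_GROUPDN = {
    "vsftpd": "cn=GP-PLECO,ou=FTP,ou=GROUPS,o=MY_ORG",
    "sshd": "cn=GP-SYSADMIN,ou=SSH,ou=GROUPS,o=MY_ORG",
}
PAM_MEMBER_ATTRIBUTE = "uniquemember"  # pam_ldap default; assumption for this example
NSS_REQUIRED = ("uid", "uidnumber", "gidnumber", "homedirectory", "loginshell")

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: {dn: {attr_lowercased: [values]}}. Handles blank-line
    separated entries and leading-space folded lines; base64 (::) values are not covered."""
    entries: Dict[str, Entry] = {}
    attrs: Entry = {}
    last: Optional[str] = None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:            # folded continuation line
            attrs[last][-1] += raw[1:]
            continue
        if not raw.strip():                         # end of entry
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs, last = {}, None
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()                 # LDAP attribute names are case-insensitive
        attrs.setdefault(last, []).append(value.strip())
    return entries


def find_user(entries: Dict[str, Entry], uid: str) -> Tuple[Optional[str], Optional[Entry]]:
    for dn, attrs in entries.items():
        if uid in attrs.get("uid", []):
            return dn, attrs
    return None, None


def nss_lookup(entries: Dict[str, Entry], uid: str) -> Tuple[bool, str]:
    """What nss_ldap needs to answer getpwnam(): a posixAccount with all passwd fields."""
    dn, attrs = find_user(entries, uid)
    if dn is None or attrs is None:
        return False, "no entry with uid=%s" % uid
    if "posixaccount" not in [v.lower() for v in attrs.get("objectclass", [])]:
        return False, "%s is not a posixAccount" % dn
    missing = [a for a in NSS_REQUIRED if a not in attrs]
    if missing:
        return False, "%s lacks %s" % (dn, ", ".join(missing))
    return True, dn


def pam_account(entries: Dict[str, Entry], uid: str, service: str) -> Tuple[bool, str]:
    """pam_ldap account check with pam_groupdn: the user's DN must be a member of the group."""
    dn, _ = find_user(entries, uid)
    if dn is None:
        return False, "unknown user"
    groupdn = PAM_GROUPDN.get(service)
    if groupdn is None:
        return False, "no pam_groupdn configured for %s" % service
    group = next((a for g, a in entries.items() if g.lower() == groupdn.lower()), None)
    if group is None:
        return False, "group %s not found" % groupdn
    members = [m.lower() for m in group.get(PAM_MEMBER_ATTRIBUTE, [])]
    if dn.lower() not in members:
        return False, "%s is not in %s" % (dn, groupdn)
    return True, groupdn


def login_would_work(entries: Dict[str, Entry], uid: str, service: str) -> Tuple[bool, Dict[str, str]]:
    """Both layers must agree: PAM admits the user and NSS can resolve the account."""
    ok_pam, why_pam = pam_account(entries, uid, service)
    ok_nss, why_nss = nss_lookup(entries, uid)
    return ok_pam and ok_nss, {"pam": why_pam, "nss": why_nss}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user, svc in (("alice", "sshd"), ("bob", "vsftpd"), ("bob", "sshd")):
        print(user, svc, login_would_work(directory, user, svc))
```

Against a live server the same two questions are `getent passwd alice` (does nss_ldap resolve the user?) and `ldapsearch -x -b 'cn=GP-PLECO,ou=FTP,ou=GROUPS,o=MY_ORG' uniqueMember` (is the user's DN really in the group pam_groupdn names?); when one says yes and the other no, you have found which layer is misconfigured.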
