[colug-432] PAM and LDAP
Travis Sidelinger
travissidelinger at gmail.com
Mon Sep 5 22:19:41 EDT 2011
Matthew,
I've been using OpenLDAP for about 6 years now. Currently I'm running 5
OpenLDAP servers, 1 master and 4 replicas for about 40 Linux clients.
This book was pretty good.
LDAP System Administration
By Gerald Carter
Publisher: O'Reilly Media
Released: March 2003
Pages: 310
Also, OpenLDAP's website is pretty good. And the man pages are good.
> What schema or attributes do I need to have in the LDAP directory?
Depends on what data you want to keep. I recommend these:
# Schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/autofs.schema
> Can I use an email address as the "username" (uid) I want to authenticate?
You might not want the "@" in your "ls -al" results. Thus, you might want
to have login and NSS use different attributes. I've never tried that.
Here are my config files:
http://www.ilive4unix.net/doku.php/notes/sec/slapd.conf
http://www.ilive4unix.net/doku.php/notes/sec/ldap.conf
Keep in mind that there are often two ldap.conf files on a Linux system.
* /etc/ldap -> used by PADL's nss-ldap
* /etc/openldap/ldap.conf -> used by openldap's tools
Different programs are built against the different config files. The
/etc/ldap.conf file is the one you need to configure for nss-ldap.
Make sure you configure backups for your LDAP database. I recommend
performing a dump and compress daily and weekly.
Here is a quick backup script.
#!/bin/sh
# 1. Raw database dump with slapcat (runs locally on the server, no bind needed).
SLAPFILE=/var/backups/ldap/slapd-backup_`date --iso-8601`.ldif
if [ ! -d `dirname "${SLAPFILE}"` ]; then mkdir -p `dirname "${SLAPFILE}"`; fi
/usr/sbin/slapcat > "${SLAPFILE}"
chmod 400 "${SLAPFILE}"
# 2. Second copy taken over the protocol as a bind user, so it reflects what
#    clients actually see (ACLs applied).
LDIFFILE=/var/backups/ldap/domain.org.`date --iso-8601`.ldif
if [ ! -d `dirname "${LDIFFILE}"` ]; then mkdir -p `dirname "${LDIFFILE}"`; fi
BINDDN="uid=bkupadm,ou=admin,DC=domain,DC=org"
# Note: -w puts the password on the command line (visible in the process list);
# ldapsearch's -y <file> reads it from a mode-400 file instead.
ldapsearch -H "ldap://ldap0.domain.org" -D "${BINDDN}" -w 'secretpass' -x \
  -b "DC=domain,DC=org" > "${LDIFFILE}"
chmod 400 "${LDIFFILE}"
Also, you may want to set up:
http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
Hope this helps. Shoot if you have more questions.
~Travis Sidelinger
On Mon, Sep 5, 2011 at 3:39 PM, Matthew Gardlik, Ph.D. <matt at mattgardlik.com> wrote:
> I would like to use PAM to authenticate against an OpenLDAP directory
> containing user credentials.
>
> Can anyone direct me to a good resource on this topic. Most of
> information I can find online seems fragmented and incomplete. Some of
> the questions that I have include: What schema or attributes do I need
> to have in the LDAP director? Can I use an email address as the
> "username" (uid) I want to authenticate?
>
> The man page for pam_ldap(5) provided some useful information, but it
> still looks like I'm missing something.
>
> Thank you,
>
> Matt
--
"A careful reading of history clearly demonstrates ...
that people don't read history carefully."
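Before trusting a slapcat/ldapsearch dump like the one the script above produces, it is worth checking that the posixAccount entries carry the nis.schema attributes PAM and NSS need, and spotting uids with an "@" in them (the email-as-uid question) and duplicate uidNumbers. The following is an added example, not code from the mail or from OpenLDAP; the sample LDIF, the bind DNs and the uid values in it are constructed.

```python
import base64
# Constructed sample slapcat output (not from the mail); it contains a folded dn line and a base64 ('::') value.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=domain,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100
homeDirectory:: L2hvbWUvYWxpY2U=

dn: uid=bob@domain.org,ou=people,
 dc=domain,dc=org
objectClass: posixAccount
uid: bob@domain.org
uidNumber: 1001
gidNumber: 100
"""

REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")  # nis.schema attrs NSS needs

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; unfolds continuation lines, decodes '::' base64."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):   # unfold, then split into entries
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                     # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name, []).append(value.strip())
        if attrs:
            entries.append(attrs)
    return entries

def check_posix_accounts(text):
    """Findings that break or surprise PAM/NSS: missing nis attrs, '@' in uid, duplicate uidNumber."""
    findings, seen = [], {}
    for e in parse_ldif(text):
        if "posixAccount" not in e.get("objectClass", []):
            continue
        dn = e["dn"][0]
        findings += [f"{dn}: missing {a}" for a in REQUIRED if a not in e]
        findings += [f"{dn}: uid '{u}' contains '@'" for u in e.get("uid", []) if "@" in u]
        for n in e.get("uidNumber", []):
            if n in seen:
                findings.append(f"{dn}: uidNumber {n} already used by {seen[n]}")
            seen.setdefault(n, dn)
    return findings
```

Run it against the real dump with `check_posix_accounts(open("/var/backups/ldap/slapd-backup_YYYY-MM-DD.ldif").read())`; an empty list means every posixAccount is complete and unique.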