[colug-432] PAM and LDAP

Matthew Gardlik, Ph.D. matt at mattgardlik.com
Tue Sep 6 05:27:46 EDT 2011


Thanks, Travis.  I've been able to get OpenLDAP up and running and add 
to the directory.  However, I haven't been able to get PAM to 
authenticate to the directory yet.  This is the first time I've tried to 
do this, so I may just need to play with it a little more.  I'll give it 
another look later this week when I have a little more time.

Thanks again,

Matt

-- 
Matthew M. Gardlik, Ph.D.
Registered Patent Agent, Reg. No. 67,089
614-607-0710
matt at mattgardlik.com
http://www.mattgardlik.com/

On 9/5/11 10:19 PM, Travis Sidelinger wrote:
> Matthew,
>
> I've been using OpenLDAP for about 6 years now.  Currently I'm running 5
> OpenLDAP servers, 1 master and 4 replicas, for about 40 Linux clients.
>
> This book was pretty good.
>
> LDAP System Administration
> By Gerald Carter
> Publisher: O'Reilly Media
> Released: March 2003
> Pages: 310
>
> Also, OpenLDAP's website is pretty good.  And the man pages are good.
>
>  > What schema or attributes do I need to have in the LDAP directory?
> Depends on what data you want to keep.  I recommend these:
>
> # Schemas
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/sudo.schema
> include         /etc/openldap/schema/autofs.schema
>
>  > Can I use an email address as the "username" (uid) I want to
> authenticate?
> You might not want the "@" in your "ls -al" results.  Thus, you might
> want to have login and nss use different attributes.  I've never tried that.
>
> Here are my config files:
> http://www.ilive4unix.net/doku.php/notes/sec/slapd.conf
> http://www.ilive4unix.net/doku.php/notes/sec/ldap.conf
>
> Keep in mind that there are often two ldap.conf files on a Linux system.
>    * /etc/ldap.conf -> used by PADL's nss-ldap
>    * /etc/openldap/ldap.conf -> used by OpenLDAP's tools
>
> Different programs are built against the different config files.  The
> /etc/ldap.conf file is the one you need to configure for nss-ldap.
>
> Make sure you configure backups for your ldap database.  I recommend
> performing a dump and compress daily and weekly.
>
> Here is a quick backup script.
>
> #!/bin/sh
> # Dump the directory twice: straight from the database with slapcat and
> # over LDAP with ldapsearch, compressing both.  umask 077 keeps the dumps
> # unreadable by other users from the moment they are created, not only
> # after the chmod.
> set -eu
> umask 077
>
> BACKUPDIR=/var/backups/ldap
> DATE=`date --iso-8601`
> mkdir -p "${BACKUPDIR}"
>
> SLAPFILE="${BACKUPDIR}/slapd-backup_${DATE}.ldif.gz"
> /usr/sbin/slapcat | gzip > "${SLAPFILE}"
> chmod 400 "${SLAPFILE}"
>
> LDIFFILE="${BACKUPDIR}/domain.org.${DATE}.ldif.gz"
> BINDDN="uid=bkupadm,ou=admin,DC=domain,DC=org"
> # Read the bind password from a root-only (mode 0600) file with -y rather
> # than passing it on the command line, where any user can see it in ps.
> # (The file name is an example; use whatever path you keep it at.)
> ldapsearch -x -H "ldap://ldap0.domain.org" -D "${BINDDN}" -y /etc/ldap-backup.pw \
>     -b "DC=domain,DC=org" | gzip > "${LDIFFILE}"
> chmod 400 "${LDIFFILE}"
>
> Also, you may want to setup:
> http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
>
> Hope this helps.  Shoot if you have more questions.
>
> ~Travis Sidelinger
>
> On Mon, Sep 5, 2011 at 3:39 PM, Matthew Gardlik, Ph.D.
> <matt at mattgardlik.com <mailto:matt at mattgardlik.com>> wrote:
>
>     I would like to use PAM to authenticate against an OpenLDAP directory
>     containing user credentials.
>
>     Can anyone direct me to a good resource on this topic?  Most of the
>     information I can find online seems fragmented and incomplete.  Some of
>     the questions that I have include:  What schema or attributes do I need
>     to have in the LDAP directory?  Can I use an email address as the
>     "username" (uid) I want to authenticate?
>
>     The man page for pam_ldap(5) provided some useful information, but it
>     still looks like I'm missing something.
>
>     Thank you,
>
>     Matt
>     _______________________________________________
>     colug-432 mailing list
>     colug-432 at colug.net <mailto:colug-432 at colug.net>
>     http://lists.colug.net/mailman/listinfo/colug-432
>
>
>
>
> --
> "A careful reading of history clearly demonstrates ...
> that people don't read history carefully.”
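Since the thread stops short of a working client configuration, here is an added example of the /etc/ldap.conf that PADL's nss_ldap and pam_ldap read (the file Travis points at, not /etc/openldap/ldap.conf). It is not Matt's or Travis's configuration; it reuses the server name and base DN from the backup script above, and the ou=people / ou=groups subtrees and the CA certificate path are assumptions.

```conf
# /etc/ldap.conf  -- read by PADL nss_ldap and pam_ldap
# (not /etc/openldap/ldap.conf, which only the OpenLDAP command-line tools use)

# Where and how to connect.  Use TLS: pam_ldap authenticates the user with a
# simple bind, so over plain ldap:// every password would cross the wire in
# the clear.  tls_checkpeer makes the client reject a server whose certificate
# does not chain to the CA below.
uri             ldap://ldap0.domain.org/
base            DC=domain,DC=org
ldap_version    3
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacerts/domain-ca.pem   # assumed path

# Lookups here are anonymous.  If the directory requires a bind for reads,
# set binddn and rootbinddn and keep that password in the root-only
# /etc/ldap.secret, never in this world-readable file.
scope           sub
timelimit       10
bind_timelimit  10

# NSS: subtrees that hold accounts and groups (assumed layout).
# "?one" limits each search to one level below the given base.
nss_base_passwd ou=people,DC=domain,DC=org?one
nss_base_shadow ou=people,DC=domain,DC=org?one
nss_base_group  ou=groups,DC=domain,DC=org?one

# PAM: only posixAccount entries may log in, and the name PAM receives is
# matched against uid.  pam_password exop uses the LDAP password-modify
# extended operation so the server hashes the password instead of the client.
pam_filter          objectclass=posixAccount
pam_login_attribute uid
pam_password        exop
```

With this file in place, nsswitch.conf needs `passwd: files ldap`, `shadow: files ldap` and `group: files ldap`, and the /etc/pam.d stack needs pam_ldap.so in the auth, account and password lines (typically `auth sufficient pam_ldap.so use_first_pass` right after pam_unix.so) before `getent passwd` and a login will both succeed. On the e-mail-as-username question: pam_login_attribute could be set to mail, but that only changes how pam_ldap finds the entry for the name it is handed; login services such as sshd also resolve the typed name through NSS, and NSS maps Unix user names to uid, so the address would have to be the uid (and then appear in `ls -al`) for the login to go through. Use `getent passwd <name>` and `ldapsearch -x -ZZ -b DC=domain,DC=org '(uid=<name>)'` to test the NSS and TLS halves separately before blaming PAM.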