Matthew,<br><br>I've been using OpenLDAP for about 6 years now. Currently I'm running 5 OpenLDAP servers, 1 master and 4 replicas for about 40 Linux clients.<br><br>This book was pretty good.<br><br>LDAP System Administration<br>
By Gerald Carter <br>Publisher: O'Reilly Media <br>Released: March 2003 <br>Pages: 310<br><br>Also, OpenLDAP's website is pretty good. And the man pages are good.<br><br>> What schema or attributes do I need to have in the LDAP directory?<br>
Depends on what data you want to keep. I recommend these:<br><br># Schemas<br>include /etc/openldap/schema/core.schema<br>include /etc/openldap/schema/cosine.schema<br>include /etc/openldap/schema/nis.schema<br>
include /etc/openldap/schema/inetorgperson.schema<br>include /etc/openldap/schema/sudo.schema<br>include /etc/openldap/schema/autofs.schema<br><br>> Can I use an email address as the "username" (uid) I want to authenticate?<br>
You might not want the "@" in your "ls -al" results. Thus, you might want to have login and nss use different attributes. I've never tried that.<br><br>Here are my config files:<br> <a href="http://www.ilive4unix.net/doku.php/notes/sec/slapd.conf">http://www.ilive4unix.net/doku.php/notes/sec/slapd.conf</a><br>
<a href="http://www.ilive4unix.net/doku.php/notes/sec/ldap.conf">http://www.ilive4unix.net/doku.php/notes/sec/ldap.conf</a><br><br>Keep in mind that there are often two ldap.conf files on a Linux system.<br> * /etc/ldap.conf -> used by PADL's nss-ldap<br>
* /etc/openldap/ldap.conf -> used by OpenLDAP's tools<br><br>Different programs are built against the different config files. The /etc/ldap.conf file is the one you need to configure for nss-ldap.<br><br>Make sure you configure backups for your ldap database. I recommend performing a dump and compress daily and weekly.<br>
<br>Here is a quick backup script.<br><br>#!/bin/sh<br><br># Stop on the first failed command so a half-written dump is not left behind.<br>set -e<br># Create the dump files owner-only from the start (no window where they are world-readable).<br>umask 077<br>BACKUPDIR=/var/backups/ldap<br>TODAY=$(date --iso-8601)<br>[ -d "${BACKUPDIR}" ] || mkdir -p "${BACKUPDIR}"<br><br># Dump straight from the local database (run on the server hosting slapd).<br>SLAPFILE="${BACKUPDIR}/slapd-backup_${TODAY}.ldif"<br>/usr/sbin/slapcat > "${SLAPFILE}"<br>chmod 400 "${SLAPFILE}"<br><br># Dump over the wire as a low-privilege backup account.<br>LDIFFILE="${BACKUPDIR}/domain.org.${TODAY}.ldif"<br>BINDDN="uid=bkupadm,ou=admin,DC=domain,DC=org"<br># Bind password read from a root-only file (-y) instead of the command line (-w), where ps would show it; path is your choice.<br>PASSFILE=/etc/ldap-backup.pw<br>ldapsearch -H "ldap://ldap0.domain.org" -D "${BINDDN}" -y "${PASSFILE}" -x -b "DC=domain,DC=org" > "${LDIFFILE}"<br>chmod 400 "${LDIFFILE}"<br><br>Also, you may want to set up: <b><a href="http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page">http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page</a></b><br>
<br>Hope this helps. Shoot if you have more questions.<br><br>~Travis Sidelinger<br><br><div class="gmail_quote">On Mon, Sep 5, 2011 at 3:39 PM, Matthew Gardlik, Ph.D. <span dir="ltr"><<a href="mailto:matt@mattgardlik.com">matt@mattgardlik.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">I would like to use PAM to authenticate against an OpenLDAP directory<br>
containing user credentials.<br>
<br>
Can anyone direct me to a good resource on this topic? Most of the<br>
information I can find online seems fragmented and incomplete. Some of<br>
the questions that I have include: What schema or attributes do I need<br>
to have in the LDAP directory? Can I use an email address as the<br>
"username" (uid) I want to authenticate?<br>
<br>
The man page for pam_ldap(5) provided some useful information, but it<br>
still looks like I'm missing something.<br>
<br>
Thank you,<br>
<br>
Matt<br>
_______________________________________________<br>
colug-432 mailing list<br>
<a href="mailto:colug-432@colug.net">colug-432@colug.net</a><br>
<a href="http://lists.colug.net/mailman/listinfo/colug-432" target="_blank">http://lists.colug.net/mailman/listinfo/colug-432</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>"A careful reading of history clearly demonstrates ...<br>that people don't read history carefully."<br><br>
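A check worth running after a dump like the one in the backup script above, added here as an example and not part of Travis's message: it refuses to trust an LDIF backup that is missing or empty, readable by anyone but its owner, lacking the base DN entry, or shorter than expected, which is how a slapcat run against a stopped or misconfigured backend usually fails silently. The function names, MIN_ENTRIES and the use of GNU stat -c are my assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an LDIF dump before rotating it into backups.
# Assumes POSIX sh, GNU stat (-c), grep and a dump made with slapcat or ldapsearch.

# Minimum number of entries a real dump of the directory should contain.
MIN_ENTRIES=${MIN_ENTRIES:-2}

# Count entries: every LDIF entry begins with a "dn:" line.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# check_ldif_backup FILE BASEDN -> 0 when FILE looks like a usable backup, 1 otherwise.
check_ldif_backup() {
    file=$1
    basedn=$2
    if [ ! -s "$file" ]; then
        echo "backup missing or empty: $file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "400" ]; then
        echo "backup $file has mode $mode, expected 400" >&2
        return 1
    fi
    # Case-insensitive match: slapcat may write "dc=" where the config says "DC=".
    if ! grep -qi "^dn: *${basedn}\$" "$file"; then
        echo "base DN $basedn not present in $file" >&2
        return 1
    fi
    n=$(ldif_entry_count "$file")
    if [ "$n" -lt "$MIN_ENTRIES" ]; then
        echo "only $n entries in $file, expected at least $MIN_ENTRIES" >&2
        return 1
    fi
    return 0
}
```

Call it from the backup script right after each chmod, and let a non-zero exit abort the job so the failure is noticed the same day rather than on restore day.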