OpenLDAP Migration (Part 4 - Solaris clients)
Solaris got me re-interested in LDAP since Sun likes directory services, but I’m not using Sun’s LDAP server. Reading up on the documentation I was told this sets it all up:
ldapclient manual -v -a defaultsearchbase=dc=scriptforge,dc=org -a domainname=scriptforge.org IP_ADDRESS_OF_LDAP_SERVER
This will take a minute or so to run as services are stopped, changes made and services restarted. The output shows what it is doing and which files it changes. Take a look at some of these config changes. One thing I found is that this process switches hostname lookup from DNS to LDAP, which I didn't want. I changed it back by editing the hosts line in /etc/nsswitch.conf as follows:
hosts: dns files
Now we can get Solaris to query the LDAP passwd tree with:
getent passwd USERNAME
getent group GROUPNAME
Even finger works, but login does not (try SSH into the box with an LDAP username; it won't work). This is because PAM hasn't been configured to authenticate against LDAP. Edit /etc/pam.conf; there are different services listed (login, rlogin, ppp, other, passwd, and some Kerberos ones). We need to change the auth required pam_unix_auth.so.1 lines to auth sufficient pam_unix_auth.so.1, and then under the pam_dial_auth.so.1 lines add this line:
login auth required pam_ldap.so.1
Add these lines for the different services as you see them in the file (i.e. change the login above to rlogin, rsh, ppp, other, passwd as needed).
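Because the control flag and the position of each module decide whether an LDAP-only user ever reaches pam_ldap, it helps to list the auth stack PAM will actually run for a service before trying to log in. The script below is an added example, not code from the post: it parses the classic four-column /etc/pam.conf layout (service, type, flag, module), prints the auth stack for a service, and reports where pam_ldap.so.1 sits in it. The sample pam.conf is constructed to mirror the edit described above; file path and service name are parameters.

```shell
# Added example, not part of the original post. Lists the PAM "auth" stack
# Solaris evaluates for one service, in file order, so the control flags and
# the position of pam_ldap.so.1 can be audited before trying to log in.
# Assumptions: the classic 4-column /etc/pam.conf layout
# (service type flag module [options]); FILE and SERVICE are parameters.

# pam_auth_stack FILE SERVICE
# Prints "flag module" for each auth line of SERVICE. If SERVICE has no auth
# lines of its own, PAM uses the "other" stack, so this does the same.
pam_auth_stack() {
    awk -v svc="$2" '
        /^[ \t]*#/ || NF < 4 { next }            # comments and short lines
        $2 == "auth" && $1 == svc     { own[++n] = $3 " " $4 }
        $2 == "auth" && $1 == "other" { oth[++m] = $3 " " $4 }
        END {
            if (n > 0) { for (i = 1; i <= n; i++) print own[i] }
            else       { for (i = 1; i <= m; i++) print oth[i] }
        }' "$1"
}

# pam_ldap_position FILE SERVICE
# 1-based position of pam_ldap.so.1 in that stack, or "none".
pam_ldap_position() {
    pam_auth_stack "$1" "$2" | awk '
        /pam_ldap\.so\.1/ { print NR; found = 1; exit }
        END { if (!found) print "none" }'
}

# Constructed sample mirroring the edit described above: pam_unix_auth
# relaxed to "sufficient" and pam_ldap appended after pam_dial_auth for
# login; "other" left untouched.
SAMPLE_PAM_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_PAM_CONF"' EXIT
cat > "$SAMPLE_PAM_CONF" <<'EOF'
# login service
login   auth requisite   pam_authtok_get.so.1
login   auth required    pam_dhkeys.so.1
login   auth required    pam_unix_cred.so.1
login   auth sufficient  pam_unix_auth.so.1
login   auth required    pam_dial_auth.so.1
login   auth required    pam_ldap.so.1
# default for every service not listed explicitly
other   auth requisite   pam_authtok_get.so.1
other   auth required    pam_dhkeys.so.1
other   auth required    pam_unix_cred.so.1
other   auth required    pam_unix_auth.so.1
EOF

echo "login auth stack:"; pam_auth_stack "$SAMPLE_PAM_CONF" login
echo "pam_ldap position for login: $(pam_ldap_position "$SAMPLE_PAM_CONF" login)"
echo "pam_ldap position for sshd-kbdint: $(pam_ldap_position "$SAMPLE_PAM_CONF" sshd-kbdint)"
```

Run it against the real /etc/pam.conf with the service you are testing (Solaris sshd uses its own service names such as sshd-kbdint, which fall through to "other" when not listed); a result of "none" for that service means the line was added to login but not to the stack SSH actually uses, which is why the post says to repeat the line for "other" as well.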
STUCK! Damn this didn’t work! Anyone? Oh well may go get the samba integration going…
Setting up automounting
{not yet written}
Automounts and LDAP
{not yet written}
OpenLDAP Migration (Part 3 - Linux Clients)
Now we have the directory running on a server and some accounts migrated, time to use it. There is a caveat before you start on Ubuntu. I advise setting a root password so you can log in as root rather than sudo, as I lost the ability to do so after I removed local accounts and my directory login was not in the sudoers file. When it’s running and you have your accounts set right you can go back to using sudo.
In the list of users and groups in your directory, perhaps you should change the uids and gids so that they are unique across your systems - for example start at 5000 instead of 1000.
Install the following package:
apt-get install ldap-auth-client
This will install the packages necessary to switch to LDAP authentication. Dpkg will ask which LDAP server you will authenticate to, and ask for admin credentials so root can change passwords on the server. These responses are stored in /etc/ldap.conf, but I reckon it's easier to let debconf manage this config. If you need to change your answers, run this:
dpkg-reconfigure ldap-auth-config
Now to switch PAM (pluggable authentication modules) over to LDAP. This is done by:
auth-client-config -p lac_ldap -a
Now if you take a look in the /etc/pam.d/common-* files you will see entries like this:
auth sufficient pam_ldap.so
And if you try your login now (eg by ssh to the server) you will probably be able to login using LDAP authentication. Next step is to make sure all these LDAP users get their home directory from the server. This is where automount comes into play. Up to now I’ve just exported the entire /home on the file server by NFS, but that shows everyone’s home directory on servers that may not need it.
Setting up automounting
Install the autofs package (and nfs-common, for mounting NFS filesystems, if needed):
apt-get install autofs nfs-common
Then we edit the /etc/auto.master and add the line:
/home /etc/auto.home --timeout=90
Then create the file /etc/auto.home with the line:
* -fstype=nfs4,rw,proto=tcp,port=2049 NFS_SERVER:/home
As you can see, I’m using NFSv4, so on the server I have /export/home in the pseudo-filesystem bound to my real filesystem /home. On both client and server the file /etc/default/nfs-common needs to have NEED_IDMAPD=yes and the file /etc/idmapd.conf needs to have the same Domain = line.
Best to restart everything.
SERVER: /etc/init.d/nfs-common restart
SERVER: /etc/init.d/nfs-kernel-server restart
CLIENT: /etc/init.d/nfs-common restart
CLIENT: /etc/init.d/autofs start
Now try to ssh userinldap@localhost and you should be able to log in, and autofs will mount the home directory.
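A typo in either map file makes autofs silently skip the entry, and the user then lands in an empty home directory. The checker below is an added example and not code from the post: it validates an auto.master file (absolute mount point, existing map file, options starting with an ASCII '-') and an indirect map such as auto.home (host:/path location, options starting with '-'). The typographic-dash check matters because copying "--timeout=90" from a web page often yields an en dash. The sample maps are constructed; the file paths are parameters.

```shell
# Added example, not part of the original post. Checks the flat automount maps
# for the mistakes that make autofs silently ignore an entry: a relative mount
# point, a missing map file, a location that is not host:/path, and an option
# that starts with a typographic dash instead of ASCII '-' (easy to pick up
# when copying "--timeout=90" from a web page). Paths are parameters; the
# sample maps below are constructed.

# check_auto_master FILE -> one "mountpoint map STATUS" line per entry,
# exit status 1 if any entry is BAD.
check_auto_master() {
    rc=0
    while read -r mnt map opts; do
        case $mnt in ''|\#*) continue ;; esac
        status=OK
        case $mnt in /*) ;; *) status="BAD mount point not absolute" ;; esac
        [ -f "$map" ] || status="BAD map file $map missing"
        for o in $opts; do
            case $o in -*) ;; *) status="BAD option '$o' does not start with ASCII -" ;; esac
        done
        [ "$status" = OK ] || rc=1
        printf '%s %s %s\n' "$mnt" "$map" "$status"
    done < "$1"
    return $rc
}

# check_auto_map FILE -> prints the number of valid "key [-opts] host:/path"
# entries; exit status 1 if any entry is malformed.
check_auto_map() {
    good=0; rc=0
    while read -r key rest; do
        case $key in ''|\#*) continue ;; esac
        loc=${rest##* }                   # last token is the location
        opts=${rest% "$loc"}              # everything before it (may be empty)
        [ "$opts" = "$rest" ] && opts=""  # no options given at all
        ok=1
        case $loc in *:/*) ;; *) ok=0 ;; esac
        for o in $opts; do case $o in -*) ;; *) ok=0 ;; esac; done
        if [ "$ok" -eq 1 ]; then good=$((good + 1)); else rc=1; fi
    done < "$1"
    echo "$good"
    return $rc
}

# Constructed sample maps mirroring the /home setup described above.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/auto.home" <<'EOF'
# wildcard key: every user gets NFS_SERVER:/home/<user> mounted at /home/<user>
* -fstype=nfs4,rw,proto=tcp,port=2049 NFS_SERVER:/home
EOF
printf '/home %s --timeout=90\n' "$TMP/auto.home" > "$TMP/auto.master"
# Same entry with an en dash (U+2013) before "timeout", as a copy-paste can produce.
printf '/home %s \342\200\223timeout=90\n' "$TMP/auto.home" > "$TMP/auto.master.bad"

check_auto_master "$TMP/auto.master"
check_auto_master "$TMP/auto.master.bad" || echo "bad master rejected"
echo "valid auto.home entries: $(check_auto_map "$TMP/auto.home")"
```

Point both functions at /etc/auto.master and /etc/auto.home before restarting autofs; a BAD line is cheaper to find here than by reading the autofs debug output after a failed login.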
Automounts and LDAP
On the OpenLDAP server and Linux clients, both of which are Ubuntu, install the autofs-ldap package:
apt-get install autofs-ldap
On the LDAP server, edit /etc/ldap/slapd.conf and add this line after the core.schema and cosine.schema lines:
include /etc/ldap/schema/autofs.schema
Restart the directory with /etc/init.d/slapd restart. Now we need to add automount information into the LDAP tree. Here's a good LDIF file to start (entries are separated by blank lines, and each container comes before the entries under it, which ldapadd requires):
dn: ou=auto.master, dc=scriptforge,dc=org
ou: auto.master
objectClass: top
objectClass: automountMap

dn: cn=/home,ou=auto.master, dc=scriptforge,dc=org
objectClass: automount
automountInformation: ldap:serenity:ou=auto.home,dc=scriptforge,dc=org --timeout 90
cn: /home

dn: ou=auto.home, dc=scriptforge,dc=org
ou: auto.home
objectClass: top
objectClass: organizationalUnit

dn: cn=faulteh,ou=auto.home, dc=scriptforge,dc=org
objectClass: automount
automountInformation: -fstype=nfs4,rw,proto=tcp,port=2049,hard,intr serenity:/home/faulteh
cn: faulteh
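Writing one automount entry per user by hand does not scale past a handful of accounts, and getting the entry order wrong makes ldapadd stop at the first child whose parent is not there yet. The script below is an added example, not code from the post: it generates the automount LDIF for a list of users with every container ahead of its children, and includes a checker that verifies that ordering on any LDIF. Unlike the LDIF above, it uses objectClass automountMap for both map containers. The base DN, the server name and the user list are parameters; the dc=example,dc=org sample is constructed, and the admin DN in the usage comment is a placeholder.

```shell
# Added example, not part of the original post. Generates the automount LDIF
# for a list of users with every parent entry before its children (ldapadd
# processes a file top to bottom and rejects a child whose parent is not there
# yet), plus a checker that verifies that ordering on any LDIF. Unlike the
# post, both map containers use objectClass automountMap. BASE, NFS_SERVER
# and the user list are parameters; the sample values below are constructed.

# automount_ldif BASE NFS_SERVER USER... -> LDIF on stdout
automount_ldif() {
    base=$1; server=$2; shift 2
    # map containers first
    for map in auto.master auto.home; do
        printf 'dn: ou=%s,%s\nou: %s\nobjectClass: top\nobjectClass: automountMap\n\n' \
            "$map" "$base" "$map"
    done
    # /home key in auto.master points autofs at the auto.home map held in LDAP
    printf 'dn: cn=/home,ou=auto.master,%s\ncn: /home\nobjectClass: automount\n' "$base"
    printf 'automountInformation: ldap:%s:ou=auto.home,%s --timeout 90\n\n' "$server" "$base"
    # one key per user, each mounting NFS_SERVER:/home/<user>
    for u in "$@"; do
        printf 'dn: cn=%s,ou=auto.home,%s\ncn: %s\nobjectClass: automount\n' "$u" "$base" "$u"
        printf 'automountInformation: -fstype=nfs4,rw,proto=tcp,port=2049,hard,intr %s:/home/%s\n\n' \
            "$server" "$u"
    done
}

# ldif_parents_first BASE < file.ldif
# Prints "ok" when every dn's parent is BASE or an entry seen earlier in the
# file; otherwise prints the first dn that ldapadd would reject.
ldif_parents_first() {
    awk -v base="$1" '
        /^dn: / {
            dn = substr($0, 5)
            parent = dn; sub(/^[^,]*,[ ]*/, "", parent)
            if (parent != base && !(parent in seen)) { print dn; bad = 1; exit }
            seen[dn] = 1
        }
        END { if (!bad) print "ok" }'
}

# Constructed LDIF with the child listed before its container, to show what
# the checker reports.
MISORDERED='dn: cn=alice,ou=auto.home,dc=example,dc=org
cn: alice
objectClass: automount
automountInformation: -fstype=nfs4 fs1:/home/alice

dn: ou=auto.home,dc=example,dc=org
ou: auto.home
objectClass: top
objectClass: automountMap
'

automount_ldif "dc=scriptforge,dc=org" serenity faulteh
echo "generated order: $(automount_ldif dc=scriptforge,dc=org serenity faulteh | ldif_parents_first dc=scriptforge,dc=org)"
echo "misordered sample: $(printf '%s' "$MISORDERED" | ldif_parents_first dc=example,dc=org)"
# To load the result (admin DN is a placeholder):
#   automount_ldif dc=scriptforge,dc=org serenity faulteh | ldapadd -x -D 'cn=admin,dc=scriptforge,dc=org' -W
```

The checker only looks at entry order within one file, so run it on the file before ldapadd; if the containers already exist in the directory from an earlier load, ldapadd will report them as duplicates and those entries can simply be dropped from the file.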
Open the directory viewer in a web browser and see what this LDIF has done. Now we need the client to get this information instead of using the /etc/auto.* files.
Edit the file /etc/nsswitch.conf to add the line:
automount: ldap
Edit the file /etc/ldap/ldap.conf to change the BASE and URI to suit your server. After restarting autofs with /etc/init.d/autofs restart and logging in with ssh, everything should be working.