Work in progress
This site is in the process of being reviewed and updated.
Introduction
Joining Linux hosts to an LDAP realm gives central management of accounts, central authentication, and single sign-on: one user name and password on every member host.
Steps
- Configure schema.
- Configure ACI.
- Configure partitions.
- Configure admin.
- Configure indices.
- Load LDIF.
- Load users.
- Load groups.
- Load automounts.
- Configure clients.
Create the Directory Structure
Each entry in the directory is identified uniquely by a distinguished name (dn). The dn of the example.com root entry is dc=example,dc=com. An organizationalUnit (ou) groups entries below it. The directory structure is shown in Listing 2.
Listing 2. LDAP distinguished names are organized into a tree of organizational units.
+ dc=example,dc=com
|- ou=Users                    Persons
|  |- ou=contacts,ou=people    Email contacts
|- ou=Groups                   System groups
|- ou=auto.master              Automount master map
|- ou=auto.home                Automount map
|- ou=auto.misc                Automount map
|- ou=Machines                 Machine accounts
We create the top-level entries (the root entry and the organizational units) in LDAP Data Interchange Format (LDIF) and save them to example.ldif.
Choosing a UID/GID Scheme
By storing user account information in Apache Directory, you can use the same user name and password on any Linux machine. To start, decide which user names are entered in LDAP and which numeric ranges the LDAP and local accounts use.

Typical User Scheme for UID/GIDs

Type of account | UID
---|---
System accounts | UID < 500
Local users and groups | 499 < UID < 1,000
Single sign-on accounts | UID > 999

This scheme keeps local users and groups and single sign-on accounts in disjoint ranges. The ranges must not overlap: nsswitch.conf consults files before ldap, so a local account with the same uidNumber as a directory account would shadow it and own the same files on NFS. The sample entries below use 5000 and up.
Creating user entries
A user login entry is identified by the login name as uid. Login users are members of ou=Users, resulting in this dn:
dn: uid=hnelson,ou=Users,dc=example,dc=com
The full entry carries the inetOrgPerson attributes plus the posixAccount and shadowAccount attributes that the NSS and PAM modules need to resolve and authenticate the account. The primary group (gidNumber) is the user private group defined in the next section:

dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: hnelson
cn: Horatio Nelson
sn: Nelson
givenName: Horatio
displayName: Horatio Nelson
gecos: Horatio Nelson
description: Horatio Nelson
mail: Horatio.Nelson@example.com
uidNumber: 5000
gidNumber: 5000
homeDirectory: /h/hnelson
loginShell: /bin/bash
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
Add the user entries with ldapadd, binding as the Apache Directory admin, and then verify them with an ldapsearch. Note that -x is a simple bind: the admin password crosses the wire in clear unless the connection is TLS-protected, so use an ldaps:// URI or -ZZ (StartTLS) against a production server:
ldapadd -x -D 'uid=admin,ou=system' -W -f Users.ldif
Because the user entries are inetOrgPerson objects with a mail attribute, a mail client pointed at ou=Users can look up e-mail addresses in the directory.
Creating Group Entries
You need a group entry for each group shared between multiple Linux computers. Each user also needs a group entry for the user private group, whose gidNumber is the user's primary gidNumber. A group entry is identified by cn, and each group belongs to ou=Groups. For example:
dn: cn=hnelson,ou=Groups,dc=example,dc=com
A user private group would look like this:
dn: cn=hnelson,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: hnelson
userPassword: {crypt}x
gidNumber: 5000
A shared group would look like:
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: developers
gidNumber: 5001
memberUid: hnelson
memberUid: whornblower
Add the group entries to LDAP and test with an ldapsearch command:
ldapadd -x -D 'uid=admin,ou=system' -W -f group.ldif
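The user and group entries above are easy to write by hand for two accounts and easy to get wrong for two hundred. The following script is an added example for this page (not Apache Directory code): it emits the same inetOrgPerson/posixAccount/shadowAccount and posixGroup entries, hashes passwords in the {SSHA} form the page shows (salted SHA-1 with the salt appended to the digest), and refuses to emit LDIF if any uidNumber or gidNumber is reused, if an account falls outside its range, or if a user's primary gidNumber has no matching posixGroup. It assumes user uidNumbers occupy 1000..19999 and machine uidNumbers start at 20000 (taken from the note in the LDIF file table), homes under /h, and the names and passwords in example_tree() are constructed for the example.

```python
"""Generate and sanity-check LDIF for the example.com tree (added example for
this page, not Apache Directory code). Assumptions beyond what the page shows:
user uidNumbers occupy 1000..19999 and machine uidNumbers start at 20000 (from
the "users at 1000, machines at 20000" note); homes live under /h; the sample
names and passwords below are constructed."""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=com"
USER_UIDS = range(1000, 20000)        # single sign-on accounts (UID > 999)
MACHINE_UIDS = range(20000, 1 << 31)  # machine accounts; the upper bound is an assumption

def ssha(password, salt=None):
    """{SSHA} exactly as on the page: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Recompute with the salt that follows the 20-byte digest; constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)

def user_entry(login, first, last, uid_number, password, gid_number=None):
    """inetOrgPerson + posixAccount + shadowAccount; the primary group defaults to
    the user private group, whose gidNumber equals the uidNumber."""
    gid_number = uid_number if gid_number is None else gid_number
    full = f"{first} {last}"
    return [("dn", f"uid={login},ou=Users,{BASE_DN}"),
            ("objectClass", "top"), ("objectClass", "inetOrgPerson"),
            ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
            ("uid", login), ("cn", full), ("sn", last), ("givenName", first),
            ("displayName", full), ("gecos", full),
            ("mail", f"{first}.{last}@example.com"),
            ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
            ("homeDirectory", f"/h/{login}"), ("loginShell", "/bin/bash"),
            ("userPassword", ssha(password))]

def group_entry(name, gid_number, members=()):
    """posixGroup; with no memberUid values it is a user private group."""
    return [("dn", f"cn={name},ou=Groups,{BASE_DN}"),
            ("objectClass", "top"), ("objectClass", "posixGroup"),
            ("cn", name), ("gidNumber", str(gid_number))] + [("memberUid", m) for m in members]

def values(entry, name):
    """All values of one attribute (attribute names are case-insensitive in LDAP)."""
    return [v for a, v in entry if a.lower() == name.lower()]

def to_ldif(entries):
    """One 'attr: value' line per attribute, a blank line between entries. Values are
    assumed ASCII with no leading space or colon (otherwise LDIF needs base64 '::')."""
    return "\n".join("\n".join(f"{a}: {v}" for a, v in e) + "\n" for e in entries)

def check_ids(entries):
    """Problems to catch before ldapadd: duplicate uidNumber/gidNumber, accounts
    outside their range, and a primary gidNumber with no posixGroup entry."""
    problems, uids, gids = [], {}, {}
    for e in entries:
        if "posixGroup" in values(e, "objectClass"):
            dn, g = values(e, "dn")[0], int(values(e, "gidNumber")[0])
            if g in gids:
                problems.append(f"gidNumber {g} used by {gids[g]} and {dn}")
            gids[g] = dn
    for e in entries:
        if "posixAccount" not in values(e, "objectClass"):
            continue
        dn, n = values(e, "dn")[0], int(values(e, "uidNumber")[0])
        if n in uids:
            problems.append(f"uidNumber {n} used by {uids[n]} and {dn}")
        uids[n] = dn
        wanted = MACHINE_UIDS if ",ou=Machines," in dn else USER_UIDS
        if n not in wanted:
            problems.append(f"{dn}: uidNumber {n} outside {wanted.start}..{wanted.stop - 1}")
        if int(values(e, "gidNumber")[0]) not in gids:
            problems.append(f"{dn}: primary gidNumber has no posixGroup entry")
    return problems

def example_tree():
    """The page's two users and three groups (names and passwords constructed)."""
    return [user_entry("hnelson", "Horatio", "Nelson", 5000, "trafalgar-1805"),
            user_entry("whornblower", "William", "Hornblower", 5002, "hotspur-1803"),
            group_entry("hnelson", 5000),
            group_entry("whornblower", 5002),
            group_entry("developers", 5001, ["hnelson", "whornblower"])]

if __name__ == "__main__":
    for p in check_ids(example_tree()):
        raise SystemExit(f"refusing to emit LDIF: {p}")
    print(to_ldif(example_tree()), end="")
```

Run it with the output redirected to a file and feed that file to the ldapadd command shown above; the script exits non-zero instead of producing LDIF whenever check_ids finds a collision, which is the check the "should not be repeated" warning in the file table asks for. {SSHA} is a single unsalted-iteration SHA-1 and is used here only because it is the format on the page; if the server and the PAM clients accept a slower salted scheme, prefer it, and never ship the cleartext passwords alongside the generated LDIF.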
Populating the Database
These are the LDIF files used to populate the database, in load order:

File | Contents
---|---
rootdn.ldif | The main organization entry for the database as well as the administrative user.
ou.ldif | The organizational units: Automount, Users, Groups, Machines, Idmap.
person.ldif | A sample user entry.
group.ldif | Unix groups.
machines.ldif | Machine accounts. The objectClasses for user accounts and machine accounts are different. Take care when assigning uidNumber values to new user and machine accounts: a value must never be reused. Note that we start users at 1000 and machines at 20000.
auto.direct.ldif | Automount maps.
auto.home.ldif | Entries to automount home directories. Note: we do this with a single wildcard entry instead of adding one entry per user. Linux autofs reads the auto.home map and uses / as the wildcard key, while Solaris reads auto_home and uses * as the wildcard.
auto.master.ldif | Information about the available maps, read by the automount daemon.
Configure the Linux LDAP Client
For users, verify that /etc/nsswitch.conf has the following entries (files first, so root and local service accounts still resolve when the directory is unreachable):

passwd: files ldap
shadow: files ldap
group:  files ldap

For autofs, verify that /etc/nsswitch.conf has the following entry:

automount: files ldap

Verify that /etc/ldap.conf, read by the nss_ldap and pam_ldap modules, has these entries:

host ldap1.example.com
base dc=example,dc=com

Verify that /etc/openldap/ldap.conf, read by the OpenLDAP command-line tools such as ldapsearch, has these entries:

HOST ldap1.example.com
BASE dc=example,dc=com

With only host and base set, NSS lookups and PAM binds travel in clear text; on anything but a lab network, configure both files for TLS (an ldaps:// URI or StartTLS, plus the CA certificate so the client verifies the server it hands passwords to).
Final Linux Server Configuration
The LDAP users' password and group entries must be removed from the local password and group files on the NFS server where home directories live; otherwise the files source, which nsswitch.conf consults first, shadows the directory entry with a local copy that has its own password. Create backups and then edit /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow to remove only the real-person entries now served from LDAP. Keep root and local service accounts in the files so the server stays administrable when the directory is down.