Work in progress

This site is in the process of being reviewed and updated.

Introduction

The advantages of realm membership are central management and authentication, and single sign-on.

Steps

  1. Configure schema.
  2. Configure ACI.
  3. Configure partitions.
  4. Configure admin.
  5. Configure indices.
  6. Load LDIF.
  7. Load users.
  8. Load groups.
  9. Load automounts.
  10. Configure clients.

Create the Directory Structure

Each entry in the directory is identified uniquely by a distinguished name (dn); the dn for example.com is dc=example,dc=com. Organizational units (ou) provide a way to group entries beneath it. The directory structure is shown in Listing 2.

Listing 2. LDAP distinguished names are organized into a tree of organizational units.

+ dc=example,dc=com
|- ou=Users                   Persons
|  |- ou=contacts,ou=people   Email contacts
|- ou=Groups                  System groups
|- ou=auto.master             Automount master map
|- ou=auto.home               Automount map
|- ou=auto.misc               Automount map
|- ou=Machines                Machine accounts

We create the top-level entries in LDAP Data Interchange Format (LDIF) and save them to example.ldif.

Choosing a UID/GID Scheme

By storing user account information in Apache Directory, you can use the same user name and password on any Linux machine. To start, you must decide which user names should be entered in LDAP.

Typical User Scheme for UID/GIDs

Type of account             UID
System accounts             UID < 500
Local users and groups      499 < UID < 1,000
Single sign-on accounts     UID > 999

This user scheme allows for local users and groups and single sign-on accounts.

Creating user entries

A user login entry is identified by its login name in the uid attribute. Login users are members of ou=Users, resulting in this dn:

dn: uid=hnelson,ou=Users,dc=example,dc=com

The full entry contains attributes that are needed to control account access.

dn: uid=hnelson,ou=Users,dc=example,dc=com
uid: hnelson
cn: Horatio Nelson
sn: Nelson
givenName: Horatio
mail: Horatio.Nelson@example.com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 5000
homeDirectory: /h/hnelson
loginShell: /bin/bash
description: Horatio Nelson
displayName: Horatio Nelson
gecos: Horatio Nelson
gidNumber: 500
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

Add the user entries to LDAP and test with an ldapsearch command, as discussed above:

ldapadd -x -D 'uid=admin,ou=system' -W -f Users.ldif

Because the login users belong to ou=Users, you now may look up their e-mail addresses within your e-mail client.

Creating Group Entries

You need to make a group entry for each group to be shared between multiple Linux computers. Each user also needs a group entry for the user private group. A group entry is identified by cn, and each group belongs to ou=Groups. For example:

dn: cn=hnelson,ou=Groups,dc=example,dc=com

A user private group would look like this:

dn: cn=hnelson,ou=Groups,dc=example,dc=com
objectclass: posixGroup
objectclass: top
cn: hnelson
userPassword: {crypt}x
gidNumber: 5000

A shared group would look like:

dn: cn=developers,ou=Groups,dc=example,dc=com
objectclass: posixGroup
objectclass: top
cn: developers
gidNumber: 5001
memberUid: hnelson
memberUid: whornblower

Add the group entries to LDAP and test with an ldapsearch command:

ldapadd -x -D 'uid=admin,ou=system' -W -f group.ldif

Populating the Database

This is a compilation of ldif files used to populate the database.

rootdn.ldif

The main organization entry for the database as well as the administrative user.

ou.ldif

The organizational units: Automount, Users, Groups, Machines, Idmap.

person.ldif

A sample user entry.

group.ldif

Unix groups.

machines.ldif

Machine accounts. User accounts and machine accounts use different objectClasses. Take care when assigning uid numbers to new user and machine accounts: a number must never be reused. Note that we start users at 1000 and machines at 20000.

auto.direct.ldif

Automount maps.

auto.home.ldif

Entries to automount home directories. Note that we do this with wildcards instead of adding one entry per user. Linux uses the auto.home map with / as the wildcard key, while Solaris uses auto_map with * as the wildcard key.

auto.master.ldif

Information about available maps. Used by the automount daemon.
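Before loading the user and machine files above, it is worth checking them against the scheme on this page: single sign-on accounts start at 1000, a uid number is never shared between a user and a machine, passwords carry a hash scheme prefix, and no login user still has a local /etc/passwd entry that would shadow the LDAP one under "files ldap". The following Python check is an added example and not part of the page or of Apache Directory; the LDIF entries, the /etc/passwd lines and the 1000 cutoff are constructed from the scheme described above.

```python
import re
from collections import Counter

# Constructed sample input (not the page's own ldif files): one login user and one
# machine account that wrongly reuses the user's uidNumber, plus two /etc/passwd lines.
SAMPLE_LDIF = """\
dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: hnelson
cn: Horatio Nelson
uidNumber: 5000
gidNumber: 500
homeDirectory: /h/hnelson
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: uid=ws01$,ou=Machines,dc=example,dc=com
objectClass: posixAccount
uid: ws01$
cn: ws01
uidNumber: 5000
userPassword: secret
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nhnelson:x:5000:500::/h/hnelson:/bin/bash\n"

def parse_ldif(text):
    """One {attr: [values]} dict per entry; folded continuation lines are joined first."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check(ldif_text, passwd_text, sso_min=1000):
    """Return (dn, problem) tuples for entries that break the UID scheme."""
    entries, problems = parse_ldif(ldif_text), []
    uid_count = Counter(e["uidNumber"][0] for e in entries if "uidNumber" in e)
    local = {l.split(":")[0] for l in passwd_text.splitlines() if l}
    for e in entries:
        dn, n = e["dn"][0], e.get("uidNumber", [None])[0]
        if n and uid_count[n] > 1:        # a uid number must never be reused
            problems.append((dn, f"uidNumber {n} reused"))
        if n and "ou=Users" in dn and int(n) < sso_min:
            problems.append((dn, f"uidNumber {n} below single sign-on range"))
        if any(not v.startswith("{") for v in e.get("userPassword", [])):
            problems.append((dn, "userPassword has no {scheme} prefix (cleartext)"))
        if "ou=Users" in dn and e["uid"][0] in local:   # 'files ldap': local entry wins
            problems.append((dn, "still present in local /etc/passwd"))
    return problems
```

Run check() over the real Users.ldif and machines.ldif text together with the NFS server's /etc/passwd before the ldapadd step; an empty list means the files agree with the scheme.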

Configure the Linux LDAP Client

For users, verify that /etc/nsswitch.conf has the following entries:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

For autofs, verify that /etc/nsswitch.conf has the following entry:

automount:  files ldap

Verify that /etc/ldap.conf has these entries:

host ldap1.example.com
base dc=example,dc=com

Verify that /etc/openldap/ldap.conf has these entries:

HOST ldap1.example.com
BASE dc=example,dc=com

Final Linux Server Configuration

The user's password and group entries must be removed from the password and group files on the NFS server where home directories live. Create backups, then edit /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow to remove the entries for real people that are now served from LDAP.
