Tim at 20:01, 29 September 2007

2007-09-29T20:01:01Z

←Older revision		Revision as of 20:01, 29 September 2007
Line 86:		Line 86:
	TLS_REQCERT demand<br/>		TLS_REQCERT demand<br/>
	</code>		</code>
		+
		+	[[Category:Admin]]

Evan at 22:16, 15 May 2006

2006-05-15T22:16:35Z

New page

== Migrating the User Database ==

The migrationtools package will generate LDIF files based on information in /etc/shadow and /etc/passwd. The ldapadd command can be used to import these files into the database. The migrationtools utilities may include certain Kerberos-related attributes in the LDIF fields that slapd may not understand. These should be removed before importing the LDIF files, or else ldapadd will give an error.

<code>
cd /usr/share/migrationtools 
./migrate_passwd.pl /etc/passwd | egrep -vi "krb|kerb" > /tmp/users.ldif 
./migrate_group.pl /etc/group > /tmp/groups.ldif 
ldapadd -D "cn=admin,dc=example,dc=com" -W -x -f /tmp/users.ldif 
ldapadd -D "cn=admin,dc=example,dc=com" -W -x -f /tmp/groups.ldif 
rm /tmp/groups.ldif /tmp/users.ldif 
</code>

== LDAP and NSS ==

To configure NSS to use LDAP for directory lookups, add the following to /etc/nsswitch.conf

<code>
passwd: ldap files 
group: ldap files 
shadow: ldap files 
</code>

== LDAP and PAM ==

Add the following to /etc/pam_ldap.conf to tell the pam_ldap module how to access the user directory over LDAP. This assumes the LDAP server is on localhost.

<code>
host 127.0.0.1 
base ou=People,dc=example,dc=com 
ldap_version 3 
rootbinddn cn=admin,dc=example,dc=com 
pam_password exop 
</code>

pam_password controls the hashing function used when changing passwords. The exop (extended operation) option is recommended, as then password are hashed using MD5 or SHA or whatever slapd is set up to use.

Add the following to the common files in /etc/pam.d in order to configure PAM to use LDAP in conjunction with /etc/passwd and /etc/shadow. This setup assumes that users exist in both /etc/shadow|passwd and in the LDAP directory. It may not be appropriate when only system users (such as root) exist in /etc/passwd and regular users exist only in the LDAP directory.

For /etc/pam.d/common-account:

<code>
account [success=1 default=ignore] pam_ldap.so 
account required pam_unix.so use_first_pass 
account required pam_permit.so 
</code>

For /etc/pam.d/comment-auth:

<code>
auth [success=1 default=ignore] pam_ldap.so 
auth required pam_unix.so try_first_pass 
auth required pam_permit.so 
</code>

For /etc/pam.d/common-password:

<code>
password required pam_ldap.so ignore_unknown_user 
password optional pam_unix.so nullok obscure min=6 md5 try_first_pass 
</code>

== LDAP and SSL ==

Add the following to slapd.conf to configure slapd to use TLS.

<code>TLSCipherSuite HIGH:MEDIUM:+SSLv2 
TLSCertificateFile /etc/ssl/certs/hostname.crt 
TLSCertificateKeyFile /etc/ssl/private/hostname.key 
TLSCACertificateFile /etc/ssl/CA/cacert.pem 
TLSVerifyClient demand</code>

TLSCertificateFile contains the server certificate used by slapd. TLSCertificateKeyFile contains the server key. TLSCACertificateFile contains the CA certificate which signed both server and client certificates. TLSVerifyClient determines how forgiving slapd should be with clients who provide faulty certificates - demand is the strongest form of verification.

You will also need to configure slapd to serve on port 636 (ldaps) as well as port 389 (ldap). Adding the following line to /etc/default/slapd will configure slapd to only listen on port 389 on localhost but accept connections on port 636 on all interfaces.

<code>
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:///"
</code>

LDAP clients will need to know the location of the CA certificate file in order to verify the server's identity. Add the following to /etc/ldap/ldap.conf:

<code>
TLS_CACERT /etc/ssl/antiflux/cacert.pem 
TLS_REQCERT demand 
</code>

Using LDAP for Authentication - Revision history

Tim at 20:01, 29 September 2007

Evan at 22:16, 15 May 2006