Difference between revisions of "Nss ldap"
Latest revision as of 16:25, 22 March 2009
Download Source: http://www.padl.com/download/nss_ldap-264.tar.gz
Introduction to Nss ldap
The resolution of the entities defined in RFC 2307 is generally performed by a set of UNIX C library calls (such as getpwnam() to return the attributes of a user). The nss_ldap module provides the means for Solaris and Linux workstations to retrieve this information (users, hosts, groups and the other RFC 2307 maps) from LDAP directories.
Project Homepage: http://www.padl.com/OSS/nss_ldap.html
Dependencies
Required
Optional
Non-Multilib
Compile the package:
./configure --prefix=/usr --exec-prefix= \
    --sysconfdir=/etc --mandir=/usr/share/man \
    --enable-configurable-krb5-ccname-env \
    --enable-configurable-krb5-ccname-gssapi \
    --enable-configurable-krb5-keytab &&
make
Install the package:
make install
Multilib
32Bit
Compile the package:
CC="gcc ${BUILD32}" USE_ARCH=32 \
./configure --prefix=/usr --exec-prefix= \
    --sysconfdir=/etc --mandir=/usr/share/man \
    --libdir=/lib \
    --enable-configurable-krb5-ccname-env \
    --enable-configurable-krb5-ccname-gssapi \
    --enable-configurable-krb5-keytab &&
make
Install the package:
make install
N32
Compile the package:
CC="gcc ${BUILDN32}" USE_ARCH=n32 \
./configure --prefix=/usr --exec-prefix= \
    --libdir=/lib32 \
    --sysconfdir=/etc --mandir=/usr/share/man \
    --enable-configurable-krb5-ccname-env \
    --enable-configurable-krb5-ccname-gssapi \
    --enable-configurable-krb5-keytab &&
make
Install the package:
make install
64Bit
Compile the package:
CC="gcc ${BUILD64}" USE_ARCH=64 \
./configure --prefix=/usr --exec-prefix= \
    --libdir=/lib64 \
    --sysconfdir=/etc --mandir=/usr/share/man \
    --enable-configurable-krb5-ccname-env \
    --enable-configurable-krb5-ccname-gssapi \
    --enable-configurable-krb5-keytab &&
make
Install the package:
make install
Configuring
Configuration Files
When the package was installed, the Makefile created an example ldap.conf in /etc. This file is more than a configuration for nss_ldap alone: it also configures pam_ldap and Sudo, among other packages.
Create a basic configuration for nss_ldap:
cat >/etc/ldap.conf << "EOF"
# Begin /etc/ldap.conf

uri ldap://<fqdn of ldap server>/
base <BASE DN>

ldap_version 3

bind_policy soft
bind_timelimit 30
timelimit 30

# NSS Section

nss_base_passwd ou=People,<BASE DN>
nss_base_group ou=Groups,<BASE DN>
nss_base_shadow ou=People,<BASE DN>

nss_base_hosts ou=Hosts,<BASE DN>
nss_base_networks ou=Networks,<BASE DN>

nss_base_protocols ou=Protocols,<BASE DN>
nss_base_services ou=Services,<BASE DN>
nss_base_rpc ou=Rpc,<BASE DN>

nss_reconnect_tries 3

# End /etc/ldap.conf
EOF

Two points to keep in mind with this file. The uri is plain ldap://, so with nss_base_shadow pointing at the directory, password hashes cross the network unencrypted; add ssl start_tls together with tls_checkpeer yes and tls_cacertfile (or use an ldaps:// uri) before relying on it. And because nss_ldap is loaded into every process that performs a name lookup, /etc/ldap.conf must stay world-readable: never put a bindpw in it. If root needs to read shadow entries, use rootbinddn and keep the password in /etc/ldap.secret with mode 600.
Create a new nsswitch.conf that consults nss_ldap after the local files:

cat > /etc/nsswitch.conf << "EOF"
# Begin /etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns [UNAVAIL=return] ldap
networks: files ldap

protocols: files ldap
services: files ldap
ethers: files
rpc: files ldap

# End /etc/nsswitch.conf
EOF

Note: the [UNAVAIL=return] condition on the hosts line prevents a circular lookup that would loop indefinitely if the DNS server is down. Without it, resolving the LDAP server's own hostname would fall through to ldap, and nss_ldap needs that hostname resolved before it can connect.
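The ldap.conf and nsswitch.conf above are the two files that decide whether this setup is safe on a shared network. As an added example that is not part of the original page or of the nss_ldap package, the script below audits copies of both files for the points that matter: a clear-text ldap:// uri without ssl start_tls, TLS without tls_checkpeer yes, a bindpw sitting in the world-readable ldap.conf, loose permissions on ldap.secret, and a hosts line that lists ldap without the dns [UNAVAIL=return] guard. The option names (ssl, tls_checkpeer, tls_cacertfile, rootbinddn, bindpw) are nss_ldap's own ldap.conf keywords; the host ldap.example.org, the base dc=example,dc=org, the CA file path and the cn=nss-reader account are placeholders, and the two sample configurations are constructed for the example, the weak one being this page's file plus a binddn/bindpw pair that is often added to it.

```shell
#!/bin/sh
# Added audit helper for nss_ldap's ldap.conf and nsswitch.conf; not part of
# the nss_ldap package. Paths are parameters so it can run against copies.

# audit_ldap_conf CONF [SECRET]
# Prints one "FINDING:" line per problem; the return value is the count.
audit_ldap_conf() {
    conf=$1
    secret=${2:-$(dirname "$conf")/ldap.secret}
    n=0
    # Drop comments and blank lines once; every check greps this copy.
    body=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$')
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }

    # ldap:// is clear text unless StartTLS is requested in the same file.
    if has '^[[:space:]]*uri[[:space:]]+ldap://' && ! has '^[[:space:]]*ssl[[:space:]]+start_tls'; then
        echo "FINDING: uri ldap:// without 'ssl start_tls': passwd/shadow lookups cross the network in clear"
        n=$((n + 1))
    fi
    # TLS without tls_checkpeer yes accepts whatever certificate the server presents.
    if has '^[[:space:]]*(ssl[[:space:]]+(start_tls|on|yes)|uri[[:space:]]+ldaps://)' \
       && ! has '^[[:space:]]*tls_checkpeer[[:space:]]+yes'; then
        echo "FINDING: TLS enabled but 'tls_checkpeer yes' is missing: server certificate not verified"
        n=$((n + 1))
    fi
    # Every process doing a lookup loads nss_ldap and reads ldap.conf, so the
    # file must be world-readable and a bindpw in it is a password for everyone.
    if has '^[[:space:]]*bindpw[[:space:]]'; then
        echo "FINDING: bindpw in $conf: the file is world-readable, use rootbinddn with ldap.secret instead"
        n=$((n + 1))
    fi
    # rootbinddn takes its password from ldap.secret, which must be root-only.
    if has '^[[:space:]]*rootbinddn[[:space:]]'; then
        if [ ! -f "$secret" ]; then
            echo "FINDING: rootbinddn set but $secret is missing"
            n=$((n + 1))
        elif [ "$(ls -l "$secret" | cut -c5-10)" != "------" ]; then
            echo "FINDING: $secret is readable by group or other; chmod 600 it"
            n=$((n + 1))
        fi
    fi
    return $n
}

# count_findings CONF [SECRET]: the finding count on stdout, always succeeds.
count_findings() { audit_ldap_conf "$@" | grep -c '^FINDING:' || true; }

# audit_nsswitch NSSWITCH: returns 1 if ldap is on the hosts line without
# "dns [UNAVAIL=return]" in front of it (the recursion guard explained above).
audit_nsswitch() {
    hosts=$(grep -E '^[[:space:]]*hosts:' "$1")
    if printf '%s\n' "$hosts" | grep -q ldap \
       && ! printf '%s\n' "$hosts" | grep -Eq 'dns[[:space:]]+\[UNAVAIL=return\][[:space:]]+ldap'; then
        echo "FINDING: hosts line lists ldap without 'dns [UNAVAIL=return]' in front of it"
        return 1
    fi
    return 0
}

# Constructed samples (ldap.example.org, dc=example,dc=org, the CA path and the
# nss-reader account are placeholders). Each writer takes a scratch directory
# and prints the path it wrote.
write_weak_conf() {
    cat > "$1/ldap.conf.weak" <<'EOF'
uri ldap://ldap.example.org/
base dc=example,dc=org
binddn cn=nss-reader,ou=People,dc=example,dc=org
bindpw not-a-real-password
nss_base_passwd ou=People,dc=example,dc=org
nss_base_shadow ou=People,dc=example,dc=org
EOF
    echo "$1/ldap.conf.weak"
}

write_hardened_conf() {
    cat > "$1/ldap.conf" <<'EOF'
uri ldap://ldap.example.org/
base dc=example,dc=org
# StartTLS on port 389 and verify the server certificate against the site CA.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
# Root binds as a dedicated read-only account for shadow entries; the
# password lives in ldap.secret (mode 600), never in this file.
rootbinddn cn=nss-reader,ou=People,dc=example,dc=org
nss_base_passwd ou=People,dc=example,dc=org
nss_base_shadow ou=People,dc=example,dc=org
EOF
    # ldap.secret holds only the rootbinddn password (placeholder value here).
    (umask 077; echo 'not-a-real-password' > "$1/ldap.secret")
    echo "$1/ldap.conf"
}

# Stand-alone run: audit both samples in a scratch directory.
scratch=$(mktemp -d)
for f in "$(write_weak_conf "$scratch")" "$(write_hardened_conf "$scratch")"; do
    echo "== $f"
    audit_ldap_conf "$f" && echo "   no findings" || echo "   $? finding(s)"
done
rm -rf "$scratch"
```

To check a live system, copy /etc/ldap.conf and /etc/ldap.secret into a scratch directory and call audit_ldap_conf on the copy (the secret's mode is preserved by cp -p), and call audit_nsswitch on /etc/nsswitch.conf directly. The weak sample produces two findings (clear-text uri and bindpw); the hardened one produces none, and loosening the mode of ldap.secret adds one.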
LDAP Directory Entries
The structure of this directory serves only as an example; you are not bound to follow it to the letter. The following ldif creates the basic OUs that nss_ldap will look for in the directory:
for ou in Aliases Groups Hosts Mounts \
          Netgroup Networks People Protocols \
          Rpc Services; do
    echo
    echo "dn: ou=$ou,<BASE DN>"
    echo "objectClass: top"
    echo "objectClass: organizationalUnit"
    echo "ou: $ou"
    echo
done > temp.ldif
Verify the ldif in a text editor, then import it with the following command:

ldapadd -f temp.ldif -x -D "cn=Manager,<BASE DN>" -W

The -x flag selects a simple bind and -W prompts for the Manager password, so unless this runs on the directory host itself, add -ZZ (StartTLS, failing if it cannot be negotiated) or point -H at an ldaps:// URI; otherwise the directory manager's password crosses the network in clear.