Nss ldap

From CBLFS
Latest revision as of 17:25, 22 March 2009

Download Source: http://www.padl.com/download/nss_ldap-264.tar.gz

Introduction to Nss ldap

The resolution of the entities defined in RFC 2307 is generally performed by a set of UNIX C library calls (such as getpwnam() to return the attributes of a user). The nss_ldap module provides the means for Solaris and Linux workstations to retrieve this information (such as users, hosts, and groups) from LDAP directories.

Project Homepage: http://www.padl.com/OSS/nss_ldap.html

Dependencies

Required

Optional

Non-Multilib

Compile the package:

./configure --prefix=/usr --exec-prefix= \
    --sysconfdir=/etc --mandir=/usr/share/man \
    --enable-configurable-krb5-ccname-env \
    --enable-configurable-krb5-ccname-gssapi \
    --enable-configurable-krb5-keytab &&
make

Install the package:

make install

Multilib

32Bit

Compile the package:

CC="gcc ${BUILD32}" USE_ARCH=32 \
./configure --prefix=/usr --exec-prefix= \
    --sysconfdir=/etc --mandir=/usr/share/man \
    --libdir=/lib \
    --enable-configurable-krb5-ccname-env \
    --enable-configurable-krb5-ccname-gssapi \
    --enable-configurable-krb5-keytab &&
make

Install the package:

make install

N32

Compile the package:

CC="gcc ${BUILDN32}" USE_ARCH=n32 \
./configure --prefix=/usr --exec-prefix= \
    --libdir=/lib32 \
    --sysconfdir=/etc --mandir=/usr/share/man \
    --enable-configurable-krb5-ccname-env \
    --enable-configurable-krb5-ccname-gssapi \
    --enable-configurable-krb5-keytab &&
make

Install the package:

make install

64Bit

Compile the package:

CC="gcc ${BUILD64}" USE_ARCH=64 \
./configure --prefix=/usr --exec-prefix= \
    --libdir=/lib64 \
    --sysconfdir=/etc --mandir=/usr/share/man \
    --enable-configurable-krb5-ccname-env \
    --enable-configurable-krb5-ccname-gssapi \
    --enable-configurable-krb5-keytab &&
make

Install the package:

make install

Configuring

Configuration Files

When the package was installed, the Makefile will have created an example ldap.conf in /etc. This file is more than a configuration for nss_ldap alone: it also configures pam_ldap and Sudo, among other packages.

Create a basic configuration for nss_ldap:

cat >/etc/ldap.conf << "EOF"
# Begin /etc/ldap.conf

uri ldap://<fqdn of ldap server>/
base <BASE DN>

ldap_version 3

bind_policy soft
bind_timelimit 30
timelimit 30

# NSS Section

nss_base_passwd         ou=People,<BASE DN>
nss_base_group          ou=Groups,<BASE DN>
nss_base_shadow         ou=People,<BASE DN>

nss_base_hosts          ou=Hosts,<BASE DN>
nss_base_networks       ou=Networks,<BASE DN>

nss_base_protocols      ou=Protocols,<BASE DN>
nss_base_services       ou=Services,<BASE DN>
nss_base_rpc            ou=Rpc,<BASE DN>

nss_reconnect_tries     3

# End /etc/ldap.conf
EOF

Create a new nsswitch.conf that knows to look at nss_ldap for information:

cat > /etc/nsswitch.conf << "EOF"
# Begin /etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns [UNAVAIL=return] ldap
networks: files ldap

protocols: files ldap
services: files ldap
ethers: files
rpc: files ldap

# End /etc/nsswitch.conf
EOF
Note

The [UNAVAIL=return] condition on the hosts line prevents a circular lookup that would loop indefinitely if the DNS server is down: nss_ldap has to resolve the LDAP server's hostname through this same hosts line, so without the action a failed DNS lookup would fall through to ldap, which would in turn need the hostname again.
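The two properties the nsswitch.conf above depends on (local files consulted before the directory for the account databases, and an action between dns and ldap on the hosts line) are easy to lose in a later edit. The following script, an added example and not part of the CBLFS page, checks a given nsswitch.conf for both and reports what it finds; the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CBLFS page: check an nsswitch.conf for the two
# properties the page's configuration relies on before nss_ldap goes live.
#  1. passwd, group and shadow list "files" before "ldap", so local accounts
#     (root in particular) still resolve when the directory is unreachable.
#  2. the hosts line carries an [...=return] action between "dns" and "ldap";
#     without it a DNS outage sends the LDAP server's own hostname lookup back
#     into nss_ldap and the lookup loops.

# check_nsswitch FILE: print one line per problem, return 0 when none found
check_nsswitch() {
    file=$1
    problems=0
    for db in passwd group shadow; do
        # sources listed for this database (everything after "db:")
        src=$(awk -v key="$db:" '$1 == key { $1 = ""; print; exit }' "$file")
        case "$src" in
            *files*ldap*) ;;                                          # files before ldap
            *ldap*)  echo "$db: ldap is consulted before files"; problems=1 ;;
            *)       echo "$db: ldap source missing";            problems=1 ;;
        esac
    done
    hosts=$(awk '$1 == "hosts:" { $1 = ""; print; exit }' "$file")
    case "$hosts" in
        *dns*"["*"=return]"*ldap*) ;;                                 # dns [X=return] ldap
        *dns*ldap*) echo "hosts: no [UNAVAIL=return] between dns and ldap"; problems=1 ;;
        *) ;;                                                         # no dns+ldap pair: nothing to loop
    esac
    return $problems
}

# Constructed sample files (not taken from a real system).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns [UNAVAIL=return] ldap
EOF

BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
passwd: ldap files
group: files ldap
shadow: files
hosts: files dns ldap
EOF

check_nsswitch "$GOOD_CONF" && echo "good sample: ok"
check_nsswitch "$BAD_CONF" || echo "bad sample: problems found"
```

Run it against /etc/nsswitch.conf instead of the samples to check a real installation; a non-zero exit status means at least one line needs attention.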

LDAP Directory Entries

The structure of this directory is only an example; you are not bound to follow it to the letter. The following ldif creates the basic OUs that nss_ldap will look for in the directory:

for ou in Aliases Groups Hosts Mounts \
  Netgroup Networks People Protocols \
  Rpc Services; do
    echo
    echo "dn: ou=$ou,<BASE DN>"
    echo "objectClass: top"
    echo "objectClass: organizationalUnit"
    echo "ou: $ou"
    echo
done > temp.ldif

Verify the ldif in a text editor, then import it with the following command:

ldapadd -f temp.ldif -x -D "cn=Manager,<BASE DN>" -W
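Before importing, it is worth confirming that every OU the nss_base_* lines in ldap.conf point at is actually among the entries the ldif creates; a map that names an OU which does not exist resolves nothing, and nothing reports it. The script below is an added example and not part of the CBLFS page: it generalises the page's loop into a function that takes the base DN as a parameter, extracts the OU names from the generated ldif, and lists every nss_base_* map in a given ldap.conf whose OU is missing. A misspelt name such as ou=Protocals against an ou=Protocols entry is exactly the kind of slip it catches. The base DN dc=example,dc=com and the sample ldap.conf fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CBLFS page. It generalises the page's loop into
# a function that takes the base DN as a parameter, then cross-checks the
# generated LDIF against ldap.conf: every OU an nss_base_* line points at must
# really be created, otherwise that NSS map silently resolves nothing.

# gen_ou_ldif BASE_DN OU...: write one organizationalUnit entry per OU
gen_ou_ldif() {
    base=$1; shift
    for ou in "$@"; do
        printf '\ndn: ou=%s,%s\nobjectClass: top\nobjectClass: organizationalUnit\nou: %s\n' \
            "$ou" "$base" "$ou"
    done
}

# ldif_ous FILE: list the OU names defined in an LDIF, one per line
ldif_ous() {
    sed -n 's/^dn: ou=\([^,]*\),.*/\1/p' "$1"
}

# missing_ous LDAP_CONF LDIF: print "<map> <ou>" for each nss_base_* map whose
# OU is not defined in the LDIF (prints nothing when everything matches)
missing_ous() {
    conf=$1; ldif=$2
    awk '$1 ~ /^nss_base_/ { split($2, a, ","); sub(/^ou=/, "", a[1]); print $1, a[1] }' "$conf" |
    while read -r map ou; do
        ldif_ous "$ldif" | grep -Fqx "$ou" || echo "$map $ou"
    done
}

# ldif_covers_conf LDAP_CONF LDIF: succeed only if nothing is missing
ldif_covers_conf() {
    [ -z "$(missing_ous "$1" "$2")" ]
}

# Constructed base DN and files for the demonstration (not a real directory).
BASE="dc=example,dc=com"
TMP_LDIF=$(mktemp)
gen_ou_ldif "$BASE" Aliases Groups Hosts Mounts Netgroup Networks People \
    Protocols Rpc Services > "$TMP_LDIF"

# NSS section of ldap.conf with a misspelt OU name left in...
CONF_TYPO=$(mktemp)
cat > "$CONF_TYPO" <<EOF
nss_base_passwd         ou=People,$BASE
nss_base_group          ou=Groups,$BASE
nss_base_shadow         ou=People,$BASE
nss_base_hosts          ou=Hosts,$BASE
nss_base_networks       ou=Networks,$BASE
nss_base_protocols      ou=Protocals,$BASE
nss_base_services       ou=Services,$BASE
nss_base_rpc            ou=Rpc,$BASE
EOF
# ...and the same section with the OU name corrected.
CONF_FIXED=$(mktemp)
sed 's/ou=Protocals,/ou=Protocols,/' "$CONF_TYPO" > "$CONF_FIXED"

echo "maps with no matching OU in $TMP_LDIF:"
missing_ous "$CONF_TYPO" "$TMP_LDIF"
ldif_covers_conf "$CONF_FIXED" "$TMP_LDIF" && echo "corrected ldap.conf: all OUs present"
```

Point missing_ous at the real /etc/ldap.conf and the ldif you are about to import; once it prints nothing, the page's ldapadd command above imports the entries.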