How to configure various operating systems to authenticate users and provide name/group data via LDAP.
See also: AppleOsx, AppleSoftware, LdapClient, AppleOsxIntegration, AppleOsxIntegrationWithOpenLdap
Apple OSX
10.3 Panther
See AppleOsxIntegrationWithOpenLdap
Debian Linux
Not done yet. Here's a decent list of how to get started:
Redhat Linux
Redhat 9
Run authconfig as root and configure the two windows with the following information:
User Information Configuration
- [*] Cache Information
- [ ] Use NIS
- [*] Use LDAP Authentication
- [ ] Use TLS
- Server: ldap01.spack.org,ldap02.spack.org,ldap03.spack.org
- Base DN: dc=spack,dc=org
Authentication Configuration
- [ ] Use Shadow Passwords
- [ ] Use MD5 Passwords
- [*] Use LDAP Authentication
- [ ] Use TLS
- Server: ldap01.spack.org,ldap02.spack.org,ldap03.spack.org
- Base DN: dc=spack,dc=org
Redhat 7.2
Should work the same as 9; however, I noticed that enabling nscd (the name service caching daemon) caused LDAP to completely fail. If you have problems, try disabling the "Cache Information" setting in the above dialog.
Notes
You can test what the system sees by using the getent command on Linux. Note that this is also very useful for reconstructing system files from LDAP data, both for backup and for pushing out to DMZ boxes which can't see the LDAP server. For example:
# getent passwd | grep adam
ashand:x:1010:100:Adam Shand:/home/adam:/bin/bash
ashand:x:1010:100:Adam Shand (ldap):/home/adam:/bin/bash
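The getent output above shows the same account coming back twice, once from /etc/passwd and once from LDAP. When you rebuild passwd or group files from getent output for a DMZ box, you want exactly one line per name, and you want to know when two different names share a UID number (the DMZ box would then grant both accounts the same file ownership). The following is an added example, not part of the original page: POSIX shell and awk that dedupe passwd-format lines (first occurrence wins, matching the "files ldap" lookup order) and report name/UID conflicts. The sample input in the usage is constructed; the getent wrapper at the end is the only part that needs a live system.

```shell
#!/bin/sh
# Added example (not from the original page). Works on passwd-format lines
# such as the output of "getent passwd": name:pw:uid:gid:gecos:home:shell

# dedupe_passwd FILE -> one line per username, the first occurrence wins.
# With "passwd: files ldap" in nsswitch.conf the local entry comes first,
# so it is the one that survives, exactly as the running system resolves it.
dedupe_passwd() {
    awk -F: '!seen[$1]++' "$1"
}

# passwd_conflicts FILE -> prints one line per conflict and exits 1 when any
# was found:
#   a username that appears with two different UID numbers
#   a UID number owned by two different usernames
# A name repeated with the same UID (the ashand case above) is not a conflict.
passwd_conflicts() {
    awk -F: '
        ($1 in uid_of) && uid_of[$1] != $3 {
            printf "user %s has uids %s and %s\n", $1, uid_of[$1], $3; bad = 1
        }
        ($3 in owner) && owner[$3] != $1 {
            printf "uid %s shared by %s and %s\n", $3, owner[$3], $1; bad = 1
        }
        !($1 in uid_of) { uid_of[$1] = $3 }
        !($3 in owner)  { owner[$3] = $1 }
        END { exit bad ? 1 : 0 }' "$1"
}

# rebuild_from_getent DATABASE OUTFILE -> dump a deduped copy of the passwd or
# group database for copying to a box that cannot reach the LDAP server.
# umask 077 keeps the copy private until you have decided who may read it
# (passwd and group are normally 0644, shadow must stay 0600).
rebuild_from_getent() {
    umask 077
    getent "$1" | awk -F: '!seen[$1]++' > "$2"
}

# Usage on a live system:
#   rebuild_from_getent passwd /tmp/passwd.dmz
#   passwd_conflicts /tmp/passwd.dmz || echo "fix the conflicts before pushing"
```

Run passwd_conflicts on the raw getent output rather than on the deduped file: the dedupe step hides a username that LDAP and the local file define with different UIDs, and that is one of the conflicts you want to see.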
Network Appliance
Data ONTAP 6.4
You can configure the NetworkAppliance boxes to get their Unix password/shadow/group data from LDAP by making these changes:
filer> options ldap
ldap.base                    dc=spack,dc=org
ldap.enable                  on
ldap.port                    389
ldap.servers                 ldap01.spack.org,ldap02.spack.org,ldap03.spack.org
ldap.servers.preferred       ldap01
You don't need a username/password with OpenLdap because anonymous binds work just fine. If you've disabled anonymous binds, or are using an LDAP server which doesn't support anonymous binds (like MicrosoftWindows ActiveDirectory), then you can specify a privileged user to do the bind as, like this:
ldap.name                    cn=root,dc=spack,dc=org
ldap.passwd                  secret
And then edit the /vol/vol0/etc/nsswitch.conf file in the standard manner:
passwd: ldap files
group:  ldap files
shadow: ldap files
SGI Irix
Irix 6.5(?)
I have yet to succeed with any of this under SgiIrix; however, this is the best information I have.
See also: http://www.ccm.ece.vt.edu/~lscharf/samd/?topic=IRIX
# /var/ns/ldap.conf
#
# UNS LDAP library config file (RFC2307 Compliant)
#
# see ldap.conf(4) for syntax
#
# (From ldap.conf, by Juan C. Gomez, gomez@engr.sgi.com, 05/04/1999)
# ----------------- START LOCAL DOMAIN --------------------------
; SECURITY
security ssl ; none, ssl
cipher RSA_RC4_40_MD5
domain ; An empty domain name identifies the local domain
; SERVER SPECIFICATION
server xxx.xxx.xxx.xxx
version 2
base "dc=example,dc=com"
scope subtree ; subtree, onelevel, sbase
binddn "cn=Manager,dc=sv,dc=vt,dc=edu"
bindpwd "secret"
regsub USERPASSWORD{{CRYPT\}}{}
; SCHEMA DEFINITION
table passwd.byname
filter_lookup (&(OBJECTCLASS=POSIXACCOUNT)(UID=%s))
filter_list (OBJECTCLASS=POSIXACCOUNT)
format "UID:USERPASSWORD:UIDNUMBER:GIDNUMBER:GECOS:HOMEDIRECTORY:LOGINSHELL"
table passwd.byuid
filter_lookup (&(OBJECTCLASS=POSIXACCOUNT)(UIDNUMBER=%s))
format "UID:USERPASSWORD:UIDNUMBER:GIDNUMBER:GECOS:HOMEDIRECTORY:LOGINSHELL"
table group.byname
filter_lookup (&(OBJECTCLASS=POSIXGROUP)(CN=%s))
filter_list (OBJECTCLASS=POSIXGROUP)
format "CN:USERPASSWORD:GIDNUMBER:(MEMBERUID,)"
table group.bygid
filter_lookup (&(OBJECTCLASS=POSIXGROUP)(GIDNUMBER=%s))
format "CN:USERPASSWORD:GIDNUMBER:(MEMBERUID,)"
table group.bymember
filter_lookup (&(OBJECTCLASS=POSIXGROUP)(MEMBERUID=%s))
format "GIDNUMBER,"
single_line "MEMBERUID:"
table ethers.byname
require MACADDRESS
filter_lookup (&(OBJECTCLASS=IEEE802DEVICE)(CN=%s))
filter_list (OBJECTCLASS=IEEE802DEVICE)
format "MACADDRESS\t(CN )"
table ethers.byaddr
require MACADDRESS
filter_lookup (&(OBJECTCLASS=IEEE802DEVICE)(MACADDRESS=%s))
format "MACADDRESS\t(CN )"
table shadow.byname
filter_lookup (&(OBJECTCLASS=SHADOWACCOUNT)(UID=%s))
filter_list (OBJECTCLASS=SHADOWACCOUNT)
format "UID:USERPASSWORD:SHADOWLASTCHANGE:SHADOWMIN:SHADOWMAX:SHADOWWARNING:SHADOWINACTIVE:SHADOWEXPIRE:SHADOWFLAG"
table services.byname
default tcp
filter_lookup (&(OBJECTCLASS=IPSERVICE)(CN=%s)(IPSERVICEPROTOCOL=%s))
filter_list (OBJECTCLASS=IPSERVICE)
format "CN\tIPSERVICEPORT/IPSERVICEPROTOCOL (CN )"
table services.byport
default tcp
filter_lookup (&(OBJECTCLASS=IPSERVICE)(IPSERVICEPORT=%s)(IPSERVICEPROTOCOL=%s))
format "CN\tIPSERVICEPORT/IPSERVICEPROTOCOL (CN )"
table rpc.byname
filter_lookup (&(OBJECTCLASS=ONCRPC)(CN=%s))
filter_list (OBJECTCLASS=ONCRPC)
format "CN\tONCRPCNUMBER (CN )"
table rpc.bynumber
filter_lookup (&(OBJECTCLASS=ONCRPC)(ONCRPCNUMBER=%s))
format "CN\tONCRPCNUMBER (CN )"
table protocols.byname
filter_lookup (&(OBJECTCLASS=IPPROTOCOL)(CN=%s))
filter_list (OBJECTCLASS=IPPROTOCOL)
format "CN\tIPPROTOCOLNUMBER (CN )"
table protocols.bynumber
filter_lookup (&(OBJECTCLASS=IPPROTOCOL)(IPPROTOCOLNUMBER=%s))
format "CN\tIPPROTOCOLNUMBER (CN )"
table hosts.byname
filter_lookup (&(OBJECTCLASS=IPHOST)(CN=%s))
filter_list (OBJECTCLASS=IPHOST)
format "IPHOSTNUMBER\t(CN )"
table hosts.byaddr
filter_lookup (&(OBJECTCLASS=IPHOST)(IPHOSTNUMBER=%s))
format "IPHOSTNUMBER\t(CN )"
table networks.byname
filter_lookup (&(OBJECTCLASS=IPNETWORK)(CN=%s))
filter_list (OBJECTCLASS=IPNETWORK)
format "CN\tIPNETWORKNUMBER (CN )"
table networks.byaddr
filter_lookup (&(OBJECTCLASS=IPNETWORK)(IPNETWORKNUMBER=%s))
format "CN\tIPNETWORKNUMBER (CN )"
table mail.aliases
require MAIL
filter_lookup (&(OBJECTCLASS=MAILRECIPIENT)(CN=%s))
filter_list (OBJECTCLASS=MAILRECIPIENT)
format "(MAIL, )"
table auto.home
filter_lookup (&(OBJECTCLASS=AUTOMOUNT)(CN=%s))
filter_list (OBJECTCLASS=AUTOMOUNT)
format "CN AUTOMOUNTINFORMATION"
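Every filter_lookup line above is a template: the key being looked up (a username, a UID number, a host name) is substituted for %s before the search is sent. Whatever does that substitution has to escape the RFC 4515 filter metacharacters in the key (backslash, asterisk, parentheses and NUL), otherwise a key containing an asterisk turns a byname lookup into a wildcard search and can return more than one entry. The following is an added example and not SGI's UNS library code: a POSIX shell function that applies that escaping, plus a helper that builds the passwd.byname filter from the template above. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the SGI UNS library or the ldap.conf above.
# RFC 4515 escaping of a value before it is substituted for %s in a filter.

# ldap_filter_escape STRING -> STRING with the filter metacharacters replaced
# by their hex escapes:  \ -> \5c   * -> \2a   ( -> \28   ) -> \29
# The backslash is handled first so the backslashes introduced by the other
# three substitutions are not escaped a second time. NUL cannot be carried in
# a shell argument at all, so it needs no rule here.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# passwd_byname_filter USERNAME -> the passwd.byname lookup filter from the
# ldap.conf above, with the username safely substituted for %s.
passwd_byname_filter() {
    printf '(&(OBJECTCLASS=POSIXACCOUNT)(UID=%s))' "$(ldap_filter_escape "$1")"
}

# group_byname_filter GROUPNAME -> the group.byname lookup filter, likewise.
group_byname_filter() {
    printf '(&(OBJECTCLASS=POSIXGROUP)(CN=%s))' "$(ldap_filter_escape "$1")"
}

# Usage:
#   passwd_byname_filter ashand     -> (&(OBJECTCLASS=POSIXACCOUNT)(UID=ashand))
#   passwd_byname_filter 'a*'       -> (&(OBJECTCLASS=POSIXACCOUNT)(UID=a\2a))
```

The escaped form is what you want to see when you trace the searches on the LDAP server: a filter for UID=a\2a can only match an entry whose uid literally contains an asterisk, whereas UID=a* would match every account starting with "a".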
# For details on this file see the nsswitch.conf(4) manual page.
#
# After editing this file the nsd daemon must be sent a SIGHUP signal for
# it to notice. Do a "killall -HUP nsd".
#
automount(dynamic): files ldap
auto.home: ldap
capability: files ldap
clearance: files ldap
ethers: files ldap
group: files ldap
hosts: files ldap dns
mac: files ldap
mail(null_extend_key): ndbm(file=/etc/aliases) ldap
netgroup: ldap
networks: files ldap
passwd: files ldap
protocols: ldap [success=return] files
rpc: files ldap
services: files ldap
shadow(mode=0700): files
jlimits: mdbm ldap
# /etc/auto_master:
/hosts -hosts -nosuid,nodev
/home auto.home -nosuid,nodev
Note: Since I did not provide a path, autofs will query according to /etc/nsswitch.conf. Note that the automount(dynamic) entry has to contain "files" in order for auto_master to be processed at all.
Sun Solaris
Solaris 8
See Solaris8Ldap
Microsoft Windows
Not done yet, but going via an LDAP-enabled Samba server is probably your best bet.