Controls-docs/admin-guide/legacy/misc/configureldaponpsipuppet3.rst
2021-05-05 14:24:27 +02:00

Configure LDAP on psi-puppet3

References

Introduction

This document describes how to configure a Scientific Linux 6 (SL6) client to look up user and group account information in the PSI LDAP service through nss-pam-ldapd (nslcd). It covers name-service lookups only; password-hash retrieval via LDAP is deliberately left out.

Requirements

RPMS:

  • nss-pam-ldapd

Procedure

Configure /etc/nsswitch.conf

The /etc/nsswitch.conf configuration file lists, for each NSS database (passwd, group, shadow, ...), the sources that are consulted and the order in which they are tried. To make sure that local accounts take precedence over LDAP accounts (so a local root or service account can never be shadowed by an LDAP entry of the same name), "files" must come before "ldap", and the shadow database must stay on "files" only so that nslcd is never asked for password hashes:

passwd: files ldap
shadow: files
group:  files ldap

Configuring /etc/nslcd.conf

The /etc/nslcd.conf configuration file holds the system-wide settings for nslcd, the daemon that performs the LDAP queries on behalf of the NSS and PAM modules. This mechanism is available on SL6.

This section describes the options that are relevant to configure account lookups in the d.psi.ch LDAP service. An example configuration file containing the options described below is shown here. Please edit it to suit your needs - in particular the filter passwd entry, which decides which directory objects are exposed as Unix accounts at all!:

# the ldaps:// uri enforces TLS on the whole connection (port 636), so the bind
# credentials below and all account data are never sent in the clear
uri ldaps://d.psi.ch:636
base ou=PSI,dc=d,dc=psi,dc=ch
binddn CN=linux_ldap,OU=Services,OU=IT,DC=d,DC=psi,DC=ch
bindpw *NOT SHOWN*

# ldap base definitions for each nameservice
base passwd ou=Users,ou=PSI,dc=d,dc=psi,dc=ch
base group ou=Groups,ou=PSI,dc=d,dc=psi,dc=ch


filter passwd (&(objectClass=user)(!(objectClass=computer))(msSFU30UidNumber=*)(msSFU30HomeDirectory=*))
map    passwd uid              cn
map    passwd uidNumber        msSFU30UidNumber
map    passwd gidNumber        msSFU30GidNumber
map    passwd loginShell       msSFU30LoginShell
map    passwd gecos            displayName
#  do not resolve the unneeded userPassword: NSS lookups must not hand out
#  password hashes, and shadow stays on "files" in nsswitch.conf anyway
#map    passwd userPassword     msSFU30Password

map    passwd homeDirectory    msSFU30HomeDirectory
#   for our clusters' special environments we may want to use an expression instead:
#map    passwd homeDirectory    "/home/${sAMAccountName}"

filter group  (&(objectClass=Group)(msSFU30Name=*))
map    group  uniqueMember     member
map    group  gidNumber        msSFU30GidNumber

timelimit 30

# we may want to use this to reduce standing connections to the LDAP server
idle_timelimit 300

# require that the server's certificate is verified against a trusted CA; with
#        anything weaker (allow, try, never) a spoofed d.psi.ch could answer
#        the lookups. The standard installed CA bundle includes the necessary
#        Root CA cert from QuoVadis
tls_reqcert hard
tls_cacertfile /etc/ssl/certs/ca-bundle.crt

# request paged results from the LDAP server
pagesize 1000

referrals off

Please make sure that the nss-pam-ldapd RPM is installed on your client machine. Run yum install nss-pam-ldapd if this RPM is not installed. Because /etc/nslcd.conf contains the bindpw of the linux_ldap service account, it must be owned by root and readable by root only (mode 0600); nslcd prints a warning at startup if the file is readable by others.

Then, make sure that the nslcd runs, and gets started at boot time:

/sbin/service nslcd restart
/sbin/chkconfig --level 345 nslcd on

Note: the nslcd service must be restarted after changes to the /etc/nslcd.conf have been made! For more information, run man nslcd.conf and/or man nslcd.
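The following script is an added example and not part of the PSI admin guide. It audits the two files configured above for the properties the procedure depends on: "files" before "ldap" for passwd and group, shadow never served from LDAP, an ldaps:// uri, tls_reqcert hard, a CA bundle, the userPassword map left commented out, and a root-only mode on the file that holds bindpw. The sample configuration files it writes are constructed inline (the bindpw value is a placeholder) so that it runs without touching a live host; point the two check functions at /etc/nsswitch.conf and /etc/nslcd.conf to audit a real client.

```shell
#!/bin/sh
# Offline sanity checks for the nss-pam-ldapd client configuration
# described in the guide. Added example, not the guide's own code.
# check_nsswitch FILE and check_nslcd FILE return 0 when the file
# matches the guide and 1 otherwise, printing each problem to stderr.

# Value of a "key: ..." line in nsswitch.conf, comments stripped.
nss_value() { sed -e 's/#.*//' "$1" | awk -v k="$2:" '$1 == k { $1 = ""; print; exit }'; }

check_nsswitch() {
    f="$1"; rc=0
    for db in passwd group; do
        set -- $(nss_value "$f" "$db")
        if [ "${1:-}" != files ] || [ "${2:-}" != ldap ]; then
            echo "nsswitch: '$db:' must read 'files ldap' so local accounts win" >&2; rc=1
        fi
    done
    case " $(nss_value "$f" shadow) " in
        *" ldap "*) echo "nsswitch: 'shadow:' must stay 'files' only; nslcd must not serve hashes" >&2; rc=1 ;;
    esac
    return $rc
}

# First active (non-comment) value of an nslcd.conf option.
nslcd_opt() { sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }

check_nslcd() {
    f="$1"; rc=0
    case "$(nslcd_opt "$f" uri)" in
        ldaps://*) ;;
        *) echo "nslcd: uri must be ldaps:// so the bind and all lookups are encrypted" >&2; rc=1 ;;
    esac
    # "demand" is the nslcd synonym for "hard"; anything else accepts a spoofed server.
    case "$(nslcd_opt "$f" tls_reqcert)" in
        hard|demand) ;;
        *) echo "nslcd: tls_reqcert must be 'hard'" >&2; rc=1 ;;
    esac
    [ -n "$(nslcd_opt "$f" tls_cacertfile)" ] ||
        { echo "nslcd: tls_cacertfile must name the CA bundle that verifies d.psi.ch" >&2; rc=1; }
    if sed -e 's/#.*//' "$f" | awk '$1 == "map" && $2 == "passwd" && $3 == "userPassword" { found = 1 } END { exit !found }'; then
        echo "nslcd: leave the userPassword map commented out" >&2; rc=1
    fi
    if [ -n "$(nslcd_opt "$f" bindpw)" ]; then
        # ls -l columns 5-10 are the group and other permission bits.
        perm=$(ls -l "$f" | cut -c5-10)
        [ "$perm" = "------" ] ||
            { echo "nslcd: $f holds bindpw but is $(ls -l "$f" | cut -c1-10); chmod 600 it" >&2; rc=1; }
    fi
    return $rc
}

# Constructed sample files (not from a real host). The "good" pair follows
# the guide; the "bad" pair shows the mistakes the checks are meant to catch.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.good" <<'EOF'
passwd: files ldap
shadow: files
group:  files ldap
EOF
cat > "$SAMPLE_DIR/nsswitch.bad" <<'EOF'
passwd: ldap files
shadow: files ldap
group:  files ldap
EOF
cat > "$SAMPLE_DIR/nslcd.good" <<'EOF'
uri ldaps://d.psi.ch:636
base ou=PSI,dc=d,dc=psi,dc=ch
binddn CN=linux_ldap,OU=Services,OU=IT,DC=d,DC=psi,DC=ch
bindpw placeholder-not-a-real-password
#map    passwd userPassword     msSFU30Password
tls_reqcert hard
tls_cacertfile /etc/ssl/certs/ca-bundle.crt
EOF
chmod 600 "$SAMPLE_DIR/nslcd.good"
cat > "$SAMPLE_DIR/nslcd.bad" <<'EOF'
uri ldap://d.psi.ch:389
bindpw placeholder-not-a-real-password
map    passwd userPassword     msSFU30Password
tls_reqcert never
EOF
chmod 644 "$SAMPLE_DIR/nslcd.bad"

for f in nsswitch.good nsswitch.bad; do
    check_nsswitch "$SAMPLE_DIR/$f" && echo "$f: ok" || echo "$f: FAIL"
done
for f in nslcd.good nslcd.bad; do
    check_nslcd "$SAMPLE_DIR/$f" && echo "$f: ok" || echo "$f: FAIL"
done
```

Once the real files pass and nslcd has been restarted, getent passwd <account> and getent group <group> should return the entries mapped from the msSFU30 attributes, and id <account> should list the LDAP groups; if they do not, running nslcd -d in the foreground shows the bind, the filters and the server's answers.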