Configure LDAP on psi-puppet3
References
- https://intranet.psi.ch/AIT/LdapActiveDirectoryIntegrationPSI
- http://linux.web.cern.ch/linux/docs/account-mgmt.shtml
Introduction
This document describes the configuration of LDAP to access user account information on an SL6 system.
Requirements
RPMS:
- nss-pam-ldapd
Procedure
Configure /etc/nsswitch.conf
The /etc/nsswitch.conf configuration file describes the order in which password-file lookups are performed. To make sure that local accounts take precedence over LDAP accounts, it should have these entries:
passwd: files ldap
shadow: files
group: files ldap
Configuring /etc/nslcd.conf
The /etc/nslcd.conf configuration file sets the system-wide defaults applied when running LDAP clients. This mechanism is available on SL6.
This section describes the options that are relevant for configuring account lookups in the d.psi.ch LDAP service. An example configuration file containing the options described below is shown here. Please edit it to suit your needs, in particular the filter passwd entry:
# the ldaps uri enforces SSL
uri ldaps://d.psi.ch:636
base ou=PSI,dc=d,dc=psi,dc=ch
binddn CN=linux_ldap,OU=Services,OU=IT,DC=d,DC=psi,DC=ch
bindpw *NOT SHOWN*
# ldap base definitions for each nameservice
base passwd ou=Users,ou=PSI,dc=d,dc=psi,dc=ch
base group ou=Groups,ou=PSI,dc=d,dc=psi,dc=ch
filter passwd (&(objectClass=user)(!(objectClass=computer))(msSFU30UidNumber=*)(msSFU30HomeDirectory=*))
map passwd uid cn
map passwd uidNumber msSFU30UidNumber
map passwd gidNumber msSFU30GidNumber
map passwd loginShell msSFU30LoginShell
map passwd gecos displayName
# do not resolve the unneeded userPassword
#map passwd userPassword msSFU30Password
map passwd homeDirectory msSFU30HomeDirectory
# for our clusters' special environments we may want to use an expression
# #map passwd homeDirectory "/home/${sAMAccountName}"
filter group (&(objectClass=Group)(msSFU30Name=*))
map group uniqueMember member
map group gidNumber msSFU30GidNumber
timelimit 30
# we may want to use this to reduce standing connections to the LDAP server
idle_timelimit 300
# require that the server's certificate is verified. The standard installed CA bundle includes
# the necessary Root CA cert from QuoVadis
tls_reqcert hard
tls_cacertfile /etc/ssl/certs/ca-bundle.crt
# request paged results from the LDAP server
pagesize 1000
referrals off
Please make sure that the nss-pam-ldapd RPM is installed on your client machine. Run yum install nss-pam-ldapd if this RPM is not installed.
Then, make sure that nslcd is running and gets started at boot time:
/sbin/service nslcd restart
/sbin/chkconfig --level 345 nslcd on
Note: the nslcd service must be restarted after changes to /etc/nslcd.conf have been made! For more information, run man nslcd.conf and/or man nslcd.
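The following shell script is an added example and not part of the original page or of nss-pam-ldapd: before restarting nslcd it checks that an nslcd.conf and nsswitch.conf match the settings described above (ldaps URI, hard certificate checking, the computer-excluding passwd filter, files before ldap) and that nslcd.conf, which holds bindpw in clear text, is not world-readable. The sample configuration files it writes under /tmp are constructed for the demonstration; the mode check assumes 600 or 640 is acceptable.

```sh
#!/bin/sh
# Added example, not part of the original page: sanity-check an nslcd.conf and
# nsswitch.conf against the settings described above before restarting nslcd.
# Usage: check_ldap_client [nslcd.conf] [nsswitch.conf]; prints each failed
# check and returns 1, or returns 0 when everything matches.
check_ldap_client() {
    nslcd="${1:-/etc/nslcd.conf}"; nsswitch="${2:-/etc/nsswitch.conf}"; rc=0
    fail() { echo "FAIL: $1"; rc=1; }
    # transport: only an ldaps:// uri enforces SSL, and the server cert must be verified
    grep -Eq '^uri[[:space:]]+ldaps://' "$nslcd" || fail "uri is not ldaps://"
    grep -Eq '^tls_reqcert[[:space:]]+hard' "$nslcd" || fail "tls_reqcert is not hard"
    grep -Eq '^tls_cacertfile[[:space:]]+/' "$nslcd" || fail "tls_cacertfile not set"
    # passwd filter must exclude computer objects and require a uidNumber
    grep -Eq '^filter[[:space:]]+passwd[[:space:]].*\(!\(objectClass=computer\)\)' "$nslcd" \
        || fail "filter passwd does not exclude computer objects"
    grep -Eq '^filter[[:space:]]+passwd[[:space:]].*msSFU30UidNumber=\*' "$nslcd" \
        || fail "filter passwd does not require msSFU30UidNumber"
    # local accounts win: files before ldap; shadow never goes to LDAP
    grep -Eq '^passwd:[[:space:]]+files[[:space:]]+ldap' "$nsswitch" || fail "passwd: is not 'files ldap'"
    grep -Eq '^group:[[:space:]]+files[[:space:]]+ldap' "$nsswitch" || fail "group: is not 'files ldap'"
    grep -Eq '^shadow:[[:space:]]+files[[:space:]]*$' "$nsswitch" || fail "shadow: must be 'files' only"
    # nslcd.conf carries bindpw in clear text, so it must not be world-readable (assumed: 600 or 640)
    mode=$(stat -c '%a' "$nslcd" 2>/dev/null || stat -f '%Lp' "$nslcd")
    case "$mode" in 600|640) ;; *) fail "$nslcd mode is $mode, expected 600" ;; esac
    return $rc
}

# Constructed sample files (assumption: /tmp is writable) so the check can be tried offline.
SAMPLE_DIR=$(mktemp -d /tmp/ldapcheck.XXXXXX)
printf 'passwd: files ldap\nshadow: files\ngroup: files ldap\n' > "$SAMPLE_DIR/nsswitch.conf"
cat > "$SAMPLE_DIR/nslcd-weak.conf" <<'EOF'
uri ldap://d.psi.ch
filter passwd (&(objectClass=user)(msSFU30UidNumber=*))
tls_reqcert never
EOF
cat > "$SAMPLE_DIR/nslcd-good.conf" <<'EOF'
uri ldaps://d.psi.ch:636
bindpw EXAMPLE-PLACEHOLDER
filter passwd (&(objectClass=user)(!(objectClass=computer))(msSFU30UidNumber=*)(msSFU30HomeDirectory=*))
tls_reqcert hard
tls_cacertfile /etc/ssl/certs/ca-bundle.crt
EOF
chmod 600 "$SAMPLE_DIR/nslcd-good.conf"
check_ldap_client "$SAMPLE_DIR/nslcd-weak.conf" "$SAMPLE_DIR/nsswitch.conf" || echo "weak config rejected"
check_ldap_client "$SAMPLE_DIR/nslcd-good.conf" "$SAMPLE_DIR/nsswitch.conf" && echo "good config accepted"
```

Run it against the real files with `check_ldap_client /etc/nslcd.conf /etc/nsswitch.conf` before the service restart; the good sample only passes because it was chmod'ed to 600, which is also what the real /etc/nslcd.conf should have.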