This is a little breakdown of what it took to get an OEL 6 machine to act as a client to an HP Directory Server. This is not a one-size-fits-all solution. I would suggest that this post be used as a guide. NOTE: I am not using TLS.
You'll need a few prerequisites:
# yum install openldap-clients nss_ldap
Next we will do some file editing:
# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
# vi /etc/pam_ldap.conf
You need to edit the following lines to match your environment.
base dc=your,dc=domain
uri ldap://ldap1.your.domain/ ldap://ldap2.your.domain/
Then uncomment, or add these lines:
pam_lookup_policy yes
pam_password exop
Again, you need to edit the following lines to match your environment.
base dc=your,dc=domain
uri ldap://ldap1.your.domain/ ldap://ldap2.your.domain/
From this point you want to turn on nslcd and start the services.
# chkconfig nslcd on
# service nslcd start
That should do it. You can test the service with getent.
# getent passwd
# getent group
At this point you can modify /etc/pam.d/system-auth and /etc/pam.d/password-auth. Here is what they should look like. You're looking for the pam_ldap.so lines.
system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_ldap.so
password-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_ldap.so
Now you can test logging into the system using an ldap account. Hopefully everything works. If not, feel free to leave me a comment. And yes, I know I could have used authconfig. I'm just old school.
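Two quick checks, added here as an example and not part of the original post, for the two places this setup can quietly go wrong: the order of the PAM auth stack (the uid >= 500 gate must sit before pam_ldap.so, and pam_deny.so must be last so the stack fails closed) and the cleartext ldap:// transport the post notes it is not securing. The sample files are constructed from the configs shown above; real runs would point at /etc/pam.d and /etc/pam_ldap.conf.

```shell
#!/bin/sh
# Added sanity checks for the LDAP client setup above (not from the post).
# Assumes the PAM files use the system-auth / password-auth layout shown.

# check_pam_auth_stack FILE: exit 0 when the "auth" stack (a) has a
# pam_ldap.so entry, (b) gates it behind the "uid >= 500" pam_succeed_if
# line so local system accounts never consult LDAP, and (c) ends with
# pam_deny.so so an LDAP outage cannot turn into a fail-open login.
check_pam_auth_stack() {
    awk '
    $1 == "auth" {
        n++
        if ($3 == "pam_succeed_if.so" && $0 ~ /uid >= 500/) gate = n
        if ($3 == "pam_ldap.so") ldap = n
        last = $3
    }
    END {
        if (!ldap) { print "no pam_ldap.so in auth stack"; exit 1 }
        if (!gate || gate > ldap) { print "uid >= 500 gate must precede pam_ldap.so"; exit 1 }
        if (last != "pam_deny.so") { print "auth stack must end with pam_deny.so"; exit 1 }
    }' "$1"
}

# check_ldap_transport FILE: exit 0 when pam_ldap.conf uses only ldaps://
# URIs or enables "ssl start_tls"; exit 1 when passwords would cross the
# wire in the clear (the situation the post's NOTE describes).
check_ldap_transport() {
    grep -Eq '^ssl[[:space:]]+start_tls' "$1" && return 0
    grep -E '^uri[[:space:]]' "$1" | grep -q 'ldap://' && return 1
    return 0
}

# write_samples DIR: constructed sample files mirroring the post's configs.
write_samples() {
    cat > "$1/system-auth" <<'EOF'
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
EOF
    # Same stack with the final deny dropped: a stack that fails open.
    grep -v pam_deny.so "$1/system-auth" > "$1/system-auth.bad"
    printf 'base dc=your,dc=domain\nuri ldap://ldap1.your.domain/\n' > "$1/pam_ldap.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
if check_pam_auth_stack "$dir/system-auth"; then echo "system-auth: ok"; fi
if check_ldap_transport "$dir/pam_ldap.conf"; then echo "transport: ok"; else echo "transport: cleartext ldap://"; fi
```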