Integrating LDAP into Linux

When you have user accounts stored in LDAP, you can authenticate your users against them. Three things need to take place to make this happen:

1. When the system needs information about a user (UID, home directory, and so on), it asks the Name Service Switch (NSS). NSS is the glibc mechanism that decides which sources are consulted for user, group, host and similar data, and in which order.

NSS is controlled through the /etc/nsswitch.conf file. Its default is to consult only the local files (/etc/passwd, /etc/group, and so on); change the passwd and group lines so that the local files are tried first and the LDAP server defined in /etc/ldap.conf second:

passwd: files ldap
group:  files ldap

Once this is set, restart the Name Service Cache Daemon (nscd) with rcnscd restart.

nscd is the bane of an LDAP user's life. It caches NSS lookups, including negative ones, so that subsequent lookups do not go back to the original source; a user you have just added to the directory can therefore remain "unknown" to the system until the cached answer expires. If bizarre things happen when you authenticate users against LDAP, restart nscd to flush its cache and see whether the problem goes away.

2. Tell the LDAP client libraries (nss_ldap and pam_ldap) which server to query and where in the directory to search. To do this, edit /etc/ldap.conf, which holds the client-side settings, most importantly the LDAP server and the default search base (the same base we passed earlier with the -b command-line option). In this environment the server is localhost, because that is where the LDAP data lives, and the base is o=Acme,c=UK. Note that nss_ldap and pam_ldap talk to the server in the clear by default; that is acceptable for 127.0.0.1, but if the directory is on another host, enable TLS in the same file (ssl start_tls) before pointing host at it, because user passwords would otherwise cross the network unencrypted.

host 127.0.0.1
base o=Acme,c=UK

3. Configure PAM to use the LDAP server. This has been greatly simplified in recent times with the use of the /etc/security/pam_unix2.conf file.

Edit pam_unix2.conf and set the auth, account, and password entries:

auth: use_ldap nullok
account: use_ldap
password: use_ldap nullok

This instructs every PAM stack that calls pam_unix2 to consult the LDAP server as well as the local files. The nullok option allows accounts with an empty password field to log in without a password; leave it out unless you really need it.

When PAM and NSS have been configured, run SuSEconfig to commit your configuration changes. You should now be able to log in as a user stored in LDAP. Because NSS consults files before LDAP, the root account in /etc/passwd is still resolved locally: an entry in the directory cannot shadow it, and root login does not depend on the directory being available.

If you have problems authenticating as a normal user, check what /var/log/messages says; nss_ldap and pam_unix2 usually log a good description of the problem there.
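As an added example that is not part of the original page, the following POSIX shell script checks the three client-side pieces offline: it parses the source order in nsswitch.conf, reads host and base from ldap.conf, and emulates the "first source wins" NSS lookup against a local passwd file and a directory dump that also carries a uid 0 root entry, to show why files before ldap keeps root local. All file contents are constructed samples and the function names (nss_sources, nss_files_first, ldap_setting, resolve_user) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): offline checks for the three
# client-side pieces configured above. The sample files written below are
# constructed, and the function names are hypothetical.

# Source list of one NSS database, e.g. "files ldap" for "passwd".
nss_sources() {          # nss_sources <nsswitch.conf> <database>
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only if "files" is consulted before "ldap" for that database, so
# local accounts such as root are always answered from /etc/passwd.
nss_files_first() {      # nss_files_first <nsswitch.conf> <database>
    nss_sources "$1" "$2" | awk '
        { for (i = 1; i <= NF; i++) { if ($i == "files" && !fi) fi = i; if ($i == "ldap" && !li) li = i } }
        END { exit !(fi && li && fi < li) }'
}

# Value of a directive such as "host" or "base" from /etc/ldap.conf.
ldap_setting() {         # ldap_setting <ldap.conf> <directive>
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Emulate the NSS lookup order: the first source that holds the name wins.
# <passwd-file> stands in for /etc/passwd and <ldap-dump> for what the
# directory would return; both are in passwd(5) format.
resolve_user() {         # resolve_user <nsswitch.conf> <passwd-file> <ldap-dump> <name>
    for src in $(nss_sources "$1" passwd); do   # unquoted on purpose: split sources
        case $src in
            files) file=$2 ;;
            ldap)  file=$3 ;;
            *)     continue ;;
        esac
        entry=$(awk -F: -v u="$4" '$1 == u { print; exit }' "$file")
        [ -n "$entry" ] && { echo "$entry"; return 0; }
    done
    return 1
}

# ---- constructed sample configuration and data ----------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

printf 'passwd: files ldap\ngroup:  files ldap\n' >"$tmp/nsswitch.conf"
printf 'host 127.0.0.1\nbase o=Acme,c=UK\n' >"$tmp/ldap.conf"
# Local root, and a directory that (wrongly) also carries a uid 0 "root".
printf 'root:x:0:0:root:/root:/bin/bash\n' >"$tmp/passwd"
printf 'root:x:0:0:rogue:/tmp:/bin/sh\njustin:x:1000:100:Justin:/home/justin:/bin/bash\n' >"$tmp/ldap-dump"

for db in passwd group; do
    nss_files_first "$tmp/nsswitch.conf" "$db" || { echo "$db: put files before ldap"; exit 1; }
done
[ -n "$(ldap_setting "$tmp/ldap.conf" base)" ] || { echo "ldap.conf: no search base"; exit 1; }
# root resolves from the local file; justin falls through to the directory.
echo "root   -> $(resolve_user "$tmp/nsswitch.conf" "$tmp/passwd" "$tmp/ldap-dump" root)"
echo "justin -> $(resolve_user "$tmp/nsswitch.conf" "$tmp/passwd" "$tmp/ldap-dump" justin)"
```

On a live system the corresponding checks are getent passwd <user> and id <user> after rcnscd restart; if getent finds the user but login still fails, the problem is in the PAM configuration rather than in NSS.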
