Marcelo Moulin wrote:
Hello all!!
I'm starting to implement an LDAP server in my University, but before
that I would like to have some advice from experts and work in the right
way.
So, let's go.
1) All of my clients should be authenticated and authorized by the
server. Therefore, should I install all components like open-ldap,
pam_ldap, nss_ldap as I read on the internet, or can I install just
some components? I'm talking about Linux systems.
To do authentication and authorization, you will need all three
components on your clients and at least openldap on your server. You
will need to touch four client configuration files:
/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
and install your cacert.pem file (assuming you are doing secure
connections, as you should). Note that both ldap.conf files point to
the cacert.pem file. These locations are on a Gentoo 2.6 installation;
the locations will be similar for other distros.
Note that, in my experience, the most finicky part of this is PAM. Each
distro and Unix flavor seems to have its own ideas about how PAM is
configured. In my case, the system-auth file is a file used by a number
of services. Do not promise delivery until you have the configuration
for PAM down for all your distros.
2) And what about Windows OS? Do I need to use SAMBA to do the same as I
mentioned above?
Is this the best way? Do I need to use NIS?
We have Samba set up as our domain controller with:
passdb backend = ldapsam:ldap://our-top-secret-machine.domain.not
in the smb.conf file with other ldap parameters set appropriately. We
create accounts using the smbldap tools, and use phpldapadmin as the
maintenance system.
Our system took months of tweaking off and on to get it all figured out.
I hope this helps to shorten your time-to-production.
Good luck,
Chuck
Thank you in advance.
Best regards,
Marcelo
---
You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the
SUBJECT of the message.
--
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
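The client-side settings listed in the reply above can be checked mechanically before rollout. The following Python is an added example, not code from the thread: the directive names are those of pam_ldap/nss_ldap (`/etc/ldap.conf`) and OpenLDAP's `ldap.conf`, while the host name, the full path to cacert.pem and the sample file contents are constructed assumptions.

```python
import re

def directives(text):
    """Parse 'key value' or 'key: value' lines, skipping comments; keys are lowercased."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(\S+?):?\s+(.+)", line.split("#", 1)[0].strip())
        if m:
            out[m.group(1).lower()] = m.group(2).strip()
    return out

def audit(files):
    """Return findings for the four client files; an empty list means every check passed."""
    findings = []
    pam_nss = directives(files["/etc/ldap.conf"])
    openldap = directives(files["/etc/openldap/ldap.conf"])
    nss = directives(files["/etc/nsswitch.conf"])
    ca1, ca2 = pam_nss.get("tls_cacertfile"), openldap.get("tls_cacert")
    if not ca1 or not ca2:
        findings.append("CA certificate not set in both ldap.conf files")
    elif ca1 != ca2:
        findings.append("ldap.conf files point to different CA certificates")
    if not (pam_nss.get("uri", "").startswith("ldaps://") or pam_nss.get("ssl") in ("start_tls", "on")):
        findings.append("/etc/ldap.conf: no ldaps:// URI or ssl start_tls")
    if pam_nss.get("tls_checkpeer") == "no" or openldap.get("tls_reqcert") in ("never", "allow"):
        findings.append("server certificate verification is disabled")
    for db in ("passwd", "group", "shadow"):
        if "ldap" not in nss.get(db, "").split():
            findings.append(f"/etc/nsswitch.conf: {db} does not consult ldap")
    # PAM lines repeat the same type, so collect the types that reference pam_ldap.so
    pam_types = {l.split()[0].lstrip("-") for l in files["/etc/pam.d/system-auth"].splitlines()
                 if "pam_ldap.so" in l.split("#", 1)[0]}
    for t in ("auth", "account"):
        if t not in pam_types:
            findings.append(f"/etc/pam.d/system-auth: no pam_ldap.so line for {t}")
    return findings

# Constructed sample contents (host name and CA path are assumptions, not from the thread)
GOOD = {
    "/etc/ldap.conf": "uri ldap://ldap.example.edu\nssl start_tls\n"
                      "tls_cacertfile /etc/openldap/cacert.pem\ntls_checkpeer yes\n",
    "/etc/openldap/ldap.conf": "URI ldap://ldap.example.edu\n"
                               "TLS_CACERT /etc/openldap/cacert.pem\nTLS_REQCERT demand\n",
    "/etc/nsswitch.conf": "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n",
    "/etc/pam.d/system-auth": "auth sufficient pam_unix.so\n"
                              "auth sufficient pam_ldap.so use_first_pass\naccount sufficient pam_ldap.so\n",
}
BAD = {**GOOD,
       "/etc/ldap.conf": "uri ldap://ldap.example.edu\n"
                         "tls_cacertfile /etc/openldap/cacert.pem\ntls_checkpeer no\n",
       "/etc/nsswitch.conf": "passwd: files ldap\ngroup: files ldap\nshadow: files\n"}
if __name__ == "__main__":
    print("\n".join(audit(BAD)))
```

To run it against a real client, build the `files` mapping by reading the four paths from disk; PAM file names differ per distro, as the reply notes.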