I've been following this thread with interest as I'm looking to make the
switch from Windows sysadmin (at enterprise level) to Linux, and I've been
struggling to get decent advice on LDAP integration.

Many thanks Bryan.

/Ed

2009/2/10 Bryan Smith <bryansmit...@gmail.com>

>
> First, what are the specs on this ldap server...SMP? how much RAM? How
> many users do you want to go into it? Will they need to run cron jobs?
>
> There is no such thing as a really easy way to accomplish this. You can
> follow tutorials and howto's but when things don't work, as they should,
> such as users not being able to change passwords and incorrect password
> hashes being used...you're going to have to learn about a lot of things.
> Truthfully, being a newbie to ldap and thinking you'll get it all going
> just by reading a howto is a bit misguided as far as ldap is concerned.
> Having prior experience working with a directory is only good if you
> know what is actually going on at the attribute/object level.
>
> I'm currently managing an openldap deployment with
> replication (slurpd) (Debian Etch of course) with over 1002 users in
> it (growing daily). Users can log into any number of FreeBSD, OSX, Linux
> or Windows clients. Anything that can authenticate against ldap is fair
> play on the network...even firewall rules do ldap lookups.
>
> I have never seen a true complete openldap howto, the ones I've seen get
> you going, but ldap is a different animal all to itself. This is no ftp
> server or trivial daemon...ldap requires a lot of hands on and more
> error than trial. If you are not making mistakes then you aren't learning.
>
> You will need a way to administrate the ldap directory, once you get it
> installed. I prefer command line, but beginners usually grab a gui.
> There is a large disadvantage to using the gui. You don't really learn
> how your tree is arranged and the correct syntax to search only a
> certain ou or dc. You just click and search...that leaves large holes in
> your knowledge base. BTW there is no ldap gui...just ldap command line
> utilities. This is worlds away from administration on Windows or Mac,
> which is fairly simple.
>
> You need the following Debian/Ubuntu packages:
>
> nscd, libnss-ldap, libpam-ldap, slapd, migrationtools, ldap-utils,
> libnet-ldap-perl(optional), phpldapadmin(optional), ldapvi(optional)
>
> NSCD is a name service caching daemon, which will keep your ldap server
> from being destroyed by constant queries once ldap is enabled. Once you
> enable ldap in pam anything you can think of queries the server...cron,
> ls, cd, everything. Finding a sane config for NSCD is hard at
> best...some needed options aren't even in the man page LOL. Even still
> NSCD can nearly destroy your system if something goes awry...it'll use
> 99% cpu in a heartbeat.
>
> libnss-ldap and libpam-ldap help get user info from the system to the
> server and allow users to log in. libpam-ldap is the main thing needed
> on clients to call an ldap server and allow logins.
>
> slapd...openldap server
>
> migrationtools are essential to get data from local files into the ldap
> server
>
> ldap-utils are various utilities that will surely discourage you from
> learning how to use them initially. They are essential, but require tons
> of repetition before you learn them...ldapmodify is "fun"
>
> libnet-ldap-perl has little scripts that add/remove unix accounts to
> ldap by just using adduser/deluser instead of merely in the local files.
> There are also other scripts that do various things. Realize that once
> you enable ldap...you'll have to add users with ldapadd or else it'll
> just be a local login (unless you use libnet-ldap-perl or another script)
>
> phpldapadmin is just a super easy web gui that will make managing users
> much easier, but it'll keep you from learning the hard stuff
>
> ldapvi is a sexy ldap administrator that uses a vi interface, though it
> is not for the timid. If you don't know vi or ldap, don't even blink at it.
>
> Read these and see if you come up with something...ask the group when
> you have questions, but please try to install it FIRST then ask
> questions. This email is so long I should have made a howto...maybe
> sometime later.
>
> http://www.linux.com/feature/40983
> http://www.securityfocus.com/infocus/1563
>
> Bryan
>
> Raihan Hasnain Rahman wrote:
> | I want to setup a Linux Server (preferably Ubuntu Server) for Windows
> | and Mac clients. The users should be able to login using their username
> | and password from any Windows or Mac workstations.
> |
> | I have implemented Open Directory (OS X server) before, and am familiar
> | with Active Directory. But I have almost no idea about Unix systems. I
> | know there's OpenLDAP, but I need an easier solution.
> |
> | Right now I need a tutorial or walkthrough which will guide me to setup
> | the whole system.
> |
> | Thanks in advance.
> |
>
> --
> A healthy diet includes Linux, Linux and more Linux.
>
>
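Two of the points Bryan makes above, that migrationtools are what get local account data into the directory and that wrong password hash schemes are a common reason logins fail, are illustrated by the following added example. It is not code from the thread, from migrationtools, or from OpenLDAP: it converts /etc/passwd-style lines (a constructed sample, not a real file) into LDIF posixAccount entries that ldapadd would accept, and builds and verifies OpenLDAP's {SSHA} userPassword form so the stored hash is one slapd can check. The suffix dc=example,dc=com, the ou=People container, and the 1000 cut-off for "system account" are assumptions.

```python
"""Added example (not from the thread or from migrationtools): emit LDIF
for posixAccount users from passwd-format lines and handle {SSHA} hashes."""
import base64
import hashlib
import os
from typing import Dict, Iterable, List, Optional

BASE_DN = "dc=example,dc=com"        # assumed directory suffix
PEOPLE_OU = "ou=People," + BASE_DN   # assumed container for user entries


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False  # a different scheme; refuse rather than guess
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; values that are not RFC 2849 SAFE-STRINGs
    (leading space/colon/'<', non-ASCII, CR/LF/NUL) are base64-encoded with '::'."""
    unsafe_lead = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) > 127 or c in "\r\n\0" for c in value)
    if value and not unsafe_lead and not unsafe_chars:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def parse_passwd_line(line: str) -> dict:
    """Split a 7-field passwd line into a dict; rejects malformed input."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    name, _pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def passwd_to_ldif(line: str, password_hash: Optional[str] = None,
                   min_uid: int = 1000) -> Optional[str]:
    """LDIF entry for one account, or None for system accounts (uid < min_uid),
    which stay in the local files. Assumes usernames need no RDN escaping."""
    acct = parse_passwd_line(line)
    if acct["uid"] < min_uid:
        return None
    cn = acct["gecos"].split(",")[0] or acct["name"]  # full name before the GECOS commas
    lines = [
        f"dn: uid={acct['name']},{PEOPLE_OU}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_attr("uid", acct["name"]),
        ldif_attr("cn", cn),
        ldif_attr("uidNumber", str(acct["uid"])),
        ldif_attr("gidNumber", str(acct["gid"])),
        ldif_attr("homeDirectory", acct["home"]),
        ldif_attr("loginShell", acct["shell"]),
    ]
    if acct["gecos"]:
        lines.append(ldif_attr("gecos", acct["gecos"]))
    if password_hash is not None:
        lines.append(ldif_attr("userPassword", password_hash))
    return "\n".join(lines) + "\n"


def migrate_passwd(lines: Iterable[str], hashes: Optional[Dict[str, str]] = None,
                   min_uid: int = 1000) -> List[str]:
    """Convert many passwd lines; blank lines and comments are skipped."""
    hashes = hashes or {}
    entries = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = passwd_to_ldif(line, hashes.get(line.split(":", 1)[0]), min_uid)
        if entry:
            entries.append(entry)
    return entries


SAMPLE_PASSWD = [  # constructed sample, not a real passwd file
    "root:x:0:0:root:/root:/bin/bash",
    "jdoe:x:1001:1001:John Doe,,,:/home/jdoe:/bin/bash",
    "asmith:x:1002:1002:Ann Smith:/home/asmith:/bin/zsh",
]

if __name__ == "__main__":
    hashes = {"jdoe": ssha_hash("changeme"), "asmith": ssha_hash("changeme2")}
    print("\n".join(migrate_passwd(SAMPLE_PASSWD, hashes)))
```

Feed the printed LDIF to ldapadd as the directory's admin DN and the entries land under ou=People; because userPassword already carries a scheme slapd understands, libpam-ldap logins and later password changes behave as expected, which is the failure mode the reply warns about when hashes are copied across in a scheme the server does not recognise.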
