Difference between revisions of "SAC:Setup LDAP Authentication"

From OSGeo
Jump to: navigation, search
m (Pointers to good LDAP information)
(Setting up FC4 to use LDAP for login authentication)
Line 18: Line 18:
 
Enter LDAP Settings like this:
 
Enter LDAP Settings like this:
  
       │          [ ] Use TLS                              │  
+
       │          [x] Use TLS                              │  
       │  Server: ldap.telascience.org____________________ │  
+
       │  Server: ldap.osgeo.org__________________________ │  
       │ Base DN: dc=telascience,dc=org___________________
+
       │ Base DN: ou=People,dc=osgeo,dc=org_______________
  
Edit /etc/ldap.conf and change pam_groupdn line to read:
+
authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration.  We are going to edit /etc/ldap.conf and change it to look like this:
  
   pam_groupdn cn=Shell,ou=Groups,dc=telascience,dc=org
+
  BASE dc=osgeo, dc=org
 +
  URI ldaps://ldap.osgeo.org
 +
   pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org
 +
  nss_base_passwd ou=People,dc=osgeo,dc=org
 +
  nss_base_shadow ou=People,dc=osgeo,dc=org
 +
  nss_base_group  ou=Group,dc=osgeo,dc=org
 +
  ldap_version 3
 +
  TLS_CHECKPEER yes
 +
  TLS_REQCERT demand
 +
  TLS_CACERTDIR /etc/openldap/cacerts
 +
  pam_password md5
  
(or possibly cn=Admin for medium security systems)
+
After editing /etc/ldap.conf, we need to link /etc/openldap/ldap.conf to use that one, instead of its own. 
 +
 
 +
  mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original
 +
  ln -s /etc/ldap.conf /etc/openldap/ldap.conf
 +
 
 +
Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling:
 +
 
 +
  scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu
 +
 
 +
Once there, mv it into the same location:
 +
 
 +
  sudo mv DigiCertCA.crt /etc/openldap/cacerts
  
 
= Setting up SVN server to use LDAP authentication =  
 
= Setting up SVN server to use LDAP authentication =  

Revision as of 08:15, 30 March 2009

Setting up FC4 to use LDAP for login authentication

Run:

 sudo authconfig

Enabled LDAP on first screen like this:

     │  User Information        Authentication                         │ 
     │  [ ] Cache Information   [*] Use MD5 Passwords                  │ 
     │  [ ] Use Hesiod          [*] Use Shadow Passwords               │ 
     │  [*] Use LDAP            [*] Use LDAP Authentication            │ 
     │  [ ] Use NIS             [ ] Use Kerberos                       │ 
     │  [ ] Use Winbind         [ ] Use SMB Authentication             │ 
     │                          [ ] Use Winbind Authentication         │ 
     │                          [ ] Local authorization is sufficient  │ 

Enter LDAP Settings like this:

     │          [x] Use TLS                              │ 
     │  Server: ldap.osgeo.org__________________________ │ 
     │ Base DN: ou=People,dc=osgeo,dc=org_______________ │

authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration. We are going to edit /etc/ldap.conf and change it to look like this:

 BASE dc=osgeo, dc=org
 URI ldaps://ldap.osgeo.org
 pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org
 nss_base_passwd ou=People,dc=osgeo,dc=org
 nss_base_shadow ou=People,dc=osgeo,dc=org
 nss_base_group  ou=Group,dc=osgeo,dc=org
 ldap_version 3
 TLS_CHECKPEER yes
 TLS_REQCERT demand
 TLS_CACERTDIR /etc/openldap/cacerts
 pam_password md5

After editing /etc/ldap.conf, we need to link /etc/openldap/ldap.conf to use that one, instead of its own.

 mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original
 ln -s /etc/ldap.conf /etc/openldap/ldap.conf

Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling:

 scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu

Once there, mv it into the same location:

 sudo mv DigiCertCA.crt /etc/openldap/cacerts

Setting up SVN server to use LDAP authentication

Setting up Bugzilla to use LDAP Authentication

Details at http://www.bugzilla.org/docs/tip/html/extraconfig.html#bzldap

It seems that the LDAP entries require an email attribute that bugzilla can use for sending email, but generally speaking this seems like a well supported option for bugzilla. I do wonder if there is an option for users not in LDAP to create accounts in bugzilla for the purpose of submitting bugs. I think this is desirable or even necessary!

sudo

http://www.courtesan.com/sudo/readme_ldap.html

Pointers to good LDAP information