Difference between revisions of "SAC:Setup LDAP Authentication"

From OSGeo
Jump to: navigation, search
(add notes on how to edit the ldap shell access group.)
(Replaced content with "Instructions for setting up LDAP login on OSL hosted VMs. This should be done as part of the SAC:Standard System Setup process. Category:Infrastructure")
Line 1: Line 1:
= Setting up FC4 to use LDAP for login authentication =
+
Instructions for setting up LDAP login on [[OSL]] hosted VMs.  This should be done as part of the [[SAC:Standard System Setup]] process.
  
Run:
 
  
  sudo authconfig
 
 
Enabled LDAP on first screen like this:
 
 
      │  User Information        Authentication                        │
 
      │  [ ] Cache Information  [*] Use MD5 Passwords                  │
 
      │  [ ] Use Hesiod          [*] Use Shadow Passwords              │
 
      │  [*] Use LDAP            [*] Use LDAP Authentication            │
 
      │  [ ] Use NIS            [ ] Use Kerberos                      │
 
      │  [ ] Use Winbind        [ ] Use SMB Authentication            │
 
      │                          [ ] Use Winbind Authentication        │
 
      │                          [ ] Local authorization is sufficient  │
 
 
Enter LDAP Settings like this:
 
 
      │          [x] Use TLS                              │
 
      │  Server: ldap.osgeo.org__________________________ │
 
      │ Base DN: ou=People,dc=osgeo,dc=org_______________ │
 
 
authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration.  We are going to edit /etc/ldap.conf and change it to look like this:
 
 
  BASE dc=osgeo, dc=org
 
  URI ldaps://ldap.osgeo.org
 
  pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org
 
  nss_base_passwd ou=People,dc=osgeo,dc=org
 
  nss_base_shadow ou=People,dc=osgeo,dc=org
 
  nss_base_group  ou=Group,dc=osgeo,dc=org
 
  ldap_version 3
 
  TLS_CHECKPEER yes
 
  TLS_REQCERT demand
 
  TLS_CACERTDIR /etc/openldap/cacerts
 
  pam_password md5
 
 
After editing /etc/ldap.conf, we need to link /etc/openldap/ldap.conf to use that one, instead of its own. 
 
 
  mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original
 
  ln -s /etc/ldap.conf /etc/openldap/ldap.conf
 
 
Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling:
 
 
  scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu
 
 
Once there, mv it into the same location:
 
 
 
  sudo mv DigiCertCA.crt /etc/openldap/cacerts
 
 
Once this is setup people can be added to the OSGeo LDAP Shell group by adding them at the following url for those already in the group:
 
 
  https://www.osgeo.org/cgi-bin/auth/ldap_shell.py
 
 
Sudo access must be added locally per server.
 
 
= Setting up SVN server to use LDAP authentication =
 
 
= Setting up Bugzilla to use LDAP Authentication =
 
 
Details at http://www.bugzilla.org/docs/tip/html/extraconfig.html#bzldap
 
 
It seems that the LDAP entries require an email attribute that bugzilla can use for sending email, but generally speaking this seems like a well supported option for bugzilla.  I do wonder if there is an option for users not in LDAP to create accounts in bugzilla for the purpose of submitting bugs.  I think this is desirable or even necessary!
 
 
= sudo =
 
 
http://www.courtesan.com/sudo/readme_ldap.html
 
 
= Pointers to good LDAP information =
 
 
* http://ldots.org/ldap - moderately helpful.
 
  
 
[[Category:Infrastructure]]
 
[[Category:Infrastructure]]

Revision as of 20:32, 27 September 2011

Instructions for setting up LDAP login on OSL hosted VMs. This should be done as part of the SAC:Standard System Setup process.