SAC:Setup LDAP Authentication

= Setting up FC4 to use LDAP for login authentication =

Run:

sudo authconfig

Enabled LDAP on first screen like this:

│ User Information        Authentication                         │ │ [ ] Cache Information   [*] Use MD5 Passwords                  │ │ [ ] Use Hesiod          [*] Use Shadow Passwords               │ │ [*] Use LDAP            [*] Use LDAP Authentication            │ │ [ ] Use NIS             [ ] Use Kerberos                       │ │ [ ] Use Winbind         [ ] Use SMB Authentication             │ │                         [ ] Use Winbind Authentication         │ │                         [ ] Local authorization is sufficient  │

Enter LDAP Settings like this:

│         [x] Use TLS                              │ │ Server: ldap.osgeo.org__________________________ │ │ Base DN: ou=People,dc=osgeo,dc=org_______________ │

authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration. We are going to edit /etc/ldap.conf and change it to look like this:

BASE dc=osgeo, dc=org URI ldaps://ldap.osgeo.org pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org nss_base_passwd ou=People,dc=osgeo,dc=org nss_base_shadow ou=People,dc=osgeo,dc=org nss_base_group ou=Group,dc=osgeo,dc=org ldap_version 3 TLS_CHECKPEER yes TLS_REQCERT demand TLS_CACERTDIR /etc/openldap/cacerts pam_password md5

After editing /etc/ldap.conf, we need to link /etc/openldap/ldap.conf to use that one, instead of its own.

mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original ln -s /etc/ldap.conf /etc/openldap/ldap.conf

Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling:

scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu

Once there, mv it into the same location: sudo mv DigiCertCA.crt /etc/openldap/cacerts

= Setting up SVN server to use LDAP authentication =

= Setting up Bugzilla to use LDAP Authentication =

Details at http://www.bugzilla.org/docs/tip/html/extraconfig.html#bzldap

It seems that the LDAP entries require an email attribute that bugzilla can use for sending email, but generally speaking this seems like a well supported option for bugzilla. I do wonder if there is an option for users not in LDAP to create accounts in bugzilla for the purpose of submitting bugs. I think this is desirable or even necessary!

= sudo =

http://www.courtesan.com/sudo/readme_ldap.html

= Pointers to good LDAP information =


 * http://ldots.org/ldap - moderately helpful.