SAC:Setup LDAP Authentication

= Setting up FC4 to use LDAP for login authentication =

The key file is the /etc/ldap.conf file which should contain:

 host ldap.telascience.org
 base dc=telascience,dc=org
 # Group to enforce membership of
 pam_groupdn cn=Shell,ou=Groups,dc=telascience,dc=org
 
 ssl no
 tls_cacertdir /etc/openldap/cacerts
 pam_password md5

The key items here are the pam_groupdn line, which restricts login to users in the group "Shell", and the host line, which tells pam_ldap where to find the LDAP server. At some point the configuration may need to be updated to support SSL.
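As an added illustration (not part of the original page), the following Python snippet parses an ldap.conf in the format above and reports the settings that decide who can log in and whether the bind password crosses the network in the clear. The sample configuration is constructed to mirror the one on this page; the finding texts are this example's own wording.

```python
# Added example: review an nss_ldap/pam_ldap style /etc/ldap.conf.
# The sample below is constructed to match the configuration on this page.
from typing import Dict, List

SAMPLE_LDAP_CONF = """\
host ldap.telascience.org
base dc=telascience,dc=org
# Group to enforce membership of
pam_groupdn cn=Shell,ou=Groups,dc=telascience,dc=org
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """One 'key value' per line, '#' starts a comment; keys are
    case-insensitive in ldap.conf, so they are normalised to lower case."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # tabs or spaces separate key and value
        key = parts[0].lower()
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def review_ldap_conf(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to flag."""
    findings: List[str] = []
    if "host" not in settings and "uri" not in settings:
        findings.append("no host/uri: pam_ldap has no server to contact")
    if "base" not in settings:
        findings.append("no base DN: user and group searches will fail")
    if not settings.get("pam_groupdn"):
        findings.append("no pam_groupdn: every LDAP user can log in, not only the Shell group")
    ssl_mode = settings.get("ssl", "no").lower()
    if ssl_mode == "no":
        findings.append("ssl no: the simple bind sends each user's password in clear text")
    elif ssl_mode in ("yes", "start_tls") and not (
        "tls_cacertdir" in settings or "tls_cacertfile" in settings
    ):
        findings.append("TLS enabled without a CA path: the server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for finding in review_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("-", finding)
```

Run against the page's configuration it reports only the clear-text bind, which is exactly the SSL follow-up the section mentions; drop the pam_groupdn line and it reports the missing group restriction as well.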

Also, to enable ldap authentication the pam configuration needs to be updated. On FC4 this is done by making the /etc/pam.d/system-auth file look like:

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth       required      /lib/security/$ISA/pam_env.so
 auth       sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
 auth       sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
 auth       required      /lib/security/$ISA/pam_deny.so
 
 account    required      /lib/security/$ISA/pam_unix.so broken_shadow
 account    sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
 account    [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
 account    required      /lib/security/$ISA/pam_permit.so
 
 password   requisite     /lib/security/$ISA/pam_cracklib.so retry=3
 password   sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
 password   sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
 password   required      /lib/security/$ISA/pam_deny.so
 
 session    required      /lib/security/$ISA/pam_limits.so
 session    required      /lib/security/$ISA/pam_unix.so
 session    optional      /lib/security/$ISA/pam_ldap.so

The key item here is the inclusion of pam_ldap.so in each stack: in auth it is tried after pam_unix.so with use_first_pass so the user is not prompted twice, and in account the [default=bad success=ok user_unknown=ignore] control lets local-only users that LDAP has never heard of pass through while LDAP users still get the group check.
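Because a single misplaced or mistyped line in system-auth can silently lock everyone out or let every LDAP user in, the following added Python check (again not from the original page) parses a PAM stack in the four-column format above and verifies the ordering and flags the section relies on. The sample file is constructed from the configuration shown here; the checks encode this page's intended behaviour, not any PAM-supplied validator.

```python
# Added example: sanity-check a PAM system-auth file for the LDAP setup
# described on this page. The sample below is constructed from that file.
from typing import List, NamedTuple


class PamRule(NamedTuple):
    mtype: str        # auth / account / password / session
    control: str      # required, sufficient, or a [bracketed] control field
    module: str       # module basename, e.g. pam_ldap.so
    args: List[str]   # module arguments, e.g. ["use_first_pass"]


SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth       required      /lib/security/$ISA/pam_env.so
auth       sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth       sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth       required      /lib/security/$ISA/pam_deny.so

account    required      /lib/security/$ISA/pam_unix.so broken_shadow
account    sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account    [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account    required      /lib/security/$ISA/pam_permit.so

password   requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password   sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password   required      /lib/security/$ISA/pam_deny.so

session    required      /lib/security/$ISA/pam_limits.so
session    required      /lib/security/$ISA/pam_unix.so
session    optional      /lib/security/$ISA/pam_ldap.so
"""


def parse_pam(text: str) -> List[PamRule]:
    """Parse 'type control module [args...]' lines; bracketed control fields
    such as [default=bad success=ok user_unknown=ignore] contain spaces, so
    they are cut out before splitting the rest of the line."""
    rules: List[PamRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)
        if len(head) < 2:
            continue
        mtype, rest = head
        if rest.startswith("["):
            end = rest.index("]")
            control, remainder = rest[: end + 1], rest[end + 1:].split()
        else:
            control, remainder = rest.split(None, 1)[0], rest.split()[1:]
        module = remainder[0].rsplit("/", 1)[-1]   # strip /lib/security/$ISA/
        rules.append(PamRule(mtype, control, module, remainder[1:]))
    return rules


def review_pam_stack(rules: List[PamRule]) -> List[str]:
    """Return findings for the LDAP-related properties this page depends on."""
    findings: List[str] = []
    auth = [r for r in rules if r.mtype == "auth"]
    if not auth or auth[-1].module != "pam_deny.so" or auth[-1].control != "required":
        findings.append("auth stack does not end with 'required pam_deny.so'")
    ldap_auth = [r for r in auth if r.module == "pam_ldap.so"]
    if not ldap_auth:
        findings.append("no pam_ldap.so in auth: LDAP users cannot log in")
    else:
        before = auth[: auth.index(ldap_auth[0])]
        if not any(r.module == "pam_unix.so" for r in before):
            findings.append("pam_ldap.so listed before pam_unix.so: local passwords are sent to LDAP first")
        if "use_first_pass" not in ldap_auth[0].args:
            findings.append("auth pam_ldap.so lacks use_first_pass: users are prompted for the password twice")
    ldap_acct = [r for r in rules if r.mtype == "account" and r.module == "pam_ldap.so"]
    if not ldap_acct:
        findings.append("no pam_ldap.so in account: LDAP account restrictions such as pam_groupdn are not applied")
    elif "user_unknown=ignore" not in ldap_acct[0].control:
        findings.append("account pam_ldap.so control lacks user_unknown=ignore: local users unknown to LDAP are rejected")
    return findings


if __name__ == "__main__":
    for finding in review_pam_stack(parse_pam(SAMPLE_SYSTEM_AUTH)):
        print("-", finding)
```

On the page's file the review returns no findings; removing use_first_pass from the auth line, or replacing the bracketed account control with a plain required, each produces the corresponding finding, which is the sort of regression to watch for after authconfig regenerates the file.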

= Setting up SVN server to use LDAP authentication =

= Setting up Bugzilla to use LDAP Authentication =

Details at:

http://www.bugzilla.org/docs/tip/html/extraconfig.html#bzldap

It seems that the LDAP entries require an email attribute that Bugzilla can use for sending email, but generally speaking this seems like a well-supported option for Bugzilla. I do wonder if there is an option for users not in LDAP to create accounts in Bugzilla for the purpose of submitting bugs. I think this is desirable or even necessary!

= Pointers to good LDAP information =

 * http://ldots.org/ldap - moderately helpful.