Difference between revisions of "SAC:Setup LDAP Authentication"
Revision as of 20:21, 24 June 2006
Setting up FC4 to use LDAP for login authentication
The key file is the /etc/ldap.conf file which should contain:
host ldap.telascience.org
base dc=telascience,dc=org

# Group to enforce membership of
pam_groupdn cn=Shell,ou=Groups,dc=telascience,dc=org
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
The key items here are the pam_groupdn line, which ensures that only users in the group "Shell" can log in, and the host line, which tells the client where to find the LDAP server. At some point the configuration may need to be updated to support SSL.
Also, to enable LDAP authentication the PAM configuration needs to be updated. On FC4 this is done by making the /etc/pam.d/system-auth file look like:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
The key item here is the inclusion of pam_ldap.so in each of the four stacks (auth, account, password and session), so that LDAP is tried alongside the local pam_unix.so entries.
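A small check script, added here and not part of the original wiki page, that verifies the two files above carry the directives this setup depends on: host, base and pam_groupdn in ldap.conf, and pam_ldap.so in all four PAM stacks. The function names and the sample files it writes to a temp directory are constructed for the example.

```shell
#!/bin/sh
# Added helper script (not from the original page): sanity checks for the
# /etc/ldap.conf and /etc/pam.d/system-auth settings described above.
# Paths are passed as arguments so copies of the files can be checked.

# Return 0 when FILE carries host, base and pam_groupdn, else 1.
# Also notes when "ssl no" is set, since LDAP binds then cross the network unencrypted.
check_ldap_conf() {
    f="$1"
    for key in host base pam_groupdn; do
        grep -Eq "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$f" || {
            echo "missing directive: $key" >&2
            return 1
        }
    done
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+no' "$f"; then
        echo "note: ssl is off, LDAP binds are unencrypted" >&2
    fi
    return 0
}

# Return 0 when pam_ldap.so appears in the auth, account, password and session stacks of FILE.
check_pam_ldap() {
    f="$1"
    for stack in auth account password session; do
        grep -Eq "^[[:space:]]*$stack[[:space:]].*pam_ldap\.so" "$f" || {
            echo "pam_ldap.so not in $stack stack" >&2
            return 1
        }
    done
    return 0
}

# Constructed sample files in a temp dir so the checks run offline.
tmp=$(mktemp -d)
cat > "$tmp/ldap.conf" <<'EOF'
host ldap.telascience.org
base dc=telascience,dc=org
pam_groupdn cn=Shell,ou=Groups,dc=telascience,dc=org
ssl no
EOF
cat > "$tmp/system-auth" <<'EOF'
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
session optional /lib/security/$ISA/pam_ldap.so
EOF
check_ldap_conf "$tmp/ldap.conf" && check_pam_ldap "$tmp/system-auth" && echo "config looks consistent"
```

Run it against the real files with `check_ldap_conf /etc/ldap.conf; check_pam_ldap /etc/pam.d/system-auth` after sourcing the functions.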