Difference between revisions of "SAC:Setup LDAP Authentication"
| Line 18: | Line 18: | ||
Enter LDAP Settings like this: | Enter LDAP Settings like this: | ||
| − | │ [ ] Use TLS │ | + | │ [x] Use TLS │ |
| − | │ Server: ldap. | + | │ Server: ldap.osgeo.org__________________________ │ |
| − | │ Base DN: dc= | + | │ Base DN: ou=People,dc=osgeo,dc=org_______________ │ |
| − | + | authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration. We are going to edit /etc/ldap.conf and change it to look like this: | |
| − | pam_groupdn cn=Shell,ou= | + | BASE dc=osgeo, dc=org |
| + | URI ldaps://ldap.osgeo.org | ||
| + | pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org | ||
| + | nss_base_passwd ou=People,dc=osgeo,dc=org | ||
| + | nss_base_shadow ou=People,dc=osgeo,dc=org | ||
| + | nss_base_group ou=Group,dc=osgeo,dc=org | ||
| + | ldap_version 3 | ||
| + | TLS_CHECKPEER yes | ||
| + | TLS_REQCERT demand | ||
| + | TLS_CACERTDIR /etc/openldap/cacerts | ||
| + | pam_password md5 | ||
| − | + | After editing /etc/ldap.conf, we need to link /etc/openldap/ldap.conf to use that one, instead of its own. | |
| + | |||
| + | mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original | ||
| + | ln -s /etc/ldap.conf /etc/openldap/ldap.conf | ||
| + | |||
| + | Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling: | ||
| + | |||
| + | scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu | ||
| + | |||
| + | Once there, mv it into the same location: | ||
| + | |||
| + | sudo mv DigiCertCA.crt /etc/openldap/cacerts | ||
= Setting up SVN server to use LDAP authentication = | = Setting up SVN server to use LDAP authentication = | ||
Revision as of 08:15, 30 March 2009
Setting up FC4 to use LDAP for login authentication
Run:
sudo authconfig
Enabled LDAP on first screen like this:
│ User Information Authentication │
│ [ ] Cache Information [*] Use MD5 Passwords │
│ [ ] Use Hesiod [*] Use Shadow Passwords │
│ [*] Use LDAP [*] Use LDAP Authentication │
│ [ ] Use NIS [ ] Use Kerberos │
│ [ ] Use Winbind [ ] Use SMB Authentication │
│ [ ] Use Winbind Authentication │
│ [ ] Local authorization is sufficient │
Enter LDAP Settings like this:
│ [x] Use TLS │
│ Server: ldap.osgeo.org__________________________ │
│ Base DN: ou=People,dc=osgeo,dc=org_______________ │
authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration. We are going to edit /etc/ldap.conf and change it to look like this:
BASE dc=osgeo, dc=org URI ldaps://ldap.osgeo.org pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org nss_base_passwd ou=People,dc=osgeo,dc=org nss_base_shadow ou=People,dc=osgeo,dc=org nss_base_group ou=Group,dc=osgeo,dc=org ldap_version 3 TLS_CHECKPEER yes TLS_REQCERT demand TLS_CACERTDIR /etc/openldap/cacerts pam_password md5
After editing /etc/ldap.conf, we need to link /etc/openldap/ldap.conf to use that one, instead of its own.
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original ln -s /etc/ldap.conf /etc/openldap/ldap.conf
Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling:
scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu
Once there, mv it into the same location:
sudo mv DigiCertCA.crt /etc/openldap/cacerts
Setting up SVN server to use LDAP authentication
Setting up Bugzilla to use LDAP Authentication
Details at http://www.bugzilla.org/docs/tip/html/extraconfig.html#bzldap
It seems that the LDAP entries require an email attribute that bugzilla can use for sending email, but generally speaking this seems like a well supported option for bugzilla. I do wonder if there is an option for users not in LDAP to create accounts in bugzilla for the purpose of submitting bugs. I think this is desirable or even necessary!
sudo
http://www.courtesan.com/sudo/readme_ldap.html
Pointers to good LDAP information
- http://ldots.org/ldap - moderately helpful.