Difference between revisions of "SAC:Setup LDAP Authentication"

From OSGeo
= Setting up FC4 to use LDAP for login authentication =
Instructions for setting up LDAP login on [[OSL]] hosted VMs. This should be done as part of the [[SAC:Standard System Setup]] process.  
 
 
Run:

  sudo authconfig

Enable LDAP on the first screen like this:

      │  User Information        Authentication                        │
      │  [ ] Cache Information  [*] Use MD5 Passwords                  │
      │  [ ] Use Hesiod          [*] Use Shadow Passwords              │
      │ [*] Use LDAP            [*] Use LDAP Authentication            │
      │  [ ] Use NIS            [ ] Use Kerberos                      │
      │  [ ] Use Winbind        [ ] Use SMB Authentication            │
      │                          [ ] Use Winbind Authentication        │
      │                          [ ] Local authorization is sufficient  │

Enter the LDAP settings like this:

      │          [x] Use TLS                              │
      │  Server: ldap.osgeo.org__________________________ │
      │ Base DN: ou=People,dc=osgeo,dc=org_______________ │

authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration. We are going to edit /etc/ldap.conf and change it to look like this:

  BASE dc=osgeo, dc=org
  URI ldaps://ldap.osgeo.org
  pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org
  nss_base_passwd ou=People,dc=osgeo,dc=org
  nss_base_shadow ou=People,dc=osgeo,dc=org
  nss_base_group  ou=Group,dc=osgeo,dc=org
  ldap_version 3
  TLS_CHECKPEER yes
  TLS_REQCERT demand
  TLS_CACERTDIR /etc/openldap/cacerts
  pam_password md5

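The file above is doing four security jobs at once: forcing an encrypted transport (ldaps://), making both nss_ldap (TLS_CHECKPEER) and libldap (TLS_REQCERT) refuse an unverified server certificate, naming the trust anchor (TLS_CACERTDIR), and restricting PAM logins to one group (pam_groupdn). The following linter is an added example, not part of the OSGeo wiki page or of any OSGeo tooling; it parses a ldap.conf-style file and reports which of those four jobs is missing. The hardened sample mirrors the page's file, and the weak sample is constructed to show what a careless edit looks like.

```python
"""Lint an nss_ldap / OpenLDAP client file in the /etc/ldap.conf format for
the settings that keep LDAP logins safe: encrypted transport, server
certificate verification, a trust anchor, and a login-restricting group.

Added example, not part of the OSGeo wiki page. The keywords checked are the
real nss_ldap/libldap ones; the two sample configurations are constructed.
"""


def parse_ldap_conf(text):
    """Return {keyword: value} for ldap.conf-style text.

    Keywords are case-insensitive in both nss_ldap and libldap, so they are
    lower-cased here; '#' comments and blank lines are skipped, and a repeated
    keyword keeps its last value, as the real parsers do.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def lint_ldap_conf(text):
    """Return a list of finding strings; an empty list means the file passes."""
    s = parse_ldap_conf(text)
    findings = []

    # 1. Transport: every URI must be ldaps://, or StartTLS must be forced.
    uris = s.get("uri", "").split()
    if not uris:
        findings.append("no URI set")
    elif (not all(u.lower().startswith("ldaps://") for u in uris)
          and s.get("ssl", "").lower() != "start_tls"):
        findings.append("plain ldap:// URI without 'ssl start_tls': "
                        "simple binds would send passwords in clear text")

    # 2. Certificate verification on both code paths that talk to the server.
    if s.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': nss_ldap would accept any "
                        "certificate, so TLS gives no server authentication")
    # libldap defaults TLS_REQCERT to 'demand' when the keyword is absent.
    if s.get("tls_reqcert", "demand").lower() not in ("demand", "hard"):
        findings.append("tls_reqcert is '%s': libldap would not require a "
                        "valid server certificate" % s["tls_reqcert"])

    # 3. A trust anchor must exist for the verification above to succeed.
    if not (s.get("tls_cacertdir") or s.get("tls_cacertfile")):
        findings.append("no tls_cacertdir/tls_cacertfile: peer verification "
                        "has nothing to trust, so every connection would fail")

    # 4. Least privilege: only members of one group may log in through PAM.
    if not s.get("pam_groupdn"):
        findings.append("pam_groupdn not set: every LDAP account could log in")

    return findings


# Sample mirroring the page's /etc/ldap.conf (constructed copy for this example).
HARDENED_CONF = """\
BASE dc=osgeo, dc=org
URI ldaps://ldap.osgeo.org
pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org
nss_base_passwd ou=People,dc=osgeo,dc=org
nss_base_shadow ou=People,dc=osgeo,dc=org
nss_base_group  ou=Group,dc=osgeo,dc=org
ldap_version 3
TLS_CHECKPEER yes
TLS_REQCERT demand
TLS_CACERTDIR /etc/openldap/cacerts
pam_password md5
"""

# Constructed weak counterpart: clear-text transport, verification disabled,
# no trust anchor, no group restriction.
WEAK_CONF = """\
base dc=example,dc=org
uri ldap://ldap.example.org
tls_reqcert never
nss_base_passwd ou=People,dc=example,dc=org
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print("%s: %s" % (name, lint_ldap_conf(conf) or "OK"))
```

Two things the linter cannot see from the file alone: an OpenSSL-linked libldap looks certificates up in TLS_CACERTDIR by hashed file name, so the directory has to be processed with OpenSSL's c_rehash after a CA certificate is copied in, and a configuration that passes on paper still needs a real bind test against the server before the machine is put into service.
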
After editing /etc/ldap.conf, we need to make /etc/openldap/ldap.conf point at that file instead of its own copy:

  mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original
  ln -s /etc/ldap.conf /etc/openldap/ldap.conf

Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling:

  scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu

Once there, mv it into the same location:

  sudo mv DigiCertCA.crt /etc/openldap/cacerts

= Setting up SVN server to use LDAP authentication =

= Setting up Bugzilla to use LDAP Authentication =

Details at http://www.bugzilla.org/docs/tip/html/extraconfig.html#bzldap

It seems that the LDAP entries require an email attribute that Bugzilla can use for sending email, but generally speaking this seems like a well supported option for Bugzilla. I do wonder if there is an option for users not in LDAP to create accounts in Bugzilla for the purpose of submitting bugs. I think this is desirable or even necessary!

= sudo =

http://www.courtesan.com/sudo/readme_ldap.html

= Pointers to good LDAP information =

* http://ldots.org/ldap - moderately helpful.

[[Category:Infrastructure]]

Latest revision as of 22:19, 27 September 2011