Difference between revisions of "SAC:Setup LDAP Authentication"

From OSGeo
(added notes on bugzilla.)
Line 1: Line 1:
 
= Setting up FC4 to use LDAP for login authentication =
 
= Setting up FC4 to use LDAP for login authentication =
  
The key file is the /etc/ldap.conf file which should contain:
+
Run:
  
   host ldap.telascience.org
+
   sudo authconfig
  base dc=telascience,dc=org
 
 
 
  # Group to enforce membership of
 
  pam_groupdn cn=Shell,ou=Groups,dc=telascience,dc=org
 
  
  ssl no
+
Enabled LDAP on first screen like this:
  tls_cacertdir /etc/openldap/cacerts
 
  pam_password md5
 
  
The key item here is pam_groupdn line so that only users in the group "Shell" can login, and the host for finding the ldap server. At some point the configuration may need to be updated to support SSL.
+
      │  User Information        Authentication                        │
 +
      │  [ ] Cache Information  [*] Use MD5 Passwords                  │
 +
      │  [ ] Use Hesiod          [*] Use Shadow Passwords              │
 +
      │  [*] Use LDAP            [*] Use LDAP Authentication            │
 +
      │  [ ] Use NIS            [ ] Use Kerberos                      │
 +
      │  [ ] Use Winbind        [ ] Use SMB Authentication            │
 +
      │                          [ ] Use Winbind Authentication        │
 +
      │                          [ ] Local authorization is sufficient
  
Also, to enable ldap authentication the pam configuration needs to be updated.  On FC4 this is done by making the /etc/pam.d/system-auth file look like:
+
Enter LDAP Settings like this:
  
#%PAM-1.0
+
      │          [ ] Use TLS                              │
# This file is auto-generated.
+
      │ Server: ldap.telascience.org____________________ │
# User changes will be destroyed the next time authconfig is run.
+
      │ Base DN: dc=telascience,dc=org___________________ │
auth        required      /lib/security/$ISA/pam_env.so
 
  auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
 
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
 
auth        required      /lib/security/$ISA/pam_deny.so
 
 
 
account    required      /lib/security/$ISA/pam_unix.so broken_shadow
 
account    sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
 
account    [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
 
account    required      /lib/security/$ISA/pam_permit.so
 
 
 
password    requisite    /lib/security/$ISA/pam_cracklib.so retry=3
 
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
 
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
 
password    required      /lib/security/$ISA/pam_deny.so
 
 
 
session    required      /lib/security/$ISA/pam_limits.so
 
session    required      /lib/security/$ISA/pam_unix.so
 
session    optional      /lib/security/$ISA/pam_ldap.so
 
 
 
The key item here is the inclusion of pam_ldap.so as an option.
 
  
 +
         
 
= Setting up SVN server to use LDAP authentication =  
 
= Setting up SVN server to use LDAP authentication =  
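Review bot: the rewritten section drops the "pam_groupdn cn=Shell,ou=Groups,dc=telascience,dc=org" line and the sentence explaining that only members of the "Shell" group can log in, and the authconfig screens that replace it show no group-restriction field, so the text should say how that restriction is now enforced; as written, every account in the directory would get a login. The same goes for transport security: the old text at least noted that the configuration may need updating to support SSL, while the new screens leave "[ ] Use TLS" unchecked with nothing said about it, so bind passwords cross the network in cleartext. Suggest keeping both caveats, and noting what the old system-auth comment already says, that hand edits to the PAM files are destroyed the next time authconfig is run.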
  

Revision as of 19:22, 18 July 2006

Setting up FC4 to use LDAP for login authentication

Run:

 sudo authconfig

Enable LDAP on the first screen like this:

     │  User Information        Authentication                         │ 
     │  [ ] Cache Information   [*] Use MD5 Passwords                  │ 
     │  [ ] Use Hesiod          [*] Use Shadow Passwords               │ 
     │  [*] Use LDAP            [*] Use LDAP Authentication            │ 
     │  [ ] Use NIS             [ ] Use Kerberos                       │ 
     │  [ ] Use Winbind         [ ] Use SMB Authentication             │ 
     │                          [ ] Use Winbind Authentication         │ 
     │                          [ ] Local authorization is sufficient  │ 

Enter LDAP Settings like this:

     │          [ ] Use TLS                              │ 
     │  Server: ldap.telascience.org____________________ │ 
     │ Base DN: dc=telascience,dc=org___________________ │ 
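Added example, not from the OSGeo wiki page: a POSIX shell check of the ldap.conf that authconfig writes from the screens above, confirming the host and base DN and flagging the two settings the earlier revision of this page relied on, a pam_groupdn group restriction and ssl/TLS. The file path and the sample configuration are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the OSGeo wiki page): audit an ldap.conf written by
# authconfig. File paths and the sample content below are constructed.

# check_ldap_conf FILE  -> prints one WARN line per problem, returns 0 if clean
check_ldap_conf() {
    f="$1"
    warnings=0
    # Drop comments and blank lines once, then pick the keys out of the rest.
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f")
    host=$(printf '%s\n' "$conf"    | awk '$1=="host"        {print $2; exit}')
    base=$(printf '%s\n' "$conf"    | awk '$1=="base"        {print $2; exit}')
    groupdn=$(printf '%s\n' "$conf" | awk '$1=="pam_groupdn" {print $2; exit}')
    ssl=$(printf '%s\n' "$conf"     | awk '$1=="ssl"         {print $2; exit}')

    [ -n "$host" ] || { echo "WARN: no 'host' line; pam_ldap cannot find the server"; warnings=1; }
    [ -n "$base" ] || { echo "WARN: no 'base' line; user lookups have no search base"; warnings=1; }
    # Without pam_groupdn every account in the directory gets a shell login.
    [ -n "$groupdn" ] || { echo "WARN: no pam_groupdn; any LDAP user may log in"; warnings=1; }
    # 'ssl no' (the unchecked 'Use TLS' box) sends the bind password in cleartext.
    case "$ssl" in
        yes|start_tls) ;;
        *) echo "WARN: ssl is '${ssl:-unset}'; bind credentials cross the network in cleartext"
           warnings=1 ;;
    esac
    return "$warnings"
}

# Constructed sample matching the settings entered in the authconfig screens.
sample=$(mktemp)
cat > "$sample" <<'EOF'
host ldap.telascience.org
base dc=telascience,dc=org
ssl no
EOF
check_ldap_conf "$sample" || echo "ldap.conf needs attention"
rm -f "$sample"
```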


Setting up SVN server to use LDAP authentication

Setting up Bugzilla to use LDAP Authentication

Details at:

 http://www.bugzilla.org/docs/tip/html/extraconfig.html#bzldap

It seems that the LDAP entries require an email attribute that Bugzilla can use for sending email, but generally speaking this seems like a well-supported option for Bugzilla. I do wonder if there is an option for users not in LDAP to create accounts in Bugzilla for the purpose of submitting bugs. I think this is desirable or even necessary!


Pointers to good LDAP information