SAC:Setup LDAP Authentication

From OSGeo
Jump to navigation Jump to search

Setting up FC4 to use LDAP for login authentication


 sudo authconfig

Enabled LDAP on first screen like this:

     │  User Information        Authentication                         │ 
     │  [ ] Cache Information   [*] Use MD5 Passwords                  │ 
     │  [ ] Use Hesiod          [*] Use Shadow Passwords               │ 
     │  [*] Use LDAP            [*] Use LDAP Authentication            │ 
     │  [ ] Use NIS             [ ] Use Kerberos                       │ 
     │  [ ] Use Winbind         [ ] Use SMB Authentication             │ 
     │                          [ ] Use Winbind Authentication         │ 
     │                          [ ] Local authorization is sufficient  │ 

Enter LDAP Settings like this:

     │          [x] Use TLS                              │ 
     │  Server: ldap.osgeo.org__________________________ │ 
     │ Base DN: ou=People,dc=osgeo,dc=org_______________ │

authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration. We are going to edit /etc/ldap.conf and change it to look like this:

 BASE dc=osgeo, dc=org
 URI ldaps://
 pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org
 nss_base_passwd ou=People,dc=osgeo,dc=org
 nss_base_shadow ou=People,dc=osgeo,dc=org
 nss_base_group  ou=Group,dc=osgeo,dc=org
 ldap_version 3
 TLS_CACERTDIR /etc/openldap/cacerts
 pam_password md5

After editing /etc/ldap.conf, we need to link /etc/openldap/ldap.conf to use that one, instead of its own.

 mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original
 ln -s /etc/ldap.conf /etc/openldap/ldap.conf

Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling:

 scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu

Once there, mv it into the same location:

 sudo mv DigiCertCA.crt /etc/openldap/cacerts

Setting up SVN server to use LDAP authentication

Setting up Bugzilla to use LDAP Authentication

Details at

It seems that the LDAP entries require an email attribute that bugzilla can use for sending email, but generally speaking this seems like a well supported option for bugzilla. I do wonder if there is an option for users not in LDAP to create accounts in bugzilla for the purpose of submitting bugs. I think this is desirable or even necessary!


Pointers to good LDAP information