SAC:Setup LDAP Authentication

From OSGeo
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Setting up FC4 to use LDAP for login authentication

Run: 

 sudo authconfig

Enabled LDAP on first screen like this: 

     │  User Information        Authentication                         │ 
     │  [ ] Cache Information   [*] Use MD5 Passwords                  │ 
     │  [ ] Use Hesiod          [*] Use Shadow Passwords               │ 
     │  [*] Use LDAP            [*] Use LDAP Authentication            │ 
     │  [ ] Use NIS             [ ] Use Kerberos                       │ 
     │  [ ] Use Winbind         [ ] Use SMB Authentication             │ 
     │                          [ ] Use Winbind Authentication         │ 
     │                          [ ] Local authorization is sufficient  │

Enter LDAP Settings like this: 

     │          [x] Use TLS                              │ 
     │  Server: ldap.osgeo.org__________________________ │ 
     │ Base DN: ou=People,dc=osgeo,dc=org_______________ │

authconfig sets a number of PAM-related items for us, but it does a poor job of setting up the LDAP configuration. We are going to edit /etc/ldap.conf and change it to look like this: 

 BASE dc=osgeo, dc=org
 URI ldaps://ldap.osgeo.org
 pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org
 nss_base_passwd ou=People,dc=osgeo,dc=org
 nss_base_shadow ou=People,dc=osgeo,dc=org
 nss_base_group  ou=Group,dc=osgeo,dc=org
 ldap_version 3
 TLS_CHECKPEER yes
 TLS_REQCERT demand
 TLS_CACERTDIR /etc/openldap/cacerts
 pam_password md5

After editing /etc/ldap.conf, we need to link /etc/openldap/ldap.conf to use that one, instead of its own. 

 mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original
 ln -s /etc/ldap.conf /etc/openldap/ldap.conf

Next, you need to scp the DigiCertCA.crt from one of the existing blades to the machine you are enabling: 

 scp /etc/openldap/cacerts/DigiCertCA.crt hobu@mynewblade:/home/hobu

Once there, mv it into the same location: 

 sudo mv DigiCertCA.crt /etc/openldap/cacerts

Setting up SVN server to use LDAP authentication

Setting up Bugzilla to use LDAP Authentication

Details at http://www.bugzilla.org/docs/tip/html/extraconfig.html#bzldap

It seems that the LDAP entries require an email attribute that bugzilla can use for sending email, but generally speaking this seems like a well supported option for bugzilla. I do wonder if there is an option for users not in LDAP to create accounts in bugzilla for the purpose of submitting bugs. I think this is desirable or even necessary!

sudo

http://www.courtesan.com/sudo/readme_ldap.html

Pointers to good LDAP information

Retrieved from "http://wiki.osgeo.org/w/index.php?title=SAC:Setup_LDAP_Authentication&oldid=37138"