Setting up FC4 to use LDAP for login authentication

The key file is the /etc/ldap.conf file which should contain:

 host ldap.telascience.org
 base dc=telascience,dc=org
 
 # Group to enforce membership of
 pam_groupdn cn=Shell,ou=Groups,dc=telascience,dc=org

 ssl no
 tls_cacertdir /etc/openldap/cacerts
 pam_password md5

The key item here is pam_groupdn line so that only users in the group "Shell" can login, and the host for finding the ldap server. At some point the configuration may need to be updated to support SSL.

Also, to enable ldap authentication the pam configuration needs to be updated. On FC4 this is done by making the /etc/pam.d/system-auth file look like:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so 

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

The key item here is the inclusion of pam_ldap.so as an option.

Setting up SVN server to use LDAP authentication

Pointers to good LDAP information

• http://ldots.org/ldap - moderately helpful.