LDAP

From Buffalo Lab, Inc.


Hostname: ldap0.seneca.buffalolab.org
Version: 3
URI: ldap://ldap0.seneca.buffalolab.org/
Base: dc=buffalolab,dc=org
TLS: Yes (recommended)

TODO

  • Define posixGroups
  • Add in proper mechanisms to restrict login access (host-based, group-based, user-based)

Debian 5

Make sure NSS is working with Kerberos/LDAP (see Kerberos#NSS/LDAP) before configuring PAM.

 apt-get install pam-ldap

Answer the configuration prompts as follows:

  • LDAP server URI: as above
  • Search base: as above
  • LDAP version: as above
  • Make local root Database admin?: No
  • Does LDAP require a login?: No
  • Local crypt to use when changing passwords: crypt

pam_ldap does not support SASL/GSSAPI binds; it locates the user's DN with a search over a SIMPLE bind. This is a real pain, since nss_ldap supports GSSAPI just fine, so we end up with two solutions to the same problem.

I went with using an anonymous bind to find the DN. This may change in the future to use a proxy user. --Mlehner 02:19, 31 December 2009 (UTC)

/etc/pam_ldap.conf

 base dc=buffalolab,dc=org
 uri ldap://ldap0.seneca.buffalolab.org/
 ldap_version 3
 ssl start_tls
 tls_checkpeer no

/etc/pam.d/common-auth

 auth    sufficient    pam_ldap.so
 auth    required      pam_unix.so nullok_secure
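The pam_ldap.conf above turns on StartTLS but sets tls_checkpeer no, so the client never checks who it is talking to: the session is encrypted, but a host that can answer for ldap0 would be accepted as well. The script below is an added example, not part of this wiki or of pam_ldap itself. It parses a pam_ldap.conf and reports the transport-security settings a practitioner would want to review before rolling the file out: plaintext transport, tls_checkpeer no, a peer check with no trust anchor in the file, and a bindpw stored in the file. The sample input is the config from this page; the hardened variant and its tls_cacertfile path are assumptions (placeholder CA bundle path, not a real file on these hosts).

```python
"""Audit a pam_ldap.conf for settings that weaken transport security.

Added example for this page; not the wiki's or pam_ldap's own code.
"""
from urllib.parse import urlsplit

# Constructed sample: the pam_ldap.conf shown on this page.
SAMPLE_PAM_LDAP_CONF = """\
base dc=buffalolab,dc=org
uri ldap://ldap0.seneca.buffalolab.org/
ldap_version 3
ssl start_tls
tls_checkpeer no
"""

# Assumed hardened variant: peer verification on, with a CA bundle path
# that is a placeholder (the real path on these hosts is not on the page).
HARDENED_PAM_LDAP_CONF = """\
base dc=buffalolab,dc=org
uri ldap://ldap0.seneca.buffalolab.org/
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/buffalolab-ca.pem
"""


def parse_pam_ldap_conf(text):
    """Return {keyword: value} for a pam_ldap.conf body.

    The format is one 'keyword value' per line; '#' lines and blank lines are
    ignored, and a later occurrence of a keyword overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def audit_pam_ldap_conf(text):
    """Return a list of (code, message) findings; [] means nothing to report."""
    s = parse_pam_ldap_conf(text)
    findings = []

    # 'ssl start_tls' upgrades an ldap:// connection; 'ssl on' uses ldaps.
    # With 'ssl' absent or 'off', an ldap:// URI is plaintext on the wire.
    encrypted = s.get("ssl", "off").lower() in ("start_tls", "on", "yes")
    for uri in s.get("uri", "").split():
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldapi":
            continue  # local Unix socket, no network transport involved
        if scheme == "ldap" and not encrypted:
            findings.append(("plaintext",
                             f"{uri}: no 'ssl start_tls', so DN searches and "
                             "password binds cross the network unencrypted"))
    if "host" in s and "uri" not in s and not encrypted:
        findings.append(("plaintext",
                         f"host {s['host']}: no 'ssl' setting, connection is unencrypted"))

    checkpeer = s.get("tls_checkpeer")
    if checkpeer is None:
        findings.append(("peer-check-unset",
                         "tls_checkpeer not set; behaviour falls back to libldap's "
                         "TLS_REQCERT in ldap.conf, so verify that file as well"))
    elif checkpeer.lower() != "yes":
        findings.append(("no-peer-check",
                         "tls_checkpeer no: the server certificate is not verified, "
                         "so TLS resists eavesdropping but not a spoofed server"))
    elif not (s.get("tls_cacertfile") or s.get("tls_cacertdir")):
        findings.append(("no-trust-anchor",
                         "tls_checkpeer yes but no tls_cacertfile/tls_cacertdir here; "
                         "verification depends on libldap's TLS_CACERT setting"))

    if "bindpw" in s:
        findings.append(("bindpw-in-file",
                         "bindpw stored in this file; it must be root-readable only "
                         "(or moved to pam_ldap.secret) to avoid credential exposure"))
    return findings


if __name__ == "__main__":
    for name, conf in (("page config", SAMPLE_PAM_LDAP_CONF),
                       ("hardened config", HARDENED_PAM_LDAP_CONF)):
        print(f"== {name} ==")
        for code, message in audit_pam_ldap_conf(conf) or [("ok", "no findings")]:
            print(f"  [{code}] {message}")
```

Run against the page's config it reports only the missing peer verification; with tls_checkpeer yes and a CA bundle it reports nothing. The `ssl` absent case is treated as plaintext because pam_ldap only upgrades the connection when told to, and an explicit `tls_checkpeer no` is reported separately from an unset value since the latter inherits libldap's TLS_REQCERT.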

To test the setup, try logging in over SSH or at the console with an LDAP account.
