|
Linux HowTo's -
Advance Linux HowTo's
|
|
Written by Allen Sanabria
|
|
Sunday, 10 February 2008 18:50 |
|
In this tutorial we will show you how to authenticate to a already configured ldap server
- This file "/etc/ldap.conf" is the 1st file that has to be modified as this is the file that tells the system which ldap server to authenticate too.
host yourdomain.com
base dc=yourdomain,dc=com
uri ldap://yourdomain.com/
ldap_version 3
rootbinddn cn=Manager,dc=yourdomain,dc=com
scope sub
timelimit 5
bind_timelimit 5
nss_reconnect_tries 2
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
pam_password exop
nss_base_passwd ou=People,dc=yourdomain,dc=com
nss_base_shadow ou=People,dc=yourdomain,dc=com
- Now we have to add the passwd in this file "/etc/ldap.secret" so that we can authenticate to the ldap server
password
- Now we have to modify this file "/etc/nsswitch.conf"
passwd: files ldap
group: files ldap
hosts: dns ldap
services: ldap [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: files
bootparams: files
publickey: files
automount: files
sendmailvars: files
netgroup: ldap [NOTFOUND=return] files
- Now it is time to modify the files in /etc/pam.d/ directory.
First file to be modified is "/etc/pam.d/login"
| auth |
sufficient |
pam_ldap.so |
| account |
sufficient |
pam_ldap.so |
| password |
sufficient |
pam_ldap.so |
| session |
sufficient |
pam_ldap.so |
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
auth required pam_tally.so onerr=succeed file=/var/log/faillog
account required pam_access.so
account required pam_time.so
account required pam_unix.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/spool/mail standard
session sufficient pam_ldap.so
session optional pam_lastlog.so
- Now we modify "/etc/pam.d/shadow"
| auth |
sufficient |
pam_ldap.so |
| account |
sufficient |
pam_ldap.so |
| password |
sufficient |
pam_ldap.so |
| session |
sufficient |
pam_ldap.so |
auth sufficient pam_rootok.so
auth required pam_unix.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_ldap.so
session required pam_unix.so
session sufficient pam_ldap.so
password sufficient pam_ldap.so
password required pam_permit.so
- Now we modify "/etc/pam.d/passwd"
| password |
sufficient |
pam_ldap.so |
password sufficient pam_ldap.so
password required pam_unix.so shadow nullok
- Now we modify "/etc/pam.d/su"
| auth |
sufficient |
pam_ldap.so |
| account |
sufficient |
pam_ldap.so |
| session |
sufficient |
pam_ldap.so |
auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
- Now we modify "/etc/pam.d/sudo"
| auth |
sufficient |
pam_ldap.so |
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
auth required pam_nologin.so
- In this file "/etc/pam.d/sshd" you have to add 3 entries, one for auth, one for account, and one for session.
| auth |
sufficient |
pam_ldap.so |
| account |
sufficient |
pam_ldap.so |
| password |
required |
pam_ldap.so |
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
account required pam_time.so
password required pam_ldap.so
password required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix_session.so
session sufficient pam_ldap.so
session required pam_limits.so
|
|
Last Updated ( Wednesday, 14 May 2008 11:53 )
|
