LDAP Authentication in Linux
hausmasta writes "HowtoForge has published a walkthrough to show you how to store your users in LDAP and authenticate some of the services against it. It will not show how to install particular packages, as it is distribution/system dependent, instead it will focus on pure configuration of all components needed to have LDAP authentication/storage of users. The howto assumes that you are migrating from a regular passwd/shadow authentication, but it is also suitable for people who do it from scratch."
Re:Why would one want to do this? (Score:3, Informative)
Put together pam_ldap and pam_krb5 and you can do a lot of nifty stuff. You probably wouldn't care about hardly any of it for a standalone computer, but for a true multiuser system in a multisystem environment... almost anything else is scandalously silly.
Re:Why would one want to do this? (Score:5, Informative)
With some decent admin tools you can even share your users between variants of Unix and Windows environments.
There are some advantages of LDAP over NIS which are worth mentioning. LDAP can be made more secure than NIS (NIS+ is better in this respect, but oh so much more of a pain to administer) through the use of SSL or better authentication methods. LDAP will usually scale better for many thousands of users than plain NIS. NIS is limited as to what data may be stored for a user, which is ok if all you want your user database for is authentication and basic authorization, but LDAP is much more flexible if you need to store other user information and would rather have a single user store.
There are some sites that even use Unix LDAP clients to authenticate to an Active Directory service running on Windows platforms. This can be done much more transparently with LDAP than many other authentication methods.
http://www.nordicedge.se/ [nordicedge.se]
NordicEdge AB
Other options (Score:3, Informative)
For administration, check out JXplorer. It makes it easy to add/delete/modify users.
Our wiki Linux LDAP Howto (Score:3, Informative)
I hope you find it useful.
Re:Why would one want to do this? (Score:3, Informative)
You can also keep NIS around just for those maps.
Re:Why would one want to do this? (Score:4, Informative)
A quick google and here is a link you might like to look at:
http://www.linuxjournal.com/article/6266 [linuxjournal.com]
There are many other sources of information on this out there.
Anthony Whitehead
NordicEdge AB
Re:I always wondered... (Score:5, Informative)
OpenDirectory by Apple is also an LDAPv3 implementation, albeit more pure than MS's implementation. You can combine both AD and OD on Mac to get unified Windows-compatible login capabilities in the network that also get the benefits of using OD (force preferences and security settings on users/computers) without schema changes on either side.
RedHat also relies on LDAP for network-wide authentication in their products as does IBM and recently even Novell and lots of companies use it for different purposes in one or another way.
Re:I always wondered... (Score:4, Informative)
Novell's been using it longer than pretty much anyone. Check out NDS [wikipedia.org] for more info. Microsoft was more or less copying Novell, not any of the UNIX vendors (who were mostly still using NIS and friends when active directory came out).
As was already mentioned..... (Score:2, Informative)
Just use Novell Directory Services, or EDirectory as it is now named.
Nope it ain't free, nope it ain't open source. But it DOES rock the house!
Scales to over a billion objects. Easy administration and setup.
Runs on practically everything from Linux, Unix, Solaris, Windows, Copiers, Printers to Toasters and Web Servers.
Why yes I am a Novell Fan Boy. What's your fucking point!
Re:Reliability (Score:3, Informative)
I'd change it back, or if you're not using NIS, give just "passwd: files ldap" a shot, both files and compat are redundant at best. Whichever PAM file you have there is odd, auth should fail if a "required" module doesn't succeed. Here's mine:
Basically, make sure that pam_unix is before pam_ldap, that they are both "sufficient", and put a required pam_deny.so at the end, and your passwd should override any ldap. Also make sure to check both /etc/pam.d/* and /etc/pam.conf. pam.d should override pam.conf, but it doesn't hurt to check. The pam.d dir will probably have different files for different services, so make sure to check ssh if you're having a problem with that, login if it's with console logins, and so on. They might include other files, but whoever edited them might have changed stuff. HTH.
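The ordering the comment above recommends (pam_unix before pam_ldap, both "sufficient", a "required" pam_deny.so at the end) can be checked with a small model of Linux-PAM control flags. This is an added example, not from the original thread; the two pam.d auth stacks are constructed, and the evaluator is a simplified version of PAM's required/requisite/sufficient/optional rules.

```python
"""Tiny model of Linux-PAM control flags. It shows why a stack with
'required pam_ldap.so' locks out local /etc/passwd users as soon as the
LDAP server says no, while the recommended sufficient/sufficient/deny
ordering lets either backend authenticate and denies everyone else.
Added example; not code from the thread above."""

# Constructed sample 'auth' sections of an /etc/pam.d/<service> file.
BROKEN_STACK = """\
auth required pam_unix.so
auth required pam_ldap.so
"""

RECOMMENDED_STACK = """\
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""


def parse_auth_stack(text):
    """Return [(control, module), ...] for the 'auth' lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0] != "auth":
            continue
        stack.append((fields[1].lower(), fields[2]))
    return stack


def evaluate(stack, module_result):
    """Simplified PAM semantics. module_result maps a module name to
    True (PAM_SUCCESS) or False; unknown modules count as failures."""
    failed = False
    for control, module in stack:
        ok = module_result.get(module, False)
        if control == "required":          # failure noted, stack continues
            failed = failed or not ok
        elif control == "requisite":       # failure ends the stack at once
            if not ok:
                return False
        elif control == "sufficient":      # success ends the stack unless
            if ok and not failed:          # an earlier 'required' failed
                return True
        # 'optional' does not affect the result when other modules ran
    return not failed


def can_login(stack_text, unix_ok, ldap_ok):
    """True if the auth stack admits a user given each backend's verdict."""
    results = {"pam_unix.so": unix_ok, "pam_ldap.so": ldap_ok, "pam_deny.so": False}
    return evaluate(parse_auth_stack(stack_text), results)
```

Run can_login with (unix_ok=True, ldap_ok=False) against both stacks to see the local-user case the comment describes.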
Re:LDAP is a pain in the arse (Score:2, Informative)
I tried to take a NIS domain, mixed Linux/Solaris clients, and convert it into a single LDAP auth'ing environment, plus LDAP auth for our webservers.
I must say, despite all the pain, it was absolutely beautiful when it was working. I even managed to get all the auto mount maps working as well