Differences between revisions 1 and 10 (spanning 9 versions)
Revision 1 as of 2007-02-13 18:23:06
Size: 997
Comment:
Revision 10 as of 2007-02-16 17:34:44
Size: 3219
Comment: urls for the epiphany

This page is for working out the migration of UCC authentication to LDAP.

Current status

Sun LDAP server on manbo set up, DN is dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au.


Configuration Details

Server root is /var/mps/serverroot; admin passwords are available on application to [TRS]. /usr/sbin/directoryserver startconsole starts the management console.

Referrals to UWA

dc=uwa,dc=edu,dc=au is a referral to ldap://directory.uwa.edu.au:389/o=The%20University%20of%20Western%20Australia, e.g. ldapsearch -C -x -h manbo -b dc=uwa,dc=edu,dc=au '(cn=Alex Dawson)'. The -C makes ldapsearch chase the referral, so the search is actually answered by directory.uwa.edu.au over a new connection, not by manbo; without it you just get the referral URL back.

To Do

  • initialize OU entries
  • load user data from nis and samba
  • New user creation script, run on manbo?, can use either:
  • SSL - our own CA or pay for a cert? Either way the clients have to be told which CA to trust and to require a valid server certificate, otherwise a simple bind hands the password to whoever answers on the port.
  • Replication?
  • Bonus crack - user address book, see (minimally functional) demo at http://mussel.ucc.asn.au/contagged-0.5
  • Enable LPK on sshds.

User objectClasses

  • Structural
    • inetOrgPerson
  • Auxiliary
    • sambaSamAccount
    • shadowAccount
    • posixAccount (needed as well: it carries uidNumber, gidNumber, homeDirectory and loginShell, which libnss-ldap resolves; shadowAccount only adds the shadow* password-ageing attributes)
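Added example for the "load user data from nis and samba" To Do item and the objectClasses above (this is not UCC's migration script, which the page does not show): it turns one user's NIS passwd and shadow lines plus the smbpasswd line into an LDIF entry, carrying the existing crypt(3) hash across as {crypt}<hash>, the form morwong accepts. The domain SID, Samba 3's algorithmic RID mapping (rid = 2*uid + 1000), the inclusion of posixAccount, and the sample account lines are all assumptions made here, not facts from the page.

```python
# Added example, not UCC's own migration script.  Assumptions (not from the
# page): DOMAIN_SID, Samba 3's algorithmic RID mapping rid = 2*uid + 1000,
# and posixAccount added so libnss-ldap gets uidNumber/gidNumber/homeDirectory.
import base64

BASE_DN = "ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed; take yours from `net getlocalsid`
SAMBA_RID_BASE = 1000


def ldif_line(attr, value):
    """One RFC 2849 attribute line; base64 (::) when the value is not a SAFE-STRING."""
    safe = (value.isascii() and "\n" not in value and "\r" not in value
            and "\0" not in value and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def parse_passwd(line):
    name, _, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    return {"uid": name, "uidNumber": int(uid), "gidNumber": int(gid),
            "gecos": gecos, "homeDirectory": home, "loginShell": shell}


def parse_shadow(line):
    # name:hash:lastchg:min:max:warn:inactive:expire:flag
    f = line.rstrip("\n").split(":")
    return {"uid": f[0], "hash": f[1], "shadowLastChange": f[2], "shadowMin": f[3],
            "shadowMax": f[4], "shadowWarning": f[5], "shadowInactive": f[6],
            "shadowExpire": f[7]}


def parse_smbpasswd(line):
    # name:uid:LMHASH:NTHASH:[flags      ]:LCT-hexseconds:
    f = line.rstrip("\n").split(":")
    lct = int(f[5][4:], 16) if f[5].startswith("LCT-") else 0
    return {"uid": f[0], "lm": f[2], "nt": f[3], "flags": f[4], "pwdLastSet": lct}


def user_attrs(pw, sh, smb):
    """Attribute/value pairs for one entry, in LDIF order (dn first)."""
    assert pw["uid"] == sh["uid"] == smb["uid"], "passwd/shadow/smbpasswd lines disagree"
    cn = pw["gecos"].split(",")[0].strip() or pw["uid"]
    attrs = [
        ("dn", f"uid={pw['uid']},{BASE_DN}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("objectClass", "sambaSamAccount"),
        ("uid", pw["uid"]),
        ("cn", cn),
        ("sn", cn.split()[-1]),          # person requires sn; last word of the GECOS name
        ("uidNumber", str(pw["uidNumber"])),
        ("gidNumber", str(pw["gidNumber"])),
        ("homeDirectory", pw["homeDirectory"]),
        ("loginShell", pw["loginShell"]),
        ("gecos", pw["gecos"]),
    ]
    # Carry the existing crypt(3) hash across unchanged as {crypt}<hash>.  A locked
    # or absent hash ("!", "*", "") gets no userPassword at all, so the account
    # stays unusable for password logins instead of acquiring a bogus value.
    if sh["hash"] and not sh["hash"].startswith(("!", "*")):
        attrs.append(("userPassword", "{crypt}" + sh["hash"]))
    for key in ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire"):
        if sh[key]:
            attrs.append((key, sh[key]))
    rid = 2 * pw["uidNumber"] + SAMBA_RID_BASE
    attrs += [
        ("sambaSID", f"{DOMAIN_SID}-{rid}"),
        ("sambaNTPassword", smb["nt"]),
        ("sambaAcctFlags", smb["flags"]),
        ("sambaPwdLastSet", str(smb["pwdLastSet"])),
    ]
    if set(smb["lm"]) != {"X"}:      # smbpasswd writes 32 X's when no LM hash is stored
        attrs.append(("sambaLMPassword", smb["lm"]))
    return attrs


def to_ldif(attrs):
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


# Constructed sample lines, not real UCC accounts.
PASSWD_LINE = "alice:x:1042:100:Alice Example,,,:/home/alice:/bin/bash"
SHADOW_LINE = "alice:$1$saltsalt$abcdefghijklmnopqrstuv:13500:0:99999:7:::"
SMB_LINE = ("alice:1042:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:"
            "8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-45D0A3B2:")

if __name__ == "__main__":
    print(to_ldif(user_attrs(parse_passwd(PASSWD_LINE), parse_shadow(SHADOW_LINE),
                             parse_smbpasswd(SMB_LINE))))
```

Feed the output to ldapadd (or the Sun DS import) after the ou=People entry exists. Because the crypt hashes are copied verbatim, nobody has to reset a password, but the NT hashes copied from smbpasswd are password-equivalent secrets: the resulting LDIF and the sambaNTPassword attribute need the same access control as the smbpasswd file had.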

Attribute Abuse

Stick the Dovecot mail_location value in preferredDeliveryMethod. Caveat: that attribute's defined syntax is Delivery Method (RFC 4517), so a server that enforces attribute syntax will reject an arbitrary path; this only works while syntax checking is off.

Client configuration

  • libnss-ldap
    • nss_base_passwd ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au (should be the default)
    • and for hosts with samba: nss_base_passwd ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
  • libpam-ldap

morwong will only accept {crypt} passwords, i.e. userPassword values of the form {crypt}<hash>. Maybe ignore this and just make morwong SSH-key only?

Solaris LDAP clients

Arrgh, the documentation is not very clear about what's going on until you already understand it, particularly if you come from an OpenLDAP background.

Basically, instead of binding as the user to the server, the client binds as a proxy agent account (which needs no read access to the user's password, mind) for its directory lookups, and then authenticates the user with a separate bind as the user's own DN. So binding anonymously won't work, since an anonymous client can't bind to the server in a fashion that allows later authentication. Fortunately idsconfig will create the proxy user for you, but you have to understand that you want one first. The exception is if you have SASL/GSSAPI set up, but I think that means you're running Kerberos, which we're not.

So, to set up a Solaris client, run ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au 130.95.13.7 (the proxy agent's password is supplied the same way, via -a proxyPassword=...; ldapclient keeps it in /var/ldap/ldap_client_cred, readable by root only, so anyone with root on the client holds the proxy agent's credential), edit /etc/nsswitch.conf and replace the hosts: entry with files dns, then add pam_ldap.so.1 to /etc/pam.conf as detailed [http://www.opensolaris.org/jive/thread.jspa?threadID=23434 here] or in pam_ldap(4). For googlejuice: a misconfigured client may show itself as the error pam_ldap: no legal authentication method configured.
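An added example of the credential model described in the two paragraphs above, as an in-memory stand-in: it is not Sun DS, ldapclient(1M) or pam_ldap, and the entries, passwords, access rules and the {SSHA} password scheme are all constructed here (Python no longer ships crypt(), so {crypt} is not used). It shows the two binds the client makes, why the proxy agent never needs to read userPassword, and why an anonymous credential level fails at the lookup stage.

```python
# Added example, not Sun DS, ldapclient(1M) or pam_ldap: a toy directory
# modelling credentialLevel=proxy versus anonymous.  Lookups run as the proxy
# agent, which may read entries but not userPassword; authentication is a
# second bind as the user's own DN, checked by the server against the stored
# hash.  Everything below (entries, passwords, ACI rules, {SSHA}) is assumed.
import base64
import hashlib
import hmac
import os

SUFFIX = "dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au"
PROXY_DN = f"cn=proxyagent,ou=profile,{SUFFIX}"
PROXY_PASSWORD = "proxy-secret"   # assumed; on a real client it sits in /var/ldap/ldap_client_cred


def ssha(password, salt=None):
    """Standard LDAP {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(4)
    return "{SSHA}" + base64.b64encode(
        hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class ToyDirectory:
    def __init__(self):
        self.entries = {
            PROXY_DN: {"cn": "proxyagent", "userPassword": ssha(PROXY_PASSWORD)},
            f"uid=alice,ou=People,{SUFFIX}": {
                "uid": "alice", "uidNumber": "1042", "userPassword": ssha("correct horse")},
        }

    def bind(self, dn="", password=""):
        """Simple bind.  Empty DN is anonymous; otherwise the DN must know its own password."""
        if dn == "":
            return Session(self, None)
        entry = self.entries.get(dn)
        if entry is None or not ssha_verify(password, entry["userPassword"]):
            raise PermissionError("invalidCredentials")
        return Session(self, dn)


class Session:
    def __init__(self, directory, bound_as):
        self.directory, self.bound_as = directory, bound_as

    def find_by_uid(self, uid):
        """ACI model: anonymous reads nothing; any authenticated identity reads
        every attribute except userPassword (all the proxy agent ever needs)."""
        if self.bound_as is None:
            raise PermissionError("insufficientAccessRights")
        for dn, entry in self.directory.entries.items():
            if entry.get("uid") == uid:
                return dn, {k: v for k, v in entry.items() if k != "userPassword"}
        return None, None


def login(directory, credential_level, uid, password):
    """What the Solaris client does: look the user up (NSS), then authenticate (PAM)."""
    if credential_level == "anonymous":
        nss = directory.bind()
    elif credential_level == "proxy":
        nss = directory.bind(PROXY_DN, PROXY_PASSWORD)
    else:
        raise ValueError(credential_level)
    try:
        user_dn, _entry = nss.find_by_uid(uid)          # getpwnam() via libnss
    except PermissionError:
        return "lookup-denied"                          # where the anonymous level fails
    if user_dn is None:
        return "no-such-user"
    try:
        directory.bind(user_dn, password)               # pam_ldap: bind as the user's DN
    except PermissionError:
        return "bad-password"
    return "ok"


if __name__ == "__main__":
    d = ToyDirectory()
    print(login(d, "proxy", "alice", "correct horse"))      # ok
    print(login(d, "proxy", "alice", "wrong"))              # bad-password
    print(login(d, "anonymous", "alice", "correct horse"))  # lookup-denied
```

The point to take from the model: the proxy agent is a low-value account (it reads what any authenticated identity can read), so its credential sitting on every client is tolerable, whereas an account that could read userPassword would not be.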

Useful URLs

http://lists.samba.org/archive/samba/2005-March/101579.html
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
http://samba.org/samba/docs/man/Samba-Guide/happy.html
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html
http://www.nabble.com/anonymous-binding---is-it-needed---t1261737.html
http://groups.google.com/group/comp.unix.solaris/msg/10e8a62bad96f288