1781
Comment:
|
3376
it works!
|
Deletions are marked like this. | Additions are marked like this. |
Line 4: | Line 4: |
Sun LDAP server on manbo set up, DN is dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au. | Sun LDAP server on manbo set up, DN is `dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au`. Samba on manbo is pointing at it, as is sacheto and cobbler. |
Line 10: | Line 10: |
Server root is /var/mps/serverroot, admin passwords available upon application to [TRS]. /usr/sbin/directoryserver startconsole start the managery console thing. | Server root is `/var/mps/serverroot`, admin passwords available upon application to [TRS]. `/usr/sbin/directoryserver startconsole` starts the managery console thing. |
Line 13: | Line 13: |
dc=uwa,dc=edu,dc=au goes to ldap://directory.uwa.edu.au:389/o=The%20University%20of%20Western%20Australia eg: `ldapsearch -C -x -h manbo -b dc=uwa,dc=edu,dc=au '(cn=Alex Dawson)'` | `dc=uwa,dc=edu,dc=au` goes to `ldap://directory.uwa.edu.au:389/o=The%20University%20of%20Western%20Australia` eg: `ldapsearch -C -x -h manbo -b dc=uwa,dc=edu,dc=au '(cn=Alex Dawson)'` |
Line 16: | Line 16: |
* initialize OU entries * load user data from nis and samba |
* initialize OU entries - done * load user data from nis and samba - done |
Line 21: | Line 21: |
* initial version in `/home/wheel/bin/ucc-adduser.ldap`, to be used on mussel. | |
Line 24: | Line 25: |
* Enable LPK on sshds. | |
Line 37: | Line 39: |
* nss_base_passwd ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au * and for hosts with samba: nss_base_passwd ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au |
* nss_base_passwd `ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au` (should be the default) * and for hosts with samba: nss_base_passwd `ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au` |
Line 42: | Line 44: |
== Solaris LDAP clients == Arrgh the documentation is not very clear about what's going on until you already understand it, particularly if you come from an OpenLDAP backgroud. Basically, instead of binding as the user to the server, the client somehow magically binds with a proxy agent (which doesn't need read access to the user's password mind) and then authenticates the user. So binding as anonymous won't work, since anonymous can't actually bind to the server in a fashion that allows later authentication. Fortunately idsconfig will create the proxy user for you, but you have to understand that you want one first. The exception is if you have SASL/GSSAPI set up, but I think that means you're running kerberos, which we're not. So, to set up a solaris client, run `ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au 130.95.13.7`, edit `/etc/nsswitch.conf` and replace the `hosts:` entry with `files dns`, then add in `pam_ldap.so.1` to `/etc/pam.conf` as detailed [http://www.opensolaris.org/jive/thread.jspa?threadID=23434 here] or in `pam_ldap(4)`. For googlejuice - this may show itself as the error `pam_ldap: no legal authentication method configured` |
|
Line 47: | Line 57: |
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html | http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html [[BR]] http://www.nabble.com/anonymous-binding---is-it-needed---t1261737.html [[BR]] http://groups.google.com/group/comp.unix.solaris/msg/10e8a62bad96f288 |
This page is for working out the migration of UCC authentication to LDAP.
Current status
Sun LDAP server on manbo set up, DN is dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au. Samba on manbo is pointing at it, as is sacheto and cobbler.
Configuration Details
Server root is /var/mps/serverroot, admin passwords available upon application to [TRS]. /usr/sbin/directoryserver startconsole starts the managery console thing.
Referrals to UWA
dc=uwa,dc=edu,dc=au goes to ldap://directory.uwa.edu.au:389/o=The%20University%20of%20Western%20Australia eg: ldapsearch -C -x -h manbo -b dc=uwa,dc=edu,dc=au '(cn=Alex Dawson)'
To Do
- initialize OU entries - done
- load user data from nis and samba - done
- New user creation script, run on manbo?, can use either:
[http://cpu.sourceforge.net/ cpu] and smbpasswd
- smbldap-tools.
initial version in /home/wheel/bin/ucc-adduser.ldap, to be used on mussel.
- SSL - our own CA or pay for a cert?
- Replication?
Bonus crack - user address book, see (minimally functional) demo at http://mussel.ucc.asn.au/contagged-0.5
- Enable LPK on sshds.
User objectClasses
- Structural
- inetOrgPerson
- Auxiliary
- sambaSamAccount
- shadowAccount
Attribute Abuse
Stick dovecot mail_location in preferredDeliveryMethod
Client configuration
- libnss-ldap
nss_base_passwd ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au (should be the default)
and for hosts with samba: nss_base_passwd ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
- libpam-ldap
morwong will only accept {crypt} passwords. Maybe make ignore this and just make morwong ssh-key only?
Solaris LDAP clients
Arrgh the documentation is not very clear about what's going on until you already understand it, particularly if you come from an OpenLDAP backgroud.
Basically, instead of binding as the user to the server, the client somehow magically binds with a proxy agent (which doesn't need read access to the user's password mind) and then authenticates the user. So binding as anonymous won't work, since anonymous can't actually bind to the server in a fashion that allows later authentication. Fortunately idsconfig will create the proxy user for you, but you have to understand that you want one first. The exception is if you have SASL/GSSAPI set up, but I think that means you're running kerberos, which we're not.
So, to set up a solaris client, run ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au 130.95.13.7, edit /etc/nsswitch.conf and replace the hosts: entry with files dns, then add in pam_ldap.so.1 to /etc/pam.conf as detailed [http://www.opensolaris.org/jive/thread.jspa?threadID=23434 here] or in pam_ldap(4). For googlejuice - this may show itself as the error pam_ldap: no legal authentication method configured
Useful URLs
http://lists.samba.org/archive/samba/2005-March/101579.html BR http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html BR http://samba.org/samba/docs/man/Samba-Guide/happy.html BR http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html BR http://www.nabble.com/anonymous-binding---is-it-needed---t1261737.html BR http://groups.google.com/group/comp.unix.solaris/msg/10e8a62bad96f288