topic Re: Authentication using LDAP in Operating System - HP-UX

Authentication using LDAP

oza — Fri, 30 Apr 2010 06:13:56 GMT

Hi,
I need to implement central authentication mechanism for Linux using LDAP. The LDAP is already setup and running. I have over 1000 Redhat Linux boxes that I want the authentication to be done centrally from the LDAP. I will also want resilence, so that when the LDAP is down, I can still logon to my linux boxes. Any detail documentation or hints will be appreciated.

Re: Authentication using LDAP

Michal Kapalka (mikap) — Fri, 30 Apr 2010 07:17:15 GMT

hi,

check this docu :

http://www.yolinux.com/TUTORIALS/LDAP_Authentication.html

mikap

Re: Authentication using LDAP

bullz — Fri, 30 Apr 2010 12:20:50 GMT

Haa haaa funny, you want to use ldap for 1000 servers to make your job easier, same way if ldap is down, u want the server to login via local accout as well? am i right?

In such case, you need to have an account on LDAP and local server as well, and need to modify /etc/nsswitch.conf accordinlgy.

ex

passwd ldap [NOTFOUND] files

not sure about the above systax, google for apt.

Re: Authentication using LDAP

oza — Mon, 17 May 2010 13:53:20 GMT

The challenge that I have is that when I failed the LDAP, the password fail to logon locally.

Re: Authentication using LDAP

Ivan Krastev — Mon, 17 May 2010 22:58:54 GMT

See these options for authconfig (from man page):

The --enablelocauthorize option allows to bypass checking network authentication services for autho-
rization and the --enablesysnetauth allows authentication of system accounts (with uid < 500) by
these services.

regards,
ivan

Re: Authentication using LDAP

ozas — Thu, 27 May 2010 07:33:32 GMT

Bullz, I have tried your suggestion but still did not work. Ivan can you explain more about the authconfig:

My /etc/nsswitch.conf is now set as:

passwd: files ldap
shadow: files ldap
group: files ldap

Do my LDAP need to have any special attributes on the schema?

Any suggestion will be appreciated. When the LDAP is running the password set from the LDAP works. But when I stop/fail the LDAP, am unable to logon with the same password to the client.

Re: Authentication using LDAP

ozas — Thu, 27 May 2010 07:39:36 GMT

Below is my /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so