topic Re: Configure user authentication using OpenLDAP on Redhat Linux Enterprise 3 in Operating System - Linux

Configure user authentication using OpenLDAP on Redhat Linux Enterprise 3

yyghp — Mon, 16 May 2005 09:08:12 GMT

I am now configuring OpenLDAP on two servers running Redhat Linux Enterprise 3, in order to centralize user management, that is, i don't have to maintain users separately when they change password on one server, like windows PDC-BDC.

I followed "Red Hat Enterprise Linux Reference" guide, details below:
---------------------
Install the Necessary LDAP Package
First, make sure that the appropriate packages are installed on both the LDAP server and the
LDAP client machines. The LDAP server needs the openldap-servers package.
The openldap, openldap-clients, and nss_ldap packages need to be installed on all LDAP
client machines.

Edit the Configuration Files
a. On the server, edit the /etc/openldap/slapd.conf le on the LDAP
server to make sure it matches the speci cs of the organization. Refer to
Section 13.6.1 Editing /etc/openldap/slapd.conf for instructions about editing
slapd.conf.
b. On the client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to
contain the proper server and search base information for the organization.
To do this, run the graphical Authentication Con guration Tool
(system-config-authentication) and select Enable LDAP Support under the User
Information tab.
It is also possible to edit these les by hand.
c. On the client machines, the /etc/nsswitch.conf must be edited to use LDAP.
To do this, run the Authentication Configuration Tool
(system-config-authentication) and select Enable LDAP Support under the User
Information tab.
If editing /etc/nsswitch.conf by hand, add ldap to the appropriate lines.
For example:
passwd: files ldap
shadow: files ldap
group: files ldap
---------------------

But after that, I created a new user "test" on ServerA(LDAP server), and try to login ServerB(LDAP client) as "test" ("test" don't have info. on ServerB), but failed to login, seemed it didn't search the authentication from LDAP server (ServerA)...

Do I miss any step(s) ?
How can I troubleshoot this ?
Thanks!

Re: Configure user authentication using OpenLDAP on Redhat Linux Enterprise 3

Gopi Sekar — Mon, 16 May 2005 10:17:38 GMT

If i am not mistaken, i think you should have People object group in your LDAP server, which defines all the objects required for login process.

I am not very sure whether you have it enabled. if not add it, define basic settings for user (password, shell, expiry etc). and see whether it works.

Regards,
Gopi

Re: Configure user authentication using OpenLDAP on Redhat Linux Enterprise 3

Johan Bergström — Mon, 16 May 2005 10:21:11 GMT

What "system-config-authentication" probably does is edit the PAM settings for your machine. I've never set this up on a RHEL machine. But look at your /etc/pam.d/login file. PAM needs to be aware of the ldapserver when trying to authenticate a user who is logging into the server.

You should have something like,
sufficient /lib/security/pam_ldap.so

in it. You can also try to add a "debug" after the module name. It should produce debug info in the syslog.

For more info see http://ldots.org/ldap/

Re: Configure user authentication using OpenLDAP on Redhat Linux Enterprise 3

yyghp — Mon, 16 May 2005 10:40:04 GMT

hi Gopi,

Thanks, but I don't think the user information ( including passwords ) are stored in the LDAP database, so I wonder whether I need to add Objects into the db...

Re: Configure user authentication using OpenLDAP on Redhat Linux Enterprise 3

yyghp — Mon, 16 May 2005 10:46:30 GMT

Hi Johan,

Yes, I couldn't find "/lib/security/pam_ldap.so" in the file "/etc/pam.d/login", why the offical redhat reference guide(http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/ch-ldap.html) doesn't mentioned this at all?
I am not familiar with PAM stuff, I worry about changing thing here, which may not be recoverable by myself.
Do you know any complete doc with which someone has successfully setup such environment ?
Thanks!

Re: Configure user authentication using OpenLDAP on Redhat Linux Enterprise 3

Gopi Sekar — Tue, 17 May 2005 01:06:57 GMT

have you added user in to ldap database? it works like this, you have to add user information like user name, shell, password etc in to LDAP objects (People).

then from the other system you can login as the newly added user in ldap.

to give one line answer: yes, you need to have user information including user id and password into ldap objects so that ldap based authentication will succeed

Gopi