LDAP (Lightweight Directory Access Protocol) is used as a central directory for storing user information. All clients authenticate against a single LDAP server, which reduces data redundancy.
To authenticate clients we need to configure both the server and the client machines.
This configuration is for the deepOfix server and works smoothly with Debian clients (the configuration is the same for most Linux clients).
allow bind_anon_dn
loglevel 0
include /var/easypush/ldap/etc/openldap/schema/cosine.schema
include /var/easypush/ldap/etc/openldap/schema/inetorgperson.schema
include /var/easypush/ldap/etc/openldap/schema/nis.schema
include /var/easypush/ldap/etc/openldap/schema/samba.schema
include /var/easypush/ldap/etc/openldap/schema/qmail.schema
include /var/easypush/ldap/etc/openldap/schema/deepofixuser.schema
directory /var/easypush/ldap/var/openldap-data
index objectClass eq
access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
by anonymous auth
by self write
by * none
access to dn.subtree="dc=mnit,dc=ac,dc=in"
by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
by self write
by users read
access to dn.subtree="ou=people,dc=mnit,dc=ac,dc=in"
by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
by users read
access to dn.subtree="ou=group,dc=mnit,dc=ac,dc=in"
by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
by users read
access to dn.subtree="ou=addressbook,dc=mnit,dc=ac,dc=in"
by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
by users read
sizelimit 1500
TLSCertificateKeyFile "/var/easypush/etc/certificates/server.ke
The easypush server manager would open up from where user accounts can be added very easily.
# sv -v up slapd
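The access directives in the slapd.conf above decide, in file order, what a bound (or anonymous) DN may do with an entry's attributes: the first directive whose target matches is used, then its first matching "by" clause, and anything left unmatched is denied. The following is an added example (not code from the original post or from deepOfix) that models those rules for the exact directives on this page; the user DNs it is exercised with are constructed sample values.

```python
# Added example (not from the original post): a simplified model of how slapd
# evaluates the access directives above; "alice"/"bob" DNs are constructed.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BASE = "dc=mnit,dc=ac,dc=in"
EASYPUSH = "uid=easypush,ou=people," + BASE
DEEPOFIX = "uid=deepofix,ou=people," + BASE
PASSWORD_ATTRS = {"userPassword", "sambaLMPassword", "sambaNTPassword"}

# Directives in file order: (subtree or None, attrs or None), then the 'by' clauses.
ACLS = [
    ((None, PASSWORD_ATTRS), [(EASYPUSH, "write"), ("anonymous", "auth"),
                              ("self", "write"), ("*", "none")]),
    ((BASE, None), [(EASYPUSH, "write"), (DEEPOFIX, "read"),
                    ("self", "write"), ("users", "read")]),
    (("ou=people," + BASE, None), [(DEEPOFIX, "read"), ("users", "read")]),
    (("ou=group," + BASE, None), [(DEEPOFIX, "read"), ("users", "read")]),
    (("ou=addressbook," + BASE, None), [(DEEPOFIX, "read"), ("users", "read")]),
]

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (requester is None) == (who == "anonymous")
    if who == "self":
        return requester is not None and requester == target_dn
    return requester == who          # explicit dn="..." clause

def granted(requester, target_dn, attr):
    """Access level slapd grants: the first directive whose target matches is
    used, then its first matching 'by' clause; anything unmatched is none."""
    for (subtree, attrs), clauses in ACLS:
        if subtree is not None and not in_subtree(target_dn, subtree):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, requester, target_dn):
                return level
        return "none"                # implicit trailing 'by * none'
    return "none"                    # no directive matched the target

def allows(requester, target_dn, attr, wanted):
    """True if the granted level is at least 'wanted' (levels are ordered)."""
    return LEVELS.index(granted(requester, target_dn, attr)) >= LEVELS.index(wanted)
```

Running it shows that anonymous clients get only "auth" on the password attributes (enough for pam_ldap to bind, not to read hashes), while the ou=people, ou=group and ou=addressbook directives are never reached because the dc=mnit subtree directive matches first; that earlier directive's "by self write" therefore covers every attribute of a user's own entry, which is worth confirming is the intended scope.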
A. Install the following packages (on Debian):
# apt-get install libpam-ldap libnss-ldap nss-switch nscd
B. Change the following configuration files:
base dc=mnit,dc=ac,dc=in
ldap_version 3
binddn uid=admin,ou=people,dc=mnit,dc=ac,dc=in
bindpw ******
host 192.168.1.20
base dc=mnit,dc=ac,dc=in
ldap_version 3
pam_password_prohibit_message Please change the password using the EasyPush Server Manager.
binddn uid=admin,ou=people,dc=mnit,dc=ac,dc=in
bindpw ******
3. /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup:
4. /etc/ldap/ldap.conf
base dc=mnit,dc=ac,dc=in
uri ldap://192.168.1.20:389
ldap_version 3
scope sub
pam_login_attribute uid
pam_filter objectClass=posixAccount
5. /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure
6. /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
7. /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_foreground.so
session sufficient pam_ldap.so
session required pam_unix.so
►Now restart the client machine and log in as any of the users present in the LDAP directory that were added through the easypush server manager. (If the correct password is given, the user is authenticated and is given a separate home directory.)