Attachment #283307 for bug #176075

View | Details | Raw Unified | Return to bug 176075 | Differences between
Collapse All | Expand All




<author title="Author">
  <mail link="sj7trunks@pendulus.net">Benjamin Coles</mail>
</author>
<author title="Author">
  <mail link="swift"/>
</author>
<author title="Editor">
  <mail link="tseng@gentoo.org">Brandon Hale</mail>

<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>6</version>
<date>2011-08-13</date>

<chapter>
<title>Getting Started with OpenLDAP</title>


<pre caption="Generate password">
# <i>slappasswd</i>
New password: <i>my-password</i>
Re-enter new password: <i>my-password</i>
{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
</pre>

<p>
Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>. Below
we'll give a sample configuration file to get things started. For a more
detailed analysis of the configuration file, we suggest that you work through
the OpenLDAP Administrator's Guide.
</p>

<pre caption="/etc/openldap/slapd.conf">
include	/etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include	/etc/openldap/schema/misc.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

serverID 0 <comment>Used in case of replication</comment>
loglevel 0
# moduleload    back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
moduleload    back_hdb.so
# moduleload    back_dnssrv.so

<comment>## Access Controls</comment>
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
  by self write
  by users read
  by anonymous read

<comment>## Database definition</comment>
database hdb
suffix "dc=genfic,dc=com"
checkpoint 32 30
rootdn "cn=Manager,dc=genfic,dc=com"
rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" <comment># See earlier slappasswd command</comment>
directory "/var/lib/openldap-ldbm"
index objectClass eq

<comment>## Synchronisation (pull from other LDAP server)</comment>
syncrepl rid=000
  provider=ldap://ldap2.genfic.com
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=genfic,dc=com"
  attrs="*,+"
  bindmethod="simple"
  binddn="cn=ldapreader.genfic.com,dc=genfic,dc=com"
  credentials="ldapsyncpass"

index entryCSN eq
index entryUUID eq

mirrormode TRUE

overlay syncprov
syncprov-checkpoint 100 10
rootpw          <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i>
directory       /var/lib/openldap-ldbm
index           objectClass     eq
</pre>

<p>

<comment>(Add the following...)</comment>

BASE         dc=genfic, dc=com
URI          ldap://ldap.genfic.com:389/ ldap://ldap1.genfic.com:389/ ldap://ldap2.genfic.com:389/
TLS_REQCERT  allow
TIMELIMIT    2
</pre>

<p>
Now edit <path>/etc/conf.d/slapd</path> and set the following OPTS line:
</p>

<pre caption="/etc/conf.d/slapd">
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
</pre>

<p>
Finally, create the <path>/var/lib/openldap-ldbm</path> structure:
</p>

<pre caption="Preparing the openldap-ldbm location">
~# <i>mkdir -p /var/lib/openldap-ldbm</i>
~# <i>chown ldap:ldap /var/lib/openldap-ldbm</i>
~# <i>chmod 700 /var/lib/openldap-ldbm</i>
</pre>

<p>

</chapter>

<chapter>
<title>Replication</title>
<section>
<title>If you need high availability</title>
<body>

<p>
If your environment requires high availability, then you need to setup
replication of changes across multiple LDAP systems. Replication within OpenLDAP
is, in this guide, set up using a specific replication account
(<c>ldapreader</c>) which has read rights on the primary LDAP server and which
pulls in changes from the primary LDAP server to the secundary.
</p>

<p>
This setup is then mirrored, allowing the secundary LDAP server to act as a
primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if
they are already in the LDAP structure.
</p>

</body>
</section>
<section>
<title>Setting Up Replication</title>
<body>

<p>
To setup replication, first setup a second OpenLDAP server, similarly as above.
However take care that, in the configuration file, 
</p>

<ul>
  <li>
    the <e>sync replication provider</e> is pointing to the <e>other</e> system
  </li>
  <li>
    the <e>serverID</e> of each OpenLDAP system is different
  </li>
</ul>

<p>
Next, create the synchronisation account. We will create an LDIF file (the
format used as data input for LDAP servers) and add it to each LDAP server:
</p>

<pre caption="Creating the ldapreader account">
~# <i>slappasswd -s myreaderpassword</i>
 {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM

~# <i>cat ldapreader.ldif</i>
dn: cn=ldapreader.genfic.com,dc=genfic,dc=com
userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapreader.genfic.com
description: LDAP reader used for synchronization

~# <i>ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif</i>
Password: <comment>enter the administrative password</comment>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Client Configuration</title>
<section>
<title>Migrate existing data to ldap</title>
<body>

<p>
Configuring OpenLDAP for centralized administration and management of common
Linux/Unix items isn't easy, but thanks to some tools and scripts available on
the Internet, migrating a system from a single-system administrative
point-of-view towards an OpenLDAP-based, centralized managed system isn't hard
either.
</p>

<p>
Go to <uri
link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri>
and fetch the scripts there. You'll need the migration tools and the
<c>make_master.sh</c> script.
</p>

<p>
Next, extract the tools and copy the <c>make_master.sh</c> script inside the
extracted location:
</p>

<pre caption="Extracting the MigrationTools">
~# <i>mktemp -d</i>
/tmp/tmp.zchomocO3Q
~# <i>cd /tmp/tmp.zchomocO3Q</i>
~# <i>tar xvzf /path/to/MigrationTools.tgz</i>
~# <i>mv /path/to/make_master.sh MigrationTools-47</i>
~# <i>cd MigrationTools-47</i>
</pre>

<p>
The next step now is to migrate the information of your system to OpenLDAP. The
<c>make_master.sh</c> script will do this for you, after you have provided it
with the information regarding your LDAP structure and environment.
</p>

<p>
At the time of writing, the tools require the following input:
</p>

<table>
<tr>
  <th>Input</th>
  <th>Description</th>
  <th>Example</th>
</tr>
<tr>
  <ti>LDAP BaseDN</ti>
  <ti>The base location (root) of your tree</ti>
  <ti>dc=genfic,dc=com</ti>
</tr>
<tr>
  <ti>Mail domain</ti>
  <ti>Domain used in e-mail addresses</ti>
  <ti>genfic.com</ti>
</tr>
<tr>
  <ti>Mail host</ti>
  <ti>FQDN of your mail server infrastructure</ti>
  <ti>smtp.genfic.com</ti>
</tr>
<tr>
  <ti>LDAP Root DN</ti>
  <ti>Administrative account information for your LDAP structure</ti>
  <ti>cn=Manager,dc=genfic,dc=com</ti>
</tr>
<tr>
  <ti>LDAP Root Password</ti>
  <ti>
    Password for the administrative account, cfr earlier <c>slappasswd</c>
    command
  </ti>
  <ti></ti>
</tr>
</table>

<p>
The tool will also ask you which accounts and settings you want to migrate.
</p>

</body>

#%PAM-1.0

auth       required     pam_env.so
auth       <i>sufficient</i>   pam_unix.so try_first_pass likeauth nullok
<i>auth       sufficient   pam_ldap.so use_first_pass</i>
auth       required     pam_deny.so


account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   <i>sufficient</i>   pam_unix.so try_first_pass use_authtok nullok md5 shadow
<i>password   sufficient   pam_ldap.so use_authtok use_first_pass</i>
password   required     pam_deny.so



suffix          "dc=genfic,dc=com"
<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
bind_policy soft
bind_timelimit 2
pam_password exop

ldap_version 3
nss_base_group ou=Group,dc=genfic,dc=com
nss_base_hosts ou=Hosts,dc=genfic,dc=com
nss_base_passwd ou=People,dc=genfic,dc=com
nss_base_shadow ou=People,dc=genfic,dc=com
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password exop
nss_base_shadow ou=People,dc=genfic,dc=com
nss_base_group  ou=Group,dc=genfic,dc=com
nss_base_hosts  ou=Hosts,dc=genfic,dc=com

scope one
timelimit 2
uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.com
</pre>

<p>

</pre>

<p>
To test the changes, type:
</p>

<pre caption="Testing LDAP Auth">
# <i>getent passwd|grep 0:0</i>

<comment>(You should get two entries back:)</comment>
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
</pre>

<p>
If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
was commented out (the <c>rootbinddn</c> line): you don't need it unless you
want to change a user's password as superuser. In this case you need to echo
the root password to <path>/etc/ldap.secret</path> in plaintext. This is
<brite>DANGEROUS</brite> and should be chmoded to 600. What you might want to
do is keep that file blank and when you need to change someones password thats
both in the ldap and <path>/etc/passwd</path>, put the pass in there for 10
seconds while changing the users password and remove it when done.
</p>

</body>

Return to bug 176075

Lines 8-15 Link Here

(-)ldap-howto.xml (-71 / +218 lines)
8	<author title="Author">	8	<author title="Author">
9	<mail link="sj7trunks@pendulus.net">Benjamin Coles</mail>	9	<mail link="sj7trunks@pendulus.net">Benjamin Coles</mail>
10	</author>	10	</author>
11	<author title="Editor">	11	<author title="Author">
12	<mail link="swift@gentoo.org">Sven Vermeulen</mail>	12	<mail link="swift"/>
13	</author>	13	</author>
14	<author title="Editor">	14	<author title="Editor">
15	<mail link="tseng@gentoo.org">Brandon Hale</mail>	15	<mail link="tseng@gentoo.org">Brandon Hale</mail>
Lines 33-40 Link Here
33	<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->	33	<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
34	<license/>	34	<license/>
35		35
36	<version>5</version>	36	<version>6</version>
37	<date>2011-04-17</date>	37	<date>2011-08-13</date>
38		38
39	<chapter>	39	<chapter>
40	<title>Getting Started with OpenLDAP</title>	40	<title>Getting Started with OpenLDAP</title>
Lines 166-217 Link Here
166		166
167	<pre caption="Generate password">	167	<pre caption="Generate password">
168	# <i>slappasswd</i>	168	# <i>slappasswd</i>
169	New password: my-password	169	New password: <i>my-password</i>
170	Re-enter new password: my-password	170	Re-enter new password: <i>my-password</i>
171	{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4	171	{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
172	</pre>	172	</pre>
173		173
174	<p>	174	<p>
175	Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>:	175	Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>. Below
		176	we'll give a sample configuration file to get things started. For a more
		177	detailed analysis of the configuration file, we suggest that you work through
		178	the OpenLDAP Administrator's Guide.
176	</p>	179	</p>
177		180
178	<pre caption="/etc/openldap/slapd.conf">	181	<pre caption="/etc/openldap/slapd.conf">
179	<comment># Include the needed data schemes below core.schema</comment>	182	include /etc/openldap/schema/core.schema
180	include /etc/openldap/schema/cosine.schema	183	include /etc/openldap/schema/cosine.schema
181	include /etc/openldap/schema/inetorgperson.schema	184	include /etc/openldap/schema/inetorgperson.schema
182	include /etc/openldap/schema/nis.schema	185	include /etc/openldap/schema/nis.schema
183		186	include /etc/openldap/schema/misc.schema
184	<comment>Uncomment modulepath and hdb module</comment>	187
185	# Load dynamic backend modules:	188	pidfile /var/run/openldap/slapd.pid
186	modulepath /usr/lib/openldap/openldap	189	argsfile /var/run/openldap/slapd.args
187	# moduleload back_shell.so	190
188	# moduleload back_relay.so	191	serverID 0 <comment>Used in case of replication</comment>
189	# moduleload back_perl.so	192	loglevel 0
190	# moduleload back_passwd.so
191	# moduleload back_null.so
192	# moduleload back_monitor.so
193	# moduleload back_meta.so
194	moduleload back_hdb.so
195	# moduleload back_dnssrv.so
196		193
197	<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment>	194	<comment>## Access Controls</comment>
198	access to dn.base="" by * read	195	access to dn.base="" by * read
199	access to dn.base="cn=Subschema" by * read	196	access to dn.base="cn=Subschema" by * read
200	access to *	197	access to *
201	by self write	198	by self write
202	by users read	199	by users read
203	by anonymous auth	200	by anonymous read
204		201
		202	<comment>## Database definition</comment>
		203	database hdb
		204	suffix "dc=genfic,dc=com"
		205	checkpoint 32 30
		206	rootdn "cn=Manager,dc=genfic,dc=com"
		207	rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" <comment># See earlier slappasswd command</comment>
		208	directory "/var/lib/openldap-ldbm"
		209	index objectClass eq
		210
		211	<comment>## Synchronisation (pull from other LDAP server)</comment>
		212	syncrepl rid=000
		213	provider=ldap://ldap2.genfic.com
		214	type=refreshAndPersist
		215	retry="5 5 300 +"
		216	searchbase="dc=genfic,dc=com"
		217	attrs="*,+"
		218	bindmethod="simple"
		219	binddn="cn=ldapreader.genfic.com,dc=genfic,dc=com"
		220	credentials="ldapsyncpass"
205		221
206	<comment># BDB Database definition</comment>	222	index entryCSN eq
		223	index entryUUID eq
207		224
208	database hdb	225	mirrormode TRUE
209	suffix "dc=genfic,dc=com"	226
210	checkpoint 32 30 # <kbyte> <min>	227	overlay syncprov
211	rootdn "cn=Manager,dc=genfic,dc=com"	228	syncprov-checkpoint 100 10
212	rootpw <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i>
213	directory /var/lib/openldap-ldbm
214	index objectClass eq
215	</pre>	229	</pre>
216		230
217	<p>	231	<p>
Lines 223-239 Link Here
223	<comment>(Add the following...)</comment>	237	<comment>(Add the following...)</comment>
224		238
225	BASE dc=genfic, dc=com	239	BASE dc=genfic, dc=com
226	URI ldap://auth.genfic.com:389/	240	URI ldap://ldap.genfic.com:389/ ldap://ldap1.genfic.com:389/ ldap://ldap2.genfic.com:389/
227	TLS_REQCERT allow	241	TLS_REQCERT allow
		242	TIMELIMIT 2
228	</pre>	243	</pre>
229		244
230	<p>	245	<p>
231	Now edit <path>/etc/conf.d/slapd</path> and uncomment the following OPTS line:	246	Now edit <path>/etc/conf.d/slapd</path> and set the following OPTS line:
232	</p>	247	</p>
233		248
234	<pre caption="/etc/conf.d/slapd">	249	<pre caption="/etc/conf.d/slapd">
235	<comment># Note: we don't use cn=config here, so stay with this line:</comment>	250	OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
236	OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"	251	</pre>
		252
		253	<p>
		254	Finally, create the <path>/var/lib/openldap-ldbm</path> structure:
		255	</p>
		256
		257	<pre caption="Preparing the openldap-ldbm location">
		258	~# <i>mkdir -p /var/lib/openldap-ldbm</i>
		259	~# <i>chown ldap:ldap /var/lib/openldap-ldbm</i>
		260	~# <i>chmod 700 /var/lib/openldap-ldbm</i>
237	</pre>	261	</pre>
238		262
239	<p>	263	<p>
Lines 262-279 Link Here
262	</chapter>	286	</chapter>
263		287
264	<chapter>	288	<chapter>
		289	<title>Replication</title>
		290	<section>
		291	<title>If you need high availability</title>
		292	<body>
		293
		294	<p>
		295	If your environment requires high availability, then you need to setup
		296	replication of changes across multiple LDAP systems. Replication within OpenLDAP
		297	is, in this guide, set up using a specific replication account
		298	(<c>ldapreader</c>) which has read rights on the primary LDAP server and which
		299	pulls in changes from the primary LDAP server to the secundary.
		300	</p>
		301
		302	<p>
		303	This setup is then mirrored, allowing the secundary LDAP server to act as a
		304	primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if
		305	they are already in the LDAP structure.
		306	</p>
		307
		308	</body>
		309	</section>
		310	<section>
		311	<title>Setting Up Replication</title>
		312	<body>
		313
		314	<p>
		315	To setup replication, first setup a second OpenLDAP server, similarly as above.
		316	However take care that, in the configuration file,
		317	</p>
		318
		319	<ul>
		320	<li>
		321	the <e>sync replication provider</e> is pointing to the <e>other</e> system
		322	</li>
		323	<li>
		324	the <e>serverID</e> of each OpenLDAP system is different
		325	</li>
		326	</ul>
		327
		328	<p>
		329	Next, create the synchronisation account. We will create an LDIF file (the
		330	format used as data input for LDAP servers) and add it to each LDAP server:
		331	</p>
		332
		333	<pre caption="Creating the ldapreader account">
		334	~# <i>slappasswd -s myreaderpassword</i>
		335	{SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
		336
		337	~# <i>cat ldapreader.ldif</i>
		338	dn: cn=ldapreader.genfic.com,dc=genfic,dc=com
		339	userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
		340	objectClass: organizationalRole
		341	objectClass: simpleSecurityObject
		342	cn: ldapreader.genfic.com
		343	description: LDAP reader used for synchronization
		344
		345	~# <i>ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif</i>
		346	Password: <comment>enter the administrative password</comment>
		347	</pre>
		348
		349	</body>
		350	</section>
		351	</chapter>
		352
353	<chapter>
265	<title>Client Configuration</title>	354	<title>Client Configuration</title>
266	<section>	355	<section>
267	<title>Migrate existing data to ldap</title>	356	<title>Migrate existing data to ldap</title>
268	<body>	357	<body>
269		358
270	<p>	359	<p>
		360	Configuring OpenLDAP for centralized administration and management of common
		361	Linux/Unix items isn't easy, but thanks to some tools and scripts available on
		362	the Internet, migrating a system from a single-system administrative
		363	point-of-view towards an OpenLDAP-based, centralized managed system isn't hard
		364	either.
		365	</p>
		366
		367	<p>
271	Go to <uri	368	Go to <uri
272	link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri>	369	link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri>
273	and fetch the scripts there. Configuration is stated on the page. We don't ship	370	and fetch the scripts there. You'll need the migration tools and the
274	this anymore because the scripts are a potential security hole if you leave	371	<c>make_master.sh</c> script.
275	them on the system after porting. When you've finished migrating your data,	372	</p>
276	continue to the next section.	373
		374	<p>
		375	Next, extract the tools and copy the <c>make_master.sh</c> script inside the
		376	extracted location:
		377	</p>
		378
		379	<pre caption="Extracting the MigrationTools">
		380	~# <i>mktemp -d</i>
		381	/tmp/tmp.zchomocO3Q
		382	~# <i>cd /tmp/tmp.zchomocO3Q</i>
		383	~# <i>tar xvzf /path/to/MigrationTools.tgz</i>
		384	~# <i>mv /path/to/make_master.sh MigrationTools-47</i>
		385	~# <i>cd MigrationTools-47</i>
		386	</pre>
		387
		388	<p>
		389	The next step now is to migrate the information of your system to OpenLDAP. The
		390	<c>make_master.sh</c> script will do this for you, after you have provided it
		391	with the information regarding your LDAP structure and environment.
		392	</p>
		393
		394	<p>
		395	At the time of writing, the tools require the following input:
		396	</p>
		397
		398	<table>
		399	<tr>
		400	<th>Input</th>
		401	<th>Description</th>
		402	<th>Example</th>
		403	</tr>
		404	<tr>
		405	<ti>LDAP BaseDN</ti>
		406	<ti>The base location (root) of your tree</ti>
		407	<ti>dc=genfic,dc=com</ti>
		408	</tr>
		409	<tr>
		410	<ti>Mail domain</ti>
		411	<ti>Domain used in e-mail addresses</ti>
		412	<ti>genfic.com</ti>
		413	</tr>
		414	<tr>
		415	<ti>Mail host</ti>
		416	<ti>FQDN of your mail server infrastructure</ti>
		417	<ti>smtp.genfic.com</ti>
		418	</tr>
		419	<tr>
		420	<ti>LDAP Root DN</ti>
		421	<ti>Administrative account information for your LDAP structure</ti>
		422	<ti>cn=Manager,dc=genfic,dc=com</ti>
		423	</tr>
		424	<tr>
		425	<ti>LDAP Root Password</ti>
		426	<ti>
		427	Password for the administrative account, cfr earlier <c>slappasswd</c>
		428	command
		429	</ti>
		430	<ti></ti>
		431	</tr>
		432	</table>
		433
		434	<p>
		435	The tool will also ask you which accounts and settings you want to migrate.
277	</p>	436	</p>
278		437
279	</body>	438	</body>
Lines 310-316 Link Here
310	#%PAM-1.0	469	#%PAM-1.0
311		470
312	auth required pam_env.so	471	auth required pam_env.so
313	auth sufficient pam_unix.so try_first_pass likeauth nullok	472	auth <i>sufficient</i> pam_unix.so try_first_pass likeauth nullok
314	<i>auth sufficient pam_ldap.so use_first_pass</i>	473	<i>auth sufficient pam_ldap.so use_first_pass</i>
315	auth required pam_deny.so	474	auth required pam_deny.so
316		475
Lines 318-324 Link Here
318	account required pam_unix.so	477	account required pam_unix.so
319		478
320	password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3	479	password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
321	password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow	480	password <i>sufficient</i> pam_unix.so try_first_pass use_authtok nullok md5 shadow
322	<i>password sufficient pam_ldap.so use_authtok use_first_pass</i>	481	<i>password sufficient pam_ldap.so use_authtok use_first_pass</i>
323	password required pam_deny.so	482	password required pam_deny.so
324		483
Lines 338-357 Link Here
338		497
339	suffix "dc=genfic,dc=com"	498	suffix "dc=genfic,dc=com"
340	<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>	499	<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
341		500	bind_policy soft
342	uri ldap://auth.genfic.com/	501	bind_timelimit 2
343	pam_password exop
344
345	ldap_version 3	502	ldap_version 3
		503	nss_base_group ou=Group,dc=genfic,dc=com
		504	nss_base_hosts ou=Hosts,dc=genfic,dc=com
		505	nss_base_passwd ou=People,dc=genfic,dc=com
		506	nss_base_shadow ou=People,dc=genfic,dc=com
346	pam_filter objectclass=posixAccount	507	pam_filter objectclass=posixAccount
347	pam_login_attribute uid	508	pam_login_attribute uid
348	pam_member_attribute memberuid	509	pam_member_attribute memberuid
349	nss_base_passwd ou=People,dc=genfic,dc=com	510	pam_password exop
350	nss_base_shadow ou=People,dc=genfic,dc=com
351	nss_base_group ou=Group,dc=genfic,dc=com
352	nss_base_hosts ou=Hosts,dc=genfic,dc=com
353
354	scope one	511	scope one
		512	timelimit 2
		513	uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.com
355	</pre>	514	</pre>
356		515
357	<p>	516	<p>
Lines 376-401 Link Here
376	</pre>	535	</pre>
377		536
378	<p>	537	<p>
379	To test the changes, type:
380	</p>
381
382	<pre caption="Testing LDAP Auth">
383	# <i>getent passwd\|grep 0:0</i>
384
385	<comment>(You should get two entries back:)</comment>
386	root:x:0:0:root:/root:/bin/bash
387	root:x:0:0:root:/root:/bin/bash
388	</pre>
389
390	<p>
391	If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>	538	If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
392	was commented out (the <c>rootbinddn</c> line): you don't need it unless you	539	was commented out (the <c>rootbinddn</c> line): you don't need it unless you
393	want to change a user's password as superuser. In this case you need to echo	540	want to change a user's password as superuser. In this case you need to echo
394	the root password to <path>/etc/ldap.secret</path> in plaintext. This is	541	the root password to <path>/etc/ldap.secret</path> in plaintext. This is
395	<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that	542	<brite>DANGEROUS</brite> and should be chmoded to 600. What you might want to
396	file blank and when I need to change someones password thats both in the ldap	543	do is keep that file blank and when you need to change someones password thats
397	and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I	544	both in the ldap and <path>/etc/passwd</path>, put the pass in there for 10
398	change it and remove it when I'm done.	545	seconds while changing the users password and remove it when done.
399	</p>	546	</p>
400		547
401	</body>	548	</body>