Difference between revisions of "LDAP"

From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search
(Some reorganization and added some important info)
(Reorganization, formatting, editing, and some new content)
Line 1: Line 1:
We are running an LDAP server on Einstein. This server serves up the user information (passwd and shadow) and also lists of servers and workstations which tie into various permission schemes. The overall setup seems somewhat complicated at first, so this documentation is '''much needed'''.
+
Clients on the network use LDAP to authenticate user logins.  We are running an LDAP server on Einstein. This server serves up the user information (passwd and shadow) and also lists of servers and workstations which tie into various permission schemes.
 
== Organization ==
 
== Organization ==
LDAP runs on einstein. For passwords and such it is protected with TSL encryption. (See [[Certificates]].) The certificate is valid for einstein.unh.edu and einstein.farm.physics.unh.edu.
+
LDAP runs on einstein. For passwords and such it is protected with TSL encryption. (See [[Certificates]].) The certificate is valid for einstein.unh.edu and einstein.farm.physics.unh.edu. The service program ''slapd'' handles requests from clients.
== Troubleshooting ==
 
The best way to check whether LDAP is working is ''getent passwd'', which should show user passwords. If it does not work, then ''ldapsearch -ZZ '(uid=silas)' '' may give more diagnostics. Try 'ldapsearch -x '(uid=silas)' '' to test LDAP without using the encruption layer.
 
However, if your node has a bad system time, the certificate may look like it is from the future and will not be accepted. So check system time if users cannot log in.
 
 
== Configuration ==
 
== Configuration ==
For clients, configuration for LDAP is in '''two locations''': /etc/ldap.conf and /etc/openldap/ldap.conf. Here you set the host that is serving the information.  Also, ldap must be referenced in /etc/nsswitch.conf like so:
+
For clients, configuration for LDAP is in '''two locations''': ''/etc/ldap.conf'' and ''/etc/openldap/ldap.conf''. Here you set the host(s) that is serving the information.  Specifically, einstein.unh.edu or einstein.farm.physics.unh.  Also, ldap must be referenced in ''/etc/nsswitch.conf'' like so:
 
<pre>passwd:    files ldap
 
<pre>passwd:    files ldap
 
shadow:    files ldap
 
shadow:    files ldap
 
group:      files ldap</pre>
 
group:      files ldap</pre>
 
(Those '''may not''' be the only entries requiring a reference to ldap.)
 
(Those '''may not''' be the only entries requiring a reference to ldap.)
 +
 +
Once a user is authenticated, the client mounts the user's home directory.  See [[Automount]].
 +
== Troubleshooting ==
 +
The best way to check whether LDAP is working is <code>getent passwd</code>, which should show user passwords. If it does not work, then <code>ldapsearch -ZZ '(uid=silas)'</code> may give more diagnostics. Try <code>ldapsearch -x '(uid=silas)'</code> to test LDAP without using the encryption layer.
 +
 +
If your node has a bad system time, the certificate may look like it is from the future and will not be accepted. So check system time if users cannot log in.
 +
 +
Another thing to check is if the client is able to connect to the LDAP server, and that the server is referenced in the appropriate configuration files.
 
== External Information ==
 
== External Information ==
 
* [http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-ldap-pam.html  Setup information]
 
* [http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-ldap-pam.html  Setup information]
 
* [http://www.openldap.org/doc/admin23/ OpenLDAP Software 2.3 Administrator's Guide]  
 
* [http://www.openldap.org/doc/admin23/ OpenLDAP Software 2.3 Administrator's Guide]  
 
* [http://www.openldap.org/faq/data/cache/1.html  OpenLDAP Faq-O-Matic]
 
* [http://www.openldap.org/faq/data/cache/1.html  OpenLDAP Faq-O-Matic]

Revision as of 18:09, 8 June 2007

Clients on the network use LDAP to authenticate user logins. We are running an LDAP server on Einstein. This server serves up the user information (passwd and shadow) and also lists of servers and workstations which tie into various permission schemes.

Organization

LDAP runs on einstein. For passwords and such it is protected with TSL encryption. (See Certificates.) The certificate is valid for einstein.unh.edu and einstein.farm.physics.unh.edu. The service program slapd handles requests from clients.

Configuration

For clients, configuration for LDAP is in two locations: /etc/ldap.conf and /etc/openldap/ldap.conf. Here you set the host(s) that is serving the information. Specifically, einstein.unh.edu or einstein.farm.physics.unh. Also, ldap must be referenced in /etc/nsswitch.conf like so:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

(Those may not be the only entries requiring a reference to ldap.)

Once a user is authenticated, the client mounts the user's home directory. See Automount.

Troubleshooting

The best way to check whether LDAP is working is getent passwd, which should show user passwords. If it does not work, then ldapsearch -ZZ '(uid=silas)' may give more diagnostics. Try ldapsearch -x '(uid=silas)' to test LDAP without using the encryption layer.

If your node has a bad system time, the certificate may look like it is from the future and will not be accepted. So check system time if users cannot log in.

Another thing to check is if the client is able to connect to the LDAP server, and that the server is referenced in the appropriate configuration files.

External Information