Difference between revisions of "LDAP"
(Some reorganization and added some important info) |
|||
| Line 1: | Line 1: | ||
We are running an LDAP server on Einstein. This server serves up the user information (passwd and shadow) and also lists of servers and workstations which tie into various permission schemes. The overall setup seems somewhat complicated at first, so this documentation is '''much needed'''. | We are running an LDAP server on Einstein. This server serves up the user information (passwd and shadow) and also lists of servers and workstations which tie into various permission schemes. The overall setup seems somewhat complicated at first, so this documentation is '''much needed'''. | ||
| − | + | == Organization == | |
| − | + | LDAP runs on einstein. For passwords and such it is protected with TSL encryption. (See [[Certificates]].) The certificate is valid for einstein.unh.edu and einstein.farm.physics.unh.edu. | |
| − | + | == Troubleshooting == | |
| − | + | The best way to check whether LDAP is working is ''getent passwd'', which should show user passwords. If it does not work, then ''ldapsearch -ZZ '(uid=silas)' '' may give more diagnostics. Try 'ldapsearch -x '(uid=silas)' '' to test LDAP without using the encruption layer. | |
| − | + | However, if your node has a bad system time, the certificate may look like it is from the future and will not be accepted. So check system time if users cannot log in. | |
| − | + | == Configuration == | |
| − | + | For clients, configuration for LDAP is in '''two locations''': /etc/ldap.conf and /etc/openldap/ldap.conf. Here you set the host that is serving the information. Also, ldap must be referenced in /etc/nsswitch.conf like so: | |
| − | + | <pre>passwd: files ldap | |
| + | shadow: files ldap | ||
| + | group: files ldap</pre> | ||
| + | (Those '''may not''' be the only entries requiring a reference to ldap.) | ||
| + | == External Information == | ||
* [http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-ldap-pam.html Setup information] | * [http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-ldap-pam.html Setup information] | ||
* [http://www.openldap.org/doc/admin23/ OpenLDAP Software 2.3 Administrator's Guide] | * [http://www.openldap.org/doc/admin23/ OpenLDAP Software 2.3 Administrator's Guide] | ||
* [http://www.openldap.org/faq/data/cache/1.html OpenLDAP Faq-O-Matic] | * [http://www.openldap.org/faq/data/cache/1.html OpenLDAP Faq-O-Matic] | ||
Revision as of 13:20, 6 June 2007
We are running an LDAP server on Einstein. This server serves up the user information (passwd and shadow) and also lists of servers and workstations which tie into various permission schemes. The overall setup seems somewhat complicated at first, so this documentation is much needed.
Organization
LDAP runs on einstein. For passwords and such it is protected with TSL encryption. (See Certificates.) The certificate is valid for einstein.unh.edu and einstein.farm.physics.unh.edu.
Troubleshooting
The best way to check whether LDAP is working is getent passwd, which should show user passwords. If it does not work, then ldapsearch -ZZ '(uid=silas)' may give more diagnostics. Try 'ldapsearch -x '(uid=silas)' to test LDAP without using the encruption layer. However, if your node has a bad system time, the certificate may look like it is from the future and will not be accepted. So check system time if users cannot log in.
Configuration
For clients, configuration for LDAP is in two locations: /etc/ldap.conf and /etc/openldap/ldap.conf. Here you set the host that is serving the information. Also, ldap must be referenced in /etc/nsswitch.conf like so:
passwd: files ldap shadow: files ldap group: files ldap
(Those may not be the only entries requiring a reference to ldap.)
