Clients on the network use LDAP to authenticate user logins. We are running an LDAP server on Einstein. This server serves up the user information (passwd and shadow) and also lists of servers and workstations which tie into various permission schemes.
LDAP runs on einstein. For passwords and such it is protected with TSL encryption. (See Certificates.) The certificate is valid for einstein.unh.edu and einstein.farm.physics.unh.edu. The service program slapd handles requests from clients.
For clients, configuration for LDAP is in two locations: /etc/ldap.conf and /etc/openldap/ldap.conf. Here you set the host(s) that is serving the information. Specifically, einstein.unh.edu or einstein.farm.physics.unh. Also, ldap must be referenced in /etc/nsswitch.conf like so:
passwd: files ldap shadow: files ldap group: files ldap
Those may not be the only entries requiring a reference to ldap, but the GUI tool authconfig-gtk. is good at taking care of things. If a machine doesn't have that program, it's safe to look at another machine's files.
Once a user is authenticated, the client mounts the user's home directory. See Automount.
The best way to check whether LDAP is working is
getent passwd, which should show user passwords. If it does not work, then
env HOME=/root ldapsearch -ZZ '(uid=someusername)' may give more diagnostics. Try
ldapsearch -x '(uid=someusername)' to test LDAP without using the encryption layer.
If your node has a bad system time, the certificate may look like it is from the future and will not be accepted. So check system time if users cannot log in.
Another thing to check is if the client is able to connect to the LDAP server, and that the server is referenced in the appropriate configuration files.
If LDAP isn't configured properly, or the machine cannot reach the LDAP server, then the machine may experience a very long boot time (usually hanging during "Starting system message bus...").
Administrators can use the programs /usr/sbin/luseradd, /usr/sbin/luserdel, and /usr/sbin/lusermod to add, delete, and modify users from the directory. There is also a more-friendly(??) program for adding users: /usr/local/bin/adduser-npg, however it requires that the above programs and more be accessible via the PATH environmental variable (root has the appropriate path set up, but sudo won't use it).
What is needed for a succesful login?
- Entry in ldap tables or /etc/password and /etc/shadow
- Be in the correct group. Which group is correct is controlled by PAM in /etc/security/access.conf
I still cannot quite figure out how access to say, the farm nodes, is controlled. What groups you need to be in? Only npg and farm?
Some Useful LDAP Hints
- Add a user account: Use env HOME=/root /user/local/bin/adduser-npg
- You can look at and manipulate the tables with JXplorer (installed on improv). Login as root with the standard password for ldap.
- Be careful: slapcat, slapadd etc commands can only be run when slapd is NOT running Can be used to dump and restore the entire ldap database.
- Modify user items (i.e. shell, home, uid, gid) env HOME=/root /usr/sbin/lusermod --shell /bin/false minuti
- Add a user to a group: env HOME=/root /usr/sbin/lgroupmod --member-add uid group