Installing LDAP components

Prerequisites

Red Hat Linux installed
Windows 2000 Active Directory with Schema Extensions

Installation

Open LDAP

Get Open LDAP from OpenLDAPŽ . I'm using openldap-2.0.25, but I can't see any other version not working properly.

mkdir openldap
cd openldap
ftp ftp.openldap.org
anonymous
youremailaddress@yourcompany.com
bin
get pub/OpenLDAP/openldap-release/openldap-2.0.25.tgz ./openldap-2.0.25.tgz

Now let's install it...

gzip -d openldap-2.0.25.tgz
tar -xf openldap-2.0.25.tar
cd openldap-2.0.25
./configure --enable-ldap
make depend
make
make test
make install

NSS LDAP

Get nss_ldap from PADL Software Pty Ltd. I'm using version 199, but I can't see why any other version wouldn't work properly.

mkdir nss_ldap cd nss_ldap ftp ftp.padl.com anonymous youremailaddress@yourcompany.com bin
get pub/nss_ldap-199.tar.gz ./nss_ldap-199.tar.gz
quit

Now let's install it...

gzip -d nss_ldap-199.tar.gz
tar -xf nss_ldap-199.tar
cd nss_ldap-199
./configure --enable-schema-mapping --enable-rfc2307bi
make
make check
make install

PAM LDAP

Get pam_ldap from PADL Software Pty Ltd. I'm using version 151, but I can't see why any other version wouldn't work properly.

mkdir pam_ldap
cd pam_ldap
ftp ftp.padl.com
bin
get pub/pam_ldap-151.tar.gz ./nss_ldap-199.tar.gz
quit

Now let's install it...

gzip -d pam_ldap.tgz
tar -xf pam_ldap.tar
cd pam_ldap-151
./configure --enable-schema-mapping --enable-rfc2307bi
make
make check
make install

Configuring

Run authconfig to configure the authentication method.

authconfig

On the first screen, select "Use LDAP". Enter the IP address of the LDAP server (which is your Windows 2000 Active Directory) and the base DN that youenteredwhenyousetupActiveDirectory(e.g.:dc=yourcompany,dc=com). Go to the next page. Make sure that "Use LDAP Authentication" is checked and that the "Server" and "Base DN" are correct. Then select OK.

Now we need to create an /etc/ldap.conf file. You must have the entries that follow at a minimum.

mv /etc/ldap.conf /etc/ldap.conf.old vi /etc/ldap.conf

# Your LDAP server. Must be resolvable without using LDAP. host 192.168.0.1 192.168.0.2 # The distinguished name of the search base. base dc=yourcompany,dc=com # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn CN=LDAPAuthUser,CN=Users,dc=yourcompany,dc=com # The credentials to bind with. # Optional: default is no credential. bindpw password # The search scope. scope sub #scope one #scope base # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. pam_password md5 nss_base_passwd cn=Users,dc=yourcompany,dc=com?sub nss_base_shadow cn=Users,dc=yourcompany,dc=com?sub nss_map_objectclass posixAccount User nss_map_objectclass shadowAccount User nss_map_attribute uid EmailUID nss_map_attribute uniqueMember posixMember # nss_map_attribute userPassword msSFU30Password nss_map_attribute homeDirectory msSFU30HomeDirectory nss_map_objectclass posixGroup Group nss_map_attribute cn EmailUID pam_login_attribute EmailUID pam_filter objectClass=User ssl no

Now we need to create a /usr/local/etc/openldap/ldap.conf file. You must have the entries that follow at a minimum.

mv /usr/local/etc/openldap/ldap.conf /usr/local/etc/openldap/ldap.conf.old vi /usr/local/etc/openldap/ldap.conf

HOST 192.168.0.1 BASE dc=yourcompany,dc=com

Now we are going to link /etc/openldap/ldap.conf to the one we just created.

ln /etc/openldap/ldap.conf /usr/local/etc/openldap/ldap.conf

Now we need to point PAM to our new LDAP configuration

mv /etc/pam.d/login /etc/pam.d/login.old vi /etc/pam.d/login

# Check the password against Unix first auth sufficient /lib/security/pam_unix_auth.so # Take that same password and try against LDAP auth required /lib/security/pam_ldap.so try_first_pass account required /lib/security/pam_unix_acct.so password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_console.so

Table of Contents Previous Next

Š 2002 Henry Beatty Last Modified:

Disclaimer: I will not be held responsible for any problems encountered by following these instructions. This is informational only. Do not use this on a production system. Use at your own risk.