Andy Schofield
2007-Mar-27 20:43 UTC
[Fedora-directory-users] Trying to set up a simple authentication and file server
Please excuse the obvious newbie posting: I am struggling to get my head round fedora-ds and what I am trying to do must be so standard.

I am trying to set up a simple server for about 20 users that allows clients running Redhat Enterprise 4 to authenticate over ldap and find the automounter map which tells them how to automount a user's home space.

We are moving from a solaris NIS server which from a client's perspective is trivial to set up:
you just run system-config-authentication
+ enable "configure NIS"
+ fill in the NIS domain and the NIS server and it just works.

Running system-config-authentication also has an option to enable "configure LDAP" where you fill in the LDAP Search Base DN and the LDAP Server. I would like to create the server that will respond appropriately.

So my questions:

(1) Is fedora-ds the right tool for the job? Perhaps it is using a sledgehammer to crack a nut.

(2) I've more or less got the authentication bit working but the console seems counter-intuitive. The opening screen has a tab "Users and Group" which allows you to search and add users but this, as far as I can see, has nothing to do with the users that the server will authenticate. They need to be added way down the tree, by opening the Directory Server, choosing the suffix and right-clicking the "People" and adding new. Is this the correct method of adding users? (I don't want to import them from the passwd file - there are so few of them I want to do things by hand).

(3) How do I add the automap? Various websites talk about "automountInformation:" entry, but where does that come in? It does not appear as an attribute I can add to a person.

(4) Does anyone know of a simple walk-through documentation to do this as I am surely not the first person to try and do this with FDS?

Thanks for your help
Andy
George Holbert
2007-Mar-27 21:10 UTC
Re: [Fedora-directory-users] Trying to set up a simple authentication and file server
Hi Andy,

Not to discourage you, but if you're going to switch from NIS to LDAP, be prepared to spend a lot of time. For a single site with 20 users, the simplicity of NIS might make it a better choice, particularly since you and your co-workers are already familiar with it.

> (1) Is fedora-ds the right tool for the job? Perhaps it is using a
> sledgehammer to crack a nut.

FDS is a great tool, but yeah, it is kind of a sledgehammer for your case.

> (3) How do I add the automap? Various websites talk about
> "automountInformation:" entry, but where does that come in? It does not
> appear as an attribute I can add to a person.

You need to add some extra schema.
http://directory.fedora.redhat.com/wiki/Howto:Automount

> (4) Does anyone know of a simple walk-through documentation to do this
> as I am surely not the first person to try and do this with FDS?

Gary Tay has a lot of good notes on NIS-to-LDAP topics here:
http://web.singnet.com.sg/~garyttt

I don't know of any one-size-fits-all recipes. Good luck!

-- George

Andy Schofield wrote:
> Please excuse the obvious newbie posting: I am struggling to get my
> head round fedora-ds and what I am trying to do must be so standard.
>
> I am trying to set up a simple server for about 20 users that allows
> clients running Redhat Enterprise 4 to authenticate over ldap and find
> the automounter map which tells them how to automount a user's home
> space.
>
> We are moving from a solaris NIS server which from a client's
> perspective is trivial to set up:
> you just run system-config-authentication
> + enable "configure NIS"
> + fill in the NIS domain and the NIS server and it just works.
>
> Running system-config-authentication also has an option to enable
> "configure LDAP" where you fill in the LDAP Search Base DN and the LDAP
> Server. I would like to create the server that will respond
> appropriately.
>
> So my questions:
>
> (1) Is fedora-ds the right tool for the job? Perhaps it is using a
> sledgehammer to crack a nut.
>
> (2) I've more or less got the authentication bit working but the
> console seems counter-intuitive. The opening screen has a tab "Users
> and Group" which allows you to search and add users but this, as far as
> I can see, has nothing to do with the users that the server will
> authenticate. They need to be added way down the tree,
> by opening the Directory Server,
> choosing the suffix and right-clicking the "People" and adding new.
> Is this the correct method of adding users?
> (I don't want to import them from the passwd file - there are so few of
> them I want to do things by hand).
>
> (3) How do I add the automap? Various websites talk about
> "automountInformation:" entry, but where does that come in? It does not
> appear as an attribute I can add to a person.
>
> (4) Does anyone know of a simple walk-through documentation to do this
> as I am surely not the first person to try and do this with FDS?
>
> Thanks for your help
> Andy
Kyle Tucker
2007-Mar-28 14:22 UTC
Re: [Fedora-directory-users] Trying to set up a simple authentication and file server
> (1) Is fedora-ds the right tool for the job? Perhaps it is using a
> sledgehammer to crack a nut.

I've set it up for a company with as few as 4 people. The payoff is being able to use centralized auth for ssh, Apache, Samba, Bugzilla and more.

> (2) I've more or less got the authentication bit working but the
> console seems counter-intuitive. The opening screen has a tab "Users
> and Group" which allows you to search and add users but this, as far as
> I can see, has nothing to do with the users that the server will
> authenticate. They need to be added way down the tree,
> by opening the Directory Server,
> choosing the suffix and right-clicking the "People" and adding new.
> Is this the correct method of adding users?
> (I don't want to import them from the passwd file - there are so few of
> them I want to do things by hand).

I have put an INSTALL summary file and a bunch of scripts I use to maintain Unix accounts with FDS online. It may be of help to you.
http://www.panix.com/~kylet/ldap

> (3) How do I add the automap? Various websites talk about
> "automountInformation:" entry, but where does that come in? It does not
> appear as an attribute I can add to a person.

Automaps are separate entries in the directory. I've not used them yet, but enough shops are using them that it must be easily implemented. I know we use it at one place I work under SunONE DS (essentially the same as FDS) and it looks pretty straightforward. Feel free to email me offline if you'd like some help or snippets of the schema and/or LDIF samples.

--
- Kyle
---------------------------------------------
kylet@panix.com http://www.panix.com/~kylet
---------------------------------------------
Andy Schofield
2007-Mar-28 20:56 UTC
Re: [Fedora-directory-users] Trying to set up a simple authentication and file server
Thanks for the help, George and Kyle. I have basic authentication working now.

> > (3) How do I add the automap? Various websites talk about
> > "automountInformation:" entry, but where does that come in? It does
> > not appear as an attribute I can add to a person.
>
> You need to add some extra schema.
> http://directory.fedora.redhat.com/wiki/Howto:Automount
>

I have also got the autofs maps working too. At least it works for a Redhat Enterprise 4.4 client. I have not yet tested it on a solaris client (and I am sure it won't work for them).

So you need to add the schema that George pointed out in the link above:
http://directory.fedora.redhat.com/wiki/Howto:Automount

You save it as an .ldif file, but you can't import it via the console. I added it to the /opt/fedora-ds/slapd-*/config/schema directory with a suitably high number like 90.

This now gives you the appropriate objects. Here are some ldif files that allow a client to find auto.master and auto.home.

dn: automountmapname=auto_master,dc=mydom,dc=com
automountInformation: ldap:myldap.host.com:automountmapname=auto_home,dc=mydom,dc=com --timeout=120
automountKey: /home
automountMapName: auto_master
objectClass: top
objectClass: automount
objectClass: automountmap

dn: automountmapname=auto_home,dc=mydom,dc=com
automountMapName: auto_home
objectClass: top
objectClass: automountmap
objectClass: automount
automountKey: *
automountInformation: -fstype=nfs,rw,hard,intr,nosuid myfileserver.com:/export/home/&

Note that in /etc/nsswitch.conf you should have

automount: files ldap

and have the ldap server correctly set up in /etc/ldap.conf

Note that in /etc/sysconfig/autofs there is an option to use auto_master and auto.master interchangeably.

Hope this helps some other newbie.
Andy
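An added example, not part of the thread: because every client mounts whatever the directory's automountInformation values say, it is worth auditing an LDIF export of the maps for mount options such as the nosuid used in the post above. The function names and the required-option policy are hypothetical; the sample is constructed from the post's entries (objectClass lines omitted, one value folded) and assumes the "-options host:/path" and "ldap:host:dn" value formats shown there.

```python
import re

# Constructed sample: the two entries from the post, with one long value
# folded the way LDIF exports fold it (continuation lines start with a space).
SAMPLE_LDIF = """\
dn: automountmapname=auto_master,dc=mydom,dc=com
automountInformation: ldap:myldap.host.com:automountmapname=auto_home,
 dc=mydom,dc=com --timeout=120
automountKey: /home
automountMapName: auto_master

dn: automountmapname=auto_home,dc=mydom,dc=com
automountMapName: auto_home
automountKey: *
automountInformation: -fstype=nfs,rw,hard,intr,nosuid myfileserver.com:/export/home/&
"""

def parse_ldif(text):
    """Return one dict per entry: lowercased attribute name -> list of values."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_automount(text, required=("nosuid",)):
    """Return (key, kind, target, missing_options) per automountInformation."""
    findings = []
    for entry in parse_ldif(text):
        key = entry.get("automountkey", ["?"])[0]
        for info in entry.get("automountinformation", []):
            first, _, rest = info.partition(" ")
            if first.startswith("ldap:"):  # master map pointing at another map
                findings.append((key, "map-ref", first.split(":", 2)[-1], []))
            elif first.startswith("-"):    # "-opt,opt host:/path"
                have = set(first[1:].split(","))
                findings.append((key, "mount", rest.strip(),
                                 [o for o in required if o not in have]))
            else:                          # no option field at all
                findings.append((key, "mount", info, list(required)))
    return findings

if __name__ == "__main__":
    for finding in audit_automount(SAMPLE_LDIF):
        print(finding)
```

An empty last element means the entry carries every required option; a map-ref finding names the map DN that should be audited in turn.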