Fedora directory users - Dec 2009 - Re: [389-users] OK, so how do I use this thing?

On 12/1/09 6:40 PM, "Alan McKay" <alan.mckay@gmail.com> wrote:
>>     Take a look at documentation here:
>>     http://directory.fedoraproject.org/wiki/Documentation
> 
> I''ll go through that again, thanks.  I went through it a week ago
but
> did not find anything too useful, but I''m further along now and a
week
> is a long time when you are just starting out.
It will take time to learn LDAP as it is a huge topic. Here''s a book I
would
recommend: LDAP System Administration by Gerald Carter(O''Reilly
Publication)
> 
>>     To authenticate linux users, you will have to configure you client
hosts
>> to ldap server by configuring /etc/ldap.conf
>>     Which can be done using GUI/cmdline via authconfig-tui/authconfig
--help
> 
> Aha, this gives me a tidbit of what I''m looking for!  Enough to
> probably find some good results with man pages and google!  Thanks!
Google for "How to setup LDAP authentication" and there is ton of
info.
> 
>>     Look at Administration Guide
>>     http://www.redhat.com/docs/manuals/dir-server/8.1/admin/index.html
> 
> This I spent most of my day on today and as mentioned there is nothing
> really there for me on how to get cilents working against this.  Sure,
> lots of great detail on setting up every aspect of the server and
> stuff I''ll have to come back to (e.g. multi-master replication,
> password expiry and such), but not a single thing in the whole guide
> on "here is how you get client XYZ to work with LDAP"
Again, setting up simple (basic) LDAP authentication is configuring
ldap.conf and nsswitch.conf . But it is not sufficient, you have to make
changes here and there to meet all your requirements
> 
>> Do they need local accounts too?
>>     Local accounts are needed for root and other service accounts
> 
> Cool
> 
>> Local disks?
>>     Not sure what this means
> 
> If you do not have a local account, then where does your home dir come
> from?  Must come from a network disk, no?  But what if I want local
> disk, but authenticate through LDAP?  Can I do that too?  And if there
> is no local user, how do I chown files on the drive to that user?
Having a homer Directory is irrespective of where the account lives. You
definitely need a local disk where you OS is installed, unless you are using
Virtual machine and SAN storage. You can set PAM Module to create homedir on
login and change to it.(authconfig --enablemkhomedir)

http://www.mail-archive.com/seawolf-list@redhat.com/msg03331.html

> 
>> What about website?  Wikis?  All currently using htpasswd.   How do I
>> convert those?
>>     For websites, you can refer to Apache authentication via LDAP
> 
> Will do - thanks!
-Prashanth

On Wed, Dec 2, 2009 at 10:40 AM, Prashanth Sundaram <psundaram@wgen.net>
wrote:
> It will take time to learn LDAP as it is a huge topic. Here''s a
book I would
> recommend: LDAP System Administration by Gerald Carter(O''Reilly
Publication)
Yeah, no kidding - holy moly!   I just ordered that book about 30
minutes ago actually because everyone keeps recommending it to me.
> Google for "How to setup LDAP authentication" and there is ton of
info.
Too much :-)   My first test was a failure - locked myself out of the
system.  Fortunately I''m playing in a VMWare sandbox so I just blew
away the client OS and am reinstalling.  We''ll see where I get next
time :-)
> Again, setting up simple (basic) LDAP authentication is configuring
> ldap.conf and nsswitch.conf . But it is not sufficient, you have to make
> changes here and there to meet all your requirements
I''ll be happy if I can just get that simple thing going.  
We''ll see
where I get.
> Virtual machine and SAN storage. You can set PAM Module to create homedir
on
> login and change to it.(authconfig --enablemkhomedir)
>
> http://www.mail-archive.com/seawolf-list@redhat.com/msg03331.html
Nifty - thanks!


-- 
“Don''t eat anything you''ve ever seen advertised on TV”
         - Michael Pollan, author of "In Defense of Food"

OK, after setting up my centos-ds server in pretty much a default
config, I added a user and then did some playing around with a client.

Here is all I had to do to get the client authenticating :

On the other (client) CentOS box, as root  :

system-config-authentication --enableldap --ldapserver=sandbox1
--ldapbasedn="dc=office,dc=example,dc=com" --update
system-config-authentication --enableldap --enableldapauth --update

Note that "sandbox1" is my centos-ds server.  And my domain is
"office.example.com" though of course my real domain name :-)

This just gives me basic auth - nothing fancy yet.  I have the homedir
in centos-ds set to ''/home/alan'', and before logging in on the
client,
as root I created that dir and set it to 0777.  Now I want to try to
get fancy :-)


-- 
“Don''t eat anything you''ve ever seen advertised on TV”
         - Michael Pollan, author of "In Defense of Food"

Add another

system-config-authentication --enablemkhomedir --update

As the name suggests, do this on the client and homedirs will be made
for you automatically when they first log in.

w00t!!!


-- 
“Don''t eat anything you''ve ever seen advertised on TV”
         - Michael Pollan, author of "In Defense of Food"