This blog is intended to collect information on my various interests and pen my opinion on the information gathered; it is not intended to educate anyone on the information posted, but you are most welcome to share your views on it.
Tuesday, July 27, 2010
LDAP for authentication
Authenticating to an LDAP server
Reasons for authenticating to an LDAP server
The first option is for every client to become a local user on the web server. That means the web server would have to run as root (not recommended) so that it can call useradd and groupadd. The second option is to keep all users in a directory: at every login the system looks the user up there and grants access only if the user exists.
The second option is the safer one, because there is a single place in the network where all users log in (like Novell's NDS), and the users can be administered at one central point (single point of administration).
# This data is necessary for starting the LDAP server.
# suffix: the highest object (the base DN) in your LDAP database.
# This value must be adapted.
# rootdn: the entry that has all permissions for every object
# below the suffix in the LDAP database.
# This value must be adapted.
# rootpw: the password of the rootdn (store it hashed, never in clear text).
# directory: the directory holding the LDAP database files.
# access (or the older defaultaccess): the standard permissions for every user.
# Indices to maintain
index objectClass eq
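The comments above are the skeleton of a slapd.conf; the directive lines they describe are shown here as an added example, not as the page's own file. All values (suffix, rootdn, paths, the bdb backend, the schema locations) are assumptions to adapt. The one security point worth the extra lines is the access section: with only a global read permission (the old "defaultaccess read"), every anonymous client can read the userPassword hashes of all accounts, so password attributes get their own rule.

```conf
# slapd.conf (OpenLDAP 2.x, assumed values; adapt suffix, rootdn and paths)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
# nis.schema defines posixAccount, shadowAccount and posixGroup
include         /etc/openldap/schema/nis.schema

database        bdb
# The highest object in the database (assumed suffix)
suffix          "dc=example,dc=com"
# The entry with all permissions for everything below the suffix
rootdn          "cn=Manager,dc=example,dc=com"
# The root password: paste the output of 'slappasswd -h {SSHA}' here,
# never a clear-text password, and keep slapd.conf readable by root only
rootpw          {SSHA}<paste output of slappasswd here>
# Directory with the LDAP database
directory       /var/lib/ldap

# Standard permissions: a bare 'defaultaccess read' would expose userPassword.
# Users may change their own password, anyone may authenticate against it,
# nobody else may read it; everything else stays readable.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# Indices to maintain: uid is what pam_ldap/nss_ldap search at every login
index   objectClass             eq
index   uid                     eq
index   uidNumber,gidNumber     eq
```

After editing, run slaptest (or start slapd in the foreground with -d) to catch syntax errors before the server is put into service.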
The file /etc/ldap.conf must also be adapted, because the programs nss_ldap and pam_ldap read it (be careful not to edit /etc/openldap/ldap.conf instead, which belongs to the OpenLDAP client tools). The file may also live somewhere else: if the option --sysconfdir=... was given at configuration time, it resides in the corresponding directory.
# host where you can reach the LDAP server
# the base of the LDAP server
# At login, all objects of the object class posixAccount
# are searched for the user
# uid = user name, i.e. the login name
# cn = common name (the full name); the surname goes in sn
# afterwards the object classes are defined
# for the rather tricky shadow* values, the man pages of
# passwd, useradd and shadow should be consulted
# uidNumber = user number (user id)
# gidNumber = number (id) of the group the user belongs to
# homeDirectory = home directory
# loginShell = login shell
After this file is created it can be added to the LDAP server.
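An added example, not code from the original page: a small Python script that builds exactly the posixAccount entry the comments above describe and writes it as LDIF for ldapadd. Everything in it is an assumption to adapt: the base DN dc=example,dc=com, the ou=People container, the sample user jdoe, the minimum uidNumber of 1000, and the function names. Two checks are included that the HOWTO text leaves implicit: the uid becomes part of the DN, so it is restricted to a POSIX login name (a value like "root,dc=evil" would otherwise rewrite the DN), and a uidNumber below the local minimum is refused, because an entry with uidNumber 0 is root on every host that resolves users through nss_ldap. The password is stored as an OpenLDAP {SSHA} value, the same form slappasswd emits, and values that LDIF cannot carry literally are base64-encoded with the "::" form.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

BASE_DN = "dc=example,dc=com"   # assumed suffix; must match slapd.conf
MIN_UID_NUMBER = 1000           # assumed local policy: stay clear of system accounts
REQUIRED = ("uid", "cn", "sn", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
_POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample account, not taken from the original page.
SAMPLE_USER: Dict[str, object] = {
    "uid": "jdoe",
    "cn": "John Doe",
    "sn": "Doe",
    "uidNumber": 10001,
    "gidNumber": 100,
    "homeDirectory": "/home/jdoe",
    "loginShell": "/bin/bash",
}


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), as slappasswd -h {SSHA} emits."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_value(attr: str, value: object) -> str:
    """One LDIF line. Values that must not appear literally (leading space, ':' or '<',
    trailing space, control or non-ASCII characters) are base64-encoded as 'attr:: ...'."""
    text = str(value)
    unsafe = (text and text[0] in " :<") or text.endswith(" ") \
        or any(ord(c) < 32 or ord(c) > 126 for c in text)
    if unsafe:
        return f"{attr}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {text}"


def validate_user(user: Dict[str, object]) -> Optional[str]:
    """Return the reason an account must be rejected, or None if it is acceptable."""
    missing = [k for k in REQUIRED if k not in user]
    if missing:
        return f"missing attributes: {missing}"
    # The uid goes into the DN: only a POSIX login name is allowed, so it can neither
    # extend the DN with extra RDNs nor be rejected later by login/getent.
    if not _POSIX_NAME.match(str(user["uid"])):
        return f"not a valid login name: {user['uid']!r}"
    for attr in ("uidNumber", "gidNumber"):
        if not isinstance(user[attr], int):
            return f"{attr} must be an integer"
    # uidNumber 0 in the directory means root on every client that uses nss_ldap.
    if user["uidNumber"] < MIN_UID_NUMBER:
        return f"uidNumber {user['uidNumber']} is below {MIN_UID_NUMBER}"
    return None


def posix_account_ldif(user: Dict[str, object], password: str, base_dn: str = BASE_DN) -> str:
    """LDIF for one person/posixAccount/shadowAccount entry, ready for ldapadd."""
    problem = validate_user(user)
    if problem:
        raise ValueError(problem)
    lines = [f"dn: uid={user['uid']},ou=People,{base_dn}",
             "objectClass: top",
             "objectClass: person",
             "objectClass: posixAccount",
             "objectClass: shadowAccount"]
    lines += [ldif_value(attr, user[attr]) for attr in REQUIRED]
    lines.append(ldif_value("userPassword", ssha_hash(password)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(posix_account_ldif(SAMPLE_USER, "s3cret"), end="")
```

Write the output to a file and load it with ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f user.ldif (the rootdn is the assumed one from slapd.conf). The gidNumber must refer to a posixGroup entry, or a local group, that actually exists, otherwise the login works but the group resolves to a bare number.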
hosts: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
If you compiled the packages nss_ldap and pam_ldap yourself, a file named ldap.conf should exist in the directory /usr/local/etc. If it does not, the option --sysconfdir was probably used at compile time, and you should look in the directory you chose then.
Debian users who installed the packages with apt-get have the two files pam-ldap.conf and libnss-ldap.conf. Their content is the same, so one can also be replaced by a link to the other (e.g.: ln -snf /etc/pam-ldap.conf /etc/libnss-ldap.conf).
The content of this file determines which LDAP server to authenticate to and which objects contain the user- and password information.
It could look like the following:
ldap.conf or pam-ldap.conf
# IP of the LDAP server
# base object of the server
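An added example of the client side, not the page's own file: a complete ldap.conf for nss_ldap and pam_ldap together with the three nsswitch.conf lines that actually switch user, group and shadow lookups to the directory (the nsswitch fragment shown earlier stops before them). Host name, base DN, container names and the CA path are assumptions. The settings that matter for security are the ones the page's two-line version leaves at their defaults: without TLS the user's password travels in clear text in the simple bind at every login, and with pam_password set to clear a changed password is stored in plain text.

```conf
# /etc/ldap.conf for nss_ldap and pam_ldap (assumed values; adapt host and base)
# Server address: a URI with a host name lets TLS verify the certificate name
uri             ldap://ldap.example.com/
# Base object of the server
base            dc=example,dc=com
ldap_version    3
scope           sub
# Do not hang at boot forever if the server is unreachable
bind_policy     soft
# Never resolve these local accounts through LDAP
nss_initgroups_ignoreusers root,ldap

# Search users and groups in their own containers instead of the whole tree
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

# Weak (the default): simple bind in clear text over the network
# ssl             no
# Corrected: StartTLS on port 389 and verification of the server certificate
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacerts/ca.pem

# Weak: 'pam_password clear' stores a changed password unhashed
# pam_password  clear
# Corrected: the password-modify extended operation lets the server hash it
pam_password    exop

# Only needed if the directory does not allow anonymous reads of the
# attributes above; the password for rootbinddn is read from /etc/ldap.secret (mode 600)
# rootbinddn    cn=Manager,dc=example,dc=com

# /etc/nsswitch.conf: the lines that make the directory a source of accounts
# passwd:   files ldap
# group:    files ldap
# shadow:   files ldap
```

Check the result with getent passwd jdoe (using an account that exists only in the directory) before touching the PAM stack, and keep a root session open while editing /etc/pam.d, because a broken pam_ldap line locks everyone out.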