Jason Heiss
February 2002
Why is everybody still using NIS?
[Diagram: Kerberos ticket exchange. Labels recoverable from the figure: User, password, Encrypted TGT, service ticket, "Service"]
LDAP Basics
Schemas
• LDAP uses schemas to define what attributes an object can and must have
– posixAccount object class corresponds to an entry in a passwd file
– posixGroup corresponds to a group
• The same object can implement multiple object classes
– uid=jheiss,ou=people,dc=example,dc=com might be a posixAccount, inetOrgPerson and pilotPerson
Schema Examples
attributetype ( 0.9.2342.19200300.100.1.1
NAME ( 'uid' 'userid' )
DESC 'RFC1274: user identifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

dn: ou=people,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: uid=jheiss,ou=people,dc=example,dc=com
objectClass: posixAccount
# inetOrgPerson added: posixAccount alone does not allow surname (sn)
objectClass: inetOrgPerson
commonName: Jason Heiss
surname: Heiss
uid: jheiss
userPassword: {KERBEROS}jheiss@EXAMPLE.COM
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/jheiss
Initial Database Population
• ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f initial.ldif
• Remove rootdn and rootpw from slapd.conf and restart
• All future edits should be authorized via ACLs in slapd.conf
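Before loading initial.ldif with ldapadd it is worth checking the entries offline: that every posixAccount carries the attributes the schema says it must have, that no two accounts share a uidNumber, and that passwords are delegated to Kerberos rather than kept in the directory. The following checker is an added example, not code from the slides or from Jason's tools; it assumes the posixAccount MUST list from RFC 2307 and uses a constructed LDIF sample (the slide's entry plus a deliberately defective second entry).

```python
# Added example (not from the slides): lint posixAccount entries in an LDIF before
# loading it with ldapadd. MUST list taken from RFC 2307's posixAccount definition.
POSIX_MUST = {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}
ALIASES = {"commonname": "cn", "surname": "sn", "userid": "uid"}  # OpenLDAP core aliases

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names lower-cased and de-aliased."""
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(":")
            key = key.strip().lower()
            attrs.setdefault(ALIASES.get(key, key), []).append(value.strip())
        elif not line.strip() and attrs:         # blank line ends an entry
            entries.append((attrs.pop("dn", ["?"])[0], attrs))
            attrs = {}
    return entries

def check_posix_accounts(text):
    """Flag missing MUST attributes, duplicate uidNumbers and passwords kept in LDAP."""
    problems, seen = [], {}
    for dn, attrs in parse_ldif(text):
        if "posixaccount" not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        for m in sorted(POSIX_MUST - set(attrs)):
            problems.append(f"{dn}: missing required attribute {m}")
        for n in attrs.get("uidnumber", []):
            if n in seen:
                problems.append(f"{dn}: uidNumber {n} already used by {seen[n]}")
            seen.setdefault(n, dn)
        for pw in attrs.get("userpassword", []):
            if not pw.upper().startswith("{KERBEROS}"):
                problems.append(f"{dn}: userPassword kept in LDAP instead of deferring to Kerberos")
    return problems

# Constructed sample: the slide's entry plus a second entry with several defects
SAMPLE_LDIF = """dn: uid=jheiss,ou=people,dc=example,dc=com
objectClass: posixAccount
commonName: Jason Heiss
uid: jheiss
userPassword: {KERBEROS}jheiss@EXAMPLE.COM
uidNumber: 500
gidNumber: 100
homeDirectory: /home/jheiss

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
userPassword: {SSHA}constructed-hash
uidNumber: 500"""
```

Running check_posix_accounts(SAMPLE_LDIF) reports nothing for jheiss and five problems for bob: three missing attributes, the reused uidNumber 500, and a password held in LDAP.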
Testing Server
• Test in stages: anonymous simple bind (-x) over plain, ldaps and StartTLS (-ZZ), then the same three with a SASL (Kerberos) bind
– kinit
– ldapsearch -H ldap://hostname/ -x
– ldapsearch -H ldaps://hostname/ -x
– ldapsearch -H ldap://hostname/ -ZZ -x
– ldapsearch -H ldap://hostname/
– ldapsearch -H ldaps://hostname/
– ldapsearch -H ldap://hostname/ -ZZ
LDAP Clients
• Install nss_ldap
• Edit /etc/ldap.conf
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca-cert.pem
• Edit /etc/openldap/ldap.conf
URI ldaps://ldap1.example.com/ ldaps://ldap2.example.com/
BASE dc=example,dc=com
Testing Client
• ldapsearch
– Makes sure /etc/openldap/ldap.conf is set up properly and that the connection to the server is good
• id username
• getent passwd username
• If things don't work
– Try turning off checkpeer in /etc/ldap.conf
– Try setting ssl to no in /etc/ldap.conf
– Try turning off nscd
Troubleshooting
• Sample error messages
– ldap_sasl_interactive_bind_s: Local error
• ldap/hostname service principal not set up
• User doesn't have a ticket or the ticket has expired
– ldap_sasl_interactive_bind_s: Can't contact LDAP server
• Checking hostname against the CN field of the SSL cert failed
• See my web page in references for more
Controlling Access
• Linux
– Add to /etc/pam.d/whatever
account required /lib/security/pam_access.so
– Edit /etc/security/access.conf
• See /usr/share/doc/pam-*/txts/README.pam_access for syntax
• Solaris
– Add entries to /etc/project after removing default entries (except user.root)
user.username:uid::::
LDAP Management
• OpenLDAP tools
– ldapadd, ldapmodify, ldapdelete
– Not very user friendly
• Jason’s tools
– ldapcat, ldapedit, ldapposixadd
– Useful for folks used to NIS
• Integration into centralized tools
– Perl and Net::LDAP
• Sample code on web page
Support
• Kerberos
– comp.protocols.kerberos
• OpenLDAP
– echo subscribe | mail openldap-software-request@openldap.org
• nss_ldap
– echo subscribe | mail nssldap-request@padl.com
References
• http://ofb.net/~jheiss/krbldap/
– Kerberos replication script
– Sample SEAM pam.conf
– Examples of integrating Kerberos management into existing tools
– Sample slapd.conf
– Sample nss_ldap and OpenLDAP ldap.conf's
– Sample LDIF
– List of OpenLDAP error messages
– LDAP tools and sample Net::LDAP code
• Friendly Kerberos introduction: http://web.mit.edu/kerberos/www/dialogue.html
• Kerberos
– MIT: http://web.mit.edu/kerberos/www/
– Heimdal: http://www.pdc.kth.se/heimdal/
– SEAM: http://www.sun.com/software/solaris/ds/ds-seam/
• Encryption modules necessary for Kerberized NFS: http://www.sun.com/software/solaris/encryption/download.html
• Full SEAM package: http://www.sun.com/bigadmin/content/adminPack/
• pam_krb5
– Red Hat: /usr/share/doc/pam_krb5-*/README on a Red Hat box
– Linux PAM Project: http://www.advogato.org/proj/pam_krb5/
• SASL: http://asg.web.cmu.edu/sasl/sasl-library.html
• LDAP
– OpenLDAP: http://www.openldap.org/