Ldap for user management
Here is a quick explanation of the process required in order to use ldap
for user management.
Software required:
- openldap: You may use other servers, too.
- nscd: Useful for speeding up name service requests (it caches them); also needed for:
- nss-ldap: Allows getpwent() and similar name service requests to go to ldap.
- pam-ldap: Allows authentication requests to be passed to ldap.
Software that you might want:
- My useradd etc. replacements (shameless self promotion)
- gq: A cute ldap client
Configuration:
openldap: In order to configure openldap
for use with user account information, it is necessary to load some extra
schema and to set access permissions that are lenient enough to let users
change their own information without being insecure.
pam-ldap: The pam-ldap configuration
tells the pam-ldap authentication module where to look for user
information.
Name service switch: In order for the
semi-ubiquitous getpwent(), getpwuid() and friends to succeed in a
distributed environment, one must either have an entry in the passwd file
for all of your users, or run nscd, which can call upon other services (like
nis, DCE, or ldap) in order to retrieve this information.
Pam configuration: The final step is to tell
pam to enable ldap authentication for some subset of the services upon your
machine. This is done using the per-service files in /etc/pam.d/ (or
/etc/pam.conf on Solaris).
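As an added illustration (these fragments are not from the original page), here is what the four configuration steps above can look like on a Linux machine running OpenLDAP with nss_ldap and pam_ldap. The base DN dc=griffin and admin DN are the page's; the schema directory /etc/ldap/schema, the host 127.0.0.1 and the choice of the login service are assumptions, so adjust them to your system.

```text
# --- slapd.conf (OpenLDAP): add to the existing file ---
# nis.schema supplies posixAccount, posixGroup and shadowAccount;
# it depends on cosine.schema, which depends on core.schema.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema

# A user may change their own password; anyone may bind with it
# (that is what "auth" allows); nobody, not even the owner, may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# Users may edit the rest of their own entry; everything else is
# world-readable, which nss_ldap needs to answer getpwent() and friends.
access to *
        by self write
        by * read

# --- /etc/ldap.conf: read by both nss_ldap and pam_ldap ---
host            127.0.0.1
base            dc=griffin
ldap_version    3
# lookups bind anonymously; pam_ldap changes passwords as the user (self write)
pam_password    md5

# --- /etc/nsswitch.conf: local files first, then ldap ---
passwd:         files ldap
group:          files ldap
shadow:         files ldap

# --- /etc/pam.d/login (one example service) ---
# "sufficient" means an ldap success ends the stack, and an ldap failure
# (including an unreachable server) falls through to the local passwd file.
auth        sufficient  pam_ldap.so
auth        required    pam_unix.so try_first_pass
account     sufficient  pam_ldap.so
account     required    pam_unix.so
password    sufficient  pam_ldap.so
password    required    pam_unix.so try_first_pass
session     required    pam_unix.so
session     optional    pam_ldap.so
```

The order of the pam lines matters: with pam_ldap marked sufficient and listed before pam_unix, a dead LDAP server still lets local accounts (root in particular) log in, whereas marking pam_ldap required would lock everyone out whenever the server is down. The first access rule in slapd.conf is the one to get right before enabling pam_ldap: without the `by * none` line, userPassword hashes are readable by anyone who can search the directory.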
Bootstrapping your ldap database:
Before you can actually add any users or groups, you must have their
organizational units in place. Here is a little ldif which can be used to place
them.
(I acquired this ldif from my machine by issuing the following command:)
ldapsearch -L -b "dc=griffin" -D "cn=admin,dc=griffin" -h localhost -x -w mypass '(objectclass=*)'
The -L means to give ldif formatting (-LL also removes the comments, -LLL also
removes the version number). -b "dc=griffin" tells it to search from my base
DN -- you can also set this in the ldap.conf found in /etc/ldap on my machine.
-D "cn=admin,dc=griffin" is the admin Distinguished Name to bind as. -h
specifies which host. -x makes sure ldap uses simple authentication rather
than SASL. -w mypass gives it my password. And last, '(objectclass=*)' is the
filter I am searching on -- which says, give me everything of every objectclass.
version: 1

#
# filter: (objectclass=*)
# requesting: ALL
#

# griffin
dn: dc=griffin
objectClass: dcObject
dc: griffin

# People, griffin
dn: ou=People,dc=griffin
objectClass: organizationalUnit
ou: People

# Roaming, griffin
dn: ou=Roaming,dc=griffin
objectClass: organizationalUnit
ou: Roaming

# Group, griffin
dn: ou=Group,dc=griffin
objectClass: organizationalUnit
ou: Group
You may add the above ldif to your ldap server with the following command
(ldapadd takes no -b option; each entry's dn already says where it goes):
ldapadd -D "cn=admin,dc=griffin" -h localhost -x -w mypass -f objects.ldif
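The bootstrap ldif above has to be loaded before any users or groups, because the server refuses an entry whose parent does not yet exist. The following Python script is an added example, not code from the original page or from OpenLDAP: it rebuilds the page's four entries under dc=griffin, appends a posixAccount user and a posixGroup group (attributes from the nis.schema shipped with OpenLDAP), serialises them as ldif, and checks the parent-before-child ordering that ldapadd requires. The user name jdoe, the id numbers and the pairing of dcObject with the structural class organization are assumptions; the page's own dump shows dcObject alone.

```python
"""Generate and sanity-check LDIF for bootstrapping an LDAP user database.

Added example (not the page's or OpenLDAP's code).  Base DN dc=griffin is
the page's; user, group and id numbers are constructed sample values.
"""

BASE_DN = "dc=griffin"


def base_entry(base):
    """Top entry.  dcObject is an auxiliary class, so it is paired with the
    structural class 'organization' (assumption; newer slapd insists on one)."""
    dc = base.split(",")[0].split("=", 1)[1]
    return {"dn": base, "objectClass": ["dcObject", "organization"],
            "dc": [dc], "o": [dc]}


def ou_entry(ou, base):
    """One organizationalUnit, e.g. ou=People,dc=griffin."""
    return {"dn": f"ou={ou},{base}", "objectClass": ["organizationalUnit"],
            "ou": [ou]}


def posix_user(uid, uid_number, gid_number, cn, base):
    """Minimal posixAccount under ou=People.  No userPassword here: set it
    with ldappasswd over a protected connection, not in a file on disk."""
    return {"dn": f"uid={uid},ou=People,{base}",
            "objectClass": ["top", "account", "posixAccount"],
            "uid": [uid], "cn": [cn],
            "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
            "homeDirectory": [f"/home/{uid}"], "loginShell": ["/bin/sh"]}


def posix_group(name, gid_number, members, base):
    """posixGroup under ou=Group; memberUid holds login names."""
    return {"dn": f"cn={name},ou=Group,{base}",
            "objectClass": ["top", "posixGroup"],
            "cn": [name], "gidNumber": [str(gid_number)],
            "memberUid": list(members)}


def bootstrap_entries(base=BASE_DN):
    """The page's four entries: base, People, Roaming, Group."""
    return [base_entry(base)] + [ou_entry(ou, base)
                                 for ou in ("People", "Roaming", "Group")]


def to_ldif(entries):
    """'dn:' first, one 'attr: value' per line, a blank line between entries.
    Values here are plain ASCII, so no base64 '::' form or folding is needed."""
    lines = ["version: 1", ""]
    for entry in entries:
        lines.append(f"dn: {entry['dn']}")
        for attr, values in entry.items():
            if attr != "dn":
                lines.extend(f"{attr}: {value}" for value in values)
        lines.append("")
    return "\n".join(lines)


def parse_ldif(text):
    """Inverse of to_ldif for the simple LDIF it produces (no folding,
    no base64, no changetype records); comments and version are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = {"dn": value}
        else:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def parent_dn(dn):
    """'ou=People,dc=griffin' -> 'dc=griffin'; '' for a one-component DN.
    Assumes no escaped commas inside attribute values."""
    return dn.partition(",")[2]


def missing_parents(entries):
    """DNs whose parent is not added earlier in the list: exactly the
    entries ldapadd would reject with 'no such object'."""
    seen, rejected = set(), []
    for entry in entries:
        parent = parent_dn(entry["dn"])
        if parent and parent not in seen:
            rejected.append(entry["dn"])
        seen.add(entry["dn"])
    return rejected


if __name__ == "__main__":
    entries = bootstrap_entries() + [
        posix_user("jdoe", 1001, 1001, "Jane Doe", BASE_DN),  # constructed
        posix_group("jdoe", 1001, ["jdoe"], BASE_DN),         # constructed
    ]
    assert missing_parents(entries) == []
    # Save the output and load it with:
    #   ldapadd -x -D "cn=admin,dc=griffin" -W -f objects.ldif
    print(to_ldif(entries))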
Ashton Trey Belew
Last modified: Thu Mar 21 09:35:41 EST 2002